research-article

Authenticated key-value stores with hardware enclaves

Authors:

Ju ChenAuthors Info & Claims

Middleware '21: Proceedings of the 22nd International Middleware Conference: Industrial Track

Pages 1 - 8

https://doi.org/10.1145/3491084.3491425

Published: 06 December 2021 Publication History

Abstract

Authenticated data storage on an untrusted platform is an important computing paradigm for cloud applications ranging from data outsourcing, to cryptocurrency and general transparency logs. These modern applications increasingly feature update-intensive workloads, whereas existing authenticated data structures (ADSs) designed with in-place updates are inefficient to handle such workloads. This work addresses the issue and presents a novel authenticated log-structured merge tree (eLSM) based key-value store built on Intel SGX.

We present a system design that runs the code of eLSM store inside enclave. To circumvent the limited enclave memory (128 MB with the latest Intel CPUs), we propose to place the memory buffer of the eLSM store outside the enclave and protect the buffer using a new authenticated data structure by digesting individual LSM-tree levels. We design protocols to support data integrity, (range) query completeness, and freshness. Our protocol causes small proofs by including the Merkle proofs at selected levels.

We implement eLSM on top of Google LevelDB and Facebook RocksDB with minimal code change and performance interference. We evaluate the performance of eLSM under the YCSB workload benchmark and show a performance advantage of up to 4.5X speedup.

References

[1]

[n. d.]. Apache Cassandra, http://cassandra.apache.org/.

[2]

[n. d.]. Apache HBase, http://hbase.apache.org/.

[3]

[n. d.]. Certificate transparency, the Internet standards, https://tools.ietf.org/html/rfc6962.

[4]

[n. d.]. Compaction Filter, https://github.com/facebook/rocksdb/wiki/Compaction-Filter.

[5]

[n. d.]. eLSM source code, https://drive.google.com/file/d/1flnP4BlmwwNThPO-7wWqeAKwluUQygkr/view?usp=sharing.

[6]

[n. d.]. ExitLess services for SGX enclaves, https://github.com/acsl-technion/eleos.

[7]

[n. d.]. Facebook RocksDB, http://rocksdb.org/.

[8]

[n. d.]. Google LevelDB, http://code.google.com/p/leveldb/.

[9]

[n. d.]. HBase Coprocessor, https://blogs.apache.org/hbase/entry/coprocessor_introduction.

[10]

[n. d.]. Intel Corp. Software Guard Extensions programming reference, https://goo.gl/Ka3pnU.

[11]

[n. d.]. Intel Software Guard Extensions (Intel SGX) SDK, https://software.intel.com/en-us/sgx-sdk/download.

[12]

[n. d.]. Introducing Oak, a Free and Open Certificate Transparency Log (Let's Encrypt), https://bit.ly/2HtgDA0.

[13]

[n. d.]. RocksDB Hooks, https://github.com/facebook/rocksdb/wiki/rocksdb-basics.

[14]

[n. d.]. YCSB LevelDB adaptor, https://github.com/jtsui/ycsb-leveldb.

[15]

Sanjeev Arora, Carsten Lund, Rajeev Motwani, Madhu Sudan, and Mario Szegedy. 1998. Proof Verification and the Hardness of Approximation Problems. <u>J. ACM</u> 45, 3 (1998), 501--555.

Digital Library

[16]

Maurice Bailleu, Jörg Thalheim, Pramod Bhatotia, Christof Fetzer, Michio Honda, and Kapil Vaswani. 2019. SPEICHER: Securing LSM-based Key-Value Stores using Shielded Execution. In <u>17th USENIX Conference on File and Storage Technologies, FAST 2019, Boston, MA, February 25-28, 2019.</u> 173--190. https://www.usenix.org/conference/fast19/presentation/bailleu

Digital Library

[17]

Andrew Baumann, Marcus Peinado, and Galen C. Hunt. 2015. Shielding Applications from an Untrusted Cloud with Haven. <u>ACM Trans. Comput. Syst.</u> 33, 3 (2015), 8:1--8:26.

Digital Library

[18]

Benjamin Braun, Ariel J. Feldman, Zuocheng Ren, Srinath T. V. Setty, Andrew J. Blumberg, and Michael Walfish. 2013. Verifying computations with state. In <u>ACM SIGOPS 24th Symposium on Operating Systems Principles, SOSP '13, Farmington, PA, USA, November 3-6, 2013</u>. 341--357.

Digital Library

[19]

Fay Chang, Jeffrey Dean, Sanjay Ghemawat, Wilson C. Hsieh, Deborah A. Wallach, Michael Burrows, Tushar Chandra, Andrew Fikes, and Robert Gruber. 2006. Bigtable: A Distributed Storage System for Structured Data (Awarded Best Paper!). In <u>OSDI</u>. 205--218.

Digital Library

[20]

Brian F. Cooper, Adam Silberstein, Erwin Tam, Raghu Ramakrishnan, and Russell Sears. 2010. Benchmarking cloud serving systems with YCSB. In <u>SoCC</u>. 143--154.

Digital Library

[21]

Premkumar Devanbu, Michael Gertz, Charles Martel, and Stuart G. Stubblebine. 2003. Authentic Data Publication over the Internet. <u>Journal of Computer Security</u> 11 (2003), 2003.

Digital Library

[22]

Feifei Li, Marios Hadjieleftheriou, George Kollios, and Leonid Reyzin. 2006. Dynamic authenticated index structures for outsourced databases. In <u>SIGMOD Conference</u>. 121--132.

Digital Library

[23]

Kai Li, Yuzhe Tang, Beom Heyn Kim, and Jianliang Xu. 2019. Secure Consistency Verification for Untrusted Cloud Storage by Public Blockchains. <u>SecureComm</u> abs/1904.06626 (2019). arXiv:1904.06626 http://arxiv.org/abs/1904.06626

[24]

Charles U. Martel, Glen Nuckolls, Premkumar T. Devanbu, Michael Gertz, April Kwong, and Stuart G. Stubblebine. 2004. A General Model for Authenticated Data Structures. <u>Algorithmica</u> 39, 1 (2004), 21--41.

Digital Library

[25]

Marcela S. Melara, Aaron Blankstein, Joseph Bonneau, Edward W. Felten, and Michael J. Freedman. 2015. CONIKS: Bringing Key Transparency to End Users. In <u>24th USENIX Security Symposium, USENIX Security 15, Washington, D.C., USA, August 12-14, 2015.</u>, Jaeyeon Jung and Thorsten Holz (Eds.). USENIX Association, 383--398. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/melara

Digital Library

[26]

Ralph C. Merkle. 1980. Protocols for Public Key Cryptosystems. In <u>IEEE Symposium on Security and Privacy</u>. 122--134.

[27]

Meni Orenbach, Pavel Lifshits, Marina Minkin, and Mark Silberstein. 2017. Eleos: ExitLess OS Services for SGX Enclaves. In <u>Proceedings of the Twelfth European Conference on Computer Systems, EuroSys 2017, Belgrade, Serbia, April 23-26, 2017</u>, Gustavo Alonso, Ricardo Bianchini, and Marko Vukolic (Eds.). ACM, 238--253.

Digital Library

[28]

HweeHwa Pang and Kian-Lee Tan. 2004. Authenticating Query Results in Edge Computing. In <u>Proceedings of the 20th International Conference on Data Engineering (ICDE '04)</u>. IEEE Computer Society, Washington, DC, USA, 560-. http://dl.acm.org/citation.cfm?id=977401.978163

Digital Library

[29]

Stavros Papadopoulos, Yin Yang, and Dimitris Papadias. 2007. CADS: Continuous Authentication on Data Streams. In <u>VLDB</u>. 135--146.

Digital Library

[30]

Charalampos Papamanthou, Elaine Shi, Roberto Tamassia, and Ke Yi. 2013. Streaming Authenticated Data Structures. In <u>Advances in Cryptology - EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26-30, 2013. Proceedings (Lecture Notes in Computer Science)</u>, Thomas Johansson and Phong Q. Nguyen (Eds.), Vol. 7881. Springer, 353--370.

[31]

Charalampos Papamanthou, Roberto Tamassia, and Nikos Triandopoulos. 2008. Authenticated hash tables. In <u>Proceedings of the 2008 ACM Conference on Computer and Communications Security, CCS 2008, Alexandria, Virginia, USA, October 27-31, 2008</u>, Peng Ning, Paul F. Syverson, and Somesh Jha (Eds.). ACM, 437--448.

Digital Library

[32]

Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova. 2013. Pinocchio: Nearly Practical Verifiable Computation. In <u>2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19-22, 2013</u>. 238--252.

Digital Library

[33]

Yi Qian, Yupeng Zhang, Xi Chen, and Charalampos Papamanthou. 2014. Streaming Authenticated Data Structures: Abstraction and Implementation. In <u>Proceedings of the 6th edition of the ACM Workshop on Cloud Computing Security, CCSW '14, Scottsdale, Arizona, USA, November 7, 2014</u>, Gail-Joon Ahn, Alina Oprea, and Reihaneh Safavi-Naini (Eds.). ACM, 129--139.

Digital Library

[34]

Srinath T. V. Setty, Benjamin Braun, Victor Vu, Andrew J. Blumberg, Bryan Parno, and Michael Walfish. 2013. Resolving the conflict between generality and plausibility in verified computation. In <u>Eighth Eurosys Conference 2013, EuroSys '13, Prague, Czech Republic, April 14-17, 2013</u>. 71--84.

Digital Library

[35]

Roberto Tamassia. 2003. Authenticated Data Structures. In <u>Algorithms - ESA 2003, 11th Annual European Symposium, Budapest, Hungary, September 16-19, 2003, Proceedings</u>. 2--5.

[36]

Yuzhe Tang, Kai Li, Jianliang Xu, Qi Zhang, and Ju Chen. 2019. Authenticated Key-Value Stores with Hardware Enclaves. <u>CoRR</u> abs/1904.12068 (2019). arXiv:1904.12068

[37]

Yuzhe Tang, Ting Wang, Ling Liu, Xin Hu, and Jiyong Jang. 2014. Lightweight authentication of freshness in outsourced key-value stores. In <u>Proceedings of the 30th ACSAC 2014, New Orleans, LA, USA</u>, Charles N. Payne Jr., Adam Hahn, Kevin R. B. Butler, and Micah Sherr (Eds.). ACM, 176--185.

Digital Library

[38]

Yuzhe Richard Tang, Kai Li, Yibo Wang, and Sencer Burak Somuncuoglu. 2020. Scalable Log Auditing on Private Blockchains via Lightweight Log-Fork Prevention. In <u>Proceedings of the 4th Workshop on Scalable and Resilient Infrastructures for Distributed Ledgers, SERIAL@Middleware 2020, Delft, The Netherlands, December 07-11, 2020</u>. ACM, 1--4.

Digital Library

[39]

Yuzhe Richard Tang, Zihao Xing, Cheng Xu, Ju Chen, and Jianliang Xu. 2018. Lightweight Blockchain Logging for Data-Intensive Applications. In <u>Financial Cryptography and Data Security - FC 2018 International Workshops, BITCOIN, VOTING, and WTSC, Nieuwpoort, Curaçao, March 2, 2018, Revised Selected Papers (Lecture Notes in Computer Science)</u>, Aviv Zohar, Ittay Eyal, Vanessa Teague, Jeremy Clark, Andrea Bracciali, Federico Pintore, and Massimiliano Sala (Eds.), Vol. 10958. Springer, 308--324.

Digital Library

[40]

Chia-che Tsai, Donald E. Porter, and Mona Vij. 2017. Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX. In <u>2017 USENIX Annual Technical Conference, USENIX ATC 2017, Santa Clara, CA, USA, July 12-14, 2017.</u> USENIX Association, 645--658. https://www.usenix.org/conference/atc17/technical-sessions/presentation/tsai

Digital Library

[41]

Riad S. Wahby, Srinath T. V. Setty, Zuocheng Ren, Andrew J. Blumberg, and Michael Walfish. 2015. Efficient RAM and control flow in verifiable outsourced computation. In <u>22nd NDSS 2015</u>. http://www.internetsociety.org/doc/efficient-ram-and-control-flow-verifiable-outsourced-computation

[42]

Yin Yang, Dimitris Papadias, Stavros Papadopoulos, and Panos Kalnis. 2009. Authenticated join processing in outsourced databases. In <u>ACM SIGMOD 2009</u>. 5--18.

Digital Library

[43]

Yin Yang, Stavros Papadopoulos, Dimitris Papadias, and George Kollios. 2009. Authenticated indexing for outsourced spatial databases. <u>VLDB J.</u> 18, 3 (2009), 631--648.

Digital Library

Cited By

Will NMaziero C(2023)Intel Software Guard Extensions Applications: A SurveyACM Computing Surveys10.1145/359302155:14s(1-38)Online publication date: 17-Jul-2023
https://dl.acm.org/doi/10.1145/3593021
Shen CFan L(2023)Pldb: Protecting LSM-based Key-Value Store using Trusted Execution Environment2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)10.1109/TrustCom60117.2023.00111(762-771)Online publication date: 1-Nov-2023
https://doi.org/10.1109/TrustCom60117.2023.00111
Liu DHuang CXue LZhuang WShen XYing B(2023)Collaborative and Verifiable VNF Management for Metaverse With Efficient Modular DesignsIEEE Journal on Selected Areas in Communications10.1109/JSAC.2023.334542242:3(616-628)Online publication date: 21-Dec-2023
https://dl.acm.org/doi/10.1109/JSAC.2023.3345422

Index Terms

Authenticated key-value stores with hardware enclaves
1. Security and privacy
  1. Systems security
    1. Distributed systems security
    2. Operating systems security
      1. Trusted computing

Recommendations

An Efficient Memory-Mapped Key-Value Store for Flash Storage
SoCC '18: Proceedings of the ACM Symposium on Cloud Computing

Persistent key-value stores have emerged as a main component in the data access path of modern data processing systems. However, they exhibit high CPU and I/O overhead. Today, due to power limitations it is important to reduce CPU overheads for data ...
Building Efficient Key-Value Stores via a Lightweight Compaction Tree
Special Issue on MSST 2017 and Regular Papers

Log-Structure Merge tree (LSM-tree) has been one of the mainstream indexes in key-value systems supporting a variety of write-intensive Internet applications in today’s data centers. However, the performance of LSM-tree is seriously hampered by ...
Fast key-value stores: An idea whose time has come and gone
HotOS '19: Proceedings of the Workshop on Hot Topics in Operating Systems

Remote, in-memory key-value (RINK) stores such as Memcached [6] and Redis [7] are widely used in industry and are an active area of academic research. Coupled with stateless application servers to execute business logic and a databaselike system to ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

Middleware '21: Proceedings of the 22nd International Middleware Conference: Industrial Track

December 2021

35 pages

ISBN:9781450391528

DOI:10.1145/3491084

General Chairs:
Kaiwen Zhang
ÉTS, Canada
,
Abdelouahed Gherbi
ÉTS, Canada
,
Program Chairs:
Nalini Venkatasubramanian
UC Irvine
,
Luís Veiga
IST (U.Lisboa) & INESC-ID, Portugal

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

ACM: Association for Computing Machinery

In-Cooperation

USENIX Assoc: USENIX Assoc
IFIP

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 December 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Natural Science Foundation

Conference

Middleware '21

Sponsor:

ACM

Middleware '21: 22nd International Middleware Conference

December 6 - 10, 2021

Québec city, Canada

Acceptance Rates

Overall Acceptance Rate 203 of 948 submissions, 21%

Upcoming Conference

MIDDLEWARE '24

25th International Middleware Conference

December 2 - 6, 2024

Hong Kong , Hong Kong

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
177
Total Downloads

Downloads (Last 12 months)36
Downloads (Last 6 weeks)7

Reflects downloads up to 10 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Will NMaziero C(2023)Intel Software Guard Extensions Applications: A SurveyACM Computing Surveys10.1145/359302155:14s(1-38)Online publication date: 17-Jul-2023
https://dl.acm.org/doi/10.1145/3593021
Shen CFan L(2023)Pldb: Protecting LSM-based Key-Value Store using Trusted Execution Environment2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)10.1109/TrustCom60117.2023.00111(762-771)Online publication date: 1-Nov-2023
https://doi.org/10.1109/TrustCom60117.2023.00111
Liu DHuang CXue LZhuang WShen XYing B(2023)Collaborative and Verifiable VNF Management for Metaverse With Efficient Modular DesignsIEEE Journal on Selected Areas in Communications10.1109/JSAC.2023.334542242:3(616-628)Online publication date: 21-Dec-2023
https://dl.acm.org/doi/10.1109/JSAC.2023.3345422

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents