Secure Tera-scale Data Crunching with a Small TCB Bruno Vavala Nuno - - PowerPoint PPT Presentation

Secure Tera-scale Data Crunching with a Small TCB

Bruno Vavala Nuno Neves Peter Steenkiste

UL / CMU UL CMU

47th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’17)

delivering security guarantees for generic and large-scale data processing on untrusted hosts

delivering security guarantees for large-scale data processing

• n untrusted hosts with a small TCB

Goal

2

3

delivering security guarantees for large-scale data processing

• n untrusted hosts with a small TCB

trusted HW based data integrity

4

delivering security guarantees for large-scale data processing

• n untrusted hosts with a small TCB

1 TB

5

delivering security guarantees for large-scale data processing

• n untrusted hosts with a small TCB

small code small interface No HW devices

Some use cases

6

public cloud service provider

Some use cases

computational genomics

7

public cloud service provider

0.3TB per genome

…more generally…

Model

trusted hardware module

S V P

9

Model

• 1. provide state authentication data
• 2. outsource

large state

S V P

10

Model

• 3. send 


request

S V P

• 1. provide state authentication data
• 2. outsource

large state

11

Model

• 3. send 


request

• 4. execute


command

S V P

• 1. provide state authentication data
• 2. outsource

large state

12

Model

• 3. send 


request

• 5. receive


authenticated reply

S V P

• 1. provide state authentication data
• 2. outsource

large state

• 4. execute


command

13

Outline

• Goal
• Previous Work
• Our solution: key ideas and
• verview
• Evaluation

Outline

• Goal
• Previous Work
• Our solution: key ideas and
• verview
• Evalution

Haven

(OSDI’14) picoprocess host OS enclave service libOS

interface

— designed for Intel SGX — large TCB (due to libOS) — 10s of new interface calls + works with 
 unmodified applications

VHD

16

VC3

(IEEE S&P’15) process host OS enclave map & reduce functions job execution protocol

narrow interface

— designed for Intel SGX — specific for Hadoop + small TCB + data confidentiality + can run unmodified
 Hadoop applications

17

small TCB Large State Interface calls App Specific Trusted Computing arch. Haven

(OSDI’14)

No Yes tens No SGX

VC3

(S&P’15)

Yes Yes

MapReduce workloads

R,W Yes SGX

XMHF- TrustVisor


(S&P’13,’10)

Yes No none

(but Minibox has tens)

No TPM / TXT

LaStGT

Yes Yes zero! No TV&SGX

A Niche in the State of the Art

18

Outline

• Goal
• Previous Work
• Our solution: key ideas and
• verview
• Evalution

untrusted env. trusted env.

20

Scenario: two execution environments

untrusted env. trusted env.

app’s execution flow

21

the service code is running

untrusted env. trusted env.

access data in block bi is bi in memory?

app’s execution flow

22

the service code accesses data in memory

untrusted env. trusted env.

access data in block bi is bi in memory?

app’s execution flow keep going

yes

23

when data is available, there are no interruptions

untrusted env. trusted env.

access data in block bi is bi in memory?

app’s execution flow

handle page fault load data

keep going

yes no

24

• therwise, the service is interrupted and


data memory pages are loaded

untrusted env. trusted env.

access data in block bi is bi in memory?

app’s execution flow

handle page fault load data validate data

keep going

yes no

25

data is validated inside trusted environment,
 independently from service execution

untrusted env. trusted env.

access data in block bi is bi in memory?

app’s execution flow

handle page fault load data validate data

keep going

yes no resume

26

service is resumed and


• nly if data is valid, service can make progress

…in practice…

trusted
 untrusted

Untrusted address space

Hardware SGX/TPM

Architecture

• ther

untrusted services

Trusted address space

state handler service code SMM

(State map manager)

OS

Supervisor

28

untrusted
 untrusted

Untrusted address space

Hardware SGX/TPM

Architecture

• ther

untrusted services

Trusted address space

state handler service code SMM

(State map manager)

OS

Supervisor

29

• n TrustVisor, Supervisor is trusted
• n SGX, Supervisor is untrusted

LaStGT in 5 steps

• Offline data protection at the source
• State registration
• Data processing
• Lazy loading from memory & disk
• Execution verification

4

• Offline data protection at the

source

• State registration
• Data processing
• Lazy loading from memory & disk
• Verification

1

0 1 0 0 0 1 1 1 1 0 1 0 0 0

Data protection

Hierarchical

• Incremental as 


data is created
 
 Made for:

• Incremental validation

as data is loaded

• Fast verification
• Single hash tree is

unsuitable

210 220 230 240 220 225 230 235 240

Tree size (bytes) State size (bytes)

bytes/block 210 215 220 225 230

0 1 0 0 0 1 1 1 1 0 1 0 0 0

32

State Hierarchy

files blocks

chunk chunk

chunks

masterchunk

master chunks

directory

directory

state root

root

33

State Hierarchy

34

state root directory masterchunk chunk chunk masterchunk chunk chunk

• components are

loaded separately

• unneeded components

not loaded in memory

• state root (1 hash)

allows state validation

• Offline data protection at the source
• State registration
• Data processing
• Lazy loading from memory & disk
• Verification

2

Untrusted address space

Trusted address space

SMM

(State map manager)

OS

Supervisor

state handler service code

When the trusted execution environment is created, only the code is available inside

36

Untrusted address space

Trusted address space

SMM

(State map manager)

OS

Supervisor

state handler service code

grab root from disk

37

Untrusted address space

Trusted address space

SMM

(State map manager)

OS

Supervisor

state handler service code

grab root from disk register state

• registration is

the first execution

• state handler

installs root

• root is trusted

38

Untrusted address space

Trusted address space

SMM

(State map manager)

OS

Supervisor

state handler service code state root

39

• state root is available 


before service code runs


• Offline data protection at the source
• State registration
• Data processing
• Lazy loading from memory & disk
• Verification

3

• service code has view of entire state
• state not readily available: inefficient loading it upfront

pages NOT available pages available

OS

Supervisor

Untrusted address space

Trusted address space

SMM

41

state handler service code state root data

page hit on access

• Service code execution begins
• Service accesses data in memory
• Data retrieval is fast if data is already available

OS

Supervisor

Untrusted address space

Trusted address space

SMM

42

state handler service code state root data

page miss on access

OS

Supervisor

• Service code may access data 

• n missing pages

Untrusted address space

Trusted address space

SMM

43

state handler service code state root data

• A page fault is triggered
• Execution is interrupted,

seamlessly waiting to continue

OS

Supervisor

page fault!

Untrusted address space

Trusted address space

SMM

44

state handler service code state root data

• Offline data protection at the source
• State registration
• Data processing
• Lazy loading from memory & disk
• Verification

4

Untrusted address space

Trusted address space

SMM OS

Supervisor

page fault!

46

state handler service code state root data

Untrusted address space

Trusted address space

OS

Supervisor

page fault!

page address grab state component from disk

• Let SMM handle missing data
• SMM loads data from disk

SMM

47

state handler service code state root data

Untrusted address space

Trusted address space

OS

Supervisor

page fault!

SMM data

validate data

• in TrustVisor, validate in place
• in SGX, copy, validate, copy

48

state handler service code state root data

Untrusted address space

Trusted address space

OS

Supervisor

page fault!

SMM data

data is valid

• If Supervisor is trusted,


invalid data => no resume 
 (e.g.: TrustVisor)


• If Supervisor is untrusted


invalid data => no accept,
 so no access (e.g.: SGX)

49

state handler service code state root data

Untrusted address space

Trusted address space

OS

Supervisor

SMM data

page hit on access resume

fault solved, data accessible on resume, continue…

50

state handler service code state root data

• Offline data protection at the source
• State registration
• Data processing
• Lazy loading from memory & disk
• Execution verification 5
• HW-based attestation of code identity,


including input request, state root, 


• utput reply, nonce
• Client checks validity of attestation


and intended identities/hashes

Outline

• Goal
• Previous Work
• Our solution: key ideas and
• verview
• Implemention(s)
• Evaluation

TCB size

VC3 Haven LaStGT

hypervisor library SQLite
 (example)

KSLoC


(lines of code x 1000)

9.2 O(103) 17 7.7 92.6 library is small compared to real service SGX-based TPM/TXT based

53

load&hash data upfront LaStGT entry/exit & block validation

Comparison

XMHF-TrustVisor vs. LaStGT

2 4 6 8 10 12

MB 128 MB 256 MB 384 MB 512 MB

seconds TrustVisor LaSt-GT

LaStGT is Incremental, Faster & Scalable

LaStGT chunk loading

54

SQLite on LaStGT

0.0 0.2 0.4 128 MB 256 MB 512 MB 1 GB 2 GB ... 0.25 TB 3.2 3.4 3.6 seconds

5 10 15 20 1 MB 2 MB 4 MB 8 MB 16 MB 32 MB 64 MB 128 MB 256 MB 512 MB 1 GB 2 GB ... 0.25 TB seconds

• First large-scale

experiment on hypervisor


• Data I/O can be
• ptimized

through state hierarchy


• SGX expected

to improve substantially

55

Conclusions

• Security for large-scale data processing can

be guaranteed with a small TCB

• Virtual memory-based data handling 


=> zero interface

• No change to source code


=> easy integration

• One design can fit diverse HW & SW

Secure Tera-scale Data Crunching with a Small TCB

Bruno Vavala1,2, Nuno Neves1, Peter Steenkiste2

1LaSIGE, Faculdade de Ciˆ

encias, Universidade de Lisboa, Portugal

2CSD, Carnegie Mellon University, U.S.

Abstract—Outsourcing services to third-party providers comes with a high security cost—to fully trust the providers. Us- ing trusted hardware can help, but current trusted execution environments do not adequately support services that process very large scale datasets. We present LASTGT, a system that bridges this gap by supporting the execution of self-contained services over a large state, with a small and generic trusted computing base (TCB). LASTGT uses widely deployed trusted hardware to guarantee integrity and verifiability of the execution

• n a remote platform, and it securely supplies data to the

service through simple techniques based on virtual memory. As a result, LASTGT is general and applicable to many scenarios such as computational genomics and databases, as we show in our experimental evaluation based on an implementation of LASTGT on a secure hypervisor. We also describe a possible implementation on Intel SGX.

support the execution of either small pieces of code and data [10], or large code bases [11], or specific software like database engines [12] or MapReduce applications [13]. Recent work [14] has shown how to support unmodified services. However, since ”the interface between modern applications and operating systems is so complex” [30], it relies on a considerable TCB that includes a library OS. In addition, the above systems are specific for TPMs [10], [15], secure coprocessors [12], or Intel SGX [13]. Hence, porting them to alternative architectures (e.g., the upcoming AMD Secure Memory Encryption and Secure Encrypted Virtualization [36], [37]) requires significant

• effort. Clearly, it is desirable to design a generic system “not

relying on idiosyncratic features of the hardware” [16]. We present LASTGT, a system that can handle a LArge STate on a Generic Trusted component with a small TCB.

ad maiora.

IEEE/IFIP DSN’17 Bruno Vavala, UL / CMU, bvavala@cs.cmu.edu

(blank)

58

Steve Wozniak

“Never trust a computer you can’t throw out the window.”

59

(excerpt from)

Intel’s Legal Desclaimer

“No computer system can be absolutely secure.”

60