s601-sion - VLDB 2005


Query Execution Assurance for Outsourced Databases

version 1.31, 08/29/05, prepared for VLDB 2005

Radu Sion (sion@cs.stonybrook.edu)
http://www.cs.stonybrook.edu/~sion

Secure Systems Lab, Computer Sciences, Stony Brook University

Radu Sion
Securing Outsourced Data
prepared for VLDB, 8/05

Slide 2: outline

- data outsourcing
- query completeness
- searching
- secure co-processor

Slide 3: data outsourcing

Diagram (labels recovered from the slide): the Data Client (Alice) sends a batch of queries Q1,…,Qb [1] through an online query interface to the Data Server (Bob), which holds the outsourced data and returns the results r(Q1),…,r(Qb) [2].

Example client/server pairs:
- client: PDA, personal email user, file-client
- server: email server, PostgreSQL, file-server

Slide 4: data outsourcing: challenges

Untrusted server:
- lazy: incentives to perform less
- curious: incentives to acquire information
- malicious:
  - denial of service
  - incorrect results
- possibly compromised

Why is this hard?
- how?
- arbitrary expressivity
- overheads
  - network
  - computational costs

What do we do?
- query assurances
- full privacy
  - of queries (even encrypted)
  - of access patterns
- data confidentiality

Slide 5: pointer

- data outsourcing
- query completeness (this part)
- searching
- secure co-processor

Slide 6: querying with completeness: why?!

Client requires quantifiable assurances that query results are complete and correct, for arbitrary query types, in the presence of a server that could be …

… lazy (we do this *here*)

… and/or fully malicious (!)

Slide 7: ringers

P. Golle and I. Mironov, "Uncheatable Distributed Computations", RSA 2001 (Cryptographer's track)

Diagram (labels recovered from the slide): Alice holds a1,…,an and f(), and computes f(a1),…,f(an) [1]. Bob holds b1,…,bx,…,bn, computes f(b1),…,f(bn) [1] and, for the planted input, f(bx); he returns x' [2]. Alice checks x' = x [3]. Also shown: "f(ai) = ?", "f()".

Slide 8: query completeness proofs (lazy server)

Diagram (labels recovered from the slide): the Data Owner (Alice) sends Q1,…,Qb together with a challenge token C(Q,x, ) [1] to the Database Service Provider (Bob), whose query interface dispatches over servers S1,…,Si,…,Ss; Bob returns r(Q1),…,r(Qb) and x' [2]; Alice checks x = x' [3].

A challenge token (computed by client) is sent together with the batch of queries. Upon return, batch execution is proved by (x==x').
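How the ringer idea of slide 7 and the challenge token of this slide fit together, as an added Python example that is neither the talk's SQi code (which is Java) nor the paper's exact construction: the client secretly executes a few of the batch's queries itself, hashes each result under a fresh nonce into a token, and the server, unable to tell ringers from ordinary queries, must return x' = the indices whose results match. A server that skipped those queries cannot answer. The function names, the hash-based token and the stand-in `execute` are this example's assumptions. The last function goes beyond the slide and gives the general combinatorial bound C(e,r)/C(b,r) for a server that executes only e of b queries against r ringers; it is not the figure from the talk's own "success probability of cheating" slide.

```python
import hashlib
import random
import secrets
from math import comb


def execute(query):
    """Stand-in for running a query and returning its result r(Q).
    Constructed for the demo: a deterministic function of the query text."""
    return "result-of:" + query.upper()


def result_digest(nonce, result):
    """Token over one result, bound to the batch by the nonce (no replay)."""
    return hashlib.sha256(nonce + b"|" + result.encode()).hexdigest()


def client_prepare(queries, ringer_count):
    """Client: choose ringer_count secret indices x, execute those queries
    locally and build the challenge tokens C(Q, x, nonce) to send along."""
    nonce = secrets.token_bytes(16)
    secret = sorted(random.sample(range(len(queries)), ringer_count))
    tokens = [result_digest(nonce, execute(queries[i])) for i in secret]
    random.shuffle(tokens)  # token order must not reveal index order
    return {"queries": queries, "nonce": nonce, "tokens": tokens}, secret


def server_execute(challenge, executed_indices):
    """Server: run the queries in executed_indices (an honest server runs all
    of them), then report x' = the indices whose result matches a token.
    A lazy server can only match tokens against results it really computed."""
    results = {i: execute(challenge["queries"][i]) for i in executed_indices}
    by_digest = {result_digest(challenge["nonce"], r): i for i, r in results.items()}
    x_prime = sorted(by_digest[t] for t in challenge["tokens"] if t in by_digest)
    return results, x_prime


def client_verify(secret, x_prime):
    """The slide's check: batch execution is accepted iff x == x'."""
    return x_prime == secret


def cheat_success_probability(b, executed, ringers):
    """Probability that a server executing only `executed` of b queries still
    locates all `ringers` tokens: C(executed, ringers) / C(b, ringers)."""
    if executed < ringers:
        return 0.0
    return comb(executed, ringers) / comb(b, ringers)


if __name__ == "__main__":
    batch = [f"select * from t where id = {i}" for i in range(8)]
    challenge, secret = client_prepare(batch, ringer_count=2)
    _, x_prime = server_execute(challenge, range(len(batch)))
    print("honest server accepted:", client_verify(secret, x_prime))
    lazy = [i for i in range(len(batch)) if i not in secret]
    _, x_prime = server_execute(challenge, lazy)
    print("lazy server accepted:", client_verify(secret, x_prime))
    print("P(cheat) with 5 of 10 executed, 1 ringer:",
          cheat_success_probability(10, 5, 1))
```

The digest is computed over the result, not the query text, so the server has to produce the right result to match; the nonce keeps tokens from an earlier batch from being reused.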

Slide 9: secure query interface (SQi)

Diagram (labels recovered from the slide): on the Database Service Provider side, sqi.server.QueryServer sits in front of the DBMS over traditional JDBC. On the client side, sqi.client.QueryClient exposes an Extended JDBC Interface to the Data Client (the Secure Client) alongside traditional JDBC, and raises security events to the Security Controls. Client and server communicate over the network.

Slide 10: SQi: client interface

sqi.client.QueryClient components (labels recovered from the slide):
- Legacy Query Interface and Extended Query Interface, used by the Data Client; security events go to the Security Controls
- Security Logic: Execution Proofs, Query Pre-processor, Fast Crypto, Privacy Manager, Event Callback Management
- Persistent Query Store, Transparent Query Batch Scheduler, Client Data Source Adapter (to server), Plugin Handler

Slide 11: SQi: server

sqi.server.QueryServer components (labels recovered from the slide):
- Incoming Query Queue (from client), Server Data Source Adapter, Legacy Data Source
- Security Logic: Execution Proofs, Query Post-processor, Fast Crypto, Privacy Manager Agent
- Plugin Handler

Slide 12: success probability of cheating (figure not in the extracted text)

Slide 13: execution times (figure not in the extracted text)

Slide 14: overheads are reasonable (figure not in the extracted text)

Slide 15: beyond laziness

- client-side result checking
- weaker assurances of a stronger type
- secure hardware (we'll see later)
- etc.?

Slide 16: pointer

- data outsourcing
- query completeness
- searching (this part)
- secure co-processor

Slide 17: searching: fun for sure, but important?

Selected scenarios
- compromised server (e.g. network context)
- secure email server
  - do not allow sysadmin to read email
- secure networked file system
  - unable to deploy forensics (without data owner consent)
- secures (from commercial competition):
  - company data
  - data access patterns

sample: "return all emails containing 'John' and 'lunch'"

Slide 18: searching: fun for sure, but important?!

Challenges
- result assurances
  - completeness
  - correctness
- confidentiality of data
- obliviousness
  - privacy of searches
  - no correlation leaks
- overheads
  - computational
  - network
- storage constrained client
- dynamic (updates)

Slide 19: searching: helicopter overview

Diagram (labels recovered from the slide; the figure itself is not in the extracted text). Actors: document server, data client.

Server-side index: documents d1,…,d4 with checksum C, tagged with keywords as
d1: k1; d2: k2; d3: k1, k2; d4: k3, k4.
Keyword entries encode the matching document ids as roots of a polynomial:
k1: (d1+x)(d3+x) mod p
k2: (d2+x)(d3+x) mod p
The client-side view shows the encrypted counterparts d'1,…,d'4 and checksum C~.

Protocol steps as numbered on the slide:
1. query: {k1, k2}
2. client sends qnr1, qr2, qr3, …, qrk and qr'1, qnr'2, qr'3, …, qr'k
3. server computes the v_i values (v1,…,vn; v'1,…,v'n)
4. F^-1
5. verify checksums
6. retrieve: d3

Deploying a modified version of computational PIR targeted at a server-side indexing structure to achieve complete privacy.

Properties: Computational Privacy; Query Completeness.
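The retrieval step on this slide reads as a quadratic-residuosity computational PIR: the client sends a vector that is all quadratic residues except a non-residue at the wanted position (the slide's qr/qnr lists), the server multiplies the entries selected by its data (the v_i values), and only the client, holding the factorisation, can decide residuosity (F^-1). The following Python is an added example of the textbook Kushilevitz-Ostrovsky single-bit scheme, not the talk's modified construction, whose adaptation to the index structure is not on the page. Tiny primes, the function names and the sample bit string are this example's assumptions.

```python
import random

# Constructed demo modulus: far too small for any real use, chosen for readability.
P, Q = 1000003, 1000033
N = P * Q


def legendre(a, p):
    """Legendre symbol (a|p) for an odd prime p via Euler's criterion:
    1 if a is a quadratic residue mod p, -1 if not, 0 if p divides a."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def is_qr_mod_n(a):
    """Client-only test (needs P and Q): a is a QR mod N iff it is a QR mod both primes."""
    return legendre(a, P) == 1 and legendre(a, Q) == 1


def random_element(want_qr, rng=random):
    """Sample an element with Jacobi symbol +1: either a true QR, or a
    pseudo-square (Legendre -1 modulo both primes). Without the factorisation
    the server cannot tell the two kinds apart (quadratic residuosity assumption)."""
    while True:
        y = rng.randrange(2, N)
        lp, lq = legendre(y, P), legendre(y, Q)
        if want_qr and lp == 1 and lq == 1:
            return y
        if not want_qr and lp == -1 and lq == -1:
            return y


def client_query(index, length, rng=random):
    """The qr/qnr vector: a QNR at the wanted position, QRs everywhere else."""
    return [random_element(want_qr=(j != index), rng=rng) for j in range(length)]


def server_answer(bits, vector):
    """v = product (mod N) of the vector entries at positions whose bit is 1.
    The server learns nothing about which position the client wants."""
    v = 1
    for bit, y in zip(bits, vector):
        if bit:
            v = v * y % N
    return v


def client_decode(v):
    """F^-1: a product of QRs is a QR; the single QNR factor is present iff
    the wanted bit is 1, which makes v a non-residue."""
    return 0 if is_qr_mod_n(v) else 1


def pir_retrieve(bits, index, rng=random):
    """One full round: query, server computation, client decode."""
    return client_decode(server_answer(bits, client_query(index, len(bits), rng)))


if __name__ == "__main__":
    index_bits = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed server-side index row
    print([pir_retrieve(index_bits, i) for i in range(len(index_bits))])
```

Retrieving a whole index entry means repeating the round per bit (or per block in the usual matrix layout); the slide's checksum step is what turns this into a completeness check on top of privacy, and is not shown here.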

Slide 20: pointer

- data outsourcing
- query completeness
- searching
- secure co-processor (this part)

Slide 21: e.g. IBM 4758 (4764) (figure not in the extracted text)

Slide 22: architecture overview (4758) (figure not in the extracted text)

Slide 23: trust propagation (4758) (figure not in the extracted text)

Slide 24: scpu: possible benefits

Diagram (labels recovered from the slide): a data management server with Server Storage holding the outsourced data (encrypted, item by item), a Host CPU, and a Secure Co-Processor with Secure Memory. The data client issues secure insert/update operations and arbitrary private queries; query and response between client and co-processor are encrypted.

A secure co-processor on the data management side may allow for significant leaps in expressivity for queries where privacy and completeness assurance are important.

Slide 25: scpu: searching with privacy

Diagram (labels recovered from the slide): a document server with Server Storage holding the outsourced documents (encrypted) and a search index, a Host CPU, and a Secure Co-Processor with Secure Memory. The data client issues conjunctive keyword search queries and secure insert/remove operations (which update the index); query and response are encrypted.

For conjunctive keyword searches on document (email, files) servers, oblivious search index structures could be queried in secure memory, achieving a novel zero-leak query model.

Slide 26: scpu: hash-join (with privacy)

Diagram (labels recovered from the slide): a database server with Server Storage holding the outsourced relations P and Q (encrypted), a Host CPU, and a Secure Co-Processor with Secure Memory holding the hash table H_P. The data client issues the private query P x Q; query and response are encrypted.

Hash-JOIN could be naturally accommodated.

Slide 27: scpu: merge-join (with privacy)

Diagram (labels recovered from the slide): a database server with Server Storage holding the outsourced relations P and Q (encrypted), a Host CPU, and a Secure Co-Processor with Secure Memory. The data client issues the private query P x Q; query and response are encrypted.

For Merge-JOIN, order-preserving encryption primitives could be deployed to minimize the amount of data parsing required in the sorting phase.
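The division of labour this slide proposes, as an added Python example (not the talk's code): the host sorts each relation by an order-preserving ciphertext without holding any key, and the secure co-processor then does a single linear merge, decrypting join attributes only inside secure memory. The OPE is a constructed toy (stride plus keyed noise) standing in for a real order-preserving primitive; relation contents, payload handling and function names are this example's assumptions. Runs of equal keys are handled so duplicates on either side yield every matching pair.

```python
import hashlib


def _stride(key: bytes) -> int:
    """Key-dependent stride, always larger than the 16-bit noise used below."""
    return (1 << 20) + int.from_bytes(hashlib.sha256(b"stride" + key).digest()[:2], "big")


def ope_encrypt(key: bytes, x: int) -> int:
    """Toy order-preserving encryption (constructed, not a secure scheme):
    x * stride plus 16-bit keyed noise, so plaintext order is preserved and
    equal plaintexts map to equal ciphertexts."""
    noise = int.from_bytes(hashlib.sha256(key + x.to_bytes(8, "big")).digest()[:2], "big")
    return x * _stride(key) + noise


def ope_decrypt(key: bytes, c: int) -> int:
    return c // _stride(key)


def encrypt_relation(key: bytes, rows):
    """Owner side: OPE-encrypt the join attribute. Payloads are left as opaque
    tokens in this demo (they would be conventionally encrypted)."""
    return [(ope_encrypt(key, k), payload) for k, payload in rows]


def host_sort(relation):
    """Host CPU: sorts by ciphertext only; it never sees the key or plaintexts."""
    return sorted(relation, key=lambda t: t[0])


def scpu_merge_join(key: bytes, p_sorted, q_sorted):
    """Secure co-processor: one pass over the two host-sorted streams, decrypting
    join attributes in secure memory and emitting (key, p_payload, q_payload)."""
    out, i, j = [], 0, 0
    while i < len(p_sorted) and j < len(q_sorted):
        a = ope_decrypt(key, p_sorted[i][0])
        b = ope_decrypt(key, q_sorted[j][0])
        if a < b:
            i += 1
        elif a > b:
            j += 1
        else:
            # extend over the run of equal keys on both sides (duplicates)
            i_end = i
            while i_end < len(p_sorted) and ope_decrypt(key, p_sorted[i_end][0]) == a:
                i_end += 1
            j_end = j
            while j_end < len(q_sorted) and ope_decrypt(key, q_sorted[j_end][0]) == a:
                j_end += 1
            for _, p_payload in p_sorted[i:i_end]:
                for _, q_payload in q_sorted[j:j_end]:
                    out.append((a, p_payload, q_payload))
            i, j = i_end, j_end
    return out


def run_demo():
    """Constructed relations: P has a duplicate key 2, Q has an unmatched key 5."""
    key = b"constructed-demo-key"
    P = [(3, "p3"), (1, "p1"), (2, "p2a"), (2, "p2b")]
    Q = [(2, "q2"), (3, "q3"), (5, "q5")]
    p_sorted = host_sort(encrypt_relation(key, P))
    q_sorted = host_sort(encrypt_relation(key, Q))
    return scpu_merge_join(key, p_sorted, q_sorted)


if __name__ == "__main__":
    print(run_demo())
```

The amount of ciphertext crossing the co-processor boundary is the two sorted streams once, which is the point of letting the host do the sort; the cost is that an order-preserving ciphertext exposes the order (and, with a deterministic scheme like this toy, equality) of the join attribute to the host.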

Slide 28: scpu: what about general semantics?

How do we approach the problem of arbitrary query expressivity with strong computational (at least) privacy?

Let's look at things we don't "believe" in.

Slide 29: sample "wouldn't do": SCPU=client proxy

Diagram (labels recovered from the slide), two layouts of a database server (Host CPU; Server Storage with the outsourced data):
- "client proxy": the data client's queries go to the Secure Co-Processor, which carries the crypto work and runs the "client-server" interaction against the host.
- without the proxy: client/server interaction goes directly to the host, with crypto work shown on the client side.

good idea? not so sure!

Slide 30: scpu: some things we are afraid to do

- Process entire queries on SCPU (!)
- Dedicate (one) SCPU per query or equivalent
  - e.g., limit TPS by SCPU TPS
- Synchronize CPU with SCPU
  - e.g., block main CPU until SCPU completes
- Transfer >= O(n) on SCPU-CPU bus (!)
- Anything else un-smart

Slide 31: selected related research (SCPU)

- Kenneth Goldman, Enriquillo Valdez, "Matchbox: Secure Data Sharing", IEEE Internet Computing 2004
- S. W. Smith, D. Safford, "Practical server privacy with secure coprocessors", IBM Systems Journal 2001
- J. Marchesini, S. W. Smith, "SHEMP: Secure Hardware Enhanced MyProxy", Technical Report TR2005-532, Department of Computer Science, Dartmouth College, February 2005
- A. Iliev, S. W. Smith, "Protecting Client Privacy with Trusted Computing at the Server", IEEE Security and Privacy, March/April 2005
- A. Iliev, S. W. Smith, "Private Information Storage with Logarithmic-space Secure Hardware", 3rd Working Conference on Privacy and Anonymity in Networked and Distributed Systems
- A. Iliev, S. W. Smith, "Prototyping an Armored Data Vault: Rights Management on Big Brother's Computer", Privacy-Enhancing Technology 2002
- E. Mykletun and G. Tsudik, "On using Secure Hardware in Outsourced Databases", International Workshop on Innovative Architecture for Future Generation High-Performance Processors and Systems, January 2005
- Related research at IBM TJ Watson (Bishwaranjan Bhattacharjee a.o.)

Slide 32: cat /proc/lunchtime

Thank You