Query Execution Assurance for Outsourced Databases
1.31 - 08/29/05, prepared for VLDB 2005
Radu Sion (sion@cs.stonybrook.edu)
http://www.cs.stonybrook.edu/~sion
Secure Systems Lab
Computer Sciences, Stony Brook University
Radu Sion, Securing Outsourced Data

outline
• data outsourcing
• query completeness
• searching
• secure co-processor

prepared for VLDB, 8/05
data outsourcing
[figure: the Data Client (Alice) sends a query batch Q1,…,Qb to the Data Server (Bob) through an Online Query Interface (1); the server evaluates them over the Outsourced Data and returns the results (Q1),…,(Qb) (2)]
client
• PDA
• personal email user
• file-client
server
• email server
• PostgreSQL
• file-server
data outsourcing: challenges
Untrusted server:
• lazy: incentives to perform less
• curious: incentives to acquire information
• malicious: denial of service, incorrect results, possibly compromised
Why is this hard?
• how?
• arbitrary expressivity
• overheads: network, computational costs
What do we do?
• query assurances
• full privacy: of queries (even encrypted), of access patterns
• data confidentiality
pointer
data outsourcing • query completeness • searching • secure co-processor
querying with completeness: why ?!
Client requires quantifiable assurances that query results are complete and correct, for arbitrary query types in the presence of a server that could be …
… lazy (we do this *here*)
… and/or fully malicious (!)
ringers
P. Golle and I. Mironov, "Uncheatable Distributed Computations", RSA 2001 (Cryptographers' Track)
[figure: without ringers, Alice sends Bob the inputs a1,…,an and f() (1) and Bob returns f(a1),…,f(an) (2); Alice has no way to tell whether a returned f(ai) was actually computed. With ringers, Alice sends b1,…,bn together with the image f(bx) of one input bx she chose (1); Bob returns f(b1),…,f(bn) and the index x' of the input he found mapping to f(bx) (2); Alice checks x' = x (3)]
query completeness proofs (lazy server)
[figure: the Data Owner (Alice) sends the query batch Q1,…,Qb together with a challenge token C(Q,x,·) to the Database Service Provider (Bob), whose Query Interface dispatches over the servers S1,…,Si,…,Ss holding the Data (1); Bob returns the results (Q1),…,(Qb) and x' (2); Alice checks x = x' (3)]
A challenge token (computed by client) is sent together with the batch of queries. Upon return, batch execution is proved by (x==x’).
secure query interface (SQi)
[figure: on the client side, the Data Client talks to the Secure Client (sqi.client.QueryClient) through an Extended JDBC Interface, with Security Controls and security events exposed alongside traditional JDBC; across the network, the Database Service Provider runs sqi.server.QueryServer, which talks to the DBMS over traditional JDBC]
SQi: client interface
[figure: sqi.client.QueryClient, facing the Data Client through a Legacy Query Interface and an Extended Query Interface, with Security Controls and security event / Event Callback Management; internal components: Fast Crypto, Privacy Manager, Security Logic / Execution Proofs, Query Pre-processor, Persistent Query Store, Transparent Query Batch Scheduler, Client Data Source Adapter (to server), Plugin Handler]
SQi: server
[figure: sqi.server.QueryServer, receiving into an Incoming Query Queue (from client); internal components: Security Logic / Execution Proofs, Query Post-processor, Privacy Manager Agent, Fast Crypto, Server Data Source Adapter to the Legacy Data Source, Plugin Handler]
success probability of cheating
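The challenge-token protocol of the completeness-proofs slide (batch plus token C(Q,x,·) out, results plus x' back, accept iff x = x') and the cheating probability this slide refers to, as an added toy in Python. This is not code from the slides, the paper or the SQi project, and all of its assumptions are mine: queries are plain key lookups on a dict; the client can evaluate its few ringer queries itself (for example from results precomputed when the data was outsourced); the token carries the digests of the ringer results; x' is the list of batch positions whose result digest the server matched against the token; and the probability that a server skipping m of n queries escapes k uniformly placed ringers is the hypergeometric term in p_undetected.

```python
"""Toy ringer-based execution proof for a batch of outsourced queries.

Added example, not code from the slides, the paper or the SQi project.
Assumptions (mine): key-lookup queries; the client can evaluate its ringer
queries locally; token = digests of ringer results; x' = positions the server
matched against the token.
"""
import hashlib
import random
from math import comb


def h(data: bytes) -> bytes:
    """Result digest; SHA-256 is an arbitrary choice for the toy."""
    return hashlib.sha256(data).digest()


def run_query(db: dict, q: str) -> bytes:
    """Toy query engine: the query string is a key, the result is its value."""
    return db.get(q, b"<no rows>")


class Client:
    """Data owner (Alice): hides k ringer queries in the batch."""

    def __init__(self, local_db: dict, n_ringers: int, rng: random.Random):
        self.local_db, self.n_ringers, self.rng = local_db, n_ringers, rng

    def prepare_batch(self, queries):
        # x: the secret ringer positions; the token only carries result digests
        self.x = sorted(self.rng.sample(range(len(queries)), self.n_ringers))
        token = [h(run_query(self.local_db, queries[i])) for i in self.x]
        self.rng.shuffle(token)  # do not leak position order through the token
        return list(queries), token

    def verify(self, x_prime) -> bool:
        """Accept the proof iff the server located exactly the ringers."""
        return sorted(x_prime) == self.x


def server(db: dict, queries, token, skipped=frozenset()):
    """Database service provider (Bob). Executes every query not in `skipped`
    (a lazy server fabricates the rest), then reports the positions whose
    result digest appears in the token; it cannot know those in advance."""
    results = [run_query(db, q) if i not in skipped else b"<no rows>"
               for i, q in enumerate(queries)]
    wanted = set(token)
    x_prime = [i for i, r in enumerate(results) if h(r) in wanted]
    return results, x_prime


def protocol_round(db, queries, n_ringers, skipped=frozenset(), seed=0) -> bool:
    """One batch round; True iff the client accepts the execution proof."""
    client = Client(db, n_ringers, random.Random(seed))
    batch, token = client.prepare_batch(queries)
    _results, x_prime = server(db, batch, token, skipped)
    return client.verify(x_prime)


def p_undetected(n: int, m: int, k: int) -> float:
    """Chance that skipping m of n queries goes unnoticed by k uniformly placed
    ringers: all k must land on the n-m executed queries (hypergeometric)."""
    if k > n - m:
        return 0.0
    return comb(n - m, k) / comb(n, k)


# Constructed sample data: the server holds the owner's table; every query has
# a distinct answer so result digests never collide in this toy.
DB = {f"q{i}": f"row-{i}".encode() for i in range(10)}
QUERIES = [f"q{i}" for i in range(10)]

if __name__ == "__main__":
    print("honest server accepted:", protocol_round(DB, QUERIES, 2))
    print("skipped everything accepted:",
          protocol_round(DB, QUERIES, 2, skipped=set(range(10))))
    trials = 500
    caught = sum(not protocol_round(DB, QUERIES, 2, skipped={0, 1, 2, 3, 4}, seed=s)
                 for s in range(trials))
    print(f"skip 5 of 10: detected in {caught / trials:.3f} of runs, "
          f"analytic {1 - p_undetected(10, 5, 2):.3f}")
```

A server that knows how many ringers to expect can stop executing as soon as it has matched them all; Golle and Mironov counter this by keeping the number of ringers unknown to the server, which is why a deployment would vary n_ringers from batch to batch rather than fix it.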
beyond laziness
• client-side result checking
• weaker assurances of a stronger type
• secure hardware (we'll see later)
• etc. ?
pointer
data outsourcing • query completeness • searching • secure co-processor
searching: fun for sure, but important?
Selected scenarios
• compromised server (e.g. network context)
• secure email server: do not allow sysadmin to read email
• secure networked file system: unable to deploy forensics (without data owner consent)
• secures (from commercial competition): company data, data access patterns
sample: "return all emails containing 'John' and 'lunch'"
searching: fun for sure, but important?!
Challenges
• result assurances: completeness, correctness
• confidentiality of data
• obliviousness: privacy of searches, no correlation leaks
• overheads: computational, network, storage constrained client
• dynamic (updates)
searching: helicopter overview
[figure: document server and data client. Keyword index over documents d1,…,d4 (d1: k1; d2: k2; d3: k1 k2; d4: k3 k4) with one polynomial per keyword, e.g. k1: (d1+x)(d3+x) mod p and k2: (d2+x)(d3+x) mod p, held in the server-side index structure (C, and its transformed form C~). Query {k1, k2} (1); the client issues the PIR query values qnr1, qr2, qr3, …, qrk and receives qr'1, qnr'2, qr'3, …, qr'k (2); computes the vi values from v'1,…,v'n (3); applies F^-1 (4); verifies checksums (5); retrieves d3 (6). Panels: Computational Privacy; Query Completeness]
Deploying a modified version of computational PIR targeted at a server-side indexing structure to achieve complete privacy.
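The per-keyword polynomials in the overview (k1: (d1+x)(d3+x) mod p, k2: (d2+x)(d3+x) mod p), built for an arbitrary corpus and used to answer a conjunctive query, as an added Python example; this is not code from the slides or the paper. Assumptions are mine: document ids are integers below a constructed prime p; "document d carries keyword k" is read as "-d is a root of k's polynomial", so membership costs one evaluation per keyword; the PIR retrieval of the index and the checksum verification of the figure are not modelled. The block generalizes the two-keyword instance on the slide to any number of keywords and documents.

```python
"""Per-keyword membership polynomials, prod (d + x) mod p, for a keyword
index, with a conjunctive query answered by root tests.

Added example, not code from the slides or the paper. Assumptions (mine):
integer document ids below p, p a constructed prime, membership = root of
the keyword polynomial at x = -d.
"""

P = 2**61 - 1  # constructed modulus (a Mersenne prime), chosen for the toy


def poly_mul(a, b, p=P):
    """Multiply two coefficient lists (lowest degree first) modulo p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out


def keyword_polynomial(doc_ids, p=P):
    """Coefficients of prod_{d in doc_ids} (d + x) mod p, lowest degree first."""
    poly = [1]
    for d in sorted(doc_ids):
        poly = poly_mul(poly, [d % p, 1], p)
    return poly


def poly_eval(coeffs, x, p=P):
    """Horner evaluation modulo p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def has_keyword(poly, d, p=P) -> bool:
    """(d + x) divides the polynomial iff it vanishes at x = -d."""
    return poly_eval(poly, (-d) % p, p) == 0


def build_index(corpus: dict, p=P) -> dict:
    """corpus: doc id -> set of keywords. Returns keyword -> polynomial."""
    by_keyword = {}
    for d, kws in corpus.items():
        for k in kws:
            by_keyword.setdefault(k, []).append(d)
    return {k: keyword_polynomial(ds, p) for k, ds in by_keyword.items()}


def conjunctive_search(index, doc_ids, keywords, p=P):
    """Documents whose negated id is a root of every queried keyword's polynomial."""
    polys = [index.get(k) for k in keywords]
    if any(poly is None for poly in polys):
        return []  # a keyword that occurs in no document empties the conjunction
    return sorted(d for d in doc_ids if all(has_keyword(q, d, p) for q in polys))


# Constructed corpus mirroring the slide: d1: k1, d2: k2, d3: k1 k2, d4: k3 k4
CORPUS = {1: {"k1"}, 2: {"k2"}, 3: {"k1", "k2"}, 4: {"k3", "k4"}}
INDEX = build_index(CORPUS)

if __name__ == "__main__":
    print("k1 polynomial, coefficients of (1+x)(3+x):", INDEX["k1"])
    print("query {k1, k2} retrieves:", conjunctive_search(INDEX, CORPUS, {"k1", "k2"}))
```

In the slide's scheme the coefficient lists are what the client would fetch from the server-side index through the modified PIR, after which every membership decision is a single local evaluation; no keyword-to-document mapping has to be enumerated in the clear.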
pointer
data outsourcing • query completeness • searching • secure co-processor
scpu: possible benefits
[figure: data management server with Server Storage holding the Outsourced Data (encrypted), a Host CPU, and a Secure Co-Processor with Secure Memory; the data client issues secure inserts/updates and arbitrary private queries; encrypted query and encrypted response pass through the Host CPU to the Secure Co-Processor, which processes the encrypted items]
A secure co-processor on the data management side may allow for significant
leaps in expressivity for queries where privacy and completeness assurance are important.
scpu: searching with privacy
[figure: document server with Outsourced Documents (encrypted) in Server Storage, a Host CPU, and a Secure Co-Processor whose Secure Memory holds the search index; the data client issues conjunctive keyword search queries (encrypted query / response) and secure insert/remove operations that update the index]
For conjunctive keyword searches on document (email, files) servers, oblivious search index
structures could be queried in secure memory achieving a novel zero-leak query model.
scpu: hash-join (with privacy)
[figure: database server with Outsourced Relations (encrypted) in Server Storage, a Host CPU, and a Secure Co-Processor with Secure Memory; the data client issues a private join query P x Q (encrypted query / response); figure labels: P, Q, HP]
Hash-JOIN could be naturally accommodated.
scpu: merge-join (with privacy)
[figure: same setup as the hash-join slide, with relations P and Q joined as P x Q]
For Merge-JOIN, order-preserving encryption primitives could be deployed to minimize the amount
of data parsing required in the sorting phase.
scpu: what about general semantics ?
How do we approach the problem of arbitrary query expressivity with strong computational (at least) privacy ?
Let's look at things we don't "believe" in …
sample "wouldn't do": SCPU=client proxy
[figure: left, the Secure Co-Processor on the database server acts as a "client proxy": it does the crypto work and carries out the "client-server" interaction with the Host CPU over the Outsourced Data, while the data client only submits queries. Right, for comparison, the setting without a proxy, where the data client does the crypto work itself in the client/server interaction with the Host CPU]
good idea ? not so sure !
scpu: some things we are afraid to do
• Process entire queries on SCPU (!)
• Dedicate (one) SCPU per query or equivalent, e.g., limit TPS by SCPU TPS
• Synchronize CPU with SCPU, e.g., block main CPU until SCPU completes
• Transfer >= O(n) on SCPU-CPU bus (!)
• Anything else un-smart
selected related research (SCPU)
Kenneth Goldman, Enriquillo Valdez, "Matchbox: Secure Data Sharing", IEEE Internet Computing 2004
S. W. Smith, D. Safford, "Practical server privacy with secure coprocessors", IBM Systems Journal 2001
J. Marchesini, S. W. Smith, "SHEMP: Secure Hardware Enhanced MyProxy", Technical Report TR2005-532, Department of Computer Science, Dartmouth College, February 2005
A. Iliev, S. W. Smith, "Protecting Client Privacy with Trusted Computing at the Server", IEEE Security and Privacy, March/April 2005
A. Iliev, S. W. Smith, "Private Information Storage with Logarithmic-space Secure Hardware", 3rd Working Conference on Privacy and Anonymity in Networked and Distributed Systems
A. Iliev, S. W. Smith, "Prototyping an Armored Data Vault: Rights Management on Big Brother's Computer", Privacy-Enhancing Technology 2002
E. Mykletun, G. Tsudik, "On using Secure Hardware in Outsourced Databases", International Workshop on Innovative Architecture for Future Generation High-Performance Processors and Systems, January 2005
Related research at IBM TJ Watson (Bishwaranjan Bhattacharjee a.o.)