Upload
gil
View
20
Download
0
Embed Size (px)
DESCRIPTION
AUTOCRYPT : Enabling Homomorphic Computation on Servers to Protect Sensitive Web Content. Shruti Tople Shweta Shinde , Zhaofeng Chen, Prateek Saxena National University of Singapore. Problem. Cloud providers offer various services. Leak data . Cloud Server . Sensitive Data. Goal. - PowerPoint PPT Presentation
Citation preview
1
AUTOCRYPT: Enabling Homomorphic Computation on Servers to Protect
Sensitive Web Content
Shruti Tople Shweta Shinde, Zhaofeng Chen, Prateek
SaxenaNational University of Singapore
2
Problem
• Cloud providers offer various services
Sensitive Data
Leak data
CloudServer
3
EncryptedData
Goal
Request
Output
Client
• Preserve confidentiality of user’s data• By encryption
• Allow benign functionalities on encrypted data
EncryptedOutput
4
Main Insight: Computing on Encrypted Data
• Partially Homomorphic Encryption Schemes
• Trusted APIs– To switch between encryption schemes
Search ElgamalPaillier
a = y + z
ans = a x a
==E+E XE
5
ch = getc(file);if (ch == '\n')lines++;if (ch == '\r' || ch == '\f') {if (linepos > linelength)linelength = linepos;linepos = 0;words++;}if (ch == '\t') {linepos += 8 - (linepos % 8);words++;}} write_counts (lines, words);
xE
+E
==E
Enabling Homomorphic Computation:An Example
Unix Word Count (wc)
RAM
Sensitive Input
6
Challenges
How to automatically transform applications that work on encrypted content ?
Can it be enabled on untrusted commodity cloud server?
Is such a solution practical in the real world ?
❶
❷
❸
7
Contributions
AutoCrypt‘C’ Program
AutoCryptedProgram
APIsAutoCryptedProgram
Statically Verified
Expressiveness Efficient Secure❸
❶
❷
8
Our Solution : AutoCrypt
9
AutoCrypt Architecture
‘C’Program F
AutoCryptedProgram
Source Annotations Encrypted
Output
AutoCrypt
cryptedInput
EncryptedInputEncrypted
Input
APIs
How AutoCrypt works?
‘C’ Program
Autocrypted Code
SSA
Transformation Type Inference
Information Flow Analysis
Untyped
IRAnnotated IR
Well Typed
IR
LLVM Pass
10
AutoCrypt
11
AutoCrypt’s Type System
Type checks ?
‘C’Program
YES NO
UnsafeConversion
Unsupported Operation
12
What are Unsafe Conversions ?
v = ch + 1;
If (v == ‘\n’){.... }
Unsafe Conversion
a = y + z
ans = a x a
Both need conversion between encryption schemes
Is it safe to convert arbitrarily ?
NO
Safe Conversion
Only 6 fixed conversion APIs are allowed
Do +1, +2and check
13
Security:Attackers knowledge set
14
Security Goal
‘C’Program F
AutoCryptedProgram
Source Annotations Encrypted
Output
AutoCrypt
EncryptedInput
Attacker’s Knowledge Set
Privacy Preserving Execution
15
ch = getc(file);if (ch == '\n')lines++;if (ch == '\r' || ch == '\f') {if (linepos > linelength)linelength = linepos;linepos = 0;words++;}if (ch == '\t') {linepos += 8 - (linepos % 8);words++;}write_counts (lines, words);
Unix Word Count (wc)
RAM
xE
+E
==E
Attackers Knowledge Set
Search Constants
Program Execution
Path
Leakage via Execution Path
16
Security Theorem
• Reduced Indistinquishability Modulo W
• Adversary is bound to use only W keywords
W = 12 / 256
W
Cannot Distinguish
Can Distinguish
∑ = 256
∑ - Wch == W
yes no
ch
17
Application of AutoCrypt:Protecting Data on Web Servers
Attacks on Web Server
SQL Injection
Memory Corruption
Command Injection
Server Misconfiguration
File Type Confusion Bugs
Web Server
19
Client-Server Architecture : Setup
Hardware
Trusted Hypervisor
Trusted APIs
Untrusted VM
Client
AutoCryptedProgram
“A”Encrypted
Data
20
Encrypted Output
Serving Requests
Hardware
Trusted Hypervisor
Trusted APIs
Untrusted VM
Client
EncryptedData
AutoCryptedProgram
“A”
Request : “A”
ResponsePlaintext
data +E
xE
21
Evaluation
22
Selecting Benchmarks
Selection Criteria :
Large scale
On real world applications
Which are complex enough
GNU CoreUtils
shred, truncate, sort, uniq, comm, od, wc, sum, cksum, fmt, old, pr , expand, unexpand, tr, cut, paste, join, base64, shuf, ptx, head, tail, split, csplit, cat, tac, nl,
Total 30 file-based programs
Out of total 11 categories, 8 file-based categories3 directory based
23
Additional Micro-benchmarks
File Utility
3 Custom Programs
Determines the MIME type of a file
Matrix Multiplication
EuclideanDistanceSquare
HammingDistance
Used in Previous Work
Image Transforms Face
Recognition
FaceRecognition
HFKV’12 HEKM’11
24
Expressiveness
• Successfully Transform – 25 CoreUtils– File Utility– 3 Custom Program
• AutoCrypt’s Rejected Program ( 5 )– Sort Order Preserving– uniq & comm Deterministic Encryption– od & cat –show-non-printing Unsafe Conversion
25
Reduction in Developer Effort
• 1% instructions are modified ( Total : 500 - 3000)
• 9-10 % variables are encrypted (Total: 300 - 2500)
• 7-8% constants are encrypted (Total: 10 – 150 )
• AutoCrypt automates all of the above– which is otherwise difficult to identify manually
26
Comparison to Previous Work
• Native Execution – Fast but not secure
• Circuit Encoding Schemes– Fully Homomorphic Encryption, Garbled Circuits– Secure but expensive for real applications
• Not fair to compare with them
27
Efficiency
• Commercial solutions to protect data
• “Download & Compute”
19 Execute Fasterby factor of 2 - 100 6 Execute slower by
factor of 2 - 6Out of 25
AutoCrypted programs
4.88 ms/KB
6 ms/KB
DownloadDecrypt
Compute
28
Conclusion
• Enabling homomorphic computation on untrusted server is a promising direction
• AutoCrypt automates this for the developer
Expressiveness
• GNU CoreUtils• Custom Programs• File Utility
Efficiency
• Vs Download & Compute
Secure
• New Reduced Indistinquishability
29
Thank You !Email : [email protected]