Citation Context

...fy a specific confidentiality policy: the code inside the SIR can perform arbitrary computations within the region, but it can only generate output data through an encrypted channel. We refer to this property as Information Release Confinement or IRC. This is a meaningful confidentiality policy because it guarantees that attackers can only observe encrypted data. We exclude covert channels and side channels (e.g., timing, power) from our threat model. Previous experience from building sensitive data analytics services using SIRs suggests that IRC is not unduly restrictive. For example, in VC3 [38], only map and reduce functions are hosted in SIRs; the rest of the Hadoop stack is untrusted. Both mappers and reducers follow a stylized idiom where they receive encrypted input from Hadoop’s untrusted communication layer, decrypt the input, process it, and send encrypted output back to Hadoop. No other interaction between these components and the untrusted Hadoop stack is required. Scalably verifying IRC is challenging, because we aim to have a verification procedure that can automatically certify machine code programs, without assuming the code to be type safe or memory safe; for example, ...

Citation Context

...nced cryptography or secure hardware. Although homomorphic encryption [12] may address our privacy concerns, it remains impractical for general processing of large ˚This is an extended version of the work to appear in the proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS 2015). :Work done at Microsoft Research. data, in particular when they involve complex, dynamic intermediate data. Conversely, limited trust assumptions on the cloud infrastructure may lead to efficient solutions, but their actual security guarantees are less clear. As a concrete example, VC3 [26] recently showed that, by relying on the new Intel SGX infrastructure [19] to protect local mapper and reducer processing, one can adapt the popular Hadoop framework [2] and achieve strong integrity and confidentiality for large MapReduce tasks with a small performance overhead. All data is systematically AES-GCM-encrypted, except when processed within hardware-protected, remotely-attested enclaves that include just the code for mapping and reducing data, whereas the rest of the Hadoop distributed infrastructure need not be trusted. They report an average 4% performance overhead for typical Ma...

Citation Context

...ed module’s state can never be rolled back to a previous, stale state, (2) once a module accepted input, it must either (eventually) finish its execution or never advance at all and (3) unexpected loss of power at any moment in time should never result in a system that cannot be resumed after reboot. State continuity solutions must take the platform specifications and use case at hand into account. Existing solutions [32,46] rely on an uninterruptible power source (UPS) or risk wearing out non-volatile memory. Such approaches are acceptable in higher-end applications (e.g., in a cloud setting [7, 40]). On other platforms [35, 36] a UPS may not be available on commercial off-the-shelf (COTS) devices and may lead to significant increases in the bill-of-materials (BOM). In such cases wear and tear on non-volatile memory must be minimized to increase longevity of the device. We present a proven-secure solution to state-continuity and show that it can be applied on a large range of platforms. More specifically, we make following contributions: • We present Ariadne, a solution to the statecontinuity problem that achieves the mathematical lower-bound of only a single bit flip per state update. •...