DOCSLIB.ORG

“A Novel Architecture for Secure Database Processing in Cloud

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
“A Novel Architecture for Secure Database Processing in Cloud Abstract of thesis entitled “A Novel Architecture for Secure Database Processing in Cloud Computing” submitted by Hung-Kwan Chen for the degree of Joint Doctor of Philosophy at The University of Hong Kong and Imperial College London in October 2016 Security, particularly data privacy, is one of the biggest barriers to the adop- tion of Database-as-a-Service (DBaaS) in Cloud Computing. Recent security breaches demonstrate that a more powerful protection mechanism is needed to protect data confidentiality from any honest-but-curious administrator. Typi- cal prior effort on addressing this security problem is either prohibitively slow or highly restrictive in operation. In this thesis, a novel cloud system architecture CypherDB, which makes use of a secure processor, is proposed to protect the confidentiality of out- sourced database processing. To achieve this, a framework is developed to use these secure processors in the cloud for secure database processing. This framework allows distributed and parallel processing of the encrypted data and exhibits virtualization features in Cloud Computing. The CypherDB ar- chitecture also relies on two major components to protect the privacy of an outsourced database against any honest-but-curious administrator of high per- formance. Firstly, a novel database encryption scheme is developed to protect the out- sourced database which can be executed under a CypherDB secure processor with high performance. Our proposed scheme makes use of custom instructions to hide the encryption latency from the program execution. This scheme is extensively validated through an integration with SQLite, a practical database application program. Secondly, a novel secure processor architecture is also developed to pro- vide architectural support to our proposed database encryption scheme and efficient protection mechanism to secure all intermediate data generated on- the-fly during query execution. The efficiency, robustness and the cost of our novel processor architecture are validated and evaluated through extensive simulations and implementation on a FPGA platform. A fully-functional Field-Programmable Gate Array (FPGA) implementa- tion of our CypherDB secure processor and simulation studies demonstrate that our proposed architecture is cost-effective and of high performance. Our experiment of running the TPC-H database benchmark on SQLite demon- strates 10 to 14 percent performance overhead on average. The security com- ponents in CypherDB consume about 21K Logic Elements and 54 Block RAMs on the FPGA. The modification of SQLite only consists of 208 lines of code (LOC). An abstract of exactly 331 words A Novel Architecture for Secure Database Processing in Cloud Computing by Hung-Kwan Chen B.Eng., The University of Hong Kong, 2011 A thesis submitted in partial fulfilment of the requirements for the Degree of Joint Doctor of Philosophy at The University of Hong Kong and Imperial College London. October 2016 Declarations Declaration of Originality I hereby declare that this thesis represents my own work, except where due acknowledgement is made, and that it has not been previously included in a thesis, dissertation or report submitted to these universities or to any other institution for a degree diploma or other qualifications. Declaration of Copyright The copyright of this thesis rests with the author and is made available un- der a Creative Commons Attribution Non-Commercial No Derivatives licence. Researchers are free to copy, distribute or transmit the thesis on the condition that they attribute it, that they do not use it for commercial purposes and that they do not alter, transform or build upon it. For any reuse or redistribution, researchers must make clear to others the licence terms of this work I Dedication To my dearest parents, brothers and my love. II Acknowledgements I would like to express my sincerest gratitude to my supervisors, Prof. Paul Cheung, Prof. Peter Cheung and Prof. Ricky Kwok, without whom the work described in this thesis would not have been possible. I still remember the first day I met Prof. Paul Cheung for my final year project during my undergradu- ate study and to now the completion of my PhD. He has given me substantial support and guidance throughout my university study. I also have to thank him for the introduction of this joint PhD degree with Imperial College Lon- don that provided me a chance to meet Prof. Peter Cheung, his twin brother, who is also my primary supervisor at ICL. Prof. Peter Cheung is as supportive and encouraging as Prof. Paul Cheung. I will never forget how Prof. Peter Cheung helped me to write the academic paper by reading it word-by-word and taught me how to write it in a better way. It is my greatest honour to be a student (probably the only student) co-supervised by Prof. Paul Cheung and Prof. Peter Cheung. I would also like to thank Prof. Ricky Kwok who is my secondary supervisor at HKU. I deeply appreciate his attitude, insightful thought and guidance, his sharing and also caring in relation to my study. This thesis could not be completed without his continuous stimulation of my research. I would like to thank my examiners Prof. Simon Moore, Dr. David Thomas and Prof. Cho-Li Wang for their useful comments and suggestions that helped to improve my thesis. I also have to thank CAS group at ICL and my student colleagues at HKU. It was definitely a great pleasure to have met a group of talents who worked intelligently, discussed critically and played hard with me throughout my PhD life. Special thanks to Justin Wong, Jungyi Liu, Hilda Xue, Shuanglong Liu, Guangwei Chen, Aryan Tavakkoli, James Davis, Edward Stott, Joshua Levine and James Mardell at ICL for their time spent with me in the laboratory III and at Holland Club/H-bar for pints of beer; and Ho-Cheung Ng, Junqi Deng and Sam Ho for the discussion of various academic or non-academic aspects at HKU. I would like to thank the landlady Gillie Gratham who provided enormous support to my living in London and also Raul, Hassan, Aizar, Ben for chatting, partying and cooking during my life in the UK. To my friends Gary Chan, Tony Cheng, Leslie Pang, June-Limb Wong, Henry Yip and Jeffrey Wong, I am grateful to have had their support, encour- agement, and blessing over all these years. Last but not least, I would like to thank my beloved parents and broth- ers for their unconditional love and support during these years which let me pursue my own career path and chase my dream. Most importantly, I am most grateful to my girlfriend, Yoki, for her love and support for my studies and her encouragement to keep me moving forward whenever I was tired and frustrated. IV Contents Declarations I Dedication II Acknowledgements III List of Figures XI List of Tables XVIII List of Acronyms XX 1 Introduction 1 1.1 Database-as-a-Service . 4 1.2 ThreatModel ............................ 5 1.3 ResearchObjectives. 6 1.4 Contributions . 7 1.5 List of Publications . 9 1.6 Organization of the Thesis . 9 2 Background 11 2.1 Database-as-a-Service . 11 2.1.1 Deployment Model . 12 2.1.2 Relational Data Model . 12 2.1.3 Database Three Schema Concept . 13 2.1.4 Database Query . 14 V 2.1.5 Distributed Database . 15 2.2 Processor Architecture . 19 2.2.1 Memory Addressing Model . 19 2.2.2 ISA architecture . 21 2.2.3 Architectural Model . 22 2.3 Cryptography: Encryption . 24 2.3.1 Symmetric-key Cryptography . 24 2.3.2 Public-key Cryptography . 25 2.3.3 Digital Signature . 26 3 Literature Review 29 3.1 Homomorphic Encryption . 30 3.1.1 Fully homomorphic encryption . 30 3.1.2 Partially homomorphic encryption . 31 3.2 Commercially Available Architecture . 32 3.2.1 Secure Co-Processor . 33 3.2.2 Trusted Platforms . 35 3.3 Academically Proposed Architecture . 36 3.3.1 Secure Processor . 37 3.3.2 Secure Hypervisor . 40 3.3.3 Data-Centric Security . 41 3.4 Chapter Summary . 42 4 CypherDB System Overview 45 4.1 GeneralOverview.......................... 45 4.1.1 Application Scenario . 46 4.2 Architectural Model of a Secure Server/Node . 49 4.2.1 On-Chip Encryption Key Exchange . 49 4.2.2 On-Chip Computations on the Encrypted Data . 50 4.3 Attestation ............................. 51 VI 4.3.1 Secure Processor Attestation . 51 4.3.2 Query Key Attestation . 52 4.4 Execution Flow . 53 4.5 Database Virtualization . 55 5 Proposed Encryption Mechanism 57 5.1 Block-Cipher Encryption . 57 5.2 Look-Ahead Encryption Scheme . 60 5.2.1 Performance Impact . 62 5.2.2 Discussion . 63 5.3 Database Encryption . 64 5.3.1 Attribute Encryption . 64 5.3.2 Attribute Encryption Seed . 64 5.3.3 Query Output Protection . 66 5.3.4 Index Protection . 66 5.3.5 An Illustrative Example . 67 5.3.6 Remote Database Modification . 68 5.4 Security Analysis . 70 6 Processor Architecture 72 6.1 Database Profiling . 72 6.2 Architectural Overview . 75 6.2.1 Private Key Registers . 77 6.2.2 New Security Instructions . 78 6.3 Virtual to Physical Memory Mapping . 80 6.4 DataProtection........................... 82 6.4.1 DBPage Seed Buffer .................... 82 6.5 Execution Protection . 86 6.5.1 Cache Line Encryption . 86 6.5.2 SMC Execution Setup . 89 VII 6.5.3 SMC Seed Buffer...................... 91 6.6 Query Execution Example . 94 6.7 Discussion . 96 6.7.1 SMC Allocation . 96 6.7.2 Comparison with Alternative Approaches . 97 6.7.3 Extension on Speculative OoO multicore processor . 99 6.8 Security Analysis . 101 7 Implementation 103 7.1 Overview............................... 103 7.1.1 Impact on the Processor Pipeline .
Load more

Recommended publications
  • Rapid Adoption of Cloud Data Warehouse Technology Using Datometry Hyper-Q
    Technical White Paper Copyright (C) 2019 Datometry Inc. Rapid Adoption of Cloud Data Warehouse Technology Using Datometry Hyper-Q L. Antova, D. Bryant, T. Cao, M. Duller, M. A. Soliman, F. M. Waas Datometry Inc. 300 Brannan St #610, San Francisco, CA 94107, U.S.A. www.datometry.com ABSTRACT query or manipulate data freely, yet shield them from the The database industry is about to undergo a fundamen- burden and headaches of having to maintain and operate tal transformation of unprecedented magnitude as enter- their own database. prises start trading their well-established database stacks The prospect of this new paradigm of data management for cloud-native database technology in order to take ad- is extremely powerful and well-received by IT departments vantage of the economics cloud service providers promise. across all industries [2]. However, it comes with signifi- Industry experts and analysts expect 2017 to become the cant adoption challenges. Through applications that de- watershed moment in this transformation as cloud-native pend on the specific databases they were originally written databases finally reached critical mass and maturity. Enter- for, database technology has over time established some of prises eager to move to the cloud face a significant dilemma: the strongest vendor lock-in in all of IT. Moving to a cloud- moving the content of their databases to the cloud is rela- native database requires adjusting or even rewriting of ex- tively easy. However making existing applications work with isting applications and migrations may take up to several new database platforms is an enormously costly undertaking years, cost millions, and are heavily fraught with risk.
    [Show full text]
  • Cloud Query Language for Cloud Databases
    Proc. of the Intl. Conf. on Recent Trends In Computing and Communication Engineering -- RTCCE 2013 Copyright © Institute of Research Engineers and Doctors. All rights reserved. ISBN: 978-981-07-6184-4 doi:10.3850/ 978-981-07-6184-4_24 Cloud Query Language for Cloud Databases Mansaf Alam and Bashir Alam Abstract- This paper deals with the cloud query language increases support costs. Shared-disk databases cleanly for manipulating the cloud data. The cloud definition and separate the functions of the DBA and the application cloud data manipulation language are proposed as developer, which is ideal for cloud databases. A globally component of cloud query language. This paper is also focus robust method has been developed for retrieving cloud on retrieval and manipulation cloud data dispersed on properties from high-resolution imager data during day different data centre. and night, Patrick Minnis et. al. [5]. A break in the clouds: towards a cloud definition, L. Vaquero et. al.[8],discusses Keyword- Cloud Database, Engine, Retrieval, Manipulation, the concept of Cloud Computing to achieve a complete Cloud Query definition of what a Cloud is, using the main characteristics typically associated with this paradigm in I. Introduction the literature. Gook-Pil Roh et. al.[12] support new types of queries that search for matching trajectory patterns in a The cloud database management system is emerging right database. While such pattern matching queries have been now. The cloud query will be used in cloud database successfully adopted for querying time series data, management system. The data are spread over the Qiujing Lia, et. al.[14] proposes the concept of network as a cloud.
    [Show full text]
  • Best Practices for Database Consolidation
    Best Practices for Database Consolidation A Guide for Implementation Including MAA Reference Architectures July, 2020 | Version [3.0] Copyright © 2020, Oracle and/or its affiliates Public DISCLAIMER This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. Your access to and use of this confidential material is subject to the terms and conditions of your Oracle software license and service agreement, which has been executed and with which you agree to comply. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates. This document is for informational purposes only and is intended solely to assist you in planning for the implementation and upgrade of the product features described. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. Due to the nature of the product architecture, it may not be possible to safely include all features described in this document without risking significant destabilization of the code. 2 White Paper | MAA – Best Practices for Oracle Database Consolidation |
    [Show full text]
  • Shared-Nothing Vs. Shared-Disk Cloud Database Architecture
    International Journal of Energy, Information and Communications Vol. 2, Issue 4, November, 2011 Shared-Nothing vs. Shared-Disk Cloud Database Architecture Sunguk Lee Research Institute of Industrial Science and Technology Pohang,Korea [email protected] Abstract The cloud computing is the new promising computing system. It is evident that storage plays a major part in the data center and for cloud services. The storage virtualization plays a key part in the dynamic infrastructure attribute of Cloud Computing. Which means the storage is provisioned and de-allocated on demand and usage needs. The cloud protocol, architecture, implementation and services specifications are still in its immature stage. One of these specifications is the database architecture that is being used. There are two database architecture, the shared-disk and the shared-nothing. The primary database architectures, shared-disk and shared-nothing, each have their advantages. In this paper we discussed the characteristic, advantages and disadvantages of both database architectures for cloud computing. Keywords: Cloud computing, shared-disk, shared-nothing, database 1. Introduction Currently Cloud platforms have very little support for database design related virtualization enhancements. But in future designing databases specific for Cloud especially for private clouds in large enterprises is a sure possibility. In this context the following design principles are important when you design database applications which need to be delivered using Cloud platform [2]. It is evident that storage plays a major part in the data center and for cloud services. The storage virtualization plays a key part in the dynamic infrastructure attribute of Cloud Computing. Which means the storage is provisioned and de-allocated on demand and usage needs.
    [Show full text]
  • Web-Scale Data Management for the Cloud Web-Scale Data Management for the Cloud
    Wolfgang Lehner Kai-Uwe Sattler Web-Scale Data Management for the Cloud Web-Scale Data Management for the Cloud Wolfgang Lehner • Kai-Uwe Sattler Web-Scale Data Management for the Cloud 123 Wolfgang Lehner Kai-Uwe Sattler Dresden University of Technology Ilmenau University of Technology Dresden, Germany Ilmenau, Germany ISBN 978-1-4614-6855-4 ISBN 978-1-4614-6856-1 (eBook) DOI 10.1007/978-1-4614-6856-1 Springer New York Heidelberg Dordrecht London Library of Congress Control Number: 2013932864 © Springer Science+Business Media New York 2013 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law. The use of general descriptive names, registered names, trademarks, service marks, etc.
    [Show full text]
  • Deploy a Fast and Secure Database Architecture: Oracle Optimized Solution for Secure Oracle Database
    Deploy a Fast and Secure Database Architecture: Oracle Optimized Solution for Secure Oracle Database ORACLE WHITE PAPER | MARCH 2016 Table of Contents Introduction 1 Oracle Optimized Solution for Secure Oracle Database 2 Oracle Infrastructure Choices for Oracle Database 3 Benefits of Deploying Oracle Optimized Solution for Secure Oracle Database 4 Pretested Solutions for Faster Deployment, Greater Security, Less Risk 4 Virtualized Architecture for Efficient and Secure Database Consolidation 4 Validated and Flexible Configurations 6 Oracle-Only Optimizations: An Overview 7 Oracle Optimized Solution Choices and Flexibility 8 A New Generation of SPARC Processors and Servers 9 Optimizing Oracle Database Deployments 10 Optimizing for Performance and Throughput 11 Oracle Database In-Memory Option 12 Accelerating Analytics in Mixed Workloads: An Example 14 Optimizing for Security 19 Optimizing for Availability 23 Oracle Best Practices for Highly Available Databases 25 Conclusion 27 Appendix A: Key Solution Components and Technologies 28 Oracle’s SPARC M7 Processor–Based Servers 28 Oracle Solaris 30 Virtualization Technologies 31 Oracle NAS and SAN Storage Options 33 DEPLOY A FAST AND SECURE DATABASE ARCHITECTURE: ORACLE OPTIMIZED SOLUTION FOR SECURE ORACLE DATABASE I/O Connectivity and Networking 36 System and Database Management 38 References 40 DEPLOY A FAST AND SECURE DATABASE ARCHITECTURE: ORACLE OPTIMIZED SOLUTION FOR SECURE ORACLE DATABASE Introduction Increasingly companies are turning to their database investments to analyze complex business problems and inform strategic business decisions. Initiatives such as cloud delivery and big data are fueling efforts to consolidate and leverage existing database assets. Analytics are becoming progressively entwined with Oracle Database applications that require traditional transaction processing, blurring the lines between online transaction processing (OLTP) systems and data warehousing solutions.
    [Show full text]
  • U Niversal I Ntegration a Rchitecture for H
    U NIVERSAL I NTEGRATION A RCHITECTURE FOR H ETEROGENEOUS D ATASOURCES AND O PTIMISATION M ETHODS UNIWERSALNA ARCHITEKTURA INTEGRACYJNA DLA HETEROGENICZNYCH ZRÓDEŁ´ DANYCH I METOD OPTYMALIZACJI THIS DISSERTATION IS SUBMITTED FOR THE DEGREE OF Doctor of Philosophy BY MICHAŁ CHROMIAK FACULTY OF MATHEMATICS, PHYSICS AND COMPUTER SCIENCE, Maria Curie-Skłodowska University, Lublin ADVISOR: prof. dr hab. Krzysztof Stencel INSTITUTEOF FUNDAMENTAL TECHNOLOGICAL RESEARCH, POLISH ACADEMYOF SCIENCES WARSAW 2015 Table of Contents Page LISTINGS ............................................... 5 LISTOF FIGURES ........................................... 6 LISTOF TABLES ........................................... 8 ABSTRACT .............................................. 9 CHAPTER 1. INTRODUCTION ................................... 19 1.1 Motivation . 19 1.2 Considerations, Objectives and the Thesis . 20 1.3 History and Related Work . 22 1.4 Thesis Outline . 23 CHAPTER 2. THE STATE OF THE ART AND THE RELATED WORKS . 25 2.1 Integrity - the Philosophy of Integration . 25 2.2 Integration - Cure for Chaos of Multiplicity, General Considerations . 27 2.2.1 At the beginning there was a relation . 28 2.2.2 Revolution - the Web changes everything ................... 30 2.2.3 Integration - Principia and Taxonomy . 35 2.2.4 Data Integration Practices . 38 2.2.5 Integration Theory . 42 2.2.6 Data Integration Issues . 47 2.3 Data Stores - the Integration Targets . 51 2.3.1 Database modelling - persistence . 51 2.3.2 Relational Model . 51 2.3.3 Object-oriented Database Model . 55 2.3.4 Column-oriented Relational Database Model (CORDB) – Relational Ap- proach . 56 2.3.5 NoSQL – Distributed Storage Services . 57 2.3.6 NewSQL . 63 2.3.7 Big Data - all or nothing . 66 2.3.8 After SQL Era . 68 2.3.9 Database taxonomy .
    [Show full text]
  • 6660 Database Design and Management (Oracle)
    Database Design and Management (Oracle) 6660 36 weeks Table of Contents Acknowledgments ......................................................................................................................................... 2 Course Description ........................................................................................................................................ 3 Task Essentials Table .................................................................................................................................... 3 Curriculum Framework ............................................................................................................................... 10 Exploring Database Technologies .............................................................................................................. 10 Identifying Business Requirements ............................................................................................................ 15 Examining Entity-Relationship Basics ....................................................................................................... 18 Applying Design Concepts to Database Models ......................................................................................... 21 Transitioning from Design Concepts to Database Management ................................................................. 27 Writing Structured Query Language (SQL) Statements ............................................................................. 30 Restricting and Sorting Data Using
    [Show full text]
  • Virtual Database Technology for Distributed Database in Ubiquitous Computing Environment
    American Journal of Database Theory and Application 2012, 1(2): 13-25 DOI: 10.5923/j.database.20120102.02 Virtual Database Technology for Distributed Database in Ubiquitous Computing Environment Yuji Wada1,*, Yuta Watanabe 1, Keisuke Syoubu1, Hiroshi Miida1, Jun Sawamoto2 1Department of Information Environment, Tokyo Denki University, Inzai, Chiba, 247-1382, Japan 2Faculty of Software and Information Science, Iwate Prefectural University, Takizawa, Iwate, 020-0193, Japan Abstract In this paper, our research objective is to develop a database virtualization technique in order to let data analysts or other users who apply data mining methods to their jobs use all ubiquitous databases on the Internet as if they were recognized as a single database, thereby helping to reduce their workloads such as data collection from the Internet databases and data cleansing works. In this study, firstly we examine XML schema advantages and propose a database virtualization method by which such ubiquitous databases as relational databases, object-oriented databases, and XML databases are accessed as if they all behave as a single database. Then, we show the method of virtualization of ubiquitous databas es that can describe ubiquitous database schema in a unified fashion using the XML schema. It consists of a high-level concept of distributed database management of the same type and of different types, and also of a location transparency feature. Ne xt , we discuss about the development of a common schema generation method and propose the virtual database query language for use in the virtualized ubiquitous database environment. Finally, we propose a database incompatibility trouble-recovery technique for use in a virtualized ubiquitous database environment.
    [Show full text]