LibSEAL: Revealing Service Integrity Violations Using Trusted Execution Pierre-Louis Aublin, Florian Kelbert, Dan Robert Krahn, Christof Fetzer O’Keeffe, Divya Muthukumaran, Christian TU Dresden Priebe, Joshua Lind Imperial College London David Eyers Peter Pietzuch University of Otago Imperial College London ABSTRACT 1 INTRODUCTION Users of online services such as messaging, code hosting and collab- Today, users rely on the correct operation of many Internet ser- orative document editing expect the services to uphold the integrity vices: they expect Dropbox [32] and Google Drive [46] to store of their data. Despite providers’ best efforts, data corruption still their files reliably; GitHub [40] to accurately record the commit occurs, but at present service integrity violations are excluded from histories of repositories; and Google Docs [45], Office 365 [70] and SLAs. For providers to include such violations as part of SLAs, the ownCloud [79] to preserve the integrity of shared documents. Ser- competing requirements of clients and providers must be satisfied. vice providers are not immune to data loss or corruption (e.g. both Clients need the ability to independently identify and prove ser- Dropbox and Gmail have lost data in the past [35, 44]) but the terms vice integrity violations to claim compensation. At the same time, and conditions for best-effort services typically absolve them of providers must be able to refute spurious claims. any legal liability [33, 41, 47]. When services fail, it is challenging We describe LibSEAL, a SEcure Audit Library for Internet ser- for users to uncover these failures and receive compensation. vices that creates a non-repudiable audit log of service operations Instead, when users require assurances of higher integrity from and checks invariants to discover violations of service integrity. services, there is a business opportunity for providers to offer pre- LibSEAL is a drop-in replacement for TLS libraries used by services, mium integrity-assured services with stronger service level agree- and thus observes and logs all service requests and responses. It runs ments (SLAs), e.g. offering compensation if integrity violations inside a trusted execution environment, such as Intel SGX, to protect occur. However, users must obtain independent indisputable proof the integrity of the audit log. Logs are stored using an embedded of integrity violations, which is hard. At the same time, malicious relational database, permitting service invariant violations to be users must be prevented from fabricating evidence to slander the discovered using simple SQL queries. We evaluate LibSEAL with provider’s reputation. three popular online services (Git, ownCloud and Dropbox) and Our goal is to help users discover service integrity violations, demonstrate that it is effective in discovering integrity violations, such as incorrect processing or data loss, for integrity-assured ser- while reducing throughput by at most 14%. vices and demonstrate unequivocally that a violation has taken place. We achieve this goal by creating a trusted, non-repudiable CCS CONCEPTS audit log of user operations and their service responses over time, which constitutes a ground truth for dispute resolution. In the case • Security and privacy → Distributed systems security; of Dropbox [32], for example, the audit log could include the hashes of all files uploaded by a user. Violations of service integrity can ACM Reference Format: Pierre-Louis Aublin, Florian Kelbert, Dan O’Keeffe, Divya Muthukumaran, then be detected as invariant violations over the audit log. For Drop- Christian Priebe, Joshua Lind, Robert Krahn, Christof Fetzer, David Eyers, box, this could be the failure to retrieve a file that was uploaded and Peter Pietzuch. 2018. LibSEAL: Revealing Service Integrity Violations but not subsequently deleted. Using Trusted Execution. In EuroSys ’18: Thirteenth EuroSys Conference A secure auditing solution must satisfy multiple requirements in 2018, April 23–26, 2018, Porto, Portugal. ACM, New York, NY, USA, 15 pages. order to be adopted in practice: it must (a) be flexible and expressive https://doi.org/10.1145/3190508.3190547 to support a wide range of Internet services and service-specific integrity invariants; (b) be easily deployable with existing Internet services and avoid third-party dependencies that affect its scalability Permission to make digital or hard copies of all or part of this work for personal or or availability; (c) protect the audit log and sensitive data handled classroom use is granted without fee provided that copies are not made or distributed by the service; and (d) incur low performance overhead. for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM We describe LibSEAL, a SEcure Audit Library for Internet must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, services that creates a non-repudiable log of information about to post on servers or to redistribute to lists, requires prior specific permission and/or a service requests and responses. It then checks invariants over the fee. Request permissions from [email protected]. EuroSys ’18, April 23–26, 2018, Porto, Portugal log to discover service integrity violations. LibSEAL makes the © 2018 Association for Computing Machinery. following contributions: ACM ISBN 978-1-4503-5584-1/18/04...$15.00 https://doi.org/10.1145/3190508.3190547 P.-L. Aublin, F. Kelbert, D. O’Keeffe, D. Muthukumaran, C. Priebe, EuroSys ’18, April 23–26, 2018, Porto, Portugal J. Lind, R. Krahn, C. Fetzer, D. Eyers and P. Pietzuch (i) Auditing using trusted execution. LibSEAL executes as part 2 INTEGRITY OF INTERNET SERVICES of a provider’s infrastructure to avoid third-party dependencies. It Next we motivate the problem of integrity violations in Internet uses a trusted execution environment (TEE), such as Intel SGX [56], services (§2.1) and describe different application scenarios (§2.2). to protect the audit log integrity and shield itself from tampering. We further introduce our threat model (§2.3), survey the space of LibSEAL observes all service requests and responses, by acting as existing solutions (§2.4) and give background on trusted execution a termination endpoint for transport layer security (TLS) [29] con- environments (§2.5). nections to the service. Using the TEE’s cryptographic capabilities, the audit log is stored securely on persistent storage. The TEE also 2.1 Violations of service integrity protects invariant checks over the audit log issued by clients. Users of Internet services expect them to uphold service integrity. (ii) Efficient TLS support within the TEE. The performance of We define service integrity to be the correctness of the state of LibSEAL depends on how efficiently it handles TLS connections the service with respect to its public API, taking into account all inside the TEE. LibSEAL uses an existing TLS implementation (Li- user interactions. For example, GitLab [42] and Dropbox [32] are breSSL [77]) and, for performance reasons, executes non-sensitive expected to maintain correct histories and versions of all files; parts outside the TEE. It uses shadow pointers to permit untrusted collaborative document services such as Google Docs [45] and code to refer to protected TLS data structures without compromis- ownCloud [79] must offer consistent views across documents, even ing security. It avoids expensive TEE code transitions by relying on under concurrent edits by multiple users; and messaging services user-level threading inside the TEE and implementing asynchronous such as Slack [94] and XMPP [112] should deliver messages without calls to and from the TEE. The above techniques do not change the modification and should not drop them. TLS API, allowing LibSEAL to provide a transparent replacement Service providers cannot avoid data loss and corruption alto- for existing TLS libraries. gether: in February 2017, GitLab lost several hours’ worth of user (iii) Relational audit log and invariant queries. Even though repository data, including merge requests and code snippets [91]; the information logged and the invariants checked are service- in October 2014, Dropbox admitted to a bug that caused thou- specific, LibSEAL is easy to apply to new services. It uses a relational sands of files to be deleted [35]; in February 2011 and January 2014, log format with a service-specific schema. Small service-specific Gmail [44] lost the emails of thousands of users [52, 111]; and, in modules parse requests and responses and log information. The log August 2014, Microsoft’s OneDrive service corrupted stored Excel is stored using an embedded database [96] running inside the TEE. spreadsheet files [71]. LibSEAL persists the log to avoid data loss and protect its integrity Since many Internet services offer a free best-effort service, their and regularly prunes old superfluous log entries. terms and conditions exclude liability under violations of service Invariants are written as standard SQL queries and clients can integrity. A survey reports that ‘providers not only avoided giving trigger invariant checks by including a special header field as part undertakings in respect of data integrity but actually disclaimed of HTTP requests. A web browser plug-in receives the results and liability for it’ [16]. Dropbox’ terms state that ‘to the fullest extent alerts users of invariant violations. For example, the following