2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) SeGShare: Secure Group File Sharing in the Cloud using Enclaves Benny Fuhry Lina Hirschoff Samuel Koesnadi Florian Kerschbaum SAP Security Research SAP Security Research SAP Security Research University of Waterloo Karlsruhe, Germany Karlsruhe, Germany Karlsruhe, Germany Waterloo, Canada Abstract—File sharing applications using cloud storage are in- ness. Based on these schemes, cryptographically protected file creasingly popular for personal and business use. Due to data pro- sharing systems were proposed [10], [16], [19]–[22]. The main tection concerns, end-to-end encryption is often a desired feature drawback of such systems is that users gain plaintext access of these applications. Many attempts at designing cryptographic solutions fail to be adopted due to missing relevant features. We to the file key. To achieve immediate permission revocation, present SeGShare, a new architecture for end-to-end encrypted, it is necessary to re-encrypt the corresponding file with a new group-based file sharing using trusted execution environments key. Depending on the scheme, this involves expensive cryp- (TEE), e.g., Intel SGX. SeGShare is the first solution to protect tographic operations and the new key has to be distributed to the confidentiality and integrity of all data and management many users. The problem is more severe on immediate group files; enforce immediate permission and membership revocations; support deduplication; and mitigate rollback attacks. Next to membership revocation, as many files require re-encryption. authentication, authorization and file system management, our This becomes a critical problem if members are removed and implementation features an optimized TLS layer that enables added frequently [23]. high throughput and low latency. The encryption overhead of our In recent years, researchers propose solutions that use a implementation is extremely small in computation and storage trusted execution environment (TEE) for secure file sharing resources. Our enclave code comprises less than 8500 lines of code enabling efficient mitigation of common pitfalls in deploying code systems [24]–[27]. TEEs provide an isolated environment to TEEs. — an enclave — to protect code and data in an untrusted environment. A TEE called Intel SGX [28]–[33] is integrated I. INTRODUCTION into (most) modern Intel CPUs and used by all of these In many applications, users want to share files with a group approaches. A-SKY [24] and IBBE-SGX [25] are based on of other users. For instance, employees of a company want cryptographic access control schemes and also suffer from to share files with colleagues. One option is to distribute user’s access to plaintext file keys. Nexus [26] proposes a the files to each group member individually. A better option client-side enclave, which is a severe drawback due to the is a local or remote central repository to store the files heterogeneity of end-user devices. and manage access control. A convenient remote repository We propose and implement SeGShare, a solution supporting is a cloud-based file sharing service as it can reduce cost, group file sharing in large and dynamic groups. SeGShare increase availability and enable seamless multi-device access is TEE-based without using a cryptographic access control to files. Many commercial vendors provide such a service, e.g., scheme. Via tokens, users authenticate themselves to the Google Drive [1], Dropbox [2], or WeTransfer [3]. However, enclave and establish a secure channel with it, which is used data at cloud services could be accessed by unauthorized for all subsequent communication. On every user access, the parties or exposed by internal attackers [4]–[6]. Frequently, enclave checks encrypted access control policies to enforce company policies prohibit to upload files to an untrusted cloud read and/or write access on files. Immediate permission or provider [7]. membership revocations only require an inexpensive modifi- Some cloud providers, e.g., MEGA [8] or Sync.com [9], cation of an encrypted file. Users can upload arbitrarily large encrypt files client-side using file keys and store these keys files through the secure channel directly into the enclave. If the protected with the user’s password. They also enable group upload is granted, the enclave encrypts the files with a random file sharing by encrypting file keys with a group key, which is key using probabilistic authenticated encryption and stores the encrypted with the public key of each group member. How- files in the untrusted environment. On each granted file request, ever, this does not scale well for large groups as an additional the file is decrypted inside the enclave and sent to the user key is required for each group member. Furthermore, files have over the secure channel. SeGShare separates authentication to be re-encrypted on permission or membership revocations. and authorization using identity information in the tokens. MEGA and Sync.com use so-called Hybrid Encryption As long as the identity information is preserved, no further (HE) [10] with public-key management to enforce access change is necessary if a user’s token is replaced or if a user control. Besides HE, many cryptographic schemes have been has different tokens for multiple devices. A comprehensive proposed [11]–[18] to improve access control policies regard- list of SeGShare’s features not mentioned so far is presented ing, e.g., key distribution, the number of keys, and expressive- in Table II. Among others, it protects the confidentiality and 978-1-7281-5809-9/20/$31.00 ©2020 IEEE 476 DOI 10.1109/DSN48063.2020.00061 integrity of all data and administration files; supports data Memory Isolation. In the current version, SGX dedicates deduplication; and mitigates rollback attacks. 128 MB of the system’s main memory (RAM) for the so-called This combination of features is not met by any related Processor Reserved Memory (PRM). All code and data in the work (see Table III) and we agree with the authors of A- PRM are encrypted while residing outside of the CPU and SKY [24], who state that “given the memory and computa- decrypted and integrity checked when the data is loaded into tional limitations of SGX enclaves (e.g., trusted computing the CPU. All other software on the system, including privi- base (TCB) size, trusted/untrusted transition latency), it is far leged software such as OS, hypervisor, and firmware, cannot from trivial to develop such a proxy service able to scale and access the PRM. The OS can swap out enclave pages and SGX sustain a high data throughput, considering dynamic access ensures integrity, confidentiality and freshness of swapped-out control operations.” The key to achieve a high throughput pages, but paging comes with a major performance overhead. under dynamic groups is that SeGShare does not require com- Every program using SGX consists of an enclave and an plex cryptographic operations on permission or membership untrusted part, and the host process can invoke the enclave changes. Besides that, we build an efficient SGX-enabled TLS only through a well-defined interface. stack, use switchless enclave calls for all network and file Attestation. SGX has a remote attestation feature, which traffic, and the enclave requires only a small, constant size allows verification of code integrity and authenticity on a buffer for each request. remote system. This verification is done by hashing (called The main contributions of SeGShare are: measuring in SGX terminology) the initial code and data • New architecture for efficient, end-to-end encrypted loaded into the enclave. The authenticity of the measurement group file sharing supporting large and dynamic groups as well as the fact that the measurement originates from a using a server-side TEE, e.g., Intel SGX. benign enclave is ensured by SGX’s attestation feature (refer • First file sharing system combining confidentiality and to [28] for details). The measurement can be provided to an integrity of all data and administration files; immediate external party to prove the correct creation of an enclave. revocations without expensive re-encryptions; data dedu- Furthermore, the remote attestation feature allows to establish plication; rollback protection; and separation of authenti- a secure channel between an external party and an enclave. cation and authorization. This secure channel can be used to deploy sensitive data, e.g., • Latency average of 2.39 s and 2.17 s to upload and cryptographic keys, directly into the enclave. download a 200 MB file — faster than a plaintext storing Data Sealing. Inherently, SGX enclaves are stateless, i.e., Apache WebDAV server in the same setup. Latency all of its contents are lost when the enclave is destroyed. To under 170 ms for membership and permission operations, preserve data for multiple enclave runs, SGX offers data seal- independent of file sizes, stored files in total, number of ing. This process uses a sealing key to encrypt and integrity- group members, number of user permissions, and groups protect data. Afterwards, the data can be stored outside of the sharing a file. enclave in untrusted memory, and only an enclave with the • Storage overhead of only 1,06% for encrypted storage same sealing key can unseal the data. of a file shared with more than 1000 groups containing Protected File System Library. This library is shipped with 200 MB plaintext data. the Intel SGX SDK and provides a subset of the regular C • SGX-enabled, optimized TLS implementation. file API, e.g., file creation, file writing, and file reading. On • Enclave with only 8441 lines of code, reducing the write, data is separated into 4kB chunks, the data’s integrity potential for security-relevant implementation errors, un- is ensured with a Merkle hash tree variant, and each chunk intended leakages, hidden malware, and side-channel is encrypted with AES-GCM before it is stored in untrusted leakages.