2018 RyoanADistributedSandboxforUntr
- (Hunt et al., 2018) ⇒ Tyler Hunt, Zhiting Zhu, Yuanzhong Xu, Simon Peter, and Emmett Witchel. (2018). "Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data"; In: ACM Transactions on Computer Systems (TOCS) Journal, 35(4). ISBN:0734-2071 doi:10.1145/3231594
Subject Headings: Ryoan Sandbox System; Chiron System, Sandbox Model, Intel's Software Guard Extensions (SGX).
Notes
- See: Hunt et al., 2016
Cited By
- Google Scholar: ~ 129 Ciations
- ACM-DL: No Citations
- Semantic Scholar: ~ 103 Citations (Retrieved:2019-09-29).
Quotes
Abstract
Users of modern data-processing services such as tax preparation or genomic screening are forced to trust them with data that the users wish to keep secret. Ryoan1 protects secret data while it is processed by services that the data owner does not trust. Accomplishing this goal in a distributed setting is difficult, because the user has no control over the service providers or the computational platform. Confining code to prevent it from leaking secrets is notoriously difficult, but Ryoan benefits from new hardware and a request-oriented data model. Ryoan provides a distributed sandbox, leveraging hardware enclaves (e.g., Intel's software guard extensions (SGX) [15]) to protect sandbox instances from potentially malicious computing platforms. The protected sandbox instances confine untrusted data-processing modules to prevent leakage of the user's input data. Ryoan is designed for a request-oriented data model, where confined modules only process input once and do not persist state about the input. We present the design and prototype implementation of Ryoan and evaluate it on a series of challenging problems including email filtering, health analysis, image processing and machine translation.
1. Introduction
2. Background And Threat Model
2.1 Threat Model
2.2 Intel Software Guard Extensions
2.3 Hardware Security Limitations
2.4 Native Client
3. Design Overview
4. The Ryoan Distributed Sandbox
4.1 Enforcing Topology
4.2 Label-Based Model For Communication
4.2.1 Non-Confining Labels
4.2.2 Confining Labels
4.2.3 Ryoan Data Audit Trail
4.3 Data Oblivious Communication
5. Module Confinement
5.1 Ryoan’s Confined Environment
5.2 Processing-Time Channels
5.3 Protecting Ryoan From Privileged Software
5.3 Protecting Ryoan From Privileged Software
6. Implementation
6.1 Constraints Of Current Hardware
6.2 Ryoan-libc
6.3 Module Address Space
6.4 I/O Control
6.5 Key Establishment Between Enclaves
6.6 Checkpointing Confined Code
7. Use Cases
7.1 Email Processing
7.2 Personal Health Analysis
7.3 Image Processing
7.4 Translation
8. Evaluation
9. Related Work
10. Conclusion
11. Acknowledgments
References
;
Author | volume | Date Value | title | type | journal | titleUrl | doi | note | year | |
---|---|---|---|---|---|---|---|---|---|---|
2018 RyoanADistributedSandboxforUntr | Tyler Hunt Emmett Witchel Zhiting Zhu Yuanzhong Xu Simon Peter | Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data | 10.1145/3231594 | 2018 |