Venue: IEEE Conference on Communications and Network Security

Enabling Trusted Data-intensive execution in cloud computing


Abstract

The security and privacy of user data have become a major concern in the cloud computing era. Cryptographic solutions based on secure computation outsourcing have been extensively studied in order to protect the security and privacy of user data. However, these solutions either suffer from forbiddingly high computation overhead or are only applicable to certain special classes of computations. In this paper, we tackle the challenge of secure computation outsourcing using an entirely different approach - the idea is to have a secure execution environment in the cloud such that user data can be processed in plain text format without compromising its confidentiality. We propose a TrUsted Data-intensive ExeCution (TUDEC) environment optimized for data applications in the cloud. TUDEC is a new system architecture, designed to provide a secure environment for arbitrary data computations in the cloud server. Using a very small trusted computing base including only firmware and hardware, TUDEC is able to provide a user VM with isolation against both the legacy host and neighboring VMs. Such isolation is unique in that it provides protection against any software-based attacks. By direct interrupt delivery, interrupt rerouting and IOMMU configuration lock, TUDEC enables close to bare metal computation and I/O performance without sacrificing any security guarantees. We built a prototype and showed the high efficiency of TUDEC. In particular, when the server is heavily loaded, the TCP bandwidth of the guest VM in TUDEC is significantly better than the current state-of-the-art secure execution environment design.