Conference: IEEE/ACM Symposium on Edge Computing

Harpocrates: Giving Out Your Secrets and Keeping Them Too

Abstract

Content Distribution Networks (CDNs) offer websites and web services the ability to host content on servers that are near the edge of the network, close to users. Benefits of this arrangement include low latency, scalability, and resistance to Denial of Service attacks. Traditionally, CDNs have hosted primarily static content, but increasingly, there is an interest in pushing active computation to the edge as well. This active computation, which is similar in style to the "server-less" computing becoming popular in clouds, offers a wealth of new opportunities for web services to become faster and more scalable. With this opportunity, however, comes a much greater exposure to security threats. One is leakage of secret materials (such as keys, identities, etc.) that are accessed by these functions. Another is the possibility that sensitive calculations are not executed faithfully in the CDN; e.g. a modified version of the customer's code is run. In this paper, we present the design of Harpocrates, a framework that allows active code to be pushed from an origin webserver out to workers at the edge of a CDN. Harpocrates makes use of Intel's SGX technology to keep data private, and presents an environment similar to the JavaScript WebWorker API to simplify the process of code that can run on either origin servers or the CDN. We use Harpocrates to design a number of interesting services, including a service that generates and checks secure cookies within the CDN, and a framework that protects against denial-of-service attacks in a way that is customized to a specific website. We show that the framework performs well enough to be deployable in practice.