DOI: 10.1145/3634737.3657005
research-article
Open access

Menhir: An Oblivious Database with Protection against Access and Volume Pattern Leakage

Published: 01 July 2024

Abstract

Analyzing user data while protecting the privacy of individuals remains a big challenge. Trusted execution environments (TEEs) are a possible solution as they protect processes and Virtual Machines (VMs) against malicious hosts. However, TEEs can leak access patterns to code and to the data being processed. Furthermore, when data is stored in a TEE database, the data volume required to answer a query is another unwanted side channel that contains sensitive information. Both types of information leaks, access patterns and volume patterns, allow for database reconstruction attacks.
In this paper, we present Menhir, an oblivious TEE database that hides access patterns with ORAM guarantees and volume patterns through differential privacy. The database allows range and point queries with SQL-like WHERE-clauses. It builds on the state-of-the-art oblivious AVL tree construction Oblix (S&P'18), which by itself does not protect against volume leakage. We show how volume leakage can be exploited in range queries and improve the construction to mitigate this type of attack. We prove the correctness and obliviousness of Menhir. Our evaluation shows that our approach is feasible and scales well with the number of rows and columns in the database.

Supplementary Material

ZIP File (p1675-supp.zip)
Supplemental material.


Published In

ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security
July 2024
1987 pages
ISBN: 9798400704826
DOI: 10.1145/3634737
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

1. privacy
2. TEE database
3. oblivious data structures
4. access pattern leakage
5. volume pattern leakage

Qualifiers

• Research-article

Conference

ASIA CCS '24

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Article Metrics

• Total Citations: 0
• Total Downloads: 166
• Downloads (Last 12 months): 166
• Downloads (Last 6 weeks): 49

Reflects downloads up to 06 Jan 2025