More Web Proxy on the site http://driver.im/

research-article

Public Access

Behind Enemy Lines: Exploring Trusted Data Stream Processing on Untrusted Systems

Authors:

Alexandros LabrinidisAuthors Info & Claims

CODASPY '19: Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy

Pages 243 - 254

https://doi.org/10.1145/3292006.3300021

Published: 13 March 2019 Publication History

Abstract

Data Stream Processing Systems (DSPSs) execute long-running, continuous queries over transient streaming data, often making use of outsourced, third-party computational platforms. However, third-party outsourcing can lead to unwanted violations of data providers' access controls or privacy policies, as data potentially flows through untrusted infrastructure. To address these types of violations, data providers can elect to use stream processing techniques based upon computation-enabling encryption. Unfortunately, this class of solutions can leak information about underlying plaintext values, reduce the possible set of queries that can be executed, and come with detrimental performance overheads. To alleviate the concerns with cryptographically-enforced access controls in DSPSs, we have developed \system, a DSPS that makes use of Intel's Software Guard Extensions (SGX) to protect data being processed on untrusted infrastructure. We show that \system can execute arbitrary queries while leaking no more information than an idealized \baseline system. At the same time, an extensive evaluation shows that the overheads associated with stream processing in \system are comparable to its computation-enabling encryption counterparts for many queries.

References

[1]

Daniel Abadi et al. 2003. Aurora: a new model and architecture for data stream management. VLDB 12, 2 (2003), 120--139.

Digital Library

[2]

D.J. Abadi et al. 2005. The design of the borealis stream processing engine. In CIDR.

[3]

Dinh Tien Tuan Anh and Anwitaman Datta. 2014. Streamforce: outsourcing access control enforcement for stream data to the clouds. In ACM CODASPY.

Digital Library

[4]

Arvind Arasu et al. 2004. Stream: The stanford data stream management system. Book chapter (2004).

[5]

Arvind Arasu et al. 2006. The CQL continuous query language: semantic foundations and query execution. The VLDB Journal 15, 2 (2006), 121--142.

Digital Library

[6]

Sergei Arnautov et al. 2016. SCONE: Secure linux containers with Intel SGX. In 12th USENIX OSDI.

Digital Library

[7]

Nathan Backman, Rodrigo Fonseca, and U?gur Çetintemel. 2012. Managing parallelism for stream processing in the cloud. In HOTCDP. ACM, 1--5.

Digital Library

[8]

Alexandra Boldyreva et al. 2009. Order-preserving symmetric encryption. In Eurocrypt. Springer, 224--241.

[9]

Stefan Brenner et al. 2016. SecureKeeper: Confidential ZooKeeper using Intel SGX. In Middleware.

Digital Library

[10]

Paris Carbone et al. 2015. Apache flink: Stream and batch processing in a single engine. Data Engineering (2015), 28.

[11]

Barbara Carminati et al. 2007. Enforcing access control over data streams. In ACM SACMAT. 21--30.

Digital Library

[12]

Barbara Carminati et al. 2007. Specifying access control policies on data streams. In DASFAA. Springer, 410--421.

Digital Library

[13]

Barbara Carminati et al. 2010. A framework to enforce access control over data streams. ACM TISSEC 13, 3 (2010), 28.

Digital Library

[14]

Debs Grand Challenge. 2014. DEBS Grand Challenge. http://dl.acm.org/citation. cfm?id=2772598. (2014).

[15]

Andreas Chatzistergiou and StratisDViglas. 2014. Fast heuristics for near-optimal task allocation in data stream processing over clusters. In CIKM. ACM.

Digital Library

[16]

Victor Costan and Srinivas Devadas. 2016. Intel SGX Explained. IACR Cryptology ePrint Archive 2016 (2016), 86.

[17]

Aurélien Havet et al. 2017. SecureStreams: A Reactive Middleware Framework for Secure Data Stream Processing. In DEBS. ACM, 124--133.

Digital Library

[18]

Matthew Hoekstra et al. 2013. Using innovative instructions to create trustworthy software solutions. In HASP@ ISCA. 11.

Digital Library

[19]

Yuanqiang Huang et al. 2011. Operator placement with QoS constraints for distributed stream processing. In CNSM. IEEE, 1--7.

Digital Library

[20]

Paul Kocher, Daniel Genkin, et al. 2018. Spectre attacks: Exploiting speculative execution. arXiv preprint arXiv:1801.01203 (2018).

[21]

Sanjeev Kulkarni et al. 2015. Twitter Heron: Stream Processing at Scale. In SIGMOD. ACM, 239--250.

Digital Library

[22]

Wolfgang Lindner and Jörg Meier. 2006. Securing the borealis data stream engine. In IEEE IDEAS. 137--147.

Digital Library

[23]

Rima Nehme et al. 2008. A security punctuation framework for enforcing access control on streaming data. In ICDE. 406--415.

Digital Library

[24]

Rimma V Nehme et al. 2013. FENCE: Continuous access control enforcement in dynamic data stream environments. In ACM CODASPY. 243--254.

Digital Library

[25]

Wee Siong Ng et al. 2012. Privacy preservation in streaming data collection. In ICPADS. 810--815.

Digital Library

[26]

Pascal Paillier. 1999. Public Key Cryptosystems Based on Composite Degree Residuosity Classes. Advances in Cryptography - EURPCRYPT'99 1562 (1999).

Digital Library

[27]

Peter Pietzuch et al. 2006. Network-aware operator placement for streamprocessing systems. In ICDE. IEEE, 49--49.

Digital Library

[28]

Raluca Popa et al. 2011. Cryptdb: protecting confidentiality with encrypted query processing. In ACM SOSP. 85--100.

Digital Library

[29]

Christian Priebe, Kapil Vaswani, and Manuel Costa. 2018. EnclaveDB: A Secure Database using SGX. In EnclaveDB: A Secure Database using SGX. IEEE, 0.

[30]

Stamatia Rizou et al. 2010. Solving the multi-operator placement problem in large-scale operator networks. In ICCCN. IEEE, 1--6.

[31]

Felix Schuster, Manuel Costa, et al. 2015. VC3: Trustworthy data analytics in the cloud using SGX. In SP. IEEE, 38--54.

Digital Library

[32]

Fahad Shaon, Murat Kantarcioglu, et al. 2017. SGX-BigMatrix: A Practical Encrypted Data Analytic Framework With Trusted Processors. In SIGSAC. ACM, 1211--1228.

Digital Library

[33]

Utkarsh Srivastava, Kamesh Munagala, and Jennifer Widom. 2005. Operator placement for in-network stream query processing. In SIGMOD. ACM, 250--258.

Digital Library

[34]

StormProject. 2014. Storm: Distributed and Fault-Tolerant Realtime Computation. http://storm.incubator.apache.org/documentation/Home.html. (2014).

[35]

Cory Thoma et al. 2016. PolyStream: Cryptographically Enforced Access Controls for Outsourced Data Stream Processing. In SACMAT, Vol. 21. 12.

Digital Library

[36]

Jo Van Bulck, Marina Minkin, et al. 2018. Foreshadow: Extracting the Keys to the Intel {SGX} Kingdom with Transient Out-of-Order Execution. In 27th {USENIX} Security Symposium ({USENIX} Security 18). 991--1008.

Digital Library

[37]

Wenting Zheng, Ankur Dave, Jethro G Beekman, et al. 2017. Opaque: An Oblivious and Encrypted Distributed Analytics Platform. In NSDI. 283--298.

Digital Library

Cited By

De Capitani di Vimercati SForesti SJajodia SLivraga GParaboschi SSamarati P(2021)An authorization model for query execution in the cloudThe VLDB Journal10.1007/s00778-021-00709-x31:3(555-579)Online publication date: 6-Nov-2021
https://doi.org/10.1007/s00778-021-00709-x
Zaki MLee AChrysanthis P(2020)Effective Access Control in Shared-Operator Multi-tenant Data Stream Management SystemsData and Applications Security and Privacy XXXIV10.1007/978-3-030-49669-2_7(118-136)Online publication date: 18-Jun-2020
https://doi.org/10.1007/978-3-030-49669-2_7

Index Terms

Behind Enemy Lines: Exploring Trusted Data Stream Processing on Untrusted Systems
1. Hardware
  1. Emerging technologies
2. Security and privacy
  1. Database and storage security
    1. Management and querying of encrypted data
  2. Security services
    1. Access control

Recommendations

Efficient approximation and privacy preservation algorithms for real time online evolving data streams
Abstract
Because of the processing of continuous unstructured large streams of data, mining real-time streaming data is a more challenging research issue than mining static data. The privacy issue persists when sensitive data is included in streaming data. ...
SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity

As low-cost RFIDs become more and more popular, it is imperative to design ultra-lightweight RFID authentication protocols to resist all possible attacks and threats. However, all the previous ultra-lightweight authentication schemes are vulnerable to ...
An extensible test framework for the Microsoft StreamInsight query processor
DBTest '10: Proceedings of the Third International Workshop on Testing Database Systems

Microsoft StreamInsight (StreamInsight, for brevity) is a platform for developing and deploying streaming applications. StreamInsight adopts a deterministic stream model that leverages a temporal algebra as the underlying basis for processing long-...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CODASPY '19: Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy

March 2019

373 pages

ISBN:9781450360999

DOI:10.1145/3292006

General Chairs:
Gail-Joon Ahn
Arizona State University, USA
,
Bhavani Thuraisingham
University of Texas at Dallas, USA
,
Program Chairs:
Murat Kantarcioglu
University of Texas at Dallas, USA
,
Ram Krishnan
University of Texas at San Antonio, USA

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 March 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation

Conference

CODASPY '19

Sponsor:

SIGSAC

CODASPY '19: Ninth ACM Conference on Data and Application Security and Privacy

March 25 - 27, 2019

Texas, Richardson, USA

Acceptance Rates

Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
375
Total Downloads

Downloads (Last 12 months)75
Downloads (Last 6 weeks)6

Reflects downloads up to 20 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

De Capitani di Vimercati SForesti SJajodia SLivraga GParaboschi SSamarati P(2021)An authorization model for query execution in the cloudThe VLDB Journal10.1007/s00778-021-00709-x31:3(555-579)Online publication date: 6-Nov-2021
https://doi.org/10.1007/s00778-021-00709-x
Zaki MLee AChrysanthis P(2020)Effective Access Control in Shared-Operator Multi-tenant Data Stream Management SystemsData and Applications Security and Privacy XXXIV10.1007/978-3-030-49669-2_7(118-136)Online publication date: 18-Jun-2020
https://doi.org/10.1007/978-3-030-49669-2_7

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents