1

AUTOCRYPT: Enabling Homomorphic Computation on Servers to Protect

Sensitive Web Content

Shruti Tople Shweta Shinde, Zhaofeng Chen, Prateek

SaxenaNational University of Singapore

2

Problem

• Cloud providers offer various services

Sensitive Data

Leak data

CloudServer

3

EncryptedData

Goal

Request

Output

Client

• Preserve confidentiality of user’s data• By encryption

• Allow benign functionalities on encrypted data

EncryptedOutput

4

Main Insight: Computing on Encrypted Data

• Partially Homomorphic Encryption Schemes

• Trusted APIs– To switch between encryption schemes

Search ElgamalPaillier

a = y + z

ans = a x a

==E+E XE

5

ch = getc(file);if (ch == '\n')lines++;if (ch == '\r' || ch == '\f') {if (linepos > linelength)linelength = linepos;linepos = 0;words++;}if (ch == '\t') {linepos += 8 - (linepos % 8);words++;}} write_counts (lines, words);

xE

+E

==E

Enabling Homomorphic Computation:An Example

Unix Word Count (wc)

RAM

Sensitive Input

6

Challenges

How to automatically transform applications that work on encrypted content ?

Can it be enabled on untrusted commodity cloud server?

Is such a solution practical in the real world ?

❶

❷

❸

7

Contributions

AutoCrypt‘C’ Program

AutoCryptedProgram

APIsAutoCryptedProgram

Statically Verified

Expressiveness Efficient Secure❸

❶

❷

8

Our Solution : AutoCrypt

9

AutoCrypt Architecture

‘C’Program F

AutoCryptedProgram

Source Annotations Encrypted

Output

AutoCrypt

cryptedInput

EncryptedInputEncrypted

Input

APIs

How AutoCrypt works?

‘C’ Program

Autocrypted Code

SSA

Transformation Type Inference

Information Flow Analysis

Untyped

IRAnnotated IR

Well Typed

IR

LLVM Pass

10

AutoCrypt

11

AutoCrypt’s Type System

Type checks ?

‘C’Program

YES NO

UnsafeConversion

Unsupported Operation

12

What are Unsafe Conversions ?

v = ch + 1;

If (v == ‘\n’){.... }

Unsafe Conversion

a = y + z

ans = a x a

Both need conversion between encryption schemes

Is it safe to convert arbitrarily ?

NO

Safe Conversion

Only 6 fixed conversion APIs are allowed

Do +1, +2and check

13

Security:Attackers knowledge set

14

Security Goal

‘C’Program F

AutoCryptedProgram

Source Annotations Encrypted

Output

AutoCrypt

EncryptedInput

Attacker’s Knowledge Set

Privacy Preserving Execution

15

ch = getc(file);if (ch == '\n')lines++;if (ch == '\r' || ch == '\f') {if (linepos > linelength)linelength = linepos;linepos = 0;words++;}if (ch == '\t') {linepos += 8 - (linepos % 8);words++;}write_counts (lines, words);

Unix Word Count (wc)

RAM

xE

+E

==E

Attackers Knowledge Set

Search Constants

Program Execution

Path

Leakage via Execution Path

16

Security Theorem

• Reduced Indistinquishability Modulo W

• Adversary is bound to use only W keywords

W = 12 / 256

W

Cannot Distinguish

Can Distinguish

∑ = 256

∑ - Wch == W

yes no

ch

17

Application of AutoCrypt:Protecting Data on Web Servers

Attacks on Web Server

SQL Injection

Memory Corruption

Command Injection

Server Misconfiguration

File Type Confusion Bugs

Web Server

19

Client-Server Architecture : Setup

Hardware

Trusted Hypervisor

Trusted APIs

Untrusted VM

Client

AutoCryptedProgram

“A”Encrypted

Data

20

Encrypted Output

Serving Requests

Hardware

Trusted Hypervisor

Trusted APIs

Untrusted VM

Client

EncryptedData

AutoCryptedProgram

“A”

Request : “A”

ResponsePlaintext

data +E

xE

21

Evaluation

22

Selecting Benchmarks

Selection Criteria :

Large scale

On real world applications

Which are complex enough

GNU CoreUtils

shred, truncate, sort, uniq, comm, od, wc, sum, cksum, fmt, old, pr , expand, unexpand, tr, cut, paste, join, base64, shuf, ptx, head, tail, split, csplit, cat, tac, nl,

Total 30 file-based programs

Out of total 11 categories, 8 file-based categories3 directory based

23

Additional Micro-benchmarks

File Utility

3 Custom Programs

Determines the MIME type of a file

Matrix Multiplication

EuclideanDistanceSquare

HammingDistance

Used in Previous Work

Image Transforms Face

Recognition

FaceRecognition

HFKV’12 HEKM’11

24

Expressiveness

• Successfully Transform – 25 CoreUtils– File Utility– 3 Custom Program

• AutoCrypt’s Rejected Program ( 5 )– Sort Order Preserving– uniq & comm Deterministic Encryption– od & cat –show-non-printing Unsafe Conversion

25

Reduction in Developer Effort

• 1% instructions are modified ( Total : 500 - 3000)

• 9-10 % variables are encrypted (Total: 300 - 2500)

• 7-8% constants are encrypted (Total: 10 – 150 )

• AutoCrypt automates all of the above– which is otherwise difficult to identify manually

26

Comparison to Previous Work

• Native Execution – Fast but not secure

• Circuit Encoding Schemes– Fully Homomorphic Encryption, Garbled Circuits– Secure but expensive for real applications

• Not fair to compare with them

27

Efficiency

• Commercial solutions to protect data

• “Download & Compute”

19 Execute Fasterby factor of 2 - 100 6 Execute slower by

factor of 2 - 6Out of 25

AutoCrypted programs

4.88 ms/KB

6 ms/KB

DownloadDecrypt

Compute

28

Conclusion

• Enabling homomorphic computation on untrusted server is a promising direction

• AutoCrypt automates this for the developer

Expressiveness

• GNU CoreUtils• Custom Programs• File Utility

Efficiency

• Vs Download & Compute

Secure

• New Reduced Indistinquishability

29

Thank You !Email : shruti90@comp.nus.edu.sg