Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data
Tyler Hunt, Zhiting Zhu, Yuanzhong Xu, Simon Peter, Emmett Witchel
Disease risk assessment: Trust issues
(Figure labels: Disease Risk; Classification Result)
Talk outline
Introduction
Controlling untrusted modules
Covert and side channels
Evaluation
Ryoan’s goals
◎ Provide user data secrecy
  ○ Without trusting the application
  ○ Without trusting the platform (OS, Hypervisor)
◎ Support cooperation between service providers
(Figure labels: Userspace; Platform; Ryoan Sandbox)
Ryōan-ji
Threat model
Users
◎ Don’t trust service providers for secrecy
◎ Don’t trust platforms for secrecy
Service Providers
◎ Control platforms
◎ Don’t trust other service providers for secrecy
Everyone
◎ Trusts Ryoan
◎ Trusts Intel SGX
(Figure legend: User; User Data; Untrusted Code; Ryoan; SGX; Untrusted Platform)
Ryoan’s world
Sandboxes
◎ Trusted code
◎ Confine modules
◎ Based on Google’s Native Client (NaCl)
Modules
◎ NaCl x86 binaries from service providers
◎ Application logic
Platforms
◎ More service providers’ code
◎ Host computation
(Figure label: Module)
Ryoan applications
Modules
◎ Request oriented
◎ Well defined unit of work
  ○ One request → one result
  ○ e.g., 1 email, 1 photo
Composable
◎ Modules can be connected to build services
Talk outline
Introduction
Controlling untrusted modules
Covert and side channels
Evaluation
Intel SGX in 2 minutes (or less)
◎ Provides Enclaves
  ○ Regions of a process’s virtual address space
◎ Enclaves
  ○ Can only be accessed by enclave code
  ○ Still have access to the rest of memory
◎ Attestations
  ○ Hardware signed hashes of initial code and data
(Figure: Enclave Code’s View vs. Other Code’s View; labels: Ryoan Instance, Module, Enclave (Inaccessible))
Chain of trust
◎ SGX provides unforgeable attestation of the sandbox
◎ Statements Ryoan makes about the module can now be trusted
(Figure: SGX attests Ryoan; Ryoan attests Module)
Ryoan’s view of SGX
◎ SGX gives you:
  ○ Trusted computation on secret data
◎ Ryoan uses SGX to give you:
  ○ Guarantees on untrusted computation
Confining untrusted code
Problem:
◎ Platform can read secrets out of memory
Solution:
◎ Execute module inside of an enclave
(Figure labels: Enclave; Module)
Confining untrusted code
Problem:
◎ Module can copy secrets to non-enclave memory
Solution:
◎ Restrict accessible memory with a sandbox
  ○ Property of NaCl
(Figure labels: Enclave; Sandbox; Module)
Confining untrusted code
Problem:
◎ Modules can use system calls to write out user data
Solution:
◎ NaCl modules call sandbox to access system calls
◎ Enforce encryption
(Figure: Module issues write( ); the Sandbox issues write([CIPHERTEXT]);)
Confining untrusted code
Problem:
◎ Modules can collude with users to steal data
Solution:
◎ Don’t let modules keep state between requests
(Figure: two Module instances; labels: Disease Risk; Later; “It’s ME!”)
Modules cannot keep state
◎ Module life cycle imposed by Ryoan
  ○ Read, process, write, destroy
◎ Sandbox enforces one request per module execution
  ○ Represent a complete unit of work
  ○ Only contain content from one user
(Life cycle: Initialize → Read Input → Process → Write Output → Destroy)
Talk outline
Introduction
Controlling untrusted modules
Covert and side channels
Evaluation
Covert and side channels
◎ Output, via some externally visible property of execution
◎ Ryoan: Software covert channels
  ○ System calls
  ○ Execution time
◎ Hardware covert channels:
  ○ Hardware vendor’s responsibility
(Figure label: Module)
System call covert channel
(Figure: Module issues write(8bytes); write(16bytes); write(8bytes); write(16bytes); write(16bytes); write(16bytes); write(8bytes);
Encoding: 8 bytes → 0, 16 bytes → 1; an observer of the system calls reads off 0101110)
Eliminating system call channel
◎ Remove modules’ ability to make system calls
◎ Ryoan performs all data input and output independent of the content
(Life cycle: Initialize → Read Input → Process → Done → Destroy. Confined: module cannot make system calls. Ryoan makes input available; Ryoan flushes all output.)
Initialization is expensive
(Life cycle: Initialize → Checkpoint → Read Input → Process → Done → Restore Checkpoint. Confined: module cannot make system calls.)
ClamAV (virus scanner): 25.0 seconds to initialize, 0.1 seconds to process a request
Confined compatibility API
In-memory file API
◎ File system operations in memory
◎ Examples:
  ○ Temp files
  ○ Preexisting files
Replaced system calls: open, close, read, write, stat, lseek, unlink, mkdir, rmdir, getdents
Dynamic Memory
◎ Modules can call mmap for “new” memory
◎ Return memory from a pre-allocated pool.
Replaced system calls: mmap
Talk outline
Introduction
Controlling untrusted modules
Covert channels
Evaluation
(Figure: evaluation applications)
Health       In: Genome/health data   Out: Disease risk
Translation  In: French text          Out: English text
Images       In: Pictures             Out: Array of objects
Email        In: Emails               Out: Spam & virus status
(Figure module labels: Moses; Classifier; Parse Input; Distribute; Combine; Return Results; Recognize NSFW; Recognize Horse; Recognize Face)
Evaluation
◎ Implementation requires SGX v2 instructions (spec: Fall 2014, coming soon)
  ○ Dynamic memory allocation/protection
◎ SGX performance model
  ○ Measured SGX v1 latencies on our hardware
  ○ Estimated SGX v2 latencies (sensitivity study in paper)
  ○ Flush TLB on all system calls, page faults, and interrupts
Evaluation workloads:
Health       20,000 1.4KB Boolean vectors from different users
Translation  30 short paragraphs, sizes 25-300B, 4.1KB total
Images       12 images, sizes 17KB-613KB
Email        250 emails, 30% with 103KB-12MB attachment
Ryoan summary
◎ Allows untrusted code to operate on secret data on untrusted platforms
◎ Sandbox with SGX
  ○ Eliminates explicit channels
◎ Module can’t call platform
  ○ Eliminates covert channels
◎ Mostly backwards compatible
  ○ Sandbox code implements system calls
(Backup Slides Follow)
Output Size
◎ Output size is a (configurable) fixed function of input size.
  ○ Output is padded or truncated by Ryoan
  ○ Always predefined in the specification
  ○ Examples (n bytes of input)
    ◉ Virus Scanner output: n bytes + 1 bit
    ◉ Machine Translation output: 2n bytes
(Figure labels: Module; n bytes → n bytes; n bytes → n/2 bytes)
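An added example in C (not Ryoan’s or NaCl’s code) of the sandbox-side output shaping that the “Eliminating system call channel” and “Output Size” slides describe: the module never performs I/O, and the sandbox flushes exactly the number of bytes the specification derives from the input length, padding or truncating whatever the module produced. The output_spec struct, the function names and the two toy modules are constructed for this example; the scanner’s one status bit is rounded up to a byte.

```c
/* Added example (not Ryoan's code): sandbox-side output shaping that makes a
 * module's output length a predefined function of the input length, so the
 * module cannot signal through how much it writes. The output_spec struct,
 * the function names and the two toy modules are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* out_len = in_len * mult + extra. Covers the slide's two examples:
 * virus scanner = n bytes + 1 status bit (rounded up to a byte here),
 * machine translation = 2n bytes. */
typedef struct {
    size_t mult;
    size_t extra;
} output_spec;

static const output_spec VIRUS_SCANNER_SPEC = { 1, 1 };
static const output_spec TRANSLATION_SPEC   = { 2, 0 };

static size_t spec_output_len(const output_spec *s, size_t in_len) {
    return in_len * s->mult + s->extra;
}

/* Module entry point: receives its input and an output buffer, returns how
 * many bytes it produced. The module itself never performs I/O. */
typedef size_t (*module_fn)(const uint8_t *in, size_t in_len,
                            uint8_t *out, size_t out_cap);

/* Sandbox side: run one request, then flush exactly spec_output_len() bytes.
 * The module only ever sees a buffer of that size, so longer output is
 * truncated; shorter output is zero-padded. Returns the flushed length,
 * or 0 if the caller's buffer is too small for the specified length. */
static size_t run_request(module_fn mod, const output_spec *spec,
                          const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_cap) {
    size_t want = spec_output_len(spec, in_len);
    if (want > out_cap) return 0;
    size_t produced = mod(in, in_len, out, want);
    if (produced > want) produced = want;       /* module misreported its length */
    memset(out + produced, 0, want - produced); /* pad to the specified length */
    return want;
}

/* Toy scanner module: echo the input and append one status byte (1 if the
 * constructed marker "EVIL" appears anywhere in the input, else 0). */
static size_t scan_module(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_cap) {
    uint8_t hit = 0;
    for (size_t i = 0; i + 4 <= in_len; i++)
        if (memcmp(in + i, "EVIL", 4) == 0) { hit = 1; break; }
    size_t n = in_len < out_cap ? in_len : out_cap;
    memcpy(out, in, n);
    if (n < out_cap) out[n++] = hit;
    return n;
}

/* Toy misbehaving module mirroring the covert-channel slide: it tries to
 * encode the low bit of the first input byte as an 8-byte or 16-byte write.
 * After shaping, both cases flush the same number of bytes. */
static size_t length_signalling_module(const uint8_t *in, size_t in_len,
                                       uint8_t *out, size_t out_cap) {
    size_t n = (in_len > 0 && (in[0] & 1)) ? 16 : 8;
    if (n > out_cap) n = out_cap;
    memset(out, 'x', n);
    return n;
}

/* Run one request into a local buffer and report the flushed length. */
static size_t flushed_len(module_fn mod, const output_spec *spec,
                          const char *in, size_t in_len) {
    uint8_t out[128];
    return run_request(mod, spec, (const uint8_t *)in, in_len, out, sizeof out);
}

/* Status byte the scanner reports for an input (the last flushed byte). */
static int scan_status(const char *in, size_t in_len) {
    uint8_t out[128];
    size_t n = run_request(scan_module, &VIRUS_SCANNER_SPEC,
                           (const uint8_t *)in, in_len, out, sizeof out);
    return n ? out[n - 1] : -1;
}
```

Under the scanner spec a 4-byte input always flushes 5 bytes, and under the translation spec always 8, whichever branch the length-signalling module takes.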