
A Trusted Hardware Based Approach To Protecting Data Confidentiality In Cloud

Posted on: 2018-07-23
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H L Tian
GTID: 1368330566487976
Subject: Computer Science and Technology
Abstract/Summary:
Cloud computing has grown rapidly in recent years and gone mainstream thanks to its economies of scale and ease of use. However, concerns about the security of the cloud are hindering its further adoption. For this reason, cloud security has become a hot topic in recent years. Among the issues regarding cloud security, an important one is protecting the security, and especially the confidentiality, of user data in a cloud environment. To address this issue, most research works are based on either system software or cryptography; yet both approaches are limited in terms of security, functionality and/or performance. This leads to a third approach that is based on trusted hardware. The most common kinds of trusted hardware are trusted platform modules (TPMs), secure co-processors and field programmable gate arrays (FPGAs). Unfortunately, these three kinds of traditional trusted hardware are unsatisfactory in cost, performance or programmability. This thesis attempts to address the problem of protecting data confidentiality in clouds with new kinds of trusted hardware. More specifically, we convert commodity hardware, e.g., disk drives and CPUs, into trusted hardware. The contributions of this thesis are threefold:

(1) Secure storage based on trusted solid-state drives. We design and implement TrustedSSD, a security-enhanced solid-state drive with a fine-grained access control mechanism, thus protecting the confidentiality of the data within the storage device. We present a thorough security analysis of TrustedSSD and describe the technical challenges in implementing the system on real hardware. The experimental results show that on both synthetic and real-world workloads TrustedSSD incurs a performance overhead of only 3% on average.

(2) Secure computation based on trusted CPUs. Intel SGX, an emerging trusted hardware technology on Intel x86 CPUs, enables users to create secure enclaves that protect the confidentiality and integrity of the code and data within them. We design and implement SGXKernel, a library operating system designed and optimized for Intel SGX. SGXKernel is unique in its switch-less design, which completely eliminates the high overhead incurred by enclave transitions. Experimental evaluation shows that SGXKernel significantly outperforms the state-of-the-art library OSes for SGX.

(3) Secure SaaS based on trusted anchor. Software as a Service (SaaS) has become an increasingly attractive platform for enterprise applications. We propose a general-purpose, confidentiality-preserving architecture for deploying enterprise applications on SaaS. We describe the architecture in detail and give a systematic analysis of its security. We present the design and implementation of its core module, the trust anchor container. With a case study and experimental evaluation, we show the practicality and effectiveness of the proposed architecture.
Keywords/Search Tags:cloud computing, cloud security, trusted hardware, solid state drives, Intel SGX, library operating system, SaaS