| With the expansion of the Internet data scale,cloud storage service has become the development trend of future storage by decency of its advantages of large storage space and low maintenance cost.At the same time,to further enhance cloud storage's ability to handle large data workloads,in-memory key-value stores,such as Memcached and Redis,have become mainstream solutions for cloud storage.However,since cloud service providers are not fully trusted,cloud users' data security and privacy are faced with great challenges.One possible solution is to use a hardware-based trusted execution environment,such as SGX,a new processor security technology proposed by Intel Corporation.This technology can provide an isolated and trusted execution environment for cloud users on the computing platform and guarantee the confidentiality and integrity of user code and data.However,the current SGX-based schemes of in-memory key-value storage still suffer from performance and security issues.First of all,the database capacity of the existing scheme is limited to 128 MB,and the system call overhead is large,which seriously affects the database query performance.Secondly,the existing scheme does not protect the access pattern of memory,so it will be subjected to side-channel attacks.Finally,the existing scheme only considers the case of a single machine,but the single machine provides limited query ability and poor fault tolerance.To solve the above problems,this thesis carries out the following three research works:This thesis presents a high-performance in-memory key-value storage system to protect data privacy.By encrypting key-value data stored in untrusted memory to expand the memory available on a single machine,SGX's limitation of 128 MB of trusted memory is broken through.By using the switchless system call,the number of program switching between trusted and untrusted states is reduced,and the performance overhead of a single system call is reduced.To verify the effectiveness of the above method,this thesis uses the YCSB benchmark framework to evaluate the system performance.Experiments show that the system has a high throughput,and the performance is significantly better than the SGX benchmark scheme and pure cryptography scheme.Then,this thesis designs an in-memory key-value storage system to protect the access pattern.The pattern of untrusted memory access is hidden by combining ORAM technology with SGX.The program in trusted memory is designed with the data-oblivious execution method,which can effectively resist the side-channel attack based on the page-granularity access pattern.This thesis makes a comprehensive theoretical analysis of the computing cost,storage cost,and privacy of access pattern of the scheme,and evaluates the system performance in the experiment chapter to verify the availability of the system.Finally,the above two works are extended to the distributed case of multi-machine processing.The attestation protocol among SGX applications running on multiple machines are designed to ensure that multiple nodes that co-process data requests can communicate securely.The consistent hashing technique is used to implement data sharding,which improves the parallel processing ability of the system and expands the data storage capacity.This thesis uses the YCSB benchmark framework to test the system performance and verifies that the system has high throughput and fault tolerance. |
PDF Full Text Request