chang liu, michael hicks, elaine shi the university of maryland, college park
TRANSCRIPT
![Page 1: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/1.jpg)
Memory Trace Oblivious Program Execution
Chang Liu, Michael Hicks, Elaine ShiThe University of Maryland, College Park
![Page 2: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/2.jpg)
MotivationCloud computing compromise users’ privacy
Transfer both code and data to the cloud provider
Threat ModelCPU and secure co-processor can be trustedAll other hardware is not trusted
Memory Memory bus Etc.
Encryption is not enoughMemory access trace may leak information about secret
data
![Page 3: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/3.jpg)
Scenario 1Program
a[x]:=1
Memory bus
read(x)readarr(a, x)
![Page 4: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/4.jpg)
Scenario 2Program
if(s) thenx:=1
elsey:=1
Memory busread(s)
true branch:write (x)
false branch:write (y)
![Page 5: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/5.jpg)
Scenario 3Program
1: if(s) then 2: x:=1 3: else 4: x:=1
Memory busread(s)
true branch:fetch instruction
2false branch:
fetch instruction 4
![Page 6: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/6.jpg)
Oblivious RAM (ORAM)A primitive to hide access patterns from the
untrusted server
Practical implementationRen et al. Design Space Exploration and
Optimization of Path Oblivious RAM in Secure Processors, In Proc. of ISCA ‘13
Drawback overhead for an ORAM of size
![Page 7: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/7.jpg)
Problem with ORAMProgram 1
a[1]:=0
Program 2for i=110
a[i]=1
Program 3for i=110
b[a[i]]=ic[a[i]]=c[a[i]]+1
end for
a[] can be store in DRAM w/o encryption
a[] can be store in DRAM w/ encryption
a[] can be stored in DRAM w/ encryption; b[] and c[] can be stored in two ORAM banks
![Page 8: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/8.jpg)
ObservationsSome data can be stored in DRAM w/ or w/o
encryption
Some data need be stored in ORAMWe can use multiple ORAM banks to store
different data
![Page 9: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/9.jpg)
Question
ORAM
Secure
Inefficient
Normal Program
Insecure
Efficient
Tradeoff(This work)
Secure
Efficient
![Page 10: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/10.jpg)
Questions: How to do this safely?Q1: What programs are secure
Memory trace non-interference
Q2: How to check if a program is secureA security type system with trace
Q3: How to get a secure programA security compiler
![Page 11: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/11.jpg)
Language Syntax
![Page 12: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/12.jpg)
Trace
![Page 13: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/13.jpg)
MemoryMemory is a mapping, which maps a variable
to a pair is either a Nat or a mapping from Nat to Nat
(i.e. array) is a security label which is either L or an ORAM
A security environment is a mapping from variable to a type (i.e. Nat l, or Array l)
(-validity) is -valid
![Page 14: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/14.jpg)
Semantics
![Page 15: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/15.jpg)
Memory Trace Non-interferenceDEF. Given a security environment , a
program satisfies -memory trace obliviousness if for any two -valid memories if and , then , and
![Page 16: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/16.jpg)
Security Type SystemCannot get trace without given memory
configuration
Trace Pattern
![Page 17: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/17.jpg)
Security Type System (cont’d)
![Page 18: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/18.jpg)
Soundness
Theorem 1. If , then satisfies memory trace obliviousness
![Page 19: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/19.jpg)
Compilation1. Type checking
Standard
2. Allocating variables to ORAM banksAllocate each secret variable in a separate
ORAM bankOther allocation strategy (open)
3. Insert padding instructions (for If)Least common subsequence problem
![Page 20: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/20.jpg)
EvaluationPrograms
Dijstra (100 nodes, 10,000 edges)K-means (100 data points, k=2)Matrix Multiplication (, )
Compilation StrategiesStrawman: place all secret variables in a giant ORAM bank
Opt 1: Store each variable in a separate ORAM bank, but store whole array in the same ORAM bank
Opt 2: store each element in an array in a different ORAM bank when possible (equivalent to encryption only)
![Page 21: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/21.jpg)
Asymptotic Analysis
Program
Memory accesses for data Memory accesses for instructions
Strawman
Opt 1 Opt 2 Strawman
Opt 1 Opt 2
Dijstra
K-means
Mat. mul.
Find max.
![Page 22: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/22.jpg)
Simulation Results
![Page 23: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/23.jpg)
Conclusion
![Page 24: Chang Liu, Michael Hicks, Elaine Shi The University of Maryland, College Park](https://reader030.vdocuments.site/reader030/viewer/2022032801/56649dd25503460f94ac950a/html5/thumbnails/24.jpg)
Q&A