Enabling Verifiable Execution of Distributed Secure Enclave Platforms

Saharsh Agrawal and Karen Tu

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2021-153

May 21, 2021

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2021/EECS-2021-153.pdf

Outsourcing data computations to a cloud provider is a common way to process large datasets. However, a user might not trust the cloud provider with sensitive data, and enclaves are a promising way to ensure data confidentiality and integrity. For distributed applications, code that affects data flow but not the data contents can be placed outside of the enclave; the execution of the data flow can be verified to have happened correctly. However, there are no existing frameworks to perform this verification.

We propose an execution flow verification library. Our library contributes (i) a way to securely log inputs and outputs of enclave functions, (ii) a verification strategy based on a ruleset specification and (iii) automatic API integration and ruleset generation. This saves developers from having to write their own custom application-specific verification code. Our library provides data flow integrity at the cost of a reasonable code footprint of about 500 lines and a latency overhead of roughly 3%.

An orthogonal line of research over the past several years has been blockchain and distributed ledger platforms, some with smart contract capabilities. Supporting private data and computation on such platforms using secure enclaves (e.g. Intel SGX) has become of interest as of late. Hyperledger Fabric Private Chaincode (FPC) is one such project; however it currently lacks a way to prevent speculative execution since the previous mechanism to prevent this (explicit barrier placed on-chain) is no longer feasible due to design constraints imposed by the Hyperledger Fabric maintainers. We demonstrate how our verification system is useful for synchronizing peers and preventing speculative execution in FPC by using runtime verification as the barrier instead.

Advisors: Raluca Ada Popa

BibTeX citation:

@mastersthesis{Agrawal:EECS-2021-153,
    Author= {Agrawal, Saharsh and Tu, Karen},
    Title= {Enabling Verifiable Execution of Distributed Secure Enclave Platforms},
    School= {EECS Department, University of California, Berkeley},
    Year= {2021},
    Month= {May},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2021/EECS-2021-153.html},
    Number= {UCB/EECS-2021-153},
    Abstract= {Outsourcing data computations to a cloud provider is a common way to process large datasets. However, a user might not trust the cloud provider with sensitive data, and enclaves are a promising way to ensure data confidentiality and integrity. For distributed applications, code that affects data flow but not the data contents can be placed outside of the enclave; the execution of the data flow can be verified to have happened correctly. However, there are no existing frameworks to perform this verification.

We propose an execution flow verification library. Our library contributes (i) a way to securely log inputs and outputs of enclave functions, (ii) a verification strategy based on a ruleset specification  and (iii) automatic API integration and ruleset generation. This saves developers from having to write their own custom application-specific verification code. Our library provides data flow integrity at the cost of a reasonable code footprint of about 500 lines and a latency overhead of roughly 3%.

An orthogonal line of research over the past several years has been blockchain and distributed ledger platforms, some with smart contract capabilities. Supporting private data and computation on such platforms using secure enclaves (e.g. Intel SGX) has become of interest as of late. Hyperledger Fabric Private Chaincode (FPC) is one such project; however it currently lacks a way to prevent speculative execution since the previous mechanism to prevent this (explicit barrier placed on-chain) is no longer feasible due to design constraints imposed by the Hyperledger Fabric maintainers. We demonstrate how our verification system is useful for synchronizing peers and preventing speculative execution in FPC by using runtime verification as the barrier instead.},
}

EndNote citation:

%0 Thesis
%A Agrawal, Saharsh 
%A Tu, Karen 
%T Enabling Verifiable Execution of Distributed Secure Enclave Platforms
%I EECS Department, University of California, Berkeley
%D 2021
%8 May 21
%@ UCB/EECS-2021-153
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2021/EECS-2021-153.html
%F Agrawal:EECS-2021-153