SecureCached. Secure caching with the Diggi framework.

Abstract

Caching services are vital for the performance of large-scale web services running in the cloud. However, placing sensitive data in caching services, implicitly includes all components of the cloud infrastructure that can be exploited. Therefore, end-users place their trust in the entire security stack of their service providers. In order to achieve confidentiality and integrity of sensitive data residing in cache services, the cloud infrastructure must be removed from the set of trusted components. This has led to a wide adoption of hardware-assisted Trusted Execution Environments (TEEs), protecting user-level software from higher-privileged system software. The capabilities of TEEs do not support running legacy applications out-of-the-box. Many prominent frameworks for tees have been developed to achieve applicability through providing common programming abstractions. However, these frameworks focus on providing native Linux services for tees, which increases the probability for a trusted software component to be exploited. Diggi is one such framework, utilizing Intel’s Software Guard Extension (SGX) trusted computing infrastructure to provide secure execution. Diggi differs from other framework for tees by implementing simplified abstraction for creating distributed cloud applications. Moreover, by employing logically separated tasks split into multiple units of application code, Diggi allows moving parts of the application code and data into a tee, like, for instance, a caching service. This allows to drastically reduce the set of trusted components in a system, and only include the parts that require strong security guarantees. This thesis describes the introduction of a modified memcached implementation, called SecureCached, to the Diggi framework. We demonstrate the feasibility of having a distributed cache deployed in a trusted execution environment.