Users can improve the security of remote communications by using Trusted Execution Environments (TEEs) to protect sensitive data against direct introspection and tampering. This can even be done with applications written in high-level languages with complex programming stacks such as R, Python, and Ruby. However, it creates a trade-off between programming convenience and the risk of attacks that exploit microarchitectural side channels. In this paper, we argue that it is possible to address this problem for important applications by instrumenting a complex programming environment (like R) to produce a Data-Oblivious Transcript (DOT) that is explicitly designed to support computation free of side channels. Such a transcript is then evaluated inside a TEE holding the sensitive data, using a small trusted computing base called the Data-Oblivious Virtual Environment (DOVE). To motivate the problem, we demonstrate a number of subtle side-channel vulnerabilities in the R language. We then provide an illustrative design and implementation of DOVE for R, creating the first side-channel resistant R programming stack. We demonstrate that the two-phase architecture provided by DOT generation and DOVE evaluation can provide practical support for complex programming languages with usable performance and high security assurances against side channels.
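To make the two-phase idea concrete, here is a toy illustration of the architecture the abstract describes: a tracing phase that turns a high-level program into a straight-line data-oblivious transcript, and an evaluation phase that replays that transcript on the secret inputs. This is an added example, not the paper's DOVE code or its DOT format; the `Transcript`, `Sym` and opcode names are invented for illustration, and Python stands in for R because the point is the structure (no secret-dependent control flow or memory access), not the language. CPython integer arithmetic is not constant-time, so the evaluator only demonstrates the shape of an oblivious interpreter.

```python
"""Toy two-phase pipeline: trace a program into a data-oblivious
transcript (DOT), then evaluate that transcript on the secret inputs.

Added example, not the paper's DOVE implementation.  The transcript
format, the Sym/Transcript classes and the opcode names are invented.
"""
from __future__ import annotations
from dataclasses import dataclass, field

WIDTH = 64
MASK = (1 << WIDTH) - 1


class ObliviousViolation(Exception):
    """The traced program tried to make control flow depend on a secret."""


@dataclass
class Transcript:
    """Straight-line program over numbered registers: (opcode, dst, *srcs)."""
    ops: list = field(default_factory=list)
    nregs: int = 0

    def _emit(self, opcode: str, *srcs) -> "Sym":
        dst = self.nregs
        self.nregs += 1
        self.ops.append((opcode, dst, *srcs))
        return Sym(self, dst)

    def input(self, name: str) -> "Sym":
        return self._emit("in", name)          # secret supplied at evaluation

    def const(self, value: int) -> "Sym":
        return self._emit("const", value & MASK)  # public literal


@dataclass
class Sym:
    """Handle to a register; during tracing it never holds a secret value."""
    t: Transcript
    idx: int

    def _coerce(self, other) -> "Sym":
        return other if isinstance(other, Sym) else self.t.const(other)

    def __add__(self, other) -> "Sym":
        return self.t._emit("add", self.idx, self._coerce(other).idx)

    def __sub__(self, other) -> "Sym":
        return self.t._emit("sub", self.idx, self._coerce(other).idx)

    def __lt__(self, other) -> "Sym":
        return self.t._emit("lt", self.idx, self._coerce(other).idx)

    def select(self, if_true, if_false) -> "Sym":
        """Oblivious ternary: self ? if_true : if_false (self must be 0/1)."""
        return self.t._emit("select", self.idx,
                            self._coerce(if_true).idx, self._coerce(if_false).idx)

    def __bool__(self) -> bool:
        # `if secret:` or `while secret:` would make the trace data-dependent,
        # which is exactly the branch side channel the transcript must exclude.
        raise ObliviousViolation("control flow depends on a secret value")


def evaluate(t: Transcript, secrets: dict, out: Sym) -> int:
    """Replay the transcript on concrete values.

    Every branch taken here depends only on the public transcript, never on
    a register's contents, so the instruction and data access pattern is the
    same for all secret inputs.  Inputs are assumed to be below 2**63.
    """
    regs = [0] * t.nregs
    for opcode, dst, *srcs in t.ops:
        if opcode == "in":
            regs[dst] = secrets[srcs[0]] & MASK
        elif opcode == "const":
            regs[dst] = srcs[0]
        elif opcode == "add":
            regs[dst] = (regs[srcs[0]] + regs[srcs[1]]) & MASK
        elif opcode == "sub":
            regs[dst] = (regs[srcs[0]] - regs[srcs[1]]) & MASK
        elif opcode == "lt":
            # sign bit of the 64-bit difference: 1 iff a < b (a, b < 2**63)
            regs[dst] = ((regs[srcs[0]] - regs[srcs[1]]) & MASK) >> (WIDTH - 1)
        elif opcode == "select":
            m = (-regs[srcs[0]]) & MASK               # 0 -> 0, 1 -> all ones
            regs[dst] = (regs[srcs[1]] & m) | (regs[srcs[2]] & ~m & MASK)
        else:
            raise ValueError(f"unknown opcode {opcode}")
    return regs[out.idx]


def trace_clamped_max() -> tuple:
    """max(a, b) clamped to a public ceiling of 100, with no data-dependent branch."""
    t = Transcript()
    a, b = t.input("a"), t.input("b")
    big = (a < b).select(b, a)           # max(a, b)
    over = t.const(100) < big            # 1 if the max exceeds the ceiling
    return t, over.select(100, big)      # min(max(a, b), 100)


def trace_branching_max() -> tuple:
    """The same intent written the 'natural' way; the tracer rejects it."""
    t = Transcript()
    a, b = t.input("a"), t.input("b")
    if a < b:                            # bool(Sym) raises ObliviousViolation
        return t, b
    return t, a


def run_clamped_max(a: int, b: int) -> int:
    """Phase 1 (trace) followed by phase 2 (oblivious evaluation)."""
    t, out = trace_clamped_max()
    return evaluate(t, {"a": a, "b": b}, out)


def opcodes(t: Transcript) -> list:
    """The transcript's shape, which is all an observer of phase 2 can learn."""
    return [op[0] for op in t.ops]
```

The split mirrors the abstract's division of labour: the tracer runs wherever the rich language stack lives and may be as complex as it likes, while the evaluator is the small trusted component inside the TEE and only ever dispatches on the transcript, not on the data. Reading `opcodes(t)` shows why the transcript leaks nothing about `a` and `b`: it is identical for every input.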