Untrusted Cloud Services
Today, when applications consider moving to the cloud, they must also fully trust cloud providers with their sensitive and important data. Yet the history of such services is one rife with unplanned data disclosures, malicious break-ins, and sometimes insider attacks. And indeed, the very centralization of information makes cloud providers high value targets for attack. This research project challenges the assumption that applications must sacrifice security (integrity) and privacy (confidentiality) in order to enjoy the benefits of cloud deployment, through a series of systems that demonstrate the potential use of untrusted cloud services.
SPORC: Group Collaboration using Untrusted Cloud Resources
Cloud-based services are an attractive deployment model for user-facing applications like word processing and calendaring. Unlike desktop applications, cloud services allow multiple users to edit shared state concurrently and in real-time, while being scalable, highly available, and globally accessible. Unfortunately, these benefits come at the cost of fully trusting cloud providers with potentially sensitive and important data.
To overcome this strict tradeoff, we have designed and prototyped the SPORC system, a generic framework for building a wide variety of collaborative applications with untrusted servers. In SPORC, a server observes only encrypted data and cannot deviate from correct execution without being detected. SPORC allows concurrent, low-latency editing of shared state, permits disconnected operation, and supports dynamic access control even in the presence of concurrency. We have demonstrated SPORC’s flexibility through two prototype applications: a causally-consistent key-value store and a browser-based collaborative text editor.
Conceptually, SPORC illustrates the complementary benefits of operational transformation (OT) and fork* consistency. The former allows SPORC clients to execute concurrent operations without locking and to resolve any resulting conflicts automatically. The latter prevents a misbehaving server from equivocating about the order of operations unless it is willing to fork clients into disjoint sets. Notably, unlike previous systems, SPORC can automatically recover from such malicious forks by leveraging OT’s conflict resolution mechanism.
- SPORC: Group Collaboration using Untrusted Cloud Resources
Ariel J. Feldman, William P. Zeller, Michael J. Freedman, and Edward W. Felten
Proc. 9th Symposium on Operating Systems Design and Implementation (OSDI ’10), October 2010. [pdf]
Untrusted Online Social Networking
Current social networking applications require users to trust service providers with the contents of their social interactions. In response, numerous works have proposed distributing users’ data across multiple servers controlled by different parties. But unless users bear the burden of running their own servers, they are still forced to trust third parties. Instead, we are developing a social networking system that allows users’ data to be hosted entirely on untrusted servers while still protecting the data’s confidentiality and integrity. Our design includes novel data structures that support efficient membership operations even for large groups and provide strong protection against server equivocation for the append-only logs that social networking applications use extensively.