Untrusted Cloud Services

Today, when applications consider moving to the cloud, they must also fully trust cloud providers with their sensitive and important data. Yet the history of such services is one rife with unplanned data disclosures, malicious break-ins, and sometimes insider attacks. And indeed, the very centralization of information makes cloud providers high value targets for attack. This research project challenges the assumption that applications must sacrifice security (integrity) and privacy (confidentiality) in order to enjoy the benefits of cloud deployment, through a series of systems that demonstrate the potential use of untrusted cloud services.

SPORC: Group Collaboration using Untrusted Cloud Resources

Cloud-based services are an attractive deployment model for user-facing applications like word processing and calendaring.  Unlike desktop applications, cloud services allow multiple users to edit shared state concurrently and in real-time, while being scalable, highly available, and globally accessible.  Unfortunately, these benefits come at the cost of fully trusting cloud providers with potentially sensitive and important data.

To overcome this strict tradeoff, we have designed and prototyped the SPORC system, a generic framework for building a wide variety of collaborative applications with untrusted servers. In SPORC, a server observes only encrypted data and cannot deviate from correct execution without being detected. SPORC allows concurrent, low-latency editing of shared state, permits disconnected operation, and supports dynamic access control even in the presence of concurrency. We have demonstrated SPORC’s flexibility through two prototype applications: a causally-consistent key-value store and a browser-based collaborative text editor.

Conceptually, SPORC illustrates the complementary benefits of operational transformation (OT) and fork* consistency.  The former allows SPORC clients to execute concurrent operations without locking and to resolve any resulting conflicts automatically.  The latter prevents a misbehaving server from equivocating about the order of operations unless it is willing to fork clients into disjoint sets.  Notably, unlike previous systems, SPORC can automatically recover from such malicious forks by leveraging OT’s conflict resolution mechanism.
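A minimal model of the fork* consistency check described above, as an added example that is not SPORC's own code: every operation carries a hash over the submitter's committed history, so a recipient can tell whether the server showed the submitter the same history it showed them. The class names, the hash construction and the toy key-value payloads are assumptions.

```python
import hashlib
import json

GENESIS = "genesis"

def chain_hash(prev_head, op):
    """One link of the history hash chain: H(prev_head || canonical op)."""
    body = json.dumps(op, sort_keys=True)
    return hashlib.sha256(f"{prev_head}|{body}".encode()).hexdigest()

class Client:
    """Collaborator keeping a hash chain over the ops the server has committed."""
    def __init__(self, name):
        self.name = name
        self.heads = [GENESIS]  # heads[i] = chain head after i committed ops
        self.store = {}         # toy key-value state built from the ops

    def make_op(self, payload):
        # Embed the author's history position and chain head so recipients can check they saw the same prefix.
        return {"author": self.name, "prev_seq": len(self.heads) - 1,
                "prev_hash": self.heads[-1], "payload": payload}

    def receive(self, op):
        """Apply a server-committed op; return False if it reveals a fork."""
        seq = op["prev_seq"]
        # A correct server never forwards an op whose author saw a prefix we lack, or one whose prefix hash differs.
        if seq >= len(self.heads) or self.heads[seq] != op["prev_hash"]:
            return False
        self.heads.append(chain_hash(self.heads[-1], op))
        self.store[op["payload"]["set"]] = op["payload"]["val"]
        return True

def run(equivocate):
    """Simulate two clients; return (consistent, alice_state, bob_state)."""
    alice, bob = Client("alice"), Client("bob")
    # Both submit concurrently against the empty history.
    a1 = alice.make_op({"set": "title", "val": "draft"})
    b1 = bob.make_op({"set": "owner", "val": "bob"})
    # An honest server commits one total order and delivers it to everyone;
    # an equivocating one shows Alice [a1, b1] but Bob [b1, a1].
    for op in [a1, b1]:
        assert alice.receive(op)
    for op in ([b1, a1] if equivocate else [a1, b1]):
        assert bob.receive(op)
    # Alice's next op embeds her chain head at seq 2. Once the server forwards
    # it to Bob, his head at seq 2 must match, or the fork is exposed.
    a2 = alice.make_op({"set": "title", "val": "final"})
    assert alice.receive(a2)
    return bob.receive(a2), alice.store, bob.store
```

Recovering from a detected fork (merging the two divergent histories via OT, as SPORC does) is not modelled here; the example stops at detection.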

Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider

Today’s social networking services require users to trust the service provider with the confidentiality and integrity of their data. But with their history of data leaks and privacy controversies, these services are not always deserving of this trust. Indeed, a malicious provider could not only violate users’ privacy, it could equivocate and show different users divergent views of the system’s state. Such misbehavior can lead to numerous harms including surreptitious censorship.

In light of these threats, this project has developed Frientegrity, a framework for social networking applications that can be realized with an untrusted service provider. In Frientegrity, a provider observes only encrypted data and cannot deviate from correct execution without being detected. Prior secure social networking systems have either been decentralized, sacrificing the availability and convenience of a centralized provider, or have focused almost entirely on users’ privacy while ignoring the threat of equivocation. On the other hand, existing systems that are robust to equivocation do not scale to the needs of social networking applications, in which users may have hundreds of friends and are mainly interested in the latest updates, not in the thousands that may have come before.

To address these challenges, we present a novel method for detecting provider equivocation in which clients collaborate to verify correctness. In addition, we introduce an access control mechanism that offers efficient revocation and scales logarithmically with the number of friends. We present a prototype implementation demonstrating that Frientegrity provides latency and throughput that meet the needs of a realistic workload.