A Verified Confidential Computing as a Service Framework for Privacy Preservation

Authors: 

Hongbo Chen and Haobin Hiroki Chen, Indiana University Bloomington; Mingshen Sun, Independent Researcher; Kang Li and Zhaofeng Chen, CertiK; XiaoFeng Wang, Indiana University Bloomington

Abstract: 

As service providers move to the cloud, users are forced to provision sensitive data to the cloud. Confidential computing leverages hardware Trusted Execution Environments (TEEs) to protect data in use, so that users no longer need to trust the cloud. The emerging service model, Confidential Computing as a Service (CCaaS), is adopted by service providers to offer services in a manner similar to Function-as-a-Service. However, privacy concerns arise in CCaaS, especially in multi-user scenarios. CCaaS needs to assure data providers that the service does not leak their private data to any unauthorized party and that it clears their data after the service. To address such privacy concerns with security guarantees, we first formally define the security objective, Proof of Being Forgotten (PoBF), and prove under which security constraints PoBF can be satisfied. These constraints then serve as guidelines for the implementation of the PoBF-compliant Framework (PoCF). PoCF consists of a generic library for different hardware TEEs, CCaaS prototype enclaves, and a verifier to prove PoBF compliance. PoCF leverages Rust's robust type system and security features to construct a verified state machine with privacy-preserving contracts. Finally, the experimental results show that the protections introduced by PoCF incur minor runtime performance overhead.
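The following is an added illustration, not PoCF's own code, of the idea the abstract describes: using Rust's type system as a typestate state machine so that an enclave session can only be closed after the provisioned secret has been wiped. The state names (Init, Loaded, Forgotten), the session API and the constructed secret are assumptions made for this example.

```rust
// Illustration of a typestate enclave session (assumed design, not PoCF's code):
// the compiler only lets a session be finished from the Forgotten state, and the
// only path from Loaded to Forgotten is forget(), which overwrites the secret.
use std::marker::PhantomData;

pub struct Init;       // no secret provisioned yet
pub struct Loaded;     // secret is in enclave memory and may be computed on
pub struct Forgotten;  // secret has been overwritten; no compute() exists here

pub struct Session<S> {
    secret: Vec<u8>,
    _state: PhantomData<S>,
}

impl Session<Init> {
    pub fn new() -> Self {
        Session { secret: Vec::new(), _state: PhantomData }
    }
    /// Data provider hands over its input; the session moves to Loaded.
    pub fn provision(self, data: &[u8]) -> Session<Loaded> {
        // Exact capacity avoids reallocation, so no stale copy is left behind.
        let mut secret = Vec::with_capacity(data.len());
        secret.extend_from_slice(data);
        Session { secret, _state: PhantomData }
    }
}

impl Session<Loaded> {
    /// The service computation: only the result leaves, never the secret.
    pub fn compute(&self) -> u32 {
        self.secret.iter().map(|&b| b as u32).sum()
    }
    /// The only exit from Loaded: wipe the buffer with volatile writes
    /// (so the optimizer cannot elide them), then move to Forgotten.
    pub fn forget(mut self) -> Session<Forgotten> {
        for b in self.secret.iter_mut() {
            unsafe { std::ptr::write_volatile(b, 0) };
        }
        Session { secret: std::mem::take(&mut self.secret), _state: PhantomData }
    }
}

impl Session<Forgotten> {
    /// Runtime check that the wipe happened; the verifier's job is to prove
    /// statically that this is always true when finish() is reachable.
    pub fn is_clean(&self) -> bool {
        self.secret.iter().all(|&b| b == 0)
    }
    /// Closing the session is only defined for Forgotten sessions.
    pub fn finish(self) {}
}
```

A call such as `Session::new().provision(b"x").finish()` does not compile, because `finish` is not defined for `Session<Loaded>`; the state machine, not the programmer's discipline, enforces the wipe.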

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {291293,
author = {Hongbo Chen and Haobin Hiroki Chen and Mingshen Sun and Kang Li and Zhaofeng Chen and XiaoFeng Wang},
title = {A Verified Confidential Computing as a Service Framework for Privacy Preservation},
booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
year = {2023},
isbn = {978-1-939133-37-3},
address = {Anaheim, CA},
pages = {4733--4750},
url = {https://www.usenix.org/conference/usenixsecurity23/presentation/chen-hongbo},
publisher = {USENIX Association},
month = aug
}