Is a Safer Cloud on the Horizon?
A new technology called Haven could provide unprecedented protection for data stored in the cloud
When you store data in the cloud, you entrust the cloud provider with your data. You essentially cross your fingers and hope the provider won’t leak the data, tamper with it, or leave it vulnerable to hackers or malicious code stored by others on the same machine. You take a leap of faith that the provider’s employees are trustworthy and won’t compromise your secrets.
This is a disincentive for many companies to consider moving their run-the-business data and applications to the cloud. Despite the promise of tremendous cost savings by moving computing and data storage to the cloud, the risks are not insignificant for organizations in highly regulated industries, or others alarmed by revelations of NSA spying and government subpoenas that have required cloud providers to reveal user data without informing users.
The problem of trust in cloud computing has occupied security researchers for years.
In early October, Microsoft researchers Andrew Baumann (@1andrewb), Marcus Peinado, and Galen Hunt (@igalenhunt) unveiled a groundbreaking new system called Haven that could allow users to run existing software and data in the cloud with the same trust in the privacy and integrity of the data that they would have if it were on-site or in a secure co-location facility.
Haven is garnering attention and generating excitement both within and outside the research community, and the paper that details it won a best paper award at the 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2014), a leading research conference.
An unconventional approach
The solution in this case emerged from an unexpected direction, and from researchers whose specialty lies outside the field of traditional computer security. The researchers behind Haven are in fact part of the Operating Systems group at Microsoft Research.
“When you talk about research, normally you have some fundamental problem you want to work on, and then you try to come up with different technical solutions to that problem,” says Baumann. “This was one of those funny cases where the problem wasn’t the genesis.”
The genesis was two existing technologies, each with a far more limited purpose. Microsoft Research had a system called Drawbridge, developed by Hunt and others, that improved the efficiency of virtualization—it increased the number of user programs that can run on a single machine by running each one within what is called a library operating system. Hunt, Baumann, and Peinado then heard about a hardware extension being designed at Intel that would allow a portion of an application to run securely on a platform that has bugs or is compromised. The technology, called SGX, runs security-critical parts of the application within a protected “enclave” in which the data is encrypted. Intel designed SGX to protect specific application components, enabling applications such as a secure password manager or a secure document viewer.
Protecting data from cloud providers’ software and even malware
Baumann and his team had the idea of running Drawbridge within an SGX enclave, and researchers at Intel worked with the team on SGX integration. Once the team got the first prototype of the combined system working, they realized that it might provide a way for applications to run in the cloud without trusting any other software on the cloud provider’s system.
“The problem that it was applicable to was, in hindsight, really, really obvious,” says Baumann. “But we actually started with the technology.”
The researchers have shown that Haven can protect user data in the cloud from the cloud provider’s software as well as from anyone else’s software or even malware on the same machine. “The cloud provider only ever sees encrypted data,” Baumann says, “and the only thing the cloud provider could give to the government or some law enforcement body would be encrypted data. There’s no way for them to see the raw data.”
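The trust split the article describes, as an added illustration that is not code from the Haven paper or from Microsoft Research: an untrusted host (the provider's stack and storage) that can read and rewrite everything it holds but never has the key, and an enclave that alone seals and unseals data. The class names, the sealing format and the HMAC-based cipher are constructed for this example; real SGX sealing, attestation and Haven's library OS are not modelled, and the cipher is a stand-in for a proper AEAD.

```python
import hashlib
import hmac
import os


class IntegrityError(Exception):
    """Raised when sealed data fails its authentication check."""


class UntrustedHost:
    """Constructed stand-in for the provider's software and storage outside
    the enclave: it can read and modify every byte it stores, but it never
    holds the key, so it only ever sees ciphertext."""

    def __init__(self):
        self.store = {}

    def put(self, name, blob):
        self.store[name] = bytes(blob)

    def get(self, name):
        return self.store[name]

    def flip_byte(self, name, offset):
        """A malicious or buggy host changing stored data in place."""
        data = bytearray(self.store[name])
        data[offset] ^= 0x01
        self.store[name] = bytes(data)


class Enclave:
    """Constructed stand-in for the shielded application: the only key holder.

    Sealed format (invented here): nonce(16) || ciphertext || tag(32).
    Encryption is a counter-mode keystream built from HMAC-SHA256, and the
    tag is HMAC-SHA256 over nonce||ciphertext (encrypt-then-MAC). This is
    enough to show the trust split, not a replacement for a real AEAD."""

    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self, key):
        if len(key) != 32:
            raise ValueError("key must be 32 bytes")
        # Derive separate encryption and MAC keys; neither leaves the enclave.
        self._enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        out = bytearray()
        counter = 0
        while len(out) < length:
            msg = nonce + counter.to_bytes(8, "big")
            out.extend(hmac.new(self._enc_key, msg, hashlib.sha256).digest())
            counter += 1
        return bytes(out[:length])

    def seal(self, plaintext):
        nonce = os.urandom(self.NONCE_LEN)
        ks = self._keystream(nonce, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def unseal(self, blob):
        if len(blob) < self.NONCE_LEN + self.TAG_LEN:
            raise IntegrityError("sealed blob too short")
        nonce = blob[:self.NONCE_LEN]
        ciphertext = blob[self.NONCE_LEN:-self.TAG_LEN]
        tag = blob[-self.TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        # Constant-time compare so the check itself leaks nothing about the tag.
        if not hmac.compare_digest(tag, expected):
            raise IntegrityError("sealed data was modified outside the enclave")
        ks = self._keystream(nonce, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


def run_scenario(record=b"customer=acme;balance=1200"):
    """Exercise the two guarantees from the article: the provider sees only
    ciphertext, and tampering by the provider is detected, not silently read."""
    host = UntrustedHost()
    enclave = Enclave(os.urandom(32))  # constructed key; never given to the host

    host.put("record", enclave.seal(record))
    provider_sees_plaintext = record in host.get("record")
    roundtrip_ok = enclave.unseal(host.get("record")) == record

    # The host flips one byte of the stored ciphertext.
    host.flip_byte("record", Enclave.NONCE_LEN + 3)
    try:
        enclave.unseal(host.get("record"))
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True

    return {
        "provider_sees_plaintext": provider_sees_plaintext,
        "roundtrip_ok": roundtrip_ok,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the split is that `UntrustedHost` has full read and write access to what it stores, which is exactly the position of a cloud provider's OS and hypervisor, yet the only outcomes available to it are seeing ciphertext or causing an authentication failure that the application notices.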
The Intel Labs SGX team even made some modifications to SGX to better support Haven. The first public demo of the system was jointly presented by the Microsoft Research and Intel teams.
Intel has not yet announced a release date for SGX, but it released the first specification in 2013 and last month issued the revised specification, which includes the modifications to support Haven. For now, Haven runs on an emulator.
“We’ve proved all the concepts, and we’ve analyzed the behavior and the performance of the system enough to write a research paper about it,” Baumann says. “We’ve shown how it can be done. If—hopefully, once—they build the hardware, this is something we can take to the next level and try to go beyond the research and see if we can build a real system and make it fly.”
A counterintuitive design that offers a huge advantage: no re-engineering
Not only are Baumann and his team an unlikely group to tackle the problem of trust in the cloud, but the solution that Haven offers is counterintuitive from the perspective of traditional computer security.
“Security people traditionally are very focused on the trusted computing base,” explains Baumann. “It means the set of all things—software and hardware—that need to be correct, that you need to trust, to ensure the overall security of your system. Obviously, one really important way to improve the security of a system is to reduce the size of the trusted computing base.
“Haven, in one sense, flies in the face of all of that because the trusted computing base for Haven is pretty big,” he says. “It includes the application, the library operating system—which includes vast amounts of code—and a couple of other bits and pieces.”
From the standard security perspective, that’s not good. But from a practical perspective, Haven offers a huge advantage in that existing applications can run within the system without any re-engineering or modification.
“We can take unmodified applications like a SQL database that people already run on their own machines outside the cloud and move them into a secure environment in the cloud,” says Baumann. “Yes, there’s a lot more code in the trusted computing base, but, practically, you end up with a more secure system than if you didn’t have it.”
Cloud users shouldn’t have to trust the cloud provider beyond the raw resources needed to run the technology, he says.
“You have to trust the provider to keep the power on and allow you to send packets on the network, but you should not have to trust the provider not to leak or tamper with your data,” he says. “If this kind of hardware becomes more widespread, I very much hope that in the future this will be the default model for the way things work in the cloud.”
Hunt echoes Baumann’s optimism about what Haven can bring to the world of cloud computing. “For a typical Microsoft enterprise customer, this means that in the future, they could store even their most sensitive data and run their most sensitive applications in the cloud with complete peace of mind,” he says.
And for the industry as a whole? “If Haven effectively addresses individuals’ and businesses’ concerns about trust,” says Hunt, “any lingering doubts about moving run-the-business data and workloads to the cloud could be removed, and the headlong rush to the cloud will begin in earnest.”