PRIvacy preserving Multi-compartment Trusted Execution

A project funded by the ANR and DFG

Project Abstract

Nowadays, a wide variety of online services (e.g., web search engines, location-based services, recommender systems) are used by billions of users on a daily basis. Key to the success of these services is the personalisation of their results, that is, returning to each user the results that are closest to their interests. For instance, given the same web search query sent by two different users, search engines generally rank the search results differently to best fit each user's preferences. However, depending on the underlying application, user profiles may contain sensitive information about end users. In this context, it becomes urgent to devise mechanisms that allow users to securely access online services without fearing that their data will be leaked from the cloud platforms where it is stored and processed.

The proposed PRIMaTE project addresses privacy preservation in online services. We propose a system that reduces and precisely specifies trust assumptions, while still providing improved performance compared to the state of the art. Our key contribution will be to systematically decompose these services into strongly hardware-secured compartments, each of which has access only to the data essential for performing its assigned task. In the case of a security breach, for example due to attackers exploiting a weakness in the code of one or even multiple compartments, the impact of the leaked data is bounded and its effect can be precisely quantified. Thus, the attacker might only learn certain aspects of a profile but cannot link it to a user. PRIMaTE achieves this goal by utilizing the novel trusted execution support offered by recent commodity processors, such as the Skylake generation of Intel processors introduced in 2016. Trusted execution as offered by Intel Software Guard Extensions (SGX) is a disruptive technology that will impact how code and data are protected in the future.

PRIMaTE will utilize trusted execution to devise novel privacy-preserving online services. While current research on trusted execution has focused either on deploying whole legacy applications, such as databases, in a single Trusted Execution Environment (TEE) or on ad-hoc solutions that split existing applications into two parts, a trusted and an untrusted one, PRIMaTE aims for a more systematic and fine-grained approach. It aims to develop a methodology for splitting privacy-preserving online services into multiple interacting compartments, each implemented in its own TEE. Each TEE should handle as little data as possible and have a tailored, and therefore minimal, trusted computing base. While the latter makes it hard to exploit a PRIMaTE TEE, the former limits the exposed information if an attacker does succeed in breaking into a TEE.