Shruti Tople, Shweta Shinde, Zhaofeng Chen, Prateek Saxena: AUTOCRYPT

AUTOCRYPT: Enabling Homomorphic Computation on Servers to Protect Sensitive Web Content
Shruti Tople, Shweta Shinde, Zhaofeng Chen, Prateek Saxena
National University of Singapore
1
Problem
• Cloud providers offer various services
[Figure: Sensitive Data sent to a Cloud Server; label "Leak data"]
2
Goal
[Figure: Client sends a Request and Encrypted Data; the Output returned is Encrypted Output]
• Preserve confidentiality of user’s data
• By encryption
• Allow benign functionalities on encrypted data
3
Main Insight: Computing on Encrypted Data
• Partially Homomorphic Encryption Schemes
– ==E: Search
– +E: Paillier
– ×E: ElGamal
• Trusted APIs
– To switch between encryption schemes
a = y + z
ans = a × a
4
Enabling Homomorphic Computation: An Example
Unix Word Count (wc)
[Figure: Sensitive Input in RAM; the operations ×E, ==E and +E are marked on the code]
ch = getc(file);
if (ch == '\n')
    lines++;
if (ch == '\r' || ch == '\f') {
    if (linepos > linelength)
        linelength = linepos;
    linepos = 0;
    words++;
}
if (ch == '\t') {
    linepos += 8 - (linepos % 8);
    words++;
}
write_counts (lines, words);
5
Challenges
❶ How to automatically transform applications that work on encrypted content?
❷ Can it be enabled on untrusted commodity cloud server?
❸ Is such a solution practical in the real world?
6
Contributions
[Figure labels: ❶ ‘C’ Program, ❷ AutoCrypted Program, ❸ AutoCrypted Program; AutoCrypt, APIs; properties: Expressiveness, Statically Verified, Efficient, Secure]
7
Our Solution : AutoCrypt
8
AutoCrypt Architecture
[Figure: a ‘C’ Program F with Source Annotations goes through AutoCrypt to give an AutoCrypted Program with APIs; the AutoCrypted Program takes Encrypted Input and produces Encrypted Output]
9
How Does AutoCrypt Work?
[Figure: AutoCrypt as an LLVM Pass. ‘C’ Program → SSA Untyped IR → Information Flow Analysis → Annotated IR → Type Inference → Well Typed IR → Transformation → AutoCrypted Code]
10
AutoCrypt’s Type System
[Figure: ‘C’ Program → Type checks? → YES / NO; failure reasons shown: Unsafe Conversion, Unsupported Operation]
11
What are Unsafe Conversions?
a = y + z
ans = a × a
(Safe Conversion)
v = ch + 1;
if (v == ‘\n’) { .... }
(Unsafe Conversion; callout: "Do +1, +2 and check")
Both need conversion between encryption schemes
Is it safe to convert arbitrarily? NO
Only 6 fixed conversion APIs are allowed
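The scheme switch from the "Main Insight" and "Unsafe Conversions" slides, as an added example that is not from the slides or from the AutoCrypt code base: toy Paillier (+E) and ElGamal (×E) with one trusted conversion between them. The function names, the tiny constructed keys and the decrypt-then-re-encrypt conversion are assumptions made for illustration.

```python
import math
import secrets

# Paillier (+E): multiplying ciphertexts mod n^2 adds the plaintexts.
P, Q = 1019, 1031                  # constructed toy primes, far too small for real use
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
MU = pow(LAM, -1, N)               # valid because the generator is g = n + 1

def pai_enc(m):
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + m * N) * pow(r, N, N2) % N2   # (n + 1)^m == 1 + m*n (mod n^2)

def pai_dec(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def pai_add(c1, c2):
    return c1 * c2 % N2

# ElGamal (xE): multiplying ciphertexts componentwise multiplies the plaintexts.
EP, EG = 2**31 - 1, 7              # constructed toy group: prime modulus, generator 7
EX = secrets.randbelow(EP - 2) + 1 # private key
EH = pow(EG, EX, EP)               # public key

def elg_enc(m):
    k = secrets.randbelow(EP - 2) + 1
    return pow(EG, k, EP), m * pow(EH, k, EP) % EP

def elg_dec(c):
    return c[1] * pow(c[0], EP - 1 - EX, EP) % EP

def elg_mul(c1, c2):
    return c1[0] * c2[0] % EP, c1[1] * c2[1] % EP

def trusted_add_to_mul(c):
    """Hypothetical trusted API: the only code that touches the keys.
    Assumed here to decrypt and re-encrypt inside the trusted component."""
    return elg_enc(pai_dec(c))

def untrusted_server(enc_y, enc_z):
    enc_a = pai_add(enc_y, enc_z)            # a = y + z, under Paillier
    enc_a_mul = trusted_add_to_mul(enc_a)    # switch +E -> xE for the next operator
    return elg_mul(enc_a_mul, enc_a_mul)     # ans = a x a, under ElGamal
```

Plaintexts and results must stay below N for Paillier and below EP for ElGamal, otherwise they wrap modulo the key.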
12
Security: Attacker’s Knowledge Set
13
Security Goal
[Figure: Attacker’s Knowledge Set. A ‘C’ Program F with Source Annotations goes through AutoCrypt; Privacy Preserving Execution: Encrypted Input → AutoCrypted Program → Encrypted Output]
14
Leakage via Execution Path
Unix Word Count (wc)
[Figure: the wc code in RAM with the operations ×E, ==E and +E marked]
Attacker’s Knowledge Set: Search Constants, Program, Execution Path
ch = getc(file);
if (ch == '\n')
    lines++;
if (ch == '\r' || ch == '\f') {
    if (linepos > linelength)
        linelength = linepos;
    linepos = 0;
    words++;
}
if (ch == '\t') {
    linepos += 8 - (linepos % 8);
    words++;
}
write_counts (lines, words);
15
Security Theorem
• Reduced Indistinguishability Modulo W
[Figure: Σ = 256, split into W and Σ-W; test "ch == W" on ch with yes / no branches; outcome labels: Cannot Distinguish, Can Distinguish]
• Adversary is bound to use only W keywords
W = 12 / 256
16
Application of AutoCrypt: Protecting Data on Web Servers
17
Attacks on Web Server
[Figure: Web Server surrounded by attack classes]
• SQL Injection
• Memory Corruption
• File Type Confusion Bugs
• Server Misconfiguration
• Command Injection
Client-Server Architecture: Setup
[Figure: Client with data “A”; Untrusted VM holding the AutoCrypted Program and Encrypted Data; stack below it: Trusted APIs, Trusted Hypervisor, Hardware]
19
Serving Requests
[Figure: Client sends Request: “A” and receives a Response (Plaintext data); in the Untrusted VM the AutoCrypted Program works on Encrypted Data with +E and ×E and returns Encrypted Output; stack below it: Trusted APIs, Trusted Hypervisor, Hardware]
20
Evaluation
21
Selecting Benchmarks
Selection Criteria: Large scale real world applications which are complex enough
On GNU CoreUtils
• Out of total 11 categories: 8 file-based categories, 3 directory based
• Total 30 file-based programs:
shred, truncate, sort, uniq, comm, od, wc, sum, cksum, fmt, fold, pr, expand, unexpand, tr, cut, paste, join, base64, shuf, ptx, head, tail, split, csplit, cat, tac, nl,
22
Additional Micro-benchmarks
• File Utility: determines the MIME type of a file
• 3 Custom Programs used in previous work
[Figure labels: Matrix Multiplication; Image Transforms; Euclidean Distance; Square; Hamming Distance; Face Recognition (twice); citations HFKV’12, HEKM’11]
23
Expressiveness
• Successfully Transformed
– 25 CoreUtils
– File Utility
– 3 Custom Programs
• AutoCrypt’s Rejected Programs (5)
– sort → Order Preserving
– uniq & comm → Deterministic Encryption
– od & cat --show-nonprinting → Unsafe Conversion
24
Reduction in Developer Effort
• 1% instructions are modified (Total: 500 - 3000)
• 9-10% variables are encrypted (Total: 300 - 2500)
• 7-8% constants are encrypted (Total: 10 - 150)
• AutoCrypt automates all of the above
– which is otherwise difficult to identify manually
25
Comparison to Previous Work
• Native Execution
– Fast but not secure
• Circuit Encoding Schemes
– Fully Homomorphic Encryption, Garbled Circuits
– Secure but expensive for real applications
• Not fair to compare with them
26
Efficiency
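• Commercial solutions to protect data
[Figure: Download, Decrypt, Compute; timings shown: 4.88 ms/KB and 6 ms/KB]
• “Download & Compute”
• Out of 25 AutoCrypted programs
[Figure text, pairing lost in extraction: counts 19 and 6; "Execute faster by factor of" and "Execute slower by factor of"; ranges 2 - 6 and 2 - 100]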
27
Conclusion
• Enabling homomorphic computation on untrusted server is a promising direction
• AutoCrypt automates this for the developer
Expressiveness
• GNU CoreUtils
• Custom Programs
• File Utility
Efficiency
• Vs Download & Compute
Secure
• New Reduced Indistinguishability
28
Thank You !
Email : shruti90@comp.nus.edu.sg
29