CRII: SaTC: Evolving I/O Protocols for Confidential Computing

CRII：SaTC：用于机密计算的不断发展的 I/O 协议

• 批准号: 2348130
• 负责人: Stephen Herwig
• 金额: $ 16.5万
• 依托单位: College of William and Mary
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2024
• 资助国家: 美国
• 起止时间: 2024-06-01 至 2026-05-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2348130&HistoricalAwards=false
• 关键词: CRII; SaTC; Evolving; Protocols; Confidential

Cloud computing has quickly become a standard approach for deploying online services due to its scalability and cost savings, despite the new threats it poses for data security and privacy. As the cloud service provider (CSP) operates the hardware and privileged software, a malicious CSP can readily access or alter a customer’s sensitive data, while a bug in the CSP’s software can allow an attacker to do the same. To improve cloud security, the major chip designers recently added support for confidential computing: running a workload in a secure hardware enclave where the workload’s memory is encrypted, thus shielding it from the CSP. This proposal advances the knowledge for extending confidential computing to distributed services, an increasingly common type of cloud computing. The proposed research will develop innovative, open-source systems software for organizations to make use of essential cloud services without sacrificing their privacy or the privacy of their users. To prepare the next generation of cybersecurity practitioners, planned activities include the mentoring undergraduates and outreach programs for K-12 students.The proposal’s central research questions are: (1) how must protocols handle authentication and authorization when some nodes in the system are enclaves, and (2) how can protocols safely encompass a mix of trusted and untrusted nodes, including nodes that an attacker compromised. The proposal investigates these questions for two important existing protocols: Transport Layer Security (TLS) and cloud object storage. Specifically, the proposal seeks to extend TLS to allow an enclave to authenticate itself using a set of identities (such as its launch measurement, runtime measurement, and domain name), and explores the use of joint signature schemes to make such authentication efficient and elegant. Having support for complex endpoint authentication, the proposal then develops extensions to TLS for authorizing how enclaves may share data, thus enforcing the flow of information through a distributed system of diverse parties. Finally, the proposal explores storage protocol extensions that mitigate the damage of key compromise in a shared, encrypted cloud object store by using efficient, enclave-assisted, key rotation and data re-encryption.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

云计算由于其可扩展性和成本节省而迅速成为部署在线服务的标准方法，目的地为数据安全和隐私带来的新威胁。由于云服务提供商（CSP）操作硬件和特权软件，因此恶意CSP可以随时访问或更改客户的敏感数据，而CSP软件中的错误可以允许攻击者这样做。为了提高云安全性，主要的芯片设计人员最近添加了对机密计算的支持：在安全的硬件飞地中运行工作负载，在该空地上加密工作负载的内存，从而将其屏蔽到CSP中。该建议将将机密计算扩展到分布式服务的知识，这是一种日益普遍的云计算类型。拟议的研究将为组织开发创新的开源系统软件，以利用基本的云服务而无需牺牲其用户的隐私或隐私。 To prepare the next generation of cybersecurity practitioners, planned activities include the mentaling undergraduates and outreach programs for K-12 students.The proposal’s central research questions are: (1) how must protocols handle authentication and authorization when some nodes in the system are enclaves, and (2) how can protocols safely encompass a mix of trusted and untrusted nodes, including nodes that an attacker compromised.该提案针对两个重要的现有协议调查了这些问题：运输层安全性（TLS）和云对象存储。具体而言，该提案试图扩展TLS，以允许飞地使用一组身份（例如其启动测量，运行时测量和域名）对自己进行身份验证，并探索使用联合签名方案的使用以使这种身份验证有效且优雅。随后，该提案支持复杂的端点身份验证，为TLS开发了扩展，以授权飞地如何共享数据，从而通过Divers Adenty的分布式系统来实施信息流。最后，该提案探讨了通过使用高效，飞地辅助，密钥旋转和数据重新加入的共享，加密对象存储中关键妥协损害的存储协议扩展。该奖项反映了NSF的法定任务，并被认为是通过基金会的知识优点和广泛的crister cripers crietia criperia criperia criperia criperia criperia criperia criperia criperia criperia criperia criperia criperia criperia criperia criperia criperia recectia recectia this奖项。