Data Centers

Microsoft EnclaveDB can defend against malicious database admins, compromised OS

EnclaveDB is a research project from Imperial College London and Microsoft that uses trusted hardware to protect that data.

EnclaveDB, a new project from researchers at Microsoft and Imperial College London, uses trusted hardware to protect a database from insider and outsider threats.

As noted in a research paper, hardware like Intel SGX is used to store sensitive data in enclaves within the database. Examples of such sensitive data are tables, indexes, and other metadata, the paper said.

By securing data in such a way, Microsoft can help protect the database from an insider threat such as a malicious database admin, as well as a compromised operating system or hypervisor, the paper said. It also provides security "when the database runs in an untrusted host in the cloud," the paper noted.

SEE: Information security incident reporting policy (Tech Pro Research)

"EnclaveDB has a small trusted computing base, which includes an in-memory storage and query engine, a transaction manager and pre-compiled stored procedures," the paper said. "A key component of EnclaveDB is an efficient protocol for checking integrity and freshness of the database log. The protocol supports concurrent, asynchronous appends and truncation, and requires minimal synchronization between threads."

In terms of programming model, the EnclaveDB works similar to a traditional relational database. Tables can be queried using using stored procedures in SQL, and certain users must be authorized to be able to create tables in the database, the paper said.

After performing experiments with industry standard benchmarks, the researchers were able to achieve the security of EnclaveDB with up to 40% overhead for TPC-C compared to an in-memory database.

As noted by The Register, the non-enclave part of the database handles admin tasks but doesn't give any access to the enclave itself. And the queries handled through the enclave require a very complex process.

"EnclaveDB clients execute pre-compiled queries by establishing a secure channel with the enclave and sending requests with encrypted parameters," the paper said. "The enclave authenticates requests, decrypts parameters, executes the pre-compiled query, encrypts query results, and sends the results back to the client."

The big takeaways for tech leaders:
  • EnclaveDB, from Microsoft and Imperial College London, uses Intel SGX hardware to create a secure enclave database for sensitive data.
  • The EnclaveDB can protect against insider threats including malicious database admins, due to its secure enclave for critical data.

Also see

dc.jpg
Image: iStockphoto/HYWARDS

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.

Editor's Picks

Free Newsletters, In your Inbox