X-Search: Revisiting private web search using Intel SGX

X-Search: Revisiting private web search
using Intel SGX
Sonia Ben Mokhtar †, Antoine Boutet †,
Pascal Felber *, Marcelo Pasin *, Rafael Pires *, Valerio Schiavoni *
† LIRIS, CNRS, University of Lyon, France
* University of Neuchâtel, Switzerland
Invited Talk
February 02, 2018 – UFSM, Santa Maria, Brasil
(previously: Middleware’17, Las Vegas, USA)

X-Search: Revisiting private web search with Intel SGX
Invited Talk – February 02, 2018 – UFSM, Santa Maria, Brasil
Introduction
Every day, millions of
users are querying
SEARCH ENGINES
USER PROFILES
We also use this information
[that we collect from all of
our services] to offer you
tailored content – like giving
you more relevant search
results and ads.
http://www.google.com/policies/privacy/
“
”
2

Privacy threats
numb fingers
60 single men
dog that urinates on everything
Landscapers in Lilburn, Ga,
face is
exposed for AOL searcher no. 4417749." New York Times 9.2008
(2006): 8For.
Retrieve user’s identity
User ID
4417749
Barbaro, Michael, Tom Zeller, and Saul Hansell. "A
3

Privacy threats
numb fingers
60 single men
a 62-year-old
widow who
lives in Lilburn,
Ga., and loves
her three
dogs.
Thelma Arnold
Barbaro, Michael, Tom Zeller, and Saul Hansell. "A face is
exposed for AOL searcher no. 4417749." New York Times 9.2008
(2006): 8For.
4

Privacy threats
numb fingers
60 single men
Hansell.
New York
"A face is
Times 9.2008
Barbaro, Michael, Tom Zeller, and Saul
exposed for AOL searcher no.
4417749." (2006): 8For.
a 62-year-old
widowwho lives
in Lilburn,Ga.,
andlovesher
threedogs.
Thelma Arnold
Age
Gender
Zip Code
InterestsDiseases
Religion
Infer extra information
Jones, Rosie, et al. "I know what you did last summer: query
logs and user privacy." Proceedings of the sixteenth ACM
conference on Conference on information and knowledge
management. ACM, 2007.
5

Problem
● How can users protect their privacy from curious
search engines?
1 Hiding identities (IPAddress)
2
6
Making queries and user’s interests
indistinguishable

State of the art
Unlinkability between user and query (Tor)
7

State of the art
Indistinguishability between real and fake queries (TrackMeNot)
8

State of the art
Unlinkability and Indistinguishability (PEAS)
9

Limitations
10
● Tor
– Query content and browser meta-data may be
enough to link it to user
– Performance limitations
● TrackMeNot
– Relies on RSS feeds for fake queries: easy to detect
● PEAS
– Assumes a weak adversary: non colluding proxies

Challenges
1 Stronger adversary model
2
11
Protection against re-identification

X-Search
●
Runs inside SGX enclaves, in the cloud
● Platform is subject to bugs, failures or
malicious behavior
1
12
Stronger adversary model

Software Guard Extensions
SGX
13
●
●
●
New instruction set since Intel Skylake processors (2015)
Provides a protected environment called enclave
– Memory encryption, integrity and freshness
– Not even the OS or hypervisor are able to inspect
– Suitable for using in hostile environments (cloud)
Limitations:
– Memory usage is limited to 128 MB per CPU
Enclave
Create enclave
Call trusted function
…
Execute
Return
Call
gate
Trusted function
Untrusted Code Trusted Code
➊
➋
➏
➎
➍➌
➐

X-Search
● Unlinkability
– Proxy executes the query on user’s behalf
– Encrypted channel, endpoint within SGX enclave
● Indistinguishability
– Query obfuscation with better query quality
– Aggregation of k random past queries and the original
using the logical OR operator
– Past queries are kept in the enclave
2
14

X-Search Architecture
Client Untrusted Cloud Provider Search Engine
15

Encrypted flow
16

Encrypted flow
GET /search?q=Qu
17
Obfuscation

Encrypted flow
GET /search?q=Qu
Obfuscation
Past queries
Get k
random
queries
18

Encrypted flow
GET /search?q=Qu
Obfuscation
Past queries
Get k
random
queries
Store
current
query
19

Encrypted flow
GET /search?q=Qu
Obfuscation
Past queries
Get k
random
queries
Store
current
query
GET /search?q=Qp1 OR Qu OR ... OR Qpk
20

Encrypted flow
GET /search?q=Qu
Obfuscation
Past queries
Get k
random
queries
Store
current
query
Filtering
21

Encrypted flow
GET /search?q=Qu
Obfuscation
Past queries
Get k
random
queries
Store
current
query
Filtering
22

Encrypted flow
GET /search?q=Qu
Obfuscation
Past queries
Get k
random
queries
Store
current
query
Filtering
23

Query obfuscation
rock concerts baby foodORORflu medicationchocolate cake OR
Random positionk = 3
History of
past queries
of all users
Randomly picked
SGX Enclave
24

Evaluation
25
● Dataset: AOL query logs (March to May 2006)
– 100 most active users (meaningful profiles, more
difficult to protect)
– Off-line profile of each user: 2/3 of queries
● Comparison baselines:
– Direct connection (no privacy)
– Tor
– PEAS

Performance
0.57
26
1.060.13

Privacy 27 % improvement
0.16
0.12
Privacy
27

Accuracy
0.87
0.74
Accuracy
28

Memory usage
900,000
29

Performance
8.86 ms
0.83 ms
2400 req/s
26,000 req/s
30

Conclusions
1
2
3
31
Stronger adversary model
– by leveraging SGX
– presents acceptable accuracy for low numbers of fake queries
– performs better than PEAS with regards to a re-identification
attack due to its obfuscation strategy
Performance
– has better round-trip time and throughput × latency
than alternatives
●
Future work
– Scalability

Thank you.
Questions?
For off-line questions, also in Portuguese: Rafael Pires
rafael.pires@unine.ch
valerio.schiavoni@unine.ch
32

54
●
●
●
Code and platform on which clients run are trusted
X.Search proxy runs on public cloud platforms
– Can arbitrarily deviate from correct behavior
– Subject to bugs, failures or malicious behavior
Search engine is honest but curious
– Behaves correctly by serving queries
– May collect and exploit client information in all possible
ways (including re-identification attacks)
– May collude with proxy nodes
Adversary Model

Encrypted flow
GET /search?q=Qu
Obfuscation
Past queries
Get k
random
queries
Store
current
query
Filtering
34

Filtering
Rock and Roll Concert Tickets
And Info!
Rock Concerts Now is your
home for the hottest concert
tickets, tour schedules and artist
updates!
Query results
1. The Most Amazing Chocolate
Cake Recipe
The Most Amazing Chocolate
Cake is here. Find more food
recipes.
35
2.

Filtering
And Info!
updates!
Query Score
chocolate+cake
flu+medication
rock+concerts
baby+food
36
*
Query results
Cake Recipe
recipes.
2.

Filtering
And Info!
updates!
Query results
Cake Recipe
recipes.
37
2.
Query Score
chocolate+cake 4
flu+medication
rock+concerts
baby+food
*

Filtering
And Info!
updates!
Query Score
chocolate+cake 4
flu+medication 0
rock+concerts
baby+food
38
*
Query results
Cake Recipe
recipes.
2.

Filtering
And Info!
updates!
Query Score
chocolate+cake 4
flu+medication 0
rock+concerts 0
baby+food
39
*
Query results
Cake Recipe
recipes.
2.

Filtering
And Info!
updates!
Query Score
chocolate+cake 4
flu+medication 0
rock+concerts 0
baby+food 1
40
*
Query results
Cake Recipe
recipes.
2.

Filtering
And Info!
updates!
Query results
Cake Recipe
recipes.
2.
Query Score
chocolate+cake 4
flu+medication 0
rock+concerts 0
baby+food 1
*
Max
41

Filtering
And Info!
updates!
Query results
1.
2.
Query Score
chocolate+cake 4
flu+medication 0
rock+concerts 0
baby+food 1
*
Max
The Most Amazing Chocolate ✘Cake Recipe
recipes.
42

Filtering
And Info!
updates!
Query results
43
1.
2.
Query Score
chocolate+cake 0
flu+medication 0
rock+concerts 3
baby+food 0
*
recipes.

Filtering
And Info!
updates!
Query results
1.
2.
Query Score
chocolate+cake 0
flu+medication 0
rock+concerts 3
baby+food 0
*
recipes.
Max
44

Filtering
And Info!
updates!
Query results
1.
2.
Query Score
chocolate+cake 0
flu+medication 0
rock+concerts 3
baby+food 0
*
recipes.
Max
✔
45

X-Search: Revisiting private web search using Intel SGX

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie X-Search: Revisiting private web search using Intel SGX

Ähnlich wie X-Search: Revisiting private web search using Intel SGX (20)

Mehr von vschiavoni

Mehr von vschiavoni (13)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

X-Search: Revisiting private web search using Intel SGX