incubator-teaclave-sgx-sdk

use security and trust proxy to support kvdb like VeritasDB

Open bradyjoestar opened this issue 5 years ago • 8 comments

This issue is related to #103. I recently started reading this paper: VeritasDB: High Throughput Key-Value Store with Integrity using SGX. How about we use this approach to import a kvdb? It's not limited to only rocksdb. If we try to import the db engine, it may take some time, and it's hard to upgrade and find bugs.

Hoping for your suggestions!

bradyjoestar, May 20 '19 06:05

VeritasDB seems to guarantee database integrity; we may need to add encryption at rest and encryption at the untrusted server to protect the database's privacy.

bradyjoestar, May 21 '19 07:05

I'm not a professional Rustacean, so I plan to write a proof of concept in golang for fast development. In theory, we could translate it to rust-sgx-sdk, and db-client and db-server could be supported by any language.

bradyjoestar, May 22 '19 06:05

If users want to use a SQL db, maybe it could be done by mapping the kvdb to a sqldb using the TiDB engine. This needs to be checked.

bradyjoestar, May 22 '19 10:05

VeritasDB:

  • authenticity is enforced via a cryptographic MAC (computed using a secret key), and freshness is enforced using protected state that keeps track of the latest version for each key. Furthermore, since this protected state may grow linearly with the size of the database (specifically, the number of keys), and current SGX CPUs only provide a fixed (relatively tiny) amount of protected memory,
  • a Merkle B-tree data structure, which allows storing state in untrusted non-enclave memory while still cryptographically protecting accesses to that state
  • IV-C discusses how to ensure integrity in the event of crashes in the proxy or the database server, in which case we must defend against rollback attacks.

bradyjoestar, May 23 '19 03:05
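
The MAC-plus-version check described in the comment above, as an added Go example that is not part of the original thread or the linked merkle-btree repository. The `Proxy` and `Record` types, the HMAC-SHA256 choice and the record layout are assumptions; the per-key version map is held directly in trusted memory here, which is the state the comment says a Merkle B-tree would move to untrusted memory.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

var ErrForged, ErrStale = fmt.Errorf("MAC mismatch"), fmt.Errorf("stale version (rollback)")

type Record struct { // stored on the untrusted server (layout is an assumption)
	Value, Tag []byte
	Version    uint64
}

type Proxy struct { // trusted state kept inside the enclave
	macKey   []byte
	versions map[string]uint64 // latest version per key
}

// tag binds key, version and value; the key length is prefixed to avoid ambiguity.
func (p *Proxy) tag(key string, ver uint64, val []byte) []byte {
	hdr := binary.BigEndian.AppendUint64(nil, uint64(len(key)))
	hdr = binary.BigEndian.AppendUint64(hdr, ver)
	m := hmac.New(sha256.New, p.macKey)
	m.Write(append(append(hdr, key...), val...))
	return m.Sum(nil)
}

// Put bumps the trusted version and returns the record to hand to the server.
func (p *Proxy) Put(key string, val []byte) Record {
	p.versions[key]++
	return Record{Value: val, Version: p.versions[key], Tag: p.tag(key, p.versions[key], val)}
}

// Verify checks authenticity (MAC) first, then freshness (trusted version).
func (p *Proxy) Verify(key string, r Record) error {
	if !hmac.Equal(r.Tag, p.tag(key, r.Version, r.Value)) {
		return ErrForged
	}
	if r.Version != p.versions[key] {
		return ErrStale
	}
	return nil
}

func main() {
	p := &Proxy{[]byte("constructed demo key"), map[string]uint64{}}
	fmt.Println(p.Verify("k", p.Put("k", []byte("v1"))))
}
```

A record that carries a valid MAC but an older version is rejected as stale, which is the replay case a MAC alone cannot catch.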

Merkle btree will be supported for both Go and Rust, which is required by present and deleted.

bradyjoestar, May 23 '19 10:05

A simple mbtree was implemented here: https://github.com/bradyjoestar/merkle-btree. I will optimize it after the PoC is finished.

bradyjoestar, May 24 '19 08:05

I've recently been working on merkle-btree-go and merkle-btree-rust.

Maybe it's easy for us to do it with a btree repo on GitHub.

bradyjoestar, May 29 '19 09:05

Recently not solved.

bradyjoestar, Jul 16 '19 03:07