查看文章

Protecting data-in-use from privileged attackers is challenging. New CPU extensions (notably: Intel SGX) and cryptographic techniques (specifically: Homomorphic Encryption) can guarantee privacy even in untrusted third-party systems. HE allows sensitive processing on ciphered data. However, it is affected by i) a dramatic ciphertext expansion making HE unusable when bandwidth is narrow, ii) unverifiable conditional variables requiring off-premises support. Intel SGX allows sensitive processing in a secure enclave. Unfortunately, it is i) strictly bonded to the hosting server making SGX unusable when the live migration of cloud VMs/Containers is desirable, ii) limited in terms of usable memory, which is in contrast with resource-consuming data processing. In this article, we propose the VIrtual Secure Enclave (VISE), an approach that effectively combines the two aforementioned techniques, to overcome their …