TwinStore: Secure Key-Value Stores Made Faster with Hybrid Trusted/Untrusted Storage
摘要
Key-value (KV) stores are one of the most prominent data storage engines in many cloud services, including those that keep sensitive user information and must be protected against privileged attackers in public clouds. While modern hardware processors could offer isolated execution environments during processing, existing secure KV stores still need to use software-based protection to ensure confidentiality, integrity, and freshness for external data I/O to disks. The recent development of hardware-based trusted I/O and disks provides a new way to implement secure KV stores and obviate software encryption. However, we find that although trusted I/O simplifies freshness enforcement, directly putting all data to the trusted disk is not optimal due to the repetitive encryption agnostic to the application behaviors. We thus propose TwinStore to combine the benefits of the software and hardware, by only storing the metadata associated with freshness in the trusted disks to minimize the performance overheads. With our prototypes on two KV store structures, TwinStore outperforms the software-only and hardware-only designs, by \(18.5\times \) and \(1.1\times \) , respectively.