Yanjing Ren,Jingwei Li,Zuoru Yang,Patrick P. C. Lee,Xiaosong Zhang

2021-01-01

Abstract:Encrypted deduplication preserves the deduplication effectiveness on encrypted data and is attractive for outsourced storage. However, existing encrypted deduplication approaches build on expensive cryptographic primitives that incur substantial performance slowdown. We present SGXDedup, which leverages Intel SGX to speed up encrypted deduplication based on server-aided message-locked encryption (MLE), while preserving security via SGX. SGXDedup implements a suite of secure interfaces to execute MLE key generation and proof-ofownership operations in SGX enclaves. It also proposes various designs to support secure and efficient enclave operations. Evaluation on synthetic and real-world workloads shows that SGXDedup achieves significant speedups and maintains high bandwidth and storage savings.

Jian Liu,N. Asokan,Benny Pinkas

DOI: https://doi.org/10.1145/2810103.2813623

2015-01-01

Abstract:Encrypting data on client-side before uploading it to a cloud storage is essential for protecting users' privacy. However client-side encryption is at odds with the standard practice of deduplication. Reconciling client-side encryption with cross-user deduplication is an active research topic. We present the first secure cross-user deduplication scheme that supports client-side encryption without requiring any additional independent servers. Interestingly, the scheme is based on using a PAKE (password authenticated key exchange) protocol. We demonstrate that our scheme provides better security guarantees than previous efforts. We show both the effectiveness and the efficiency of our scheme, via simulations using realistic datasets and an implementation.

Prince Hamandawana,Da-Jung Cho,Tae-Sun Chung

DOI: https://doi.org/10.3390/electronics13224393

IF: 2.9

2024-11-10

Electronics

Abstract:Conventional deduplication systems face critical challenges such as excessive write amplification, high read/write latency, and sub-optimal storage utilization. These limitations often undermine the performance benefits of deduplication by slowing down I/O acknowledgements due to amplified deduplication I/Os, excessive data chunk replication, and strict consistency requirements. To address these issues, we present Speed-Dedup, a novel deduplication framework that employs a deduplicated primary–semi-deduplicated replica object approach. This strategy reduces write amplification by restricting deduplication to the primary object while maintaining a semi-deduplicated replica object used for immediate read/write acknowledgements, thus enhancing I/O latency and storage efficiency. Speed-Dedup also replaces traditional strong consistency models with eventual consistency, allowing for non-blocking read operations and improving overall system throughput. Experimental results demonstrate that Speed-Dedup significantly outperforms traditional methods like GRATE and CAO, showing up to 21% improvement in I/O performance under low deduplication ratios and maintaining 14% or more gains under higher ratios. Additionally, write amplification is substantially reduced and latency improves by over 100% with faster recovery times during system failures. These findings highlight the effectiveness of Speed-Dedup as a scalable and efficient solution.

engineering, electrical & electronic,computer science, information systems,physics, applied

Wen Xia,Hong Jiang,Dan Feng,Lei Tian,Min Fu,Zhongtao Wang

DOI: https://doi.org/10.1109/nas.2012.46

2012-01-01

Abstract:Data deduplication, an efficient space reduction method, has gained increasing attention and popularity in data-intensive storage systems. Most existing state-of-the-art deduplication methods remove redundant data at either the file level or the chunk level, which incurs unavoidable and significant overheads in time (due to chunking and fingerprinting). These overheads can degrade the write performance to an unacceptable level in a data storage system. In this paper, we propose P-Dedupe, a fast and scalable deduplication system. The main idea behind P-Dedupe is to fully compose pipelined and parallel computations of data deduplication by effectively exploiting the idle resources of modern computer systems with multi-core and many-core processor architectures. Our experimental evaluation of the P-Dedupe prototype based on real-world datasets shows that P-Dedupe speeds up the deduplication write throughput by a factor of 2~4 through pipelining deduplication and parallelizing hash calculation and achieves 80%~250% of the performance of a conventional storage system without data deduplication.

Pengfei Wu,Jianting Ning,Wu Luo,Xinyi Huang,Debiao He

DOI: https://doi.org/10.1109/tsc.2021.3123511

IF: 11.019

2021-01-01

IEEE Transactions on Services Computing

Abstract:Nowadays, data privacy is one of the most critical concerns in cloud computing, and many privacy-preserving distributed computing systems based on the trusted execution environment (e.g., Intel SGX) have been proposed to protect the user's privacy during cloud-outsourced computation. However, these SGX-based solutions are vulnerable to some traffic analyses, and loading all tasks into the enclave introduces much overhead for frequent EPC-paging. In this article, we propose a T-SGX framework, which keeps the confidentiality of a distributed job and guarantees the system efficiency by allowing dynamically loading an enclave shared object for the task under processing. In T-SGX, all these objects are secretly shared and stored in a verifiably distributed share management system (SMS) outside the TCB. To mitigate the exposure of sensitive information, we present an efficient oblivious transfer (OT) protocol under the Decisional Diffie-Hellman (DDH) assumption for obliviously transmitting desired shares. Detailed security analysis demonstrates that the proposed T-SGX achieves the goal of secure distributed computing without privacy leakage to unauthorized parties. Finally, we benchmark the framework in six real-world applications, and the experimental results show that T-SGX significantly outperforms a state-of-the-art solution, with 11.9%-29.7% less overhead performing an SGX-based application.

Jiawei Huang,Hao Han,Fengyuan Xu,Bing Chen

DOI: https://doi.org/10.1109/issre59848.2023.00016

2023-01-01

Abstract:In the era of cloud computing, many applications are migrated to public servers not fully controlled by users who may fear their critical operations or data from being compromised by attackers. Previous studies have shown that Intel SGX enclaves can improve applications’ security in many market products. Yet they mainly rely on developers to reprogram and recompile the application into an SGX-aware version. To address this problem, we propose SAPPX, an SGX-based program retrofitting method that can automatically partition COTS application binaries into two parts without breaking the original program semantics. The first part of the application runs in user space, while the second part is executed in an SGX enclave to protect the user’s sensitive information. We have implemented a prototype of SAPPX on x86/Linux platforms and evaluated its performance using real-world applications and SPECCPU 2017 benchmarks. The experimental results show that the average overhead of the proposed approach is up to 19%.

Liang Ma,Caijun Zhen,Bin Zhao,Jingwei Ma,Gang Wang,Xiaoguang Liu

DOI: https://doi.org/10.1109/NAS.2010.29

2010-01-01

Abstract:Backup technology based on data de-duplication has become a hot topic in nowadays. In order to get a better performance, traditional research is mainly focused on decreasing the disk access time. In this paper, we consider computing complexity problem in data de-duplication system, and try to improve system performance by reducing computing time. We put computing tasks on commodity coprocessor to speed up the computing process. Compared with general-purpose processors, commodity coprocessors have lower energy consumption and lower cost. Experimental results show that they have equal or even better performance compared with general-purpose processors.

Wen Xia,Hong Jiang,D. Feng,Lei Tian

2012-01-01

Abstract:As the amount of the digital data grows explosively, Data deduplication has gained increasing attention for its space-efficient functionality that not only reduces the storage space requirement by eliminating duplicate data but also minimizes the transmission of redundant data in data-intensive storage systems. Most existing state-ofthe-art deduplication methods remove redundant data at either the file level or the chunk level (e.g. Fixed-Sized Chunking and Content-Defined Chunking). But the four stages of the traditional data deduplication process, chunking, fingerprinting, indexing, writing the metadata & unique data chunks, are time consuming in storage systems, especially the processes of chunking and fingerprinting take up significant CPU resources. Since the computing power of single-core stagnates while the throughput of storage devices continues to increase steadily (e.g. flash and PCM), the chunking and fingerprinting stages of deduplication are becoming much slower than the writing stage in real-world deduplication based storage systems. More specifically, the Rabin-based chunking algorithm and the SHA-1or MD5-based fingerprinting algorithms all need to compute the hash digest, which may lengthen the write process to an unacceptable level for the required write speed in high performance storage systems. Currently, there are two general approaches to accelerating the time-consuming hash calculation and alleviating the computing bottleneck of data deduplication, namely, software-based and hardware-based methods. The former refers to employing a dedicated co-processor to minimize the time overheads of computing the hash function so that the deduplication-induced storage performance degradation becomes negligible or acceptable [1, 2, 4]. A good example of the hardware-based methods is called StoreGPU [5] that makes full use of the computing power of the GPU device to meet the computational demand of the hash calculation in storage systems. The software-based approaches exploit the parallelism of data deduplication instead of employing faster computing devices. Liu et al. [5] and Guo et al. [3] have attempted to improve the write performance by pipelining the Fixed-Sized Chunking (FSC) process. Because of the internal content dependency, it remains a challenge to fully exploit the parallelism in the chunking and fingerprinting tasks of the Content-Defined Chunking (CDC) based deduplication approaches. In this report, we propose P-Dedupe, a deduplication system for high performance data storage that pipelines and parallelizes the compute-intensive deduplication processes to remove the write bottleneck. PDedupe exploits the pipelining among the deduplication data units (e.g. chunks and files) and parallelism among the deduplication functional units (e.g. the fingerprinting and chunking tasks) by making full use of the idle computing resources in a multicoreor manycore-based computer system. P-Dedupe aims to remove the time overheads of hashing and shift the deduplication bottleneck from the CPU to the IO, so as to easily embed data deduplication into a normal data storage system with little or no impact on the write performance.

Zuoru Yang,Jingwei Li,Patrick P. C. Lee

2022-01-01

Abstract:Outsourced storage should fulfill confidentiality and storage efficiency for large-scale data management. Conventional approaches often combine encryption and deduplication based on deduplication-after-encryption (DaE), which first performs encryption followed by deduplication on encrypted data. We argue that DaE has fundamental limitations that lead to various drawbacks in performance, storage savings, and security in secure deduplication systems. In this paper, we study an unexplored paradigm called deduplication-before-encryption (DbE), which first performs deduplication and encrypts only non-duplicate data. DbE has the benefits of mitigating the performance and storage penalties caused by the management of duplicate data, but its deduplication process is no longer protected by encryption. To this end, we design DEBE, a shielded DbE-based deduplicated storage system that protects deduplication via Intel SGX. DEBE builds on frequency-based deduplication that first removes duplicates of frequent data in a space-constrained SGX enclave and then removes all remaining duplicates outside the enclave. Experiments show that DEBE outperforms state-of-the-art DaE approaches.

Chongchong Zhao,Daniyaer Saifuding,Hongliang Tian,Yong Zhang,Chunxiao Xing

DOI: https://doi.org/10.1109/wisa.2016.45

2016-01-01

Abstract:As cloud computing is widely used in various fields, more and more individuals and organizations are considering outsourcing data to the public cloud. However, the security of the cloud data has become the most prominent concern of many customers, especially those who possess a large volume of valuable and sensitive data. Although some technologies like Homomorphic Encryption were proposed to solve the problem of secure data, the result is still not satisfying. With the advent of Intel SGX processor, which aims to thoroughly eliminate the security concern of cloud environment in a hardware-assisted approach, it brings us a number of questions on its features and its practicability for the current cloud platform. To evaluate the potential impact of Intel SGX, we analyzed the current SGX programming mode and inferred some possible factors that may arise the overhead. To verify our performance hypothesis, we conducted a systematic study on SGX performance by a series of benchmark experiments. After analyzing the experiment result, we performed a workload characterization to help programmer better exploit the current availability of Intel SGX and identify feasible research directions.

Marcus Birgersson,Cyrille Artho,Musard Balliu

2024-10-14

Abstract:Many applications benefit from computations over the data of multiple users while preserving confidentiality. We present a solution where multiple mutually distrusting users' data can be aggregated with an acceptable overhead, while allowing users to be added to the system at any time without re-encrypting data. Our solution to this problem is to use a Trusted Execution Environment (Intel SGX) for the computation, while the confidential data is encrypted with the data owner's key and can be stored anywhere, without trust in the service provider. We do not require the user to be online during the computation phase and do not require a trusted party to store data in plain text. Still, the computation can only be carried out if the data owner explicitly has given permission. Experiments using common functions such as the sum, least square fit, histogram, and SVM classification, exhibit an average overhead of $1.6 \times$. In addition to these performance experiments, we present a use case for computing the distributions of taxis in a city without revealing the position of any other taxi to the other parties.

Cryptography and Security

Wen Xia,Dan Feng,Hong Jiang,Yucheng Zhang,Victor Chang,Xiangyu Zou

DOI: https://doi.org/10.1016/j.future.2019.02.008

IF: 7.307

2019-01-01

Future Generation Computer Systems

Abstract:Data deduplication, a data reduction technique that efficiently detects and eliminates redundant data chunks and files, has been widely applied in large-scale storage systems. Most existing deduplication-based storage systems employ content-defined chunking (CDC) and secure-hash-based fingerprinting (e.g., SHA1) to remove redundant data at the chunk level (e.g., 4 KB/8 KB chunks), which are extremely compute-intensive and thus time-consuming for storage systems. Therefore, we present P-Dedupe, a pipelined and parallelized data deduplication system that accelerates deduplication process by dividing the deduplication process into four stages (i.e., chunking, fingerprinting, indexing, and writing), pipelining these four stages with chunks & files (the processing data units for deduplication), and then parallelizing CDC and secure-hash-based fingerprinting stages to further alleviate the computation bottleneck. More important, to efficiently parallelize CDC with the requirements of both maximal and minimal chunk sizes and inspired by the MapReduce model, we first split the data stream into several segments (i.e., “Map”), where each segment will be running CDC in parallel with an independent thread, and then re-chunk and join the boundaries of these segments (i.e., “Reduce”) to ensure the chunking effectiveness of parallelized CDC. Experimental results of P-Dedupe with eight datasets on a quad-core Intel i7 processor suggest that P-Dedupe is able to accelerate the deduplication throughput near linearly by exploiting parallelism in the CDC-based deduplication process at the cost of only 0.02% decrease in the deduplication ratio. Our work provides contributions to big data science to ensure all files go through deduplication process quickly and thoroughly, and only process and analyze the same file once, rather than multiple times.

Md Washik Al Azad,Spyridon Mastorakis

2024-05-04

Abstract:Load balancing has been a fundamental building block of cloud and, more recently, edge computing environments. At the same time, in edge computing environments, prior research has highlighted that applications operate on similar (correlated) data. Based on this observation, prior research has advocated for the direction of "computation reuse", where the results of previously executed computational tasks are stored at the edge and are reused (if possible) to satisfy incoming tasks with similar input data, instead of executing incoming tasks from scratch. Both load balancing and computation reuse are critical to the deployment of scalable edge computing environments, yet they are contradictory in nature. In this paper, we propose the Deduplicator, a middlebox that aims to facilitate both load balancing and computation reuse at the edge. The Deduplicator features mechanisms to identify and deduplicate similar tasks offloaded by user devices, collect information about the usage of edge servers' resources, manage the addition of new edge servers and the failures of existing edge servers, and ultimately balance the load imposed on edge servers. Our evaluation results demonstrate that the Deduplicator achieves up to 20% higher percentages of computation reuse compared to several other load balancing approaches, while also effectively balancing the distribution of tasks among edge servers at line rate.

Distributed, Parallel, and Cluster Computing,Networking and Internet Architecture

Aritra Dhar,Supraja Sridhara,Shweta Shinde,Srdjan Capkun,Renzo Andri

DOI: https://doi.org/10.48550/arXiv.2211.00306

2022-11-01

Abstract:Modern data centers have grown beyond CPU nodes to provide domain-specific accelerators such as GPUs and FPGAs to their customers. From a security standpoint, cloud customers want to protect their data. They are willing to pay additional costs for trusted execution environments such as enclaves provided by Intel SGX and AMD SEV. Unfortunately, the customers have to make a critical choice -- either use domain-specific accelerators for speed or use CPU-based confidential computing solutions. To bridge this gap, we aim to enable data-center scale confidential computing that expands across CPUs and accelerators. We argue that having wide-scale TEE-support for accelerators presents a technically easier solution, but is far away from being a reality. Instead, our hybrid design provides enclaved execution guarantees for computation distributed over multiple CPU nodes and devices with/without TEE support. Our solution scales gracefully in two dimensions -- it can handle a large number of heterogeneous nodes and it can accommodate TEE-enabled devices as and when they are available in the future. We observe marginal overheads of $0.42$--$8\%$ on real-world AI data center workloads that are independent of the number of nodes in the data center. We add custom TEE support to two accelerators (AI and storage) and integrate it into our solution, thus demonstrating that it can cater to future TEE devices.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Yaxing Chen,Qinghua Zheng,Dan Liu,Zheng Yan,Wenhai Sun,Ning Zhang,Wenjing Lou,Y. Thomas Hou

DOI: https://doi.org/10.48550/arxiv.1912.08454

2019-01-01

Abstract:While the security of the cloud remains a concern, a common practice is to encrypt data before outsourcing them for utilization. One key challenging issue is how to efficiently perform queries over the ciphertext. Conventional crypto-based solutions, e.g. partially/fully homomorphic encryption and searchable encryption, suffer from low performance, poor expressiveness and weak compatibility. An alternative method that utilizes hardware-assisted trusted execution environment, i.e., Intel SGX, has emerged recently. On one hand, such work lacks of supporting scalable access control over multiple data users. On the other hand, existing solutions are subjected to the key revocation problem and knowledge extractor vulnerability. In this work, we leverage the newly hardware-assisted methodology and propose a secure, scalable and efficient SQL-like query framework named QShield. Building upon Intel SGX, QShield can guarantee the confidentiality and integrity of sensitive data when being processed on an untrusted cloud platform. Moreover, we present a novel lightweight secret sharing method to enable multi-user access control in QShield, while tackling the key revocation problem. Furthermore, with an additional trust proof mechanism, QShield guarantees the correctness of queries and significantly alleviates the possibility to build a knowledge extractor. We implemented a prototype for QShield and show that QShield incurs minimum performance cost.

Yuzhe Tang,Kai Li,Yibo Wang,Jiaqi Chen,Cheng Xu

DOI: https://doi.org/10.48550/arxiv.2212.12656

2022-01-01

Abstract: Intel SGX is known to be vulnerable to a class of practical attacks exploiting memory access pattern side-channels, notably page-fault attacks and cache timing attacks. A promising hardening scheme is to wrap applications in hardware transactions, enabled by Intel TSX, that return control to the software upon unexpected cache misses and interruptions so that the existing side-channel attacks exploiting these micro-architectural events can be detected and mitigated. However, existing hardening schemes scale only to small-data computation, with a typical working set smaller than one or few times (e.g., $8$ times) of a CPU data cache. This work tackles the data scalability and performance efficiency of security hardening schemes of Intel SGX enclaves against memory-access pattern side channels. The key insight is that the size of TSX transactions in the target computation is critical, both performance- and security-wise. Unlike the existing designs, this work dynamically partitions target computations to enlarge transactions while avoiding aborts, leading to lower performance overhead and improved side-channel security. We materialize the dynamic partitioning scheme and build a C++ library to monitor and model cache utilization at runtime. We further build a data analytical system using the library and implement various external oblivious algorithms. Performance evaluation shows that our work can effectively increase transaction size and reduce the execution time by up to two orders of magnitude compared with the state-of-the-art solutions.

Shijing Li,Tian Lan,Bharath Balasubramanian,Hee Won Lee,Moo-Ryong Ra,Rajesh Krishna Panta

DOI: https://doi.org/10.1109/tnse.2022.3155357

IF: 6.6

2022-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Edge computing has become a new computing paradigm with explosive growth in recent years. We consider the problem of pushing data deduplication to the network edge and propose a new framework for distributed edge-facilitated deduplication (EF-dedup). Deduplication at the network edge allows us to exploit the high degree of geographic- and temporal-correlation in edge data to achieve space efficiency. By leveraging distributed computing power available on the edge in a collaborative fashion, the edge nodes can effectively suppress duplicated edge data, consuming considerably less space and WAN bandwidth. To this end, we partition the edge nodes into disjoint collaborative clusters, maintain a deduplication index structure across them using a distributed key-value store and perform deduplication within those clusters. However, this partitioning problem is very challenging and requires the optimization of a novel tradeoff: edge nodes with highly correlated data may not always be within the same edge cloud, with non-trivial network cost among them. We formulate a joint storage and network optimization problem with different design objectives, such as arbitrary partitioning and balanced partitioning of edge nodes. The problem is shown to be NP-Hard in general. Then, an optimization framework with efficient algorithms is developed and is proven to achieve a closed-form competitive ratio. Our experiments, performed on edge nodes in a corporate lab1 and a central cloud at AWS, demonstrate that EF-dedup achieves 67.4$\sim$133.7% better deduplication throughput than sole cloud-based techniques and achieves 20.0-62.6$\%$ lesser aggregate cost in terms of the network-storage trade-off as compared to approaches that solely favor one over the other.

Zijin Han,Wen Xia,Yuchong Hu,Dan Feng,Yucheng Zhang,Yukun Zhou,Min Fu,Liang Gu

DOI: https://doi.org/10.1109/ICPADS.2016.0075

2016-01-01

Abstract:Data compression is widely used in storage systems to reduce redundant data and thus save storage space. One challenge facing the traditional compression approaches is the limitation of compression windows size, which fails to reduce redundancy globally. In this paper, we present DEC, a Deduplication-Enhanced Compression approach that effectively combines deduplication and traditional compressors to increase compression ratio and efficiency. Specifically, we make full use of deduplication to (1) accelerate data reduction by fast but global deduplication and (2) exploit data locality to compress similar chunks by clustering the data chunks which are adjacent to the same duplicate chunks. Our experimental results of a DEC prototype based on real-world datasets show that DEC increases the compression ratio by 20% to 71% and speeds up the compression throughput by 17%~183% compared to traditional compressors, without sacrificing the decompression throughput by leveraging deduplication in traditional compression approaches.

Rodolfo Silva,Pedro Barbosa,Andrey Brito

DOI: https://doi.org/10.48550/arXiv.1710.11423

2017-10-31

Abstract:Intel(R) Software Guard eXtensions (SGX) is a hardware-based technology for ensuring security of sensitive data from disclosure or modification that enables user-level applications to allocate protected areas of memory called enclaves. Such memory areas are cryptographically protected even from code running with higher privilege levels. This memory protection can be used to develop secure and dependable applications, but the technology has some limitations: ($i$) the code of an enclave is visible at load time, ($ii$) libraries used by the code must be statically linked, and ($iii$) the protected memory size is limited, demanding page swapping to be done when this limit is exceeded. We present DynSGX, a privacy preserving tool that enables users and developers to dynamically load and unload code to be executed inside SGX enclaves. Such a technology makes possible that developers use public cloud infrastructures to run applications based on sensitive code and data. Moreover, we present a series of experiments that assess how applications dynamically loaded by DynSGX perform in comparison to statically linked applications that disregard privacy of the enclave code at load time.

Cryptography and Security

Yukun Zhou,Dan Feng,Wen Xia,Min Fu,Fangting Huang,Yucheng Zhang,Chunguang Li

DOI: https://doi.org/10.1109/msst.2015.7208297

2015-01-01

Abstract:Nowadays, many customers and enterprises backup their data to cloud storage that performs deduplication to save storage space and network bandwidth. Hence, how to perform secure deduplication becomes a critical challenge for cloud storage. According to our analysis, the state-of-the-art secure deduplication methods are not suitable for cross-user fine-grained data deduplication. They either suffer brute-force attacks that can recover files falling into a known set, or incur large computation (time) overheads. Moreover, existing approaches of convergent key management incur large space overheads because of the huge number of chunks shared among users.Our observation that cross-user redundant data are mainly from the duplicate files, motivates us to propose an efficient secure deduplication scheme SecDep. SecDep employs UserAware Convergent Encryption (UACE) and Multi-Level Key management (MLK) approaches. (1) UACE combines cross-user file-level and inside-user chunk-level deduplication, and exploits different secure policies among and inside users to minimize the computation overheads. Specifically, both of file-level and chunk-level deduplication use variants of Convergent Encryption (CE) to resist brute-force attacks. The major difference is that the file-level CE keys are generated by using a server-aided method to ensure security of cross-user deduplication, while the chunk-level keys are generated by using a user-aided method with lower computation overheads. (2) To reduce key space overheads, MLK uses file-level key to encrypt chunk-level keys so that the key space will not increase with the number of sharing users. Furthermore, MLK splits the file-level keys into share-level keys and distributes them to multiple key servers to ensure security and reliability of file-level keys.Our security analysis demonstrates that SecDep ensures data confidentiality and key security. Our experiment results based on several large real-world datasets show that SecDep is more time-efficient and key-space-efficient than the state-of-the-art secure deduplication approaches.