VISE: Combining Intel SGX and Homomorphic Encryption for Cloud Industrial Control Systems

Bibliographic Details
Published in: IEEE transactions on computers, Vol. 70, no. 5, pp. 711-724
Main Authors: Coppolino, Luigi; D'Antonio, Salvatore; Formicola, Valerio; Mazzeo, Giovanni; Romano, Luigi
Format: Journal Article
Language: English
Published: New York, IEEE, 01.05.2021
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Abstract: Protecting data-in-use from privileged attackers is challenging. New CPU extensions (notably: Intel SGX) and cryptographic techniques (specifically: Homomorphic Encryption) can guarantee privacy even in untrusted third-party systems. HE allows sensitive processing on ciphered data. However, it is affected by i) a dramatic ciphertext expansion making HE unusable when bandwidth is narrow, ii) unverifiable conditional variables requiring off-premises support. Intel SGX allows sensitive processing in a secure enclave. Unfortunately, it is i) strictly bonded to the hosting server making SGX unusable when the live migration of cloud VMs/Containers is desirable, ii) limited in terms of usable memory, which is in contrast with resource-consuming data processing. In this article, we propose the VIrtual Secure Enclave (VISE), an approach that effectively combines the two aforementioned techniques, to overcome their limitations and ultimately make them usable in a typical cloud setup. VISE moves the execution of sensitive HE primitives (e.g., encryption) to the cloud in a remotely attested SGX enclave, and then performs sensitive processing on HE data, outside the enclave, leveraging all the memory resources available. We demonstrate that VISE meets the challenging security and performance requirements of a substantial application in the Industrial Control Systems domain. Our experiments prove the practicability of the proposed solution.
Author Mazzeo, Giovanni
Romano, Luigi
Coppolino, Luigi
D'Antonio, Salvatore
Formicola, Valerio
Author_xml – sequence: 1
  givenname: Luigi
  orcidid: 0000-0002-2079-8713
  surname: Coppolino
  fullname: Coppolino, Luigi
  email: luigi.coppolino@uniparthenope.it
  organization: Department of Engineering, University of Naples 'Parthenope', Napoli, NA, Italy
– sequence: 2
  givenname: Salvatore
  surname: D'Antonio
  fullname: D'Antonio, Salvatore
  email: salvatore.dantonio@uniparthenope.it
  organization: Department of Engineering, University of Naples 'Parthenope', Napoli, NA, Italy
– sequence: 3
  givenname: Valerio
  surname: Formicola
  fullname: Formicola, Valerio
  email: valerio.formicola@uniparthenope.it
  organization: Department of Engineering, University of Naples 'Parthenope', Napoli, NA, Italy
– sequence: 4
  givenname: Giovanni
  orcidid: 0000-0002-0238-5616
  surname: Mazzeo
  fullname: Mazzeo, Giovanni
  email: giovanni.mazzeo@uniparthenope.it
  organization: Department of Engineering, University of Naples 'Parthenope', Napoli, NA, Italy
– sequence: 5
  givenname: Luigi
  orcidid: 0000-0003-2571-8572
  surname: Romano
  fullname: Romano, Luigi
  email: luigi.romano@uniparthenope.it
  organization: Department of Engineering, University of Naples 'Parthenope', Napoli, NA, Italy
CODEN ITCOB4
ContentType Journal Article
Copyright Copyright The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2021
DOI 10.1109/TC.2020.2995638
Discipline Engineering
Computer Science
EISSN 1557-9956
EndPage 724
ExternalDocumentID 10_1109_TC_2020_2995638
9095418
Genre orig-research
GrantInformation_xml – fundername: H2020 Society
  funderid: 10.13039/100010682
ISSN 0018-9340
IsDoiOpenAccess false
IsOpenAccess true
IsPeerReviewed true
IsScholarly true
Issue 5
Language English
LinkModel DirectLink
OpenAccessLink https://doi.org/10.1109/tc.2020.2995638
PublicationCentury 2000
PublicationDate 2021-05-01
PublicationDateYYYYMMDD 2021-05-01
PublicationDate_xml – month: 05
  year: 2021
  text: 2021-05-01
  day: 01
PublicationDecade 2020
PublicationPlace New York
PublicationPlace_xml – name: New York
PublicationTitle IEEE transactions on computers
PublicationTitleAbbrev TC
PublicationYear 2021
Publisher IEEE
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Publisher_xml – name: IEEE
– name: The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
StartPage 711
SubjectTerms Algorithms
Cloud computing
cloud security
Containers
Control systems
Cryptography
Data processing
Encryption
homomorphic encryption
Industrial control
industrial control systems
Industrial electronics
Integrated circuits
Intel SGX
Monitoring
Security
Sensors
Servers
Trusted computing
Title VISE: Combining Intel SGX and Homomorphic Encryption for Cloud Industrial Control Systems
URI https://ieeexplore.ieee.org/document/9095418
https://www.proquest.com/docview/2510432497
Volume 70