The New Year has brought to light a significant vulnerability in processor architectures. In the desire to improve performance, memory isolation, which is one of the fundamental security features provided by modern processors, has been compromised. Meltdown and Spectre have shown us how the micro-architectural side effects of a processor’s out-of-order execution feature can be exploited to defeat the processor’s memory isolation. Meltdown demonstrated a simple way for a user process to read the entire kernel memory, including all of the physical memory mapped to the kernel region, with no permission or privilege. This is accomplished by exploiting the micro-architectural side effects of speculative execution combined with a privilege escalation vulnerability specific to Intel processors. Spectre demonstrated a similar attack on Intel, AMD and ARM processors that can read arbitrary memory from the victim processes by exploiting the micro-architectural side effects of speculative execution based on branch prediction. The security of memory isolation is the cornerstone of safe multitenant computing environments whether it be apps from multiple vendors on a smartphone or VMs belonging to different users on a single machine in the cloud. These attacks have shown us that security features implemented in processors are just as vulnerable as those implemented in software and can just as easily leave our data accessible to hackers.
The processor vulnerabilities such as those demonstrated by Meltdown and Spectre makes the job of protecting data in untrusted environments such as cloud particularly challenging. Even if the data is protected in-flight (SSL) and on-disk (TDE, SED), the data remains in the clear in memory when it is being processed by the database server and thus completely exposed to attacks like Meltdown and Spectre that allow sensitive data to be extracted from memory. A much more secure approach is to encrypt any data that leaves the trust boundary using a standard algorithm such as AES and keep it encrypted at all the times even when it is stored in machine memory or while being processed by the CPU. This can be done using Multi-Party Computation (MPC) techniques that guarantees that data is never decrypted even when it is operated on.
MPC is a well-established cryptography technique that splits a computation into multiple operations, known as shares, and distribute these shares among multiple parties such that attacks on individual shares do not leak information about the computation. In a classical enterprise application context, it would be a SQL query to a database that is then split into multiple operations at the database tier using MPC. The SQL query computation is performed using message passing between the database compute instance and the other compute instances holding the other shares. Another important definition is the trust boundary among the elements of an IT infrastructure. For an enterprise deployment, the machine running the application is usually trusted because that is where the data is input and visualized while the infrastructure such as the database server and the associated storage are potentially vulnerable.
In conclusion, if users of infrastructure encrypt their sensitive data before it leaves the trust boundary, they can guarantee that the data will not be in the clear even when it is being operated on as long as cryptography techniques such as MPC are used. This would ensure that even if hackers gain unauthorized access to memory contents, they will only be able to steal encrypted data which is useless unless they can find the keys required to decrypt it. By design, these keys are kept in a separate domain making their job significantly harder since it would require gaining access to multiple compute instances simultaneously. This demonstrates the power of MPC and its ability to secure sensitive data in spite of vulnerabilities such as Meltdown and Spectre.
At Baffle, we’ve developed a data protection solution that uses MPC to ensure that your data is secure at all times. If you are interested in learning more about how Baffle can protect your data, please contact us through our website or email us at firstname.lastname@example.org.