How to build a secure database enclave using Conclave

Conclave Feb 18 2022 By: Sneha Damle
Sneha Damle Senior Developer Evangelist, Conclave

Cloud-based applications are becoming commonplace and bring many benefits for both users and developers. But a significant concern for deploying any cloud-based applications is privacy. 

How can you guarantee data security and integrity when you deploy your applications to environments where the OS and hypervisor are untrusted, and where cloud administrators and database administrators are unknown to you? The scary reality is that if you ask a cloud provider to process your data, you have no way of knowing if they did what you asked, and if one of their employees took a copy of your data, you’d never know.

Fortunately, Intel SGX’s confidential computing platform opens the gateway to a hardware security-based trusted execution environment (TEE) called the enclave. You can run your application code inside an enclave and protect this code and sensitive data so that even the hypervisor and operating system can’t access it. You can even verify that they didn’t change the business logic either!

This article shows how to use the R3 Conclave platform to run a relational database inside a secure enclave with minimal effort. This may sound easy but it turns out there are some subtle issues one has to address – particularly related to persistence of data – which Conclave really helps with.

[Figure: Executing queries inside an enclave]

The need for loading a database inside an enclave

Now, some of the problems you need to solve when building a secure database are well understood. You can, of course, secure data at rest by encrypting it, and you can secure data in transit using TLS. But when data is in use, data processing applications need to decrypt sensitive data in memory during query processing. To avoid leaking this plain text data while it is in use, you can load the database inside the enclave and access the data securely there. Since no one, not even the underlying OS, can access this data, a TEE is a good fit for hosting the database and performing secure query processing without worrying about data privacy.

If you’ve looked at SGX in the past, you might be thinking about memory constraints, such as the 256 MB limit of the Intel E-2200 processors. The good news is that enclaves on the latest Ice Lake Xeon processors can now protect up to 1 TB of code and data while in use.

To support running a database inside an enclave, you also need to think about persisting the current enclave state. We want to make sure that the enclave starts with its correct previous state in the event of an enclave restart. Conclave 1.2 provides the persistence capabilities needed to ensure that the correct previous database state is loaded back into the enclave. So now, as a Conclave developer, you can save the entire current state of your database running inside an enclave to persistent storage.

Modeling a database inside an enclave using Conclave SDK

Conclave SDK is a confidential computing platform built on top of Intel SGX’s SDK, which lets you interact with the enclave in higher-level languages such as Java and Kotlin. All the file I/O operations from the Conclave enclave are mapped to a persistent file system represented by a single file in the host file system. This persistent file is saved in an encrypted format, so the host can’t read it. Conclave even randomises the write patterns so the host can’t use statistical techniques to guess what the enclave is doing. This is one of several ‘side channel’ mitigations that Conclave provides; without them, the unwary could run into unexpected security problems. You can either use the root sealing key to encrypt this file or use a key provided by the Conclave KDS. Encrypting the file using the root sealing key ties the enclave code/data to a particular CPU, whereas encrypting the file using a key derived from the KDS lets you migrate your enclave data onto another physical system. Learn more about the KDS.

Example of H2 database in an enclave, using Conclave SDK

This example shows how persistence is used to create a database inside an enclave, create a table, insert records into it and select records from the table. It also shows how persisted records can be retrieved by the enclave once the host is restarted.


Class.forName("org.h2.Driver");
Connection conn = DriverManager.getConnection("jdbc:h2:~/test");
Statement st = conn.createStatement();
if (commandType == CommandType.CREATE) {
    // This will create a table in the H2 database.
    st.executeUpdate("CREATE TABLE IF NOT EXISTS USERS (name VARCHAR(20), password VARCHAR(20))");

    reply = "Users table created in the database";

    // Encrypt the reply to be sent to the client using the client's public key.
    byte[] encryptedReply = postOffice(mail.getAuthenticatedSender())
            .encryptMail(reply.getBytes());

    // This will send the encrypted reply back to the host, and the host will
    // forward it to the client based on the routing hint.
    postMail(encryptedReply, routingHint);
}

You will pass in the persistent file name while starting the host to run this sample. The above code snippet shows how to create a table in H2 loaded inside an enclave. As discussed above, Conclave will map all the database DDL/DML operations to this persistent file. As a Conclave developer, you will focus on writing your application code, and you don’t have to deal with mapping the I/O calls to a persistent file as the Conclave SDK handles this.
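The snippet above covers only table creation. As an added example (not code from the Conclave sample or from R3), the insert and select paths could look like this in plain JDBC against the same USERS table, with client-supplied values bound as parameters because they arrive in mail from a client the enclave does not control. The class name UserStore, its method names and the in-memory demo URL are assumptions made for illustration; it needs the H2 driver on the classpath.

```java
import java.sql.*;
import java.util.ArrayList;
import java.util.List;

/** Added example: hypothetical helper, not part of the Conclave sample. */
public final class UserStore {
    private final String url; // e.g. "jdbc:h2:~/test", as in the article's snippet

    public UserStore(String url) throws SQLException {
        this.url = url;
        try (Connection c = DriverManager.getConnection(url);
             Statement st = c.createStatement()) {
            st.executeUpdate("CREATE TABLE IF NOT EXISTS USERS (name VARCHAR(20), password VARCHAR(20))");
        }
    }

    /** Values come from a decrypted client mail, so bind them; never concatenate into SQL. */
    public String addUser(String name, String password) throws SQLException {
        if (!fits(name) || !fits(password)) {
            return "Rejected: name and password must be 1-20 characters";
        }
        try (Connection c = DriverManager.getConnection(url);
             PreparedStatement ps = c.prepareStatement("INSERT INTO USERS (name, password) VALUES (?, ?)")) {
            ps.setString(1, name);
            ps.setString(2, password);
            ps.executeUpdate();
        }
        return "User " + name + " added";
    }

    /** Returns names only, so stored passwords are not echoed in a reply. */
    public List<String> listUserNames() throws SQLException {
        List<String> names = new ArrayList<>();
        try (Connection c = DriverManager.getConnection(url);
             PreparedStatement ps = c.prepareStatement("SELECT name FROM USERS ORDER BY name");
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) names.add(rs.getString("name"));
        }
        return names;
    }

    private static boolean fits(String s) { return s != null && !s.isEmpty() && s.length() <= 20; }

    public static void main(String[] args) throws SQLException {
        // Constructed demo outside an enclave: in-memory H2 kept alive across connections.
        UserStore store = new UserStore("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1");
        System.out.println(store.addUser("alice", "x' OR '1'='1")); // stored as data, not SQL
        System.out.println(store.listUserNames());
    }
}
```

Inside the enclave, the returned strings would be encrypted and posted back to the client with postOffice(...).encryptMail(...) and postMail(...), as in the snippet above.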

Clone the complete example from GitHub.

You now know how persistence can be used to load an entire H2 database in an enclave using Conclave SDK. Query processing can be performed securely without compromising the confidentiality of the data, in effect giving you a secure database enclave.

Sneha Damle is a Developer Evangelist at R3, an enterprise blockchain software firm working with a global ecosystem of more than 350 participants across multiple industries from both the private and public sectors to develop on Corda, its open-source blockchain platform, Corda Enterprise, a commercial version of Corda for enterprise usage, and Conclave, a confidential computing platform.
