TEE-based Key-Value Stores: a Survey
Aghiles Ait Messaoud, Sonia Ben Mokhtar, Anthony Simonet-Boulogne
TL;DR
This survey analyzes SGX-based confidential key-value stores (KVSs), detailing how SGX enclaves are used to secure key-value data with limited secure memory. It presents a modular architecture covering data structures, I/O and networking optimizations, synchronization protocols, and cross-cutting security concerns, including attestation and secure channels. The work notes that while SGX delivers strong data protection, side-channel leakage and Enclave Page Cache (EPC) memory limits pose practical challenges, and it reviews mitigation strategies across hardware, software, and system layers. The findings guide the design of scalable, secure KVSs by highlighting trade-offs between confidentiality, freshness, availability, and performance, and by identifying future research avenues in enclave architectures and side-channel attack (SCA) defenses.
Abstract
Key-Value Stores (KVSs) are NoSQL databases that store data as key-value pairs and have gained popularity due to their simplicity, scalability, and fast retrieval capabilities. However, storing sensitive data in KVSs requires strong security properties to prevent data leakage and unauthorized tampering. While software (SW)-based encryption techniques are commonly used to maintain data confidentiality and integrity, they suffer from several drawbacks: they assume that the hosting system stack is trusted, and they do not secure data during processing unless performance-heavy techniques (e.g., homomorphic encryption) are used. Alternatively, Trusted Execution Environments (TEEs) provide a solution that enforces the confidentiality and integrity of code and data at the CPU level, allowing users to build trusted applications in an untrusted environment. They also secure data in use by providing an encapsulated processing environment called an enclave. Nevertheless, TEEs come with their own set of drawbacks, including performance issues due to memory size limitations and CPU context switching. This paper examines the state of the art in TEE-based confidential KVSs and highlights common design strategies used in KVSs to leverage TEE security features while overcoming their inherent limitations. This work aims to provide a comprehensive understanding of the use of TEEs in KVSs and to identify research directions for future work.
