Towards a privacy preserving serverless computing runtime
- Gaël Thomas, PDS team, Telecom SudParis – Institut Polytechnique de Paris
- Nicolas Anciaux, Petrus team, INRIA Saclay – Université Paris-Saclay
Nowadays, many online services (e.g., web search engines, location-based services, recommender systems) are used by billions of users on a daily basis. Key to the success of these services is personalisation: online services return results that are close to the user's interests. These preferences are generally computed by relying on user profiles learnt from past user queries. However, depending on the underlying application, user profiles may contain sensitive information about end users. For instance, in the context of location-based services, user profiles contain user mobility data from which it is easy to infer information such as a user's home and workplace, or even her sexual, religious or political preferences if she regularly visits gay bars, places of worship or the headquarters of a political party.
User profiles might severely threaten user privacy if they end up in the hands of untrusted services. Recent events have shown that this risk of data leakage is becoming a reality because cloud providers are becoming the target of devastating attacks. Examples of such attacks include ransomware against hospitals, the leak of millions of Dropbox account details, and the compromise of millions of Snapchat accounts, to name a few.
In this PhD thesis, we will study how to design a privacy-preserving serverless computing runtime. Serverless computing is a future cloud infrastructure in which the infrastructure transparently handles all aspects of resource management: allocating and deallocating storage and compute resources and dynamically scaling them, all of this in an energy-efficient manner. Relieved from the burden of managing the infrastructure, developers can focus on their core task, which is writing applications per se.
Currently, serverless runtimes are based on classical system stacks (virtual machines, containers), but these are not tailored to enforce the privacy of the user. In this PhD thesis, we thus propose to study how the serverless runtime has to be designed in order to ensure that user data cannot leak. We identify the following challenges that the PhD candidate will have to address:
- which programming interfaces the serverless runtime has to expose to the developer in order to enforce privacy;
- how the serverless runtime has to implement these interfaces in order to enforce privacy by using the hardware encryption mechanisms provided by modern processors (e.g., SGX or TrustZone).
The PhD candidate will start from an existing serverless runtime and, driven by a use case, will modify it step by step in order to add privacy-preserving mechanisms. For the use case, the PhD candidate will reuse the privacy-preserving database developed by the INRIA Petrus team. This database runs inside an enclave and exposes an interface that ensures that the user data cannot leak. Currently, the prototype only handles a single database for a single user, which means that it can only perform computation on a single user profile. The PhD candidate will thus study (i) how the serverless runtime can deploy multiple instances of the database (one instance per user), (ii) which mechanisms the runtime has to provide in order to allow each of these instances to authenticate the others, (iii) how the developer can write requests that run on multiple databases, and (iv) how the runtime can ensure that these requests cannot lead to data leaks.