Microsoft and boffins cook up hardware-secured database

At the IEEE Symposium on Security and Privacy in San Francisco, Calif., this week, researchers from Imperial College London and Microsoft presented an experimental database engine called EnclaveDB that aims to keep data and database queries secure even when the host system has been compromised. As described in a research paper …

  1. Pascal Monett Silver badge
    Trollface

    What's that ?

    "aims to keep data and database queries secure even when the host system has been compromised"

    When you say compromised, does that include running on Windows Telemetry Version ?

    Because Microsoft ain't offering the NONE setting on that.

    1. Doctor Syntax Silver badge

      Re: What's that ?

      The Microsoft downvoting shills are pretty active these days.

  2. Doctor Syntax Silver badge

    So the idea is to use a trusted server to enable an untrusted database server to be trusted. So how does one trust the trusted server and if it can be truly trusted why not apply the same to the database server so that it can be trusted directly?

  3. johnnyblaze

    Flaws

    If it was devised by humans (and Microsoft in this case), it will have flaws, security holes and other bugs (alongside Microsoft's telemetry collection, which will be set to FULL by default!)

  4. NiceCuppaTea

    "Unlike a conventional database, EnclaveDB compiles queries on sensitive data to native code using an ahead-of-time compiler on a trusted client machine,"

    This sounds a lot to me like the branch prediction algo's that have caused Spectre/Meltdown.

  5. Anonymous Coward

    So how do you replicate this, or move it to another server?

  6. Nate Amsden

    banks and fraud detection

    If this level of security is so important it would be interesting to know specifically what approaches a bank might take with today's technology to accomplish the same thing (assuming they even protect at that level).

    Besides, even if you make the database ultra super protected, those queries have to come from somewhere, most likely an application of sorts, and applications I'd wager are generally compromised on a 100:1 ratio to databases.

  7. donk1

    Sounds like "Always Encrypted with Enclaves" http://smooth1.co.uk/sqlbits2018/sqlbits2018roundup.html#2

    1. Is this protected against https://www.theregister.co.uk/2018/03/28/intel_shrugs_off_new_sidechannel_attacks_on_branch_prediction_units_and_sgx/ with "utilization of an appropriate side channel attack-resistant crypto implementation inside the enclave"?

    2. Has it been rebuilt with https://www.theregister.co.uk/2018/03/01/us_researchers_apply_spectrestyle_tricks_to_break_intels_sgx/ "Enclave code will need to be rebuilt and redeployed using the updated development kit to be protected from malicious sysadmins."

    3. As per my blog entry above, "On first use the client driver and enclave negotiate a shared secret and then setup the secure tunnel". Surely to negotiate a shared secret there is a small initial window where you first have to trust the hypervisor?
