SACK is a shielded framework that enables dynamic attribute-based access control for KV stores with shielded execution, while preserving the essential security guarantees including confidentiality (i.e., data remains inaccessible to unauthorized parties), integrity (i.e., data remains intact), and freshness (i.e., only up-to-date data is processed).
This repository contains the implementation of SACK and the baselines used in the evaluation.
src: include the implementation of SACK and the baselines.scripts: include the environment setup and evaluation scripts.libs: include the libraries used in the implementation of SACK.
For artifact evaluation, please refer to the artifact evaluation document.
- Those dependencies are required to be manually installed.
- The following dependencies can be automatically installed by the system package manager. Use Ubuntu as an example.
sudo apt-get install -y \
build-essential libssl-dev libclang-dev cmake unzip \
# The following packages are for baselines
libbz2-dev liblz4-dev libzstd-dev libaio-dev libconfig++-dev libconfig-dev clang-format flex bison libxxhash-dev libboost-all-dev libdb-dev libdb++-dev libleveldb-dev \
# The following packages are for SGX driver and sgxtop
linux-headers-$(uname -r) libncurses5-dev automake autoconf \
# The following packages are for TWEEZER
docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc \
# The following packages are for OpenABE
python3-pip python-pip libgmp-dev- First, install the Intel SGX driver that support
sgxtoptool.
cd libs/fortanix-linux-sgx-driver || exit
make
sudo mkdir -p "/lib/modules/"$(uname -r)"/kernel/drivers/intel/sgx"
sudo cp isgx.ko "/lib/modules/"$(uname -r)"/kernel/drivers/intel/sgx"
sudo sh -c "cat /etc/modules | grep -Fxq isgx || echo isgx >> /etc/modules"
sudo /sbin/depmod
sudo /sbin/modprobe isgx- Install the sgxtop tool.
cd libs/sgxtop || exit
./maintainer.sh- Install the Intel SGX SDK and SSL.
# Install packages for Intel SGX
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
sudo apt update
sudo apt-get install libsgx-launch libsgx-urts
sudo apt-get install libsgx-epid libsgx-urts
sudo apt-get install libsgx-quote-ex libsgx-urts
# install SGX SDK
wget https://download.01.org/intel-sgx/sgx-linux/2.21/distro/ubuntu18.04-server/sgx_linux_x64_sdk_2.21.100.1.bin
chmod +x sgx_linux_x64_sdk_2.21.100.1.bin
echo -e 'no\n/opt/intel' | sudo ./sgx_linux_x64_sdk_2.21.100.1.bin
# install mitigation tools
git clone https://github.com/intel/linux-sgx.git
cd linux-sgx && make preparation
sudo cp external/toolset/ubuntu18.04/* /usr/local/bin
which ar as ld objcopy objdump ranlib
cd ../
# install SGX SSL
wget https://github.com/intel/intel-sgx-ssl/archive/refs/tags/lin_2.21_1.1.1u.zip
unzip lin_2.21_1.1.1u.zip
cd intel-sgx-ssl-lin_2.21_1.1.1u/openssl_source || exit
wget https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_1u/openssl-1.1.1u.tar.gz
cd ../Linux
make all test
sudo make install- Build and install the liburing.
# Install liburing
git clone https://github.com/axboe/liburing.git
cd liburing || exit
make
sudo make install
echo "/usr/lib" | sudo tee /etc/ld.so.conf.d/liburing.conf
sudo ldconfig
pkg-config --list-all | grep liburing
ldconfig -p | grep liburing
rm -rf liburing- Build the RocksDB.
# Build RocksDB
cd libs/rocksdb-6.14.5 || exit
make static_lib EXTRA_CXXFLAGS=-fPIC EXTRA_CFLAGS=-fPIC USE_RTTI=1 DEBUG_LEVEL=0- Build the SplinterDB
cd libs/splinterdb-main || exit
export COMPILER=gcc
export CC=$COMPILER
export LD=$COMPILER
make clean
make
make run-tests
sudo --preserve-env=CC,LD make install - Build and install the OpenABE.
wget --no-check-certificate https://github.com/zeutro/openabe/archive/refs/tags/v1.0.zip
unzip v1.0.zip
cd openabe-1.0/ || exit
sed -i 's/install_package python-pip/install_package python3-pip/' deps/install_pkgs.sh
sudo -E ./deps/install_pkgs.sh
sudo apt-get install -y libgtest-dev cmake
cd /usr/src/gtest || exit
sudo cmake CMakeLists.txt
sudo make
sudo cp *.a /usr/local/lib
mv deps/gtest/download_gtest.sh deps/gtest/download_gtest.sh.bkp
cd "path_to_openabe" || exit
sed -i 's|\./download_gtest.sh \$(VERSION)|#&|' deps/gtest/Makefile
sed -i 's/\(DEPS_PACKAGES = .* \)gtest\(.*\)/\1\2/' "Makefile.common"
. ./env
make
make test
sudo -E make install-
Build TWEEZER.
- Please install docker before proceeding. Install Docker
- Please register scone container registry to pull cross compiler.
- We have modified the original dockerfile to address the bugs, so please use the following command to build TWEEZER.
cd libs/tweezer || exit ./script/compile.sh
-
Build unencrypted baselines.
cd src/ycsbc || exit
make- Build the CP-ABE-based baseline.
cd src/cpabe || exit
makecd src/sack || exit
./scripts/build.sh Release- Run the unencrypted baselines.
cd src/ycsbc || exit
./ycsbc -db ${splinterdb|leveldb|berkeley_btree|berkeley_hash} -dbfilename ${path_to_the_loaded_db} -phase ${load|run|both} -threads 1 -P ${path_to_workload_file} -configpath .- Run the encrypted baselines (TWEEZER).
cd libs/tweezer/binary || exit
./tweezer_ycsb -db tweezer -dbfilename ${path_to_the_loaded_db} -phase ${load|run|both} -threads 1 -P ${path_to_workload_file}- Run the CP-ABE based baseline.
cd src/cpabe || exit
# Create a configuration file
config_file_path="config_file.txt"
echo "$ATTR_NUM" >"$config_file_path" # The number of attributes in use (all attributes are in use by default to build the access policy)
./ycsbc -db cpabe -dbfilename ${path_to_the_loaded_db} -phase ${load|run|both} -threads 1 -P ${path_to_workload_file} -configpath "$config_file_path"- Run SACK with different KV stores.
cd src/sack/bin || exit
# Create a configuration file
config_file_path="config_file.txt"
echo "RocksDB" >"$config_file_path" # It can be replaced with "SplinterDB", "LevelDB", "BerkeleyBTree", or "BerkeleyHash"
echo "attr1" >>"$config_file_path" # The default policy used to write data
echo "10" >>"$config_file_path" # Evaluation target attributes number in use
echo "100" >>"$config_file_path" # Evaluation target policy number in use
echo "100000" >>"$config_file_path" # Evaluation target KV pair number
./ycsbc -db sack -dbfilename ${path_to_the_loaded_db} -phase ${load|run|both} -threads 1 -P ${path_to_workload_file} -configpath "$config_file_path"We provide the scripts to reproduce the evaluations in the scripts/exp directory. Before running the scripts, you need to set up the environment parameter in scripts/exp/common.sh (line 15) as follows:
SUDO_PASSWD="" # Set your sudo password here to run sudo commands in the scriptEach script is named after the evaluation ID and scenario. After setting up the environment and building the dependencies and systems, you can run the scripts to reproduce the evaluations. For example:
cd scripts/exp || exit
./exp1_ycsb.shThe evaluation results (raw output of YCSB-C) will be stored in the Logs directory. You may manually move the logs to a specific directory for further analysis for each experiment. After that, you can run the analysis scripts (in scripts/analysis) to summarize the results. For example:
cd scripts/analysis || exit
./countExp1YCSB.sh ${path_to_the_logs_directory}The summarized results will be output to the terminal following the style below (the unit is Kop/s):
========== System Throughput Statistics ==========
(Mean ± 95% CI in kops)
System workloada workloadb workloadc workloadd workloade workloadf
------------------------------------------------------------------------------------------------------------------------------------
rocksdb 24.78±1.20 20.61±1.16 20.66±0.24 26.90±2.64 2.92±0.03 17.84±0.86
sack 4.00±0.01 5.24±0.02 6.25±0.02 6.80±0.02 0.14±0.00 3.54±0.01
···
For other experiments, please refer to the artifact evaluation document for more details.