Revisiting Definitional Foundations of Oblivious RAM for Secure
  Processor Implementations by Haider, Syed Kamran et al.
Revisiting Definitional Foundations of Oblivious RAM for
Secure Processor Implementations
Syed Kamran Haider
University of Connecticut
syed.haider@uconn.edu
Omer Khan
University of Connecticut
omer.khan@uconn.edu
Marten van Dijk
University of Connecticut
marten.van dijk@uconn.edu
ABSTRACT
Oblivious RAM (ORAM) is a renowned technique to hide the ac-
cess paerns of an application to an untrusted memory. According
to the standard ORAM denition presented by Goldreich and Os-
trovsky, two ORAM access sequences must be computationally
indistinguishable if the lengths of these sequences are identically
distributed. An artifact of this denition is that it does not apply
to modern ORAM implementations adapted in current secure pro-
cessors technology because of their arbitrary lengths of memory
access sequences depending on programs’ behaviors (their termi-
nation times). As a result, the ORAM denition does not directly
apply; the theoretical foundations of ORAM do not clearly argue
about the timing and termination channels.
is paper conducts a rst rigorous study of the standard
Goldreich-Ostrovsky ORAM denition in view of modern prac-
tical ORAMs (e.g., Path ORAM) and demonstrates the gap between
theoretical foundations and real implementations. A new ORAM
formulation which clearly separates out termination channel leak-
age is proposed. It is shown how this denition implies the standard
ORAM denition (for nite length input access sequences) and bet-
ter ts the modern practical ORAM implementations. e proposed
denition relaxes the constraints around the stash size and overow
probability for Path ORAM, and essentially transforms its security
argument into a performance consideration problem. To mitigate
internal side channel leakages, a generic framework for dynamic re-
source partitioning has been proposed to achieve a balance between
performance and leakage via contention on shared resources.
Finally, a ‘strong’ ORAM formulation which clearly includes ob-
fuscation of termination leakage is shown to imply our new ORAM
formulation and applies to ORAM for outsourced disk storage. In
this strong formulation constraints are not relaxed and the security
argument for Path ORAM remains complex as one needs to prove
that the stash overows with negligible probability.
KEYWORDS
Privacy leakage; Oblivious RAM; Secure Processors
1 INTRODUCTION
Security of private data storage and computation in an untrusted
cloud server is a critical problem that has received considerable
research aention. A popular solution to this problem is to
use tamper-resistant hardware based secure processors including
TPM [2, 38, 46], TPM+TXT [21], Bastion [8], eXecute Only Memory
,
© 2017 Copyright held by the owner/author(s). is is the author’s version of the
work. It is posted here for your personal use. Not for redistribution. e denitive
Version of Record was published in Proceedings of , , hp://dx.doi.org/10.475/123 4.
(XOM) [28–30], Aegis [43, 44], Ascend [15], Phantom [31], Intel
SGX [32], and Sanctum [9]. In this seing, a user’s encrypted data
is sent to the secure processor in the cloud, inside which the data
is decrypted and computed upon. e nal results are encrypted
and sent back to the user. e secure processor chip is assumed to
be tamper-resistant, i.e., an adversary is not able to look inside the
chip to learn any information.
While an adversary cannot access the internal state of the secure
processor, sensitive information can still be leaked through the
processor’s interactions with the (untrusted) main memory. Al-
though all the data stored in the external memory can be encrypted
to hide the data values, the memory access paern (i.e., address
sequence) may leak information. For example, existing work [23]
demonstrates that by observing accesses to an encrypted email
repository, an adversary can infer as much as 80% of the search
queries. Similarly, [55] shows that the control ow of a program can
be learned by observing the main memory access paerns which
may leak the sensitive private data.
Oblivious RAM (ORAM), rst proposed by Goldreich and Ostro-
vsky [17], is a cryptographic primitive that completely obfuscates
the memory access paern thereby preventing leakage via memory
access paerns. Signicant research eort over the past decade
has resulted in more and more ecient ORAM schemes [7, 10, 18–
20, 33, 34, 39, 41, 42, 50].
Generally speaking, an ORAM interface translates a single logi-
cal read/write into accesses to multiple randomized locations. As a
result, the locations touched in successive logical reads/writes have
exactly the same distribution and are indistinguishable to an adver-
sary. More precisely, according to the original denition of ORAM
introduced by Goldreich and Ostrovsky [17], the ORAM access
sequences ORAM(A1) and ORAM(A2) generated by the ORAM for
any two logical access sequences A1 and A2 respectively are com-
putationally indistinguishable if ORAM(A1) and ORAM(A2) have
the same length distribution (where the distribution is over the coin
ips used in the ORAM interface). Almost all follow-up ORAM
proposals claim to follow the same denition of ORAM security.
A crucial subtlety regarding the above mentioned ORAM secu-
rity denition is that it is only applicable to the class of ORAM
access sequences whose length is identically distributed. Specically,
two ORAM access sequences ORAM(A1) and ORAM(A2) may in
fact be distinguishable if they have dierent length distributions. In
modern secure processors [15, 31], a conventional DRAM controller
is replaced with a functionally-equivalent ORAM controller that
makes ORAM requests on last-level cache (LLC) misses. Since a
program can have dierent number of LLC misses for dierent in-
puts, the lengths of their corresponding ORAM access sequences is
not identically distributed, and can leak sensitive information (e.g.,
locality) via the program’s termination channel by revealing when
ar
X
iv
:1
70
6.
03
85
2v
3 
 [c
s.C
R]
  2
1 O
ct 
20
17
, , Syed Kamran Haider, Omer Khan, and Marten van Dijk
the program terminates. Furthermore, the specic ORAM imple-
mentations also introduce further variance in the length of ORAM
access sequences due to the additional caching/buering used for
performance reasons, e.g., a Path ORAM [42] caching the position
map blocks for future reuse [13]. Hence, the original ORAM de-
nition ([17]) does not apply to practical ORAM implementations
embraced by the modern secure processors due to their arbitrary
distributions of lengths of ORAM access sequences. In other words,
this denition does not clearly separates or includes leakage over
the program’s termination channel.
Another source of leakage under Goldreich and Ostrovsky’s
ORAM is the ORAM access timing, i.e., when an ORAM access is
made. Since the ORAM requests are issued upon LLC misses, the
ORAM access timing strongly correlates with the program’s locality
and can potentially leak sensitive information via the ORAM timing
channel. Periodic ORAM access schemes have been proposed to
protect ORAM timing channel [14, 15]. Notice, however, that these
schemes essentially transform the timing channel leakage into the
termination channel leakage. Completely preventing termination
channel leakage without sacricing performance is a hard prob-
lem. Instead, the leakage can be bounded to only a few number of
bits [14].
In this work, we show that Goldreich and Ostrovsky’s ORAM
appropriately interpreted for innite length input access sequences
not only implies the standard ORAM denition ([17]) for nite
length input access paerns, but also separates out termination
channel leakage via ORAM access sequences. e proposed de-
nition bridges the gap between theory and practice in the ORAM
paradigm for secure processor technology and also simplies prov-
ing the security of practical ORAM constructions. Specically, for
Path ORAM [42], by leveraging the background eviction [36] tech-
nique, our denition relaxes the bounds on stash size and stash
overow probability while greatly simplifying the security proof
presented in [42] and yet oering similar security properties.
We also analyze a ‘strong’ ORAM denition stating that two
sequences ORAM(A1) and ORAM(A2) must be computationally
indistinguishable if the lengths of the input sequences A1 and A2
are equal. is denition implicitly includes a form of termination
channel obfuscation and is applicable for ORAMs used for remote
disk storage. Path ORAM satises this stronger denition – its
security proof must now show that the stash over ow probability
is negligible (a complex analysis).
e paper makes the following contributions:
(1) A rst rigorous study of the original ORAM denition
presented by Goldreich and Ostrovsky, in view of modern
practical ORAMs (e.g., Path ORAM), demonstrating the gap
between theoretical foundations and real implementations
in secure processor architectures.
(2) We show that the Goldreich and Ostrovsky ORAM de-
nition interpreted for innite length input sequences sep-
arates out leakage over the ORAM termination channel
leakage. We show how this denition implies the Gol-
dreich and Ostrovsky ORAM denition for nite length
input sequences, ts the modern practical ORAM imple-
mentations in secure processor architectures, and greatly
simplies the Path ORAM security analysis by relaxing the
constraints around the stash size and overow probability,
and essentially transforms the security argument into a
performance consideration problem.
(3) A generic framework for dynamic resource partitioning in
secure processor architectures is proposed to control leak-
age via contention on shared resources, allowing leakage
vs. performance trade-os. In particular, this can be used
to reason analyse termination channel leakage.
(4) We analyze a ‘strong’ ORAM denition which implies the
Goldreich and Ostrovsky ORAM denition interpreted for
innite length input sequence. e ‘strong’ ORAM deni-
tion implicitly includes obfuscation of the ORAM termina-
tion channel and this is useful in ORAM for remote disk
storage (in order to prove that Path ORAM satises this
denition one now needs to show a negligible probability
of stash overow).
2 BACKGROUND
2.1 Leakage Types via Address Bus Snooping
Privacy of user’s sensitive data stored in the cloud has become a
serious concern in computation outsourcing. Even though all the
data stored in the untrusted storage can be encrypted, an adver-
sary snooping the memory address bus in order to monitor the
user’s interactions with the encrypted storage can potentially learn
sensitive information about the user’s computation/data [23, 55].
In particular, such an adversary can potentially learn secret infor-
mation about the user’s program/data by observing the following
three behaviors:
(1) e addresses sent to the main memory to read/write data
(i.e., the address channel).
(2) e time when each memory access is made (i.e., the timing
channel).
(3) e total runtime of the program (i.e., the termination chan-
nel).
e countermeasures to prevent leakage via the above mentioned
channels are orthogonal to each other and can be implemented as
needed.
2.2 Oblivious RAM
Oblivious RAM is a renowned technique that obfuscates a user’s
access paern to an untrusted storage so that an adversary moni-
toring the access sequence to the storage cannot learn any informa-
tion about the user’s application or data. Informally speaking, the
ORAM interface translates the user’s access sequence of program
addresses A = (a1, a2, . . . , an ) into a sequence of ORAM accesses
S = (s1, s2, . . . , sm ) such that for any two access sequences A1
and A2, the resulting ORAM access sequences S1 and S2 are com-
putationally indistinguishable given that S1 and S2 are of same
length. In other words, the ORAM physical access paern (S) is
independent of the logical access paern (A), except the lengths of
the two access paerns which are correlated. Precisely, an ORAM
protects against leakage via the memory address channel only (cf.
Section 2.1). e data stored in ORAMs should be encrypted using
probabilistic encryption to conceal the data content and also hide
Revisiting Definitional Foundations of Oblivious RAM for Secure Processor Implementations , ,
Position MapStash
1
Data ORAM Controller
Program Address ‘a’
Get Leaf  s=5
3
Return Data
4
Tr
u
st
ed
 D
o
m
ai
n
 
(O
n
 C
h
ip
)
0 1 2 3 4 5 6 7Leaf
Write Path
5
U
n
tr
u
st
ed
 D
o
m
ai
n
 
(E
xt
er
n
al
 D
R
A
M
)
2
Read Path
Remap
Figure 1: A Path ORAM for L = 3 levels. Path s = 5 is ac-
cessed.
which memory location, if any, is updated. With ORAM, an adver-
sary is not able to tell (a) whether a given ORAM access is a read or
write, (b) which logical address in ORAM is accessed, or (c) what
data is read from/wrien to that location. We revisit the formal
denition of ORAM presented by Goldreich and Ovstrofsky [17]
and discuss it in more detail in Section 3.
2.3 Path ORAM
Path ORAM [42] is currently the most ecient and simplied
ORAM scheme for limited client (processor) storage. Over the
past few years, several crucial optimizations to basic Path ORAM
have been proposed which have resulted in practical ORAM imple-
mentations for secure processor seing.
Path ORAM [42] has two main hardware components: the binary
tree storage and the ORAM controller (cf. Figure 1).
Binary tree stores the data content of the ORAM and is imple-
mented on DRAM. Each node in the tree is dened as a bucket
which holds up to Z data blocks. Buckets with less than Z blocks
are lled with dummy blocks. To be secure, all blocks (real or
dummy) are encrypted and cannot be distinguished. e root of the
tree is referred to as level 0, and the leafs as level L. Each leaf node
has a unique leaf label s . e path from the root to leaf s is dened
as path s . e binary tree can be observed by any adversary and is
in this sense not trusted.
ORAM controller is a piece of trusted hardware that controls
the tree structure. Besides necessary logic circuits, the ORAM
controller contains two main structures, a position map and a stash.
e position map is a lookup table that associates the program
address of a data block (a) with a path in the ORAM tree (path s).
e stash is a piece of memory that stores up to a small number of
data blocks at a time.
At any time, each data block in Path ORAM is mapped (randomly)
to some path s via the position map. Path ORAM maintains the
following invariant: if data block a is currently mapped to path s ,
then a must be stored either on path s , or in the stash (see Figure 1).
Path ORAM follows the following steps when a request on block a
is issued by the processor.
(1) Look up the position map with the block’s program address
a, yielding the corresponding leaf label s .
(2) Read all the buckets on path s . Decrypt all blocks within
the ORAM controller and add them to the stash if they are
real (i.e., not dummy) blocks.
(3) Return block a to the secure processor.
(4) Assign a new random leaf s ′ to a (update the position map).
(5) Encrypt and evict as many blocks as possible from the
stash to path s . Fill any remaining space on path s with
encrypted dummy blocks.
Step 4 is the key to Path ORAM’s security. is guarantees
that a random path will be accessed when block a is accessed later
and this path is independent of any previously accessed random
paths (unlinkability). As a result, each ORAM access is random and
unlinkable regardless of the request paern.
Although, unlinkability property follows trivially from the con-
struction of Path ORAM, another crucial property to be proven is
the negligible stash overow probability for a small sized stash, i.e.,
O(λ) sized stash for λ being the security parameter.
2.4 Recursive Path ORAM
In practice, the position map is usually too large to be stored in
the trusted processor. Recursive ORAM has been proposed to solve
this problem [39]. In a 2-level recursive Path ORAM, for instance,
the original position map is stored in a second ORAM, and the
second ORAM’s position map is stored in the trusted processor.
e above trick can be repeated, i.e., adding more levels of ORAMs
to further reduce the nal position map size at the expense of
increased latency. e recursive ORAM has a similar organization
as OS page tables.
2.5 Background Eviction
In Steps 4 and 5 of the basic Path ORAM operation, the accessed
data block is remapped from the old leaf s to a new random leaf s ′,
making it likely to stay in the stash for a while. In practice, this may
cause blocks to accumulate in the stash and nally overow the
stash. It has been proven in [42] that the stash overow probability
is negligible for Z ≥ 6. For smaller Z , background eviction [36] has
been proposed to prevent stash overow.
e ORAM controller stops serving real requests and issues
background evictions (dummy accesses) when the stash is full. A
background eviction reads and writes a random path sr in the binary
tree, but does not remap any block. During the writing back phase
(Step 5 in Section 2.3) of Path ORAM access, all blocks that are
just read in can at least go back to their original places on sr , so
the stash occupancy cannot increase. In addition, the blocks that
were originally in the stash are also likely to be wrien back to the
tree as they may share a common bucket with sr that is not full
of blocks. Background eviction is proven secure in terms of the
unlinkability property in [36].
3 GOLDREICH’S OBLIVIOUS RAM
Oblivious RAM was rst proposed by Goldreich and Ostrofsky [17].
In this section, we rst revisit their denition of ORAM and then
discuss its implications on modern real ORAM implementations
for secure processor architectures, specically Path ORAM.
, , Syed Kamran Haider, Omer Khan, and Marten van Dijk
3.1 Formal Denition
LetA be a sequence of program addresses1 a1, · · · ,ai , · · · requested
by the CPU during a program execution, and let ORAM(A) be a
probabilistic access sequence to the actual storage such that it
yields the correct data corresponding to A. en ORAM is called an
oblivious RAM if it is a probabilitic RAM and satises the following
denition.
Denition 3.1 (Oblivious RAM). [17] For every two logical ac-
cess sequences A1 and A2 and their corresponding probabilistic
access sequences ORAM(A1) and ORAM(A2), if |ORAM(A1)| and
|ORAM(A2)| are identically distributed, then so are ORAM(A1) and
ORAM(A2).
Intuitively, according to Denition 3.1, the sequence of memory
accesses generated by an oblivious RAM does not reveal any in-
formation about the original program access sequence other than
its length distribution. Specically, this denition only protects
against the leakage over memory address channel (cf. Section 2.1).
In the above denition we usually interpret A1 and A2 as nite
length sequences implying that |ORAM(A1)| and |ORAM(A2)| will
also be nite length. If innite length input sequencesA are allowed,
then the orginal ORAM denition (i.e. Denition 3.1) turns out to
be equivalent to Denition 4.1 in Section 4. We will argue below
why it is important to admit innite length input sequences.
3.2 A Bogus ORAM
Explained below, Denition 3.1 for nite length input sequences
invites the construction of a strange ‘bogus’ ORAM in which the
access sequence of any probabilistic RAM – even if it is not obliv-
ious – can be padded with additional accesses so that it becomes
oblivious. Since the access sequence of a non-oblivious probabilis-
tic RAM is only padded, this reveals information about the input
access sequence to the probabilistic RAM. is, of course, breaks
our intuitive understanding of what oblivious means. e reason
why our construction is oblivious is that the additional padding
creates a 1-1 correspondence between the access sequence of the
probabilistic RAM and the nal length of the access sequence aer
padding; this allows us to abuse Denition 3.1 as we essentially
code all the information about the access sequence of the proba-
bilistic RAM in the termination channel (the length of the ORAM
sequence). is means that each access paern A will produce a
unique length |ORAM(A)| – so, there are no two dierent sequences
in Denition 3.1 for our ‘bogus’ construction that will be compared.
e bogus construction does not introduce any smartness, it eec-
tively pushes all the work of making the access paern oblivious
to making the termination channel oblivious. is observation will
lead to a slightly stronger ORAM denition in Section 4 which
is independent of the concept of a termination channel, i.e., the
length of an ORAM access sequence does not play a role in the new
denition (which turns out to be equivalent to Denition 3.1 for
unrestricted and possibly innite length input sequences).
Algorithm 1 shows how a (non-oblivious) probablistic RAM
RAMf (.) can be padded in order to create an ORAM: Here an in-
put access sequence A to RAMf (.) is nite so that a nite length
1Actually, triples (oi , ai , di ) representing write/read/halt, address, and data send to
memory.
output sequence RAMf (A) is created which can be uniquely in-
terpreted as an integer x in line 3.2 e resulting padded
ORAM sequence has length x , see line 4. is means that
if |ORAMWrapper(RAMf )(A1)| and |ORAMWrapper(RAMf )(A2)|
are identically distributed, then so are RAMf (A1) and RAMf (A2)
(this already shows that only very specic A1 and A2 will
result in identically distributed |ORAMWrapper(RAMf )(A1)|
and |ORAMWrapper(RAMf )(A2)|). Since line 4 only padds
RAMf (A1) and RAMf (A2) with an access sequence taken from
some a-priori xed distribution, the padded access sequences
ORAMWrapper(RAMf )(A1) and ORAMWrapper(RAMf )(A2) are
identically distributed. We conclude that the bogus ORAM satises
Denition 3.1 for nite length input sequences.
e above shows the importance of allowing innite length input
sequences in the ORAM denition.
3.3 Applicability for Secure Processors
Modern secure processors [15, 31] have embraced Path ORAM in-
terface as a part of their trusted computing base (TCB). In these
implementations, the ORAM controller serves the last level cache
(LLC) misses by making ORAM requests to the main memory. Con-
sider the LLC misses sequence of an execution to be the input (A) to
the ORAM interface dened in Denition 3.1. In order to conclude
indistinguishability (as per the above denition) of two ORAM ac-
cess sequences generated as a result of two dierent LLC misses
sequences (i.e., by running dierent programs, or running same
program with dierent inputs), the ORAM access sequences must
have the same length distribution. However, since the LLC misses
paern changes dynamically across various programs and dierent
inputs to the same program [24], it is very unlikely that the corre-
sponding ORAM access sequences of two dierent executions will
have the same length distribution. In particular, this would leak
information about the program behavior through the total runtime
of the application (i.e., the termination channel).
Another perspective to look at this fact is that Denition 3.1
is completely satised by only a small class of ORAM access se-
quences whose lengths are identically distributed. However, in
practice, under the secure processor seing, the lengths of ORAM
access sequences can have arbitrary dierent distributions as dis-
cussed earlier. Furthermore, several optimizations and extensions
proposed in the literature for Path ORAM, resulting in beer per-
formance/security, introduce further probabilistic variance in the
total runtime of the program, i.e., the termination channel. is, as
a result, prevents the ORAM denition under consideration from
being directly applicable to secure processors.
3.4 ORAM Optimizations vs. Program Runtime
In the following discussion, we briey talk about various optimiza-
tions and tricks proposed in the literature that have resulted in
more and more ecient and secure Path ORAM implementations.
Each of these techniques typically introduces some amount of vari-
ance in the length of the ORAM access sequence as function of
2A memory access in A is a triple (op, address, data) where op represents a
read/fetch/load, write/store, or halt. op can be coded using a non-zero bit sequence of
length 2.
Revisiting Definitional Foundations of Oblivious RAM for Secure Processor Implementations , ,
Algorithm 1 Bogus ORAM
1: procedure ORAMWrapper(RAMf )(A)
2: Access memory according to RAMf (A)
3: Represent RAMf (A) as a binary bit string and interpret as an integer x which is ≥ the number of accesses in RAMf (A)
4: Access memory according to another sequence A′ (taken from some a-priori xed distribution) such that the number of accesses in
RAMf (A) combined with A′ is equal to x
5: end procedure
the program input, hence, modifying the total runtime of the pro-
gram that essentially correlates with the given input will leak some
information about it.
3.4.1 Unified Path ORAM & PLB. Unied ORAM [13] is an
improved and state-of-the-art recursion technique to recursively
store a large position map. It leverages the fact that each block in a
position map ORAM stores the leaf labels for multiple data blocks
that are consecutive in the address space. In other words, we can
nd position maps of several blocks in a single access to the position
map ORAM, although only one of them is of interest. erefore,
Unied ORAM caches position map ORAM blocks in a small cache
called position map lookaside buer (PLB) to exploit locality (similar
to the TLB exploiting locality in page tables). To hide whether a
position map access hits or misses in the cache, Unied ORAM
stores both data and position map blocks in the same binary tree.
Having good locality in position map blocks would result in more
PLB hits and overall less number of position map accesses to the
Unied ORAM tree, and vice versa.
3.4.2 ORAM Prefetching. In order to exploit data locality in
programs under Path ORAM, ORAM prefetchers have been pro-
posed [36, 52]. At rst glance, exploiting data locality and obfusca-
tion seem contradictory: on one hand, obfuscation requires that all
data blocks are mapped to random locations in the memory. On the
other hand, locality requires that certain groups of data blocks can
be eciently accessed together. However, Path ORAM prefetchers
address this problem by (statically/dynamically) creating “super
blocks” of data blocks exhibiting locality, and mapping the whole
super block on the same path. As a result, a single path read for
accessing one particular block yields the corresponding super block
which is loaded into the LLC, eectively resulting in a prefetch.
Consequently, good data locality in the program results in more
prefetch hits and overall less number of ORAM accesses, and vice
versa.
3.4.3 Timing Channel Protection. As noted earlier, the ORAM
denition does not protect against leakage over timing channel (cf.
Section 2.1), i.e., when an ORAM access is made. Periodic ORAM
schemes have been proposed to protect the timing channel [14,
15]. A periodic ORAM always makes an access at strict periodic
intervals, where the time interval Oint between two consecutive
accesses is public. If there is no pending memory request when
an ORAM access needs to happen due to periodicity, a dummy
access will be issued (the same operation as background eviction).
Whereas, if a real request arrives before the next ORAM access time,
it waits until the next ORAM access time to enforce a deterministic
behavior. Hence, periodic ORAMs essentially transform the timing
channel leakage to the termination channel leakage by potentially
introducing extra ORAM accesses due to periodicity.
3.5 Implications on Path ORAM Stash Size
Proving that the stash overow probability is negligible implies
Path ORAM’s correctness and security. e stash overow proba-
bility drops exponentially in the stash size. A signicantly complex
proof presented in [42] shows that, for Z ≥ 6, a negligible stash
overow probability can be achieved by conguring the stash size
appropriately, where Z represents the number of blocks per node
in Path ORAM’s binary tree. ese parameter seings might be
well suited for asymptotic analysis, however, real implementations
might choose a dierent set of parameters to optimize various de-
sign points. For example, a smaller stash size is desired to save
hardware area overhead. Similarly, studies [36] have shown that
Z = 3 yields the best performance for Path ORAM.
For smaller stash sizes and/or Z < 6, the stash overow can
be prevented through background eviction (cf. Section 2.5) which
essentially adds ‘extra’ dummy accesses in the original ORAM
access sequence. Notice, however, that satisfying Denition 3.1
requires restricting the ORAM access sequences to have identical
length distributions, and hence does not apply to background evic-
tion which would probabilistically modify the lengths of ORAM
sequences depending upon the stash occupancy which is program
input correlated.
As an example, consider a 2-level recursive Path ORAM where
the original position map is stored in a second ORAM, and the
second ORAM’s position map is stored in the trusted processor (cf.
Section 2.4). Let A1 and A2 be two program address sequences and
let ORAM(A1) and ORAM(A2) be their corresponding ORAM ac-
cess sequences. Notice that each entry of the sequence ORAM(Ai )
consists of two accesses corresponding to the position map ORAM
and data ORAM respectively, and is therefore likely to increases
the stash occupancy by 2. Further notice that by denition of re-
cursive ORAM structure, each position map ORAM block contains
path/leaf labels of several data ORAM blocks consecutively located
in the program’s address space.
Assume that A1 accesses consecutive data blocks in the pro-
gram’s address space, whereas A2 accesses random data blocks.
en, subsequent accesses from sequence ORAM(A1) will exhibit
higher temporal locality for position map blocks. is is because
several position map accesses – corresponding to data blocks con-
secutive in the program’s address space – will access the same
position map block which is likely to be present already in the
stash. erefore, the stash occupancy will grow at a rate of < 2
blocks per recursive access. Whereas, subsequent accesses from
, , Syed Kamran Haider, Omer Khan, and Marten van Dijk
ORAM(A2) exhibit extremely poor temporal locality among po-
sition map blocks due to the randomized sequence A2, therefore
the stash occupancy will grow at a rate of ≈ 2 blocks per recur-
sive access. Consequently, two ORAM accesses sequences exhibit
two dierent stash occupancies due to the underlying program’s
behavior.
4 PROPOSED DEFINITION
In order to argue about indistinguishability of ORAM access se-
quences, we interpret Goldreich and Ostrovsky’s ORAM denition
to also incorporate innite length input access sequences and this
implicitly obfuscates termination channel leakage so that the ter-
mination channel cannot be used for leakage in the denition (this
separates out the termination channel and invalidates our bogus
ORAM as an ORAM).
Denition 4.1 (Oblivious RAM for innite access sequences). For
every two logical access sequences A1 and A2 of innite length,
their corresponding (innite length) probabilistic access sequences
ORAM(A1) and ORAM(A2) are identically distributed in the fol-
lowing sense: For all positive integers n, if we truncate ORAM(A1)
and ORAM(A2) to their rst n accesses, then the truncations
[ORAM(A1)]n and [ORAM(A2)]n are identically distributed.
Concrete ORAM constructions to-date have the property that
future memory accesses in A do not inuence how the oblivious
RAM interface accesses memory now:
Denition 4.2 (Causality). For all n, ORAM(A) extends the access
sequence ORAM([A]n ), where [A]n is the truncation of A to the
rst n accesses.
Assuming causality, Denition 4.1 implies Denition 3.1 for
nite length input sequences A1 and A2: Suppose that lengths
|ORAM(A1)| and |ORAM(A2)| are identically distributed. Since
A1 and A2 are nite length, also ORAM(A1) and ORAM(A2) are
nite length. Because they are identically distributed there exists a
maximum possible length n, i.e., |ORAM(A1)| and |ORAM(A2)|
will be ≤ n. We may padd A1 and A2 to innite length
sequences A′1 and A
′
2. Assuming Denition 4.1 teaches that
ORAM(A′1) and ORAM(A′2) are identically distributed, in particular,[ORAM(A′1)]n and [ORAM(A′2)]n are identically distributed. Due
to causality, [ORAM(A′1)]n and [ORAM(A′2)]n extend ORAM(A1)
and ORAM(A2). is implies that ORAM(A1) and ORAM(A2)must
be identically distributed, hence, Denition 3.1 holds for nite
length input sequences A1 and A2.
If in Denition 3.1 we use the interpretation of ‘identically dis-
tributed for innite length sequences ORAM(A1) and ORAM(A2)’
given in Denition 4.1, then we may conclude that Denition 4.1 is
equivalent to Denition 3.1 for unrestricted and possibly innite
length input sequences A1 and A2.
4.1 A Stronger Denition
We can strengthen Denition 3.1 by requiring that |A1 | and |A2 |
are identically distributed instead of |ORAM(A1)| and |ORAM(A2)|
being identically distributed:
Denition 4.3 (‘Strong’ Oblivious RAM). For every two logical
access sequences A1 and A2 and their corresponding probabilistic
access sequences ORAM(A1) and ORAM(A2), if |A1 | and |A2 | are
equal, then so are ORAM(A1) and ORAM(A2).
Clearly, this strong denition for unrestricted and possibly in-
nite length input sequences A1 and A2 implies Denition 4.1 since
it covers the case where |A1 | = |A2 | = ∞.
Assuming causality, it turns out that the strong Denition
4.3 restricted to nite length input sequences A1 and A2 also
implies Denition 4.1: Suppose that Denition 4.1 does not
hold and there exist innite length access sequences A′1 and
A′2 and there exists an integer n such that [ORAM(A′1)]n and[ORAM(A′2)]n are not identically distributed. Causality implies
that [ORAM(A′1)]n = [ORAM([A′1]i )]n and [ORAM(A′2)]n =[ORAM([A′2]j )]n for some (nite) integers i and j . Letk = max{i, j}.
en (by using causality) [ORAM(A′1)]n = [ORAM([A′1]k )]n
and [ORAM(A′2)]n = [ORAM([A′2]k )]n . We conclude that
ORAM([A′1]k ) and ORAM([A′2]k ) are not identically distributed.
is contradicts Denition 4.3 for A1 = [A′1]k and A2 = [A′2]k
which both have length k .
e next theorem enumerates our ndings:
Theorem 4.4. Suppose causality. en, the ‘strong’ ORAM Def-
inition 4.3 for nite length input sequences implies Goldreich and
Ostrovsky’s ORAM Denition 3.1 phrased for innite length input
sequences (as in Denition 4.1) and this in turn implies Goldreich and
Ostrovsky’s ORAM Denition 3.1 restricted to nite length input se-
quences. Our bogus ORAM satises Goldreich and Ostrovsky’s ORAM
Denition 3.1 restricted to nite length input sequences.
Finally, we notice that the above denitions can also be adopted
in a Universal Composability framework as in [16].
4.2 Application
In the secure processor seing an input sequence A represent the
LLC misses sequence. In practice, we may think of the processor
to continuously access memory (DRAM) and therefore produce
an innite length input access sequence A. is sequence is pro-
duced by several programs being contexed switched in and out,
some programs terminating and new ones starting. is shows
that for an ORAM denition to be useful in the secure processor
architecture seing we require Goldreich and Ostrovsky’s ORAM
Denition 3.1 phrased for innite length input sequences. e ter-
mination channel is separated out as the ORAM interface does not
terminate and keeps on executing. If a program (module) P termi-
nates it will communicate over a dierent I/O channel its computed
result.3 e moment at which this happens leaks information to
an observing adversary – in fact, the adversary can be another
program running on the secure processor whose own termination
channel leaks into what extent P has slowed down the adversarial
program by using shared resources. In Section 5 we propose a
framework for analysing leakage over covert channels induced by
shared resources.
In the secure processor architecture seing we do not need the
‘strong’ ORAM denition. It turns out, see Sections 4.3-4.4, that
PathORAM + background eviction (and other optimizations) satis-
es Goldreich and Ostrovsky’s ORAM Denition 3.1 phrased for
3Or request input for continuing executing a next program module.
Revisiting Definitional Foundations of Oblivious RAM for Secure Processor Implementations , ,
innite length input sequences and its security proof is straightfor-
ward. However, PathORAM + background eviction does not satisfy
the ‘strong’ ORAM denition. We notice that PathORAM without
optimizations such as background eviction does satisfy the ‘strong’
ORAM denition and proving this requires a much more complex
analysis (as one needs to show that the stash only overows with
negligible probability).
e ‘strong’ ORAM denition makes sense and is useful in the
remote disk storage seing because we will access the remote stor-
age in bursts of requests and we wish the ORAM interface to only
reveal the length of the burst and nothing more – in this way
the ‘strong’ ORAM implicitly provides a useful characterization of
leakage through the timing channel (i.e., when accesses happen).
e above denitions translate to write-only ORAM: HIVE [6]
and Li et al. [27] essentially use the ‘strong’ write-only ORAM
denition since these papers discuss the remote disk storage seing.
Flat ORAM [22], on the other hand, is designed and optimized for
the secure processor seing and is secure under the Goldreich and
Ostrovsky equivalent of a write-only ORAM denition for innite
length input sequences. Flat ORAM does not (and does not need
to) satisfy the ‘strong’ write-only ORAM.
4.3 Adapting ORAM Optimizations
An ORAM interface satisfying Denition 4.1 “automatically” caters
for the arbitrary and dynamically changing rate of ORAM(A) ac-
cesses to memory per input access in A, and is therefore naturally
a beer t for practical ORAM implementations (e.g., Path ORAM)
in the secure processor seing when compared to Goldreich and
Ostrovsky’s ORAM Denition 3.1 for nite length input sequences:
e cumulative eect of various performance optimizations out-
lined in Section 3.4 on the termination channel can be incorporated
in the proposed ORAM by denition. E.g., the additional accesses
added by the periodic ORAM schemes in order to hide the ORAM
access timing, or ORAM prefetching resulting in a reduced number
of accesses only results in an altered access sequence, which still
remains innite length.
4.4 Simplied Stash Analysis
Another crucial advantage of the proposed denition is that it
greatly simplies the stash size analysis for Path ORAM. As men-
tioned earlier, the stash must never overow for the correctness
or security of Path ORAM under the ‘strong’ ORAM Denition
4.3, which imposes certain restrictions on the minimum stash size
and ORAM parameters, e.g., Z ≥ 6. Whereas, according to Deni-
tion 4.1, it is totally acceptable to have a substantial percentage of
background eviction accesses among the overall ORAM accesses, if
needed, in order to prevent stash overow for arbitrary parameter
seings. However, the impact of this relaxed ORAM denition with
any chosen parameter seings is reected in the overall perfor-
mance of the system. e system performance can then essentially
be benchmarked to tune the optimum seings for desired design
points depending upon the application.
5 PRIVACY LEAKAGE ANALYSIS
Recall from Section 3.1 that a standard oblivious RAM protects only
against leakage over the memory address channel. In this section,
we rst discuss common mitigation techniques for other leakage
sources, e.g., the ORAM timing channel and termination channel.
Later, we present a generic framework, called PRAXEN, that of-
fers security vs. performance trade-os against a wide range of
hardware side channel aacks in a secure processing environment.
5.1 Timing Channel
5.1.1 Static Periodic Behavior. A straightforward approach to
hide the ORAM timing behavior is to use a periodic ORAM
scheme [15], as introduced in Section 3.4.3. An ORAM access is
made strictly aer predened periods, whereas the access period is
statically dened oine, i.e., before the program runs.
e security of this approach follows trivially as it completely
trades o the timing channel leakage with the total runtime of the
program, i.e., altering the termination channel behavior. Notice
that even if the periodic ORAM controller dynamically changes
some internal performance parameters, such as prefetching rate and
threshold to control background evictions rate, the resultant ORAM
access sequence being strictly periodic only alters the termination
time of a program.
5.1.2 Dynamic Periodic Behavior. While the static periodic ap-
proach discussed above is secure, studies have shown that this
approach can potentially result in signicant performance over-
heads across a range of programs [14]. On one hand, a constant rate
of ORAM accesses throughout the program execution is desirable
for security, whereas on the other hand, a dynamically varying ac-
cess rate is desirable for performance. In order to achieve a balance
between the two extremes, [14] proposes a framework that splits
the program execution into coarse grained (logical) time epochs,
and enforces, within each epoch, a strict ORAM access rate that is
selected dynamically at the start of each epoch.
Let Lmax be the maximum program runtime in terms of the
number of ORAM accesses such that all programs can complete
with ≤ Lmax ORAM accesses. Let E denote the list of epochs of
a program execution, or the epoch schedule, where each epoch is
characterized by its number of ORAM accesses, and let R denote
the list of allowed ORAM access rates. While running a program
during a given epoch, the secure processor is restricted to use a
single ORAM access rate, and picks a new rate conguration at
the start of the next epoch. Given |E | epochs and |R | rates, there
are |R | |E | possible epoch schedules – which can potentially reveal
the dynamic behavior of the program. us, the timing channel
leakage alone can be upper bounded by log2(|R| |E |) = |E | log2 |R |
bits. To control the amount of leakage, |E | can be set to a small
value, e.g., |E | = log2 Lmax , resulting in only log2 Lmax · log2 |R |
bits leakage while achieving good performance.
5.2 Termination Channel
If the results of a program are sent back as soon as the application
actually terminates, i.e., the actual termination time is visible to
the adversary, sensitive information about the application’s input
can be leaked by this behavior. Given the maximum number of
ORAM accesses Lmax within which all programs can terminate, the
maximum number of termination traces/lengths that any program
can possibly have is upper bounded by Lmax , i.e., one trace per
termination point. erefore, applying the information theoretic
, , Syed Kamran Haider, Omer Khan, and Marten van Dijk
argument from [14, 40], at most log2 Lmax bits about the inputs
can leak through the termination time alone per execution. In prac-
tice, due to the logarithmic dependence on Lmax , termination time
leakage is small. For example, log2 Lmax = 62 should work for all
programs, which is very small if the user’s input is at least a few
kilobytes. Further, we can reduce this leakage through discretiza-
tion of runtime. For example, if we “round up” the termination time
to the next 230 accesses, the leakage is reduced to lg 262 − 30 = 32
bits. e overall leakage by both timing and termination channels
can be given by log2 Lmax · log2 |R | + log2 Lmax bits.
5.3 Other Hardware Side Channels
While an outside adversary can only monitor an ORAM’s exter-
nal side channels, such as timing/termination channels; in a mod-
ern multi-core secure processor, there also exist several internal
hardware-based side channels due to the inevitable sharing of var-
ious structures. SVF [11] experimentally measured information
leakage in a processor and showed that any “shared structure” can
leak information. In particular, privacy leakage over a shared cache
has been explicitly demonstrated in [1, 54] for two VMs sharing a
cache (without TEE support) showing that secret key bits can leak
from one VM to the other, even if the VMs are placed on dierent
cores in the same machine.
Researchers have explored how to counter timing channel at-
tacks due to cache interference [12, 48] where solutions either
rely on static or dynamic cache partitioning. e static approach
lowers processor eciency but has a strong security guarantee:
no information leakage. Current solutions based on the dynamic
cache partitioning approach improve processor eciency but do
not guarantee bounds on information leakage. We note that ef-
cient cache partitioning is important as it improves processor
eciency [5, 25, 26, 35, 37, 45, 51].
Researchers have also explored how to counter timing channel
aacks due to network-on-chip interference in multi-cores [47,
49]. Both these schemes use static network partitioning to enable
information-leak protection through the processor communication
paerns.
Finally, the most important shared resource channel in the
ORAM context that leaks information from the hardware layer
is the shared ORAM controller that connects (via a traditional mem-
ory controller) the processor to the o-chip memory. A recent
work [4] shows that, under Path ORAM, an adversary running a
malicious thread at one of the cores of the multi-core system can
learn sensitive information about the behavior of user thread(s)
running on other core(s) by introducing contention at the shared
ORAM controller and observing the service times of its own re-
quests. Again, a static partitioning scheme for this information
leakage channel can be used at the cost of eciency.
We want to design a generic dynamic resource partitioning
scheme, applicable to any shared resource(s), based on the insight
that leakage can be quantied using information theory [3, 40, 53],
in order for achieving a balance between security and performance.
5.4 PRAXEN: A PRivacy Aware eXecution
ENvironment
In order to control privacy leakage while still dynamically sharing
resources for eciency, we propose a generic resource scheduling
strategy which only takes a small, yet a sucient, amount of infor-
mation about the current and past execution of application threads
into account.
Each application thread i ∈ A is associated with a conguration
ci which serves as input to the resource scheduler for allocating
resources to each thread, i.e., the scheduler assigns resources to
each thread according to some (probabilistic) algorithm
Alloc((ci )i ∈A).
For example, based on the collection of congurations (c j )j ∈A, the
resource scheduler may rst, by using interpolation and extrapola-
tion, reconstruct a complete approximate picture of all performance
indicators which measure how all resources are being used by each
of the threads. is rough picture is used to allocate the current re-
sources to each thread – this allocation will not change (it is static)
until one of the application thread’s congurations ci changes.
e reason not to use current measured performance indicators
(as an input in Alloc) for scheduling is because these dynamically
change with respect to execution decisions based on each applica-
tion thread’s state and this gives an uncontrolled amount of leakage.
As we will see, the above static allocation allows precise control of
privacy leakage from one application to another.
We call a change of thread i’s conguration from a current con-
guration ci to a new conguration c ′i a decision point for i . Each
decision point is associated with an actual time ti . At a decision
point, the scheduler takes the real, i.e. actual measured, perfor-
mance indicators of thread i in combination with its history of
resource allocations to select a new conguration c ′i together with
• A future time t ′i at which the next decision point for i
occurs, as well as
• A set of future congurations C ′i from which the next
conguration for i will be taken.
We record the tuples (i, ci , ti ,Ci , t ′i ) in a history ordered by
time ti . Notice that according to this ordering (i, ci , ti ,Ci , t ′i ) <(i, c ′i , t ′i ,C ′i , t ′′i ) and the above requirements state
c ′i ∈ Ci . (1)
So, at time ti a decision has been made about what conguration for
i can be selected at the next decision point, and when this decision
is applied.
For a current time t we can extract from the past history PastHist
of decision points the most recent tuples (i, ci , ti ,Ci , t ′i ) with ti < t
for i ∈ A. We compute the time of the next upcoming decision
point NextDecisionPoint as
Next(PastHist , t) = min
i ∈A,t ′i ≥t
t ′i .
Let i be the application thread which corresponds to the upcoming
decision point. At this decision point the scheduler is allowed to
only change i’s conguration: e scheduler computes
(i, c ′i , t ′i ,C ′i , t ′′i ) ← F (PastHisti ,NextDecisionPoint , Per f Indi )
(2)
Revisiting Definitional Foundations of Oblivious RAM for Secure Processor Implementations , ,
Algorithm 2 Resource Scheduling
1: procedure PrivacyAwareScheduler(F )
2: while True do
3: if Time ∈ [NextDecisionPoint ,NextDecisionPoint + δ ] then . δ makes the approach reliable
4: Obtain Per f Indi for thread i corresponding to NextDecisionPoint
5: x ← F(PastHist ,NextDecisionPoint , Per f Indi )
6: PastHist+ = {x}
7: Change conguration ci to the one indicated in x at time NextDecisionPoint + δ
8: NextDecisionPoint = Next(PastHist ,Time)
9: end if
10: end while
11: end procedure
where PastHisti represents the past history of decision points of
thread i and Per f Indi represent the (history of) measured per-
formance indicators of only thread i . Here F satises (1) and
t ′i = NextDecisionPoint . If the scheduler decides not to change i’s
conguration, then c ′i = ci in (2). Our approach is formalized in
Algorithm 2.
Leakage Analysis: In the worst case all cores/threads, except for
one, can collaborate (i.e., act as malicious threads) to observe one
specic (victim) thread i (and, in particular, observe its congura-
tion changes). Note that the collaborating threads can only observe
the victim thread i through changes in resource allocation. We
argue that this information is fully captured by i’s conguration
changes and the times when these changes happened: e rea-
son is that each epoch has (1) a static resource allocation among
threads – e.g., DRAM bandwidth, ORAM access rate etc. – pre-
venting internal side channel leakages within an epoch, and (2)
indistinguishability of real vs. dummy ORAM accesses – prevent-
ing external side channel leakages within an epoch. erefore,
accros time the collaborating threads can only observe and use
the output of Alloc((c j )j ∈A) in order to extract information about
thread i . Hence, the privacy leakage of thread i is at most the
information about thread i contained in PastHist which includes
the history of congurations (that form the inputs to Alloc). We
notice that each decision point at time t in PastHist is the result of
an algorithm F which only takes as inputs a history PastHistj of
past decision points before time t together with the corresponding
NextDecisionPoint (which is also a function of past decision points
before time t ), and Per f Indj . erefore, by using induction on t ,
we can prove that only the decision points corresponding to thread
i in PastHist contribute to leakage (through Per f Indi ) of thread i .
We conclude that privacy leakage of a specic thread i is at most
the information about thread i given by the history of i’s decision
points (i.e., conguration changes and the times at which these
happen): e number of leaked bits is at most Shannon entropy
H (PastHisti ) = H ({(i, c(j)i , t
(j)
i ,C
(j)
i , t
(j+1)
i )} ⊂ PastHist)
and can be bounded as follows:
In order to compute (2) assume that F
• First computes the new conguration c ′i based on inputs
PastHisti , NextDecisionPoint , and Per f Indi and
• Next computes the new sets of possible future congu-
rations C ′i and possible future decision points t
′′
i based
on inputs PastHisti , NextDecisionPoint , and c ′i (but not
Per f Indi otherwise an upper bound cannot be proven).
We may order the random variables {(i, c(j)i , t
(j)
i ,C
(j)
i , t
(j+1)
i )} in
PastHist as follows:
H ({(i, c(j)i , t
(j)
i ,C
(j)
i , t
(j+1)
i )} ⊂ PastHist)
= H
(
(C(n)i , t
(n+1)
i ), c(n), (C
(n−1)
i , t
(n)
i ), c(n−1), . . . ,
. . . , (C(0)i , t
(1)
i ), c(0)
)
=
n∑
j=0
H
(
(C(j)i , t
(j+1)
i )|c(j), (C
(j−1)
i , t
(j)
i ), c(j−1), . . . ,
. . . , (C(0)i , t
(1)
i ), c(0)
)
+
n∑
j=0
H
(
c(j) |(C(j−1)i , t
(j)
i ), c(j−1), . . . , (C
(0)
i , t
(1)
i ), c(0)
)
≤ 0 +
n∑
j=0
log |C(j−1) |
where the rst sum equals 0 because F computes (C(j)i , t
(j+1)
i ) as a
function of c(j) and PastHisti (up to moment t (j)i ); and the second
sum is upper bounded by log |C(j−1) | because c(j) ∈ C(j−1). Let
λj = log |C(j−1) | then the ith thread leaks at most
∑
j λj bits.
Given that algorithms F and Alloc have enough freedom to
reallocate resources, our framework oers a controlled leakage
model while maintaining optimum performance. is methodology
can be used on almost all resource sharing paradigms. It particularly
has applications in seings where there is a nite bounded leakage
budget.
6 CONCLUSION
We present a rst rigorous study of the original oblivious RAM
denition presented by Goldreich and Ostrovsky, in view of mod-
ern practical ORAMs (e.g., Path ORAM), and demonstrate the gap
between theoretical foundations and real ORAM implementations.
Goldreich and Ostrovsky’s ORAM denition appropriately inter-
preted for innite length input access sequebces separates out the
ORAM termination channel and ts modern practical ORAM imple-
mentations in the secure processor seing. e proposed denition
greatly simplies the Path ORAM security analysis by relaxing
, , Syed Kamran Haider, Omer Khan, and Marten van Dijk
the constraints around the stash size and overow probability, and
essentially transforms the security argument into a performance
consideration problem. A generic framework for dynamic resource
partitioning has also been proposed, which mitigates the sensitive
information leakage via internal hardware based side channels –
such as contention on shared resources – with minimal performance
loss.
ACKNOWLEDGMENTS
e work is partially supported by NSF grant CNS-1413996 for
MACS: A Modular Approach to Cloud Security.
REFERENCES
[1] Gorka Irazoqui Apecechea, Mehmet Sinan Inci, omas Eisenbarth, and Berk
Sunar. 2014. Fine grain Cross-VM Aacks on Xen and VMware are possible!
Cryptology ePrint Archive, Report 2014/248. (2014). hp://eprint.iacr.org/.
[2] W. Arbaugh, D. Farber, and J. Smith. 1997. A Secure and Reliable Bootstrap
Architecture. In Proceedings of the 1997 IEEE Symposium on Security and Privacy.
65–71. citeseer.nj.nec.com/arbaugh97secure.html
[3] Aslan Askarov, Danfeng Zhang, and Andrew C. Myers. 2010. Predictive Black-
box Mitigation of Timing Channels. In Proceedings of the 17th ACM Conference
on Computer and Communications Security (CCS ’10). ACM, New York, NY, USA,
297–307. hps://doi.org/10.1145/1866307.1866341
[4] C. Bao and A. Srivastava. 2017. Exploring Timing Side-channel Aacks on
Path-ORAMs. International Symposium on Hardware Oriented Security and Trust
(HOST). (2017).
[5] Nathan Beckmann and Daniel Sanchez. 2013. Jigsaw: Scalable Soware-dened
Caches. In Proceedings of the 22Nd International Conference on Parallel Architec-
tures and Compilation Techniques (PACT ’13). IEEE Press, Piscataway, NJ, USA,
213–224. hp://dl.acm.org/citation.cfm?id=2523721.2523752
[6] Erik-Oliver Blass, Travis Mayberry, Guevara Noubir, and Kaan Onarlioglu. 2014.
Toward robust hidden volumes using write-only oblivious RAM. In Proceedings
of the 2014 ACM SIGSAC Conference on Computer and Communications Security.
ACM, 203–214.
[7] Dan Boneh, David Mazieres, and Raluca Ada Popa. 2011. Remote Oblivious
Storage: Making Oblivious RAM practical. Manuscript, hp://dspace.mit.edu/
bitstream/handle/1721.1/62006/MIT-CSAIL-TR-2011-018.pdf. (2011).
[8] David Champagne and Ruby B Lee. 2010. Scalable architectural support for
trusted soware. In High Performance Computer Architecture (HPCA), 2010 IEEE
16th International Symposium on. IEEE, 1–12.
[9] Victor Costan, Ilia Lebedev, and Srinivas Devadas. 2016. Sanctum: Mini-
mal Hardware Extensions for Strong Soware Isolation. In 25th USENIX Se-
curity Symposium (USENIX Security 16). USENIX Association, Austin, TX, 857–
874. hps://www.usenix.org/conference/usenixsecurity16/technical-sessions/
presentation/costan
[10] Ivan Damga˚rd, Sigurd Meldgaard, and Jesper Buus Nielsen. 2011. Perfectly
Secure Oblivious RAM without Random Oracles. In TCC.
[11] J. Demme, R. Martin, A. Waksman, and S. Sethumadhavan. 2012. Side-channel
vulnerability factor: A metric for measuring information leakage. In Computer
Architecture (ISCA), 2012 39th Annual International Symposium on. 106–117. hps:
//doi.org/10.1109/ISCA.2012.6237010
[12] Leonid Domnitser, Aamer Jaleel, Jason Loew, Nael Abu-Ghazaleh, and Dmitry
Ponomarev. 2012. Non-monopolizable Caches: Low-complexity Mitigation of
Cache Side Channel Aacks. ACM Trans. Archit. Code Optim. 8, 4, Article 35
(Jan. 2012), 21 pages. hps://doi.org/10.1145/2086696.2086714
[13] Christopher Fletcher, Ling Ren, Albert Kwon, Marten van Dijk, and Srinivas
Devadas. 2015. Freecursive ORAM: [Nearly] Free Recursion and Integrity Ver-
ication for Position-based Oblivious RAM. In Proceedings of the 20th Int’l
Conference on Architectural Support for Programming Languages and Operating
Systems (ASPLOS).
[14] Christopher Fletcher, Ling Ren, Xiangyao Yu, Marten Van Dijk, Omer Khan, and
Srinivas Devadas. 2014. Suppressing the Oblivious RAM Timing Channel While
Making Information Leakage and Program Eciency Trade-os. In Proceedings
of the Int’l Symposium On High Performance Computer Architecture.
[15] Christopher Fletcher, Marten van Dijk, and Srinivas Devadas. 2012. Secure Pro-
cessor Architecture for Encrypted Computation on Untrusted Programs. In Pro-
ceedings of the 7th ACMCCSWorkshop on Scalable Trusted Computing; an extended
version is located at hp://csg.csail.mit.edu/pubs/memos/Memo508/memo508.pdf
(Master’s thesis). 3–8.
[16] Christopher Wardlaw Fletcher. 2016. Oblivious RAM: from theory to practice.
Ph.D. Dissertation. Massachuses Institute of Technology.
[17] O. Goldreich and R. Ostrovsky. 1996. Soware protection and simulation on
oblivious RAMs. In J. ACM.
[18] Michael T. Goodrich, Michael Mitzenmacher, Olga Ohrimenko, and Roberto
Tamassia. 2011. Oblivious RAM simulation with ecient worst-case access
overhead. In Proceedings of the 3rd ACM workshop on Cloud computing security
workshop (CCSW ’11). ACM, New York, NY, USA, 95–100. hps://doi.org/10.
1145/2046660.2046680
[19] Michael T. Goodrich, Michael Mitzenmacher, Olga Ohrimenko, and Roberto
Tamassia. 2012. Practical oblivious storage. In Proceedings of the second ACM
conference on Data and Application Security and Privacy (CODASPY ’12). ACM,
New York, NY, USA, 13–24. hps://doi.org/10.1145/2133601.2133604
[20] Michael T. Goodrich, Michael Mitzenmacher, Olga Ohrimenko, and Roberto
Tamassia. 2012. Privacy-preserving group data access via stateless oblivious
RAM simulation. In SODA.
[21] David Grawrock. 2006. e Intel Safer Computing Initiative: Building Blocks for
Trusted Computing. Intel Press.
[22] Syed Kamran Haider and Marten van Dijk. 2016. Flat ORAM: A Simplied Write-
Only Oblivious RAM Construction for Secure Processor Architectures. arXiv
preprint arXiv:1611.01571 (2016).
[23] Mohammad Islam, Mehmet Kuzu, and Murat Kantarcioglu. 2012. Access Paern
disclosure on Searchable Encryption: Ramication, Aack and Mitigation. In
Network and Distributed System Security Symposium (NDSS).
[24] Aamer Jaleel. 2010. Memory characterization of workloads using
instrumentation-driven simulation. Web Copy: hp://www. glue. umd.
edu/ajaleel/workload (2010).
[25] Harshad Kasture and Daniel Sanchez. 2014. Ubik: Efcient Cache Sharing with
Strict QoS for Latency-Critical Workloads. In Proceedings of the International
Conference on Architectural Support for Programming Languages and Operating
Systems (ASPLOS ’14).
[26] Hyunjin Lee, Sangyeun Cho, and B.R. Childers. 2011. CloudCache: Expanding
and shrinking private caches. In High Performance Computer Architecture (HPCA),
2011 IEEE 17th International Symposium on. 219–230. hps://doi.org/10.1109/
HPCA.2011.5749731
[27] Lichun Li and Anwitaman Daa. 2013. Write-only oblivious RAM-based privacy-
preserved access of outsourced data. International Journal of Information Security
(2013), 1–20.
[28] D. Lie, J. Mitchell, C. ekkath, and M. Horwitz. 2003. Specifying and Verifying
Hardware for Tamper-Resistant Soware. In Proceedings of the IEEE Symposium
on Security and Privacy.
[29] D. Lie, C. ekkath, and M. Horowitz. 2003. Implementing an Untrusted Op-
erating System on Trusted Hardware. In Proceedings of the Nineteenth ACM
Symposium on Operating Systems Principles. 178–192.
[30] David Lie, Chandramohan ekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh,
John Mitchell, and Mark Horowitz. 2000. Architectural Support for Copy and
Tamper Resistant Soware. In Proceedings of the 9th Int’l Conference on Architec-
tural Support for Programming Languages and Operating Systems (ASPLOS-IX).
168–177.
[31] Martin Maas, Eric Love, Emil Stefanov, Mohit Tiwari, Elaine Shi, Krste Asanovic,
John Kubiatowicz, and Dawn Song. 2013. Phantom: Practical oblivious computa-
tion in a secure processor. In Proceedings of the 2013 ACM SIGSAC conference on
Computer & communications security. ACM, 311–324.
[32] Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V Rozas, Hisham Sha,
Vedvyas Shanbhogue, and Uday R Savagaonkar. 2013. Innovative instructions
and soware model for isolated execution.. In HASP@ ISCA. 10.
[33] R. Ostrovsky. 1990. Ecient computation on oblivious RAMs. In STOC.
[34] Rafail Ostrovsky and Victor Shoup. 1997. Private Information Storage (Extended
Abstract). In STOC. 294–303.
[35] Moinuddin K. reshi and Yale N. Pa. 2006. Utility-Based Cache Partitioning:
A Low-Overhead, High-Performance, Runtime Mechanism to Partition Shared
Caches. In Proceedings of the 39th Annual IEEE/ACM International Symposium on
Microarchitecture (MICRO 39). IEEE Computer Society, Washington, DC, USA,
423–432. hps://doi.org/10.1109/MICRO.2006.49
[36] Ling Ren, Xiangyao Yu, Christopher Fletcher, Marten van Dijk, and Srinivas
Devadas. 2013. Design Space Exploration and Optimization of Path Oblivious
RAM in Secure Processors. In Proceedings of the Int’l Symposium on Computer
Architecture. Available at Cryptology ePrint Archive, Report 2013/76.
[37] Daniel Sanchez and Christos Kozyrakis. 2012. Scalable and Ecient Fine-Grained
Cache Partitioning with Vantage. IEEE Micro 32, 3 (2012), 26–37. hps://doi.org/
10.1109/MM.2012.19
[38] Luis F. G. Sarmenta, Marten van Dijk, Charles W. O’Donnell, Jonathan Rhodes,
and Srinivas Devadas. 2006. Virtual Monotonic Counters and Count-Limited
Objects using a TPM without a Trusted OS. In Proceedings of the 1st STC’06.
[39] E. Shi, T.-H. H. Chan, E. Stefanov, and M. Li. 2011. Oblivious RAM with
O ((logN )3)Worst-Case Cost. In Asiacrypt. 197–214.
[40] Georey Smith. 2009. On the Foundations of antitative Information Flow. In
Proceedings of the 12th International Conference on Foundations of Soware Science
and Computational Structures: Held As Part of the Joint European Conferences
on eory and Practice of Soware, ETAPS 2009 (FOSSACS ’09). Springer-Verlag,
Berlin, Heidelberg, 288–302. hps://doi.org/10.1007/978-3-642-00596-1 21
Revisiting Definitional Foundations of Oblivious RAM for Secure Processor Implementations , ,
[41] E. Stefanov, E. Shi, and D. Song. 2012. Towards practical oblivious RAM. In
NDSS.
[42] Emil Stefanov, Marten van Dijk, Elaine Shi, Christopher Fletcher, Ling Ren,
Xiangyao Yu, and Srinivas Devadas. 2013. Path ORAM: An Extremely Simple
Oblivious RAM Protocol. In Proceedings of the ACMComputer and Communication
Security Conference.
[43] G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, and Srinivas
Devadas. 2003. aegis: Architecture for Tamper-Evident and Tamper-Resistant
Processing. In Proceedings of the 17th ICS (MIT-CSAIL-CSG-Memo-474 is an up-
dated version). ACM, New-York. hp://csg.csail.mit.edu/pubs/memos/Memo-474/
Memo-474.pdf(revisedone)
[44] G. Edward Suh, Charles W. O’Donnell, Ishan Sachdev, and Srinivas Devadas.
2005. Design and Implementation of the aegis Single-Chip Secure Processor
Using Physical Random Functions. In Proceedings of the 32nd ISCA’05. ACM,
New-York. hp://csg.csail.mit.edu/pubs/memos/Memo-483/Memo-483.pdf
[45] G. E. Suh, L. Rudolph, and S. Devadas. 2004. Dynamic Partitioning of Shared
Cache Memory. J. Supercomput. 28, 1 (April 2004), 7–26. hps://doi.org/10.1023/B:
SUPE.0000014800.27383.8f
[46] Trusted Computing Group. 2004. TCG Specication Architecture Overview
Revision 1.2.
hp://www.trustedcomputinggroup.com/home. (2004).
[47] Yao Wang and G. Edward Suh. 2012. Ecient Timing Channel Protection for
On-Chip Networks. In Proceedings of the 2012 IEEE/ACM Sixth International Sym-
posium on Networks-on-Chip (NOCS ’12). IEEE Computer Society, Washington,
DC, USA, 142–151. hps://doi.org/10.1109/NOCS.2012.24
[48] Zhenghong Wang and Ruby B. Lee. 2007. New Cache Designs for warting
Soware Cache-based Side Channel Aacks. In Proceedings of the 34th Annual
International Symposium on Computer Architecture (ISCA ’07). ACM, New York,
NY, USA, 494–505. hps://doi.org/10.1145/1250662.1250723
[49] Hassan M. G. Wassel, Ying Gao, Jason K. Oberg, Ted Humire, Ryan Kastner,
Frederic T. Chong, and Timothy Sherwood. 2013. SurfNoC: A Low Latency
and Provably Non-interfering Approach to Secure Networks-on-chip. SIGARCH
Comput. Archit. News 41, 3 (June 2013), 583–594. hps://doi.org/10.1145/2508148.
2485972
[50] Peter Williams and Radu Sion. 2012. Single round access privacy on out-
sourced storage. In Proceedings of the 2012 ACM conference on Computer and
communications security (CCS ’12). ACM, New York, NY, USA, 293–304. hps:
//doi.org/10.1145/2382196.2382229
[51] Yuejian Xie and Gabriel H. Loh. 2009. PIPP: Promotion/Insertion Pseudo-
partitioning of Multi-core Shared Caches. In Proceedings of the 36th Annual
International Symposium on Computer Architecture (ISCA ’09). ACM, New York,
NY, USA, 174–183. hps://doi.org/10.1145/1555754.1555778
[52] Xiangyao Yu, Syed Kamran Haider, Ling Ren, Christopher Fletcher, Albert Kwon,
Marten van Dijk, and Srinivas Devadas. 2015. Proram: dynamic prefetcher for
oblivious ram. In Proceedings of the 42nd Annual International Symposium on
Computer Architecture. ACM, 616–628.
[53] Danfeng Zhang, Aslan Askarov, and Andrew C. Myers. 2011. Predictive Mitiga-
tion of Timing Channels in Interactive Systems. In Proceedings of the 18th ACM
Conference on Computer and Communications Security (CCS ’11). ACM, New York,
NY, USA, 563–574. hps://doi.org/10.1145/2046707.2046772
[54] Yinqian Zhang, Ari Juels, Michael K Reiter, and omas Ristenpart. 2012. Cross-
VM side channels and their use to extract private keys. In Proceedings of the 2012
ACM conference on Computer and communications security. ACM, 305–316.
[55] Xiaotong Zhuang, Tao Zhang, and Santosh Pande. 2004. HIDE: an infrastructure
for eciently protecting information leakage on the address bus. In Proceedings
of the 11th ASPLOS. hps://doi.org/10.1145/1024393.1024403
