International audiencePersonal Data Management System (PDMS) solutions are currently flourishing, spurred by new privacy regulations such as GDPR and new legal concepts like data altruism. PDMSs aim to empower individuals by providing appropriate tools to collect and manage their personal data and share computed results with third parties, thus requiring (i) a secure platform protecting the user's privacy and delivering strong guarantees on the outputs of user's data processing, and (ii) an extensible solution that supports all types of data-driven computations. In previous works, we analyzed these requirements and proposed an Extensive and Secure PDMS (ES-PDMS) logical architecture. This demonstration presents the first ES-PDMS prototype based on SGX enclaves, focusing on its security properties with the help of several concrete scenarios and interactive games

Anciaux, Nicolas

Bouganim, Luc

Carpentier, Robin

Sandu Popa, Iulian

Thiant, Floris

National audiencePersonal Data Management System (PDMS) solutions are currently flourishing, spurred by new privacy regulations such as GDPR and new legal concepts like data altruism. PDMSs aim to empower individuals by providing appropriate tools to collect and manage their personal data and share computed results with third parties, thus requiring (i) a secure platform protecting the user's privacy and delivering strong guarantees on the outputs of user's data processing, and (ii) an extensible solution that supports all types of data-driven computations. In previous works, we analyzed these requirements and proposed an Extensive and Secure PDMS (ES-PDMS) logical architecture. This demonstration presents the first ES-PDMS prototype based on SGX enclaves, focusing on its security properties with the help of several concrete scenarios and interactive games

Popa, Iulian, Sandu

INRIA a CCSD electronic archive server

An Extensive and Secure Personal Data Management System Using SGX

International audiencePersonal Data Management System (PDMS) solutions are currently flourishing, spurred by new privacy regulations such as GDPR and new legal concepts like data altruism. PDMSs aim to empower individuals by providing appropriate tools to collect and manage their personal data and share computed results with third parties, thus requiring (i) a secure platform protecting the user’s privacy and delivering strong guarantees on the outputs of user’s data processing, and (ii) an extensible solution that supports all types of data-driven computation

HAL UVSQ

Outline: An Extensive and Secure Personal Data Management System Using SGX

HAL Descartes

HAL Id: hal-03763815https://hal.inria.fr/hal-03763815Submitted on 29 Aug 2022HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.L’archive ouverte pluridisciplinaire HAL, estdestinée au dépôt et à la diffusion de documentsscientifiques de niveau recherche, publiés ou non,émanant des établissements d’enseignement et derecherche français ou étrangers, des laboratoirespublics ou privés.Outline: An Extensive and Secure Personal DataManagement System Using SGXRobin Carpentier, Floris Thiant, Iulian Sandu Popa, Nicolas Anciaux, LucBouganimTo cite this version:Robin Carpentier, Floris Thiant, Iulian Sandu Popa, Nicolas Anciaux, Luc Bouganim. Outline: AnExtensive and Secure Personal Data Management System Using SGX. 1st CNIL International PrivacyResearch Day, Jun 2022, Paris, France. . ￿hal-03763815￿Outline: An Extensive and Secure Personal Data ManagementSystem Using SGXRobin CarpentierUniv. Versailles St-Q.-en-Yvelinesrobin.carpentier@uvsq.frFloris ThiantInria Saclayfloris.thiant@inria.frIulian Sandu PopaUniv. Versailles St-Q.-en-Yvelinesiulian.sandu-popa@uvsq.frNicolas AnciauxInria Saclaynicolas.anciaux@inria.frLuc BouganimInria Saclayluc.bouganim@inria.frThis outline was submitted alongside a demonstration paper [3] to beaccepted for a presentation at the 2022 CNIL’s International PrivacyResearch Day [4].1 ABSTRACTPersonal Data Management System (PDMS) solutions are currentlyflourishing, spurred by new privacy regulations such as GDPR andnew legal concepts like data altruism. PDMSs aim to empowerindividuals by providing appropriate tools to collect and managetheir personal data and share computed results with third parties,thus requiring (i) a secure platform protecting the user’s privacyand delivering strong guarantees on the outputs of user’s dataprocessing, and (ii) an extensible solution that supports all types ofdata-driven computations.2 GOALOur objective is to give individuals the means to benefit from dataportability in a greater way, by safeguarding their control on theretrieved data. Instead of transmitting the retrieved data to a thirdparty for further use, we want to provide solutions that allow theuser to securely retrieve the data and perform computations onbehalf of a third party, while controlling the result disclosed to thatthird party. On the one hand, individuals need automatic tools tocollect their data from the multiple data sources they use. On theother hand, after exercising their right to data portability, they needto allow third parties to carry out computations without givingaccess to the raw data. We want to provide an Extensive and SecurePDMS facilitating these aspects for layman users.3 SCENARIOSConsider the following two scenarios as examples of computationsrequiring the disclosure of aggregates to third parties:Green bonus example. Companies want to reward their employ-ees for having an ecological conduct. Thus, they monthly computea green bonus (financial incentive) based on the number of com-mutes by bike. A user-centered workflow is possible: GPS traces arecollected from a reliable service (e.g., Google Maps), then processedlocally (e.g., on the user’s PDMS) by a specific code provided by theemployer. The result is then delivered to the employer with a proofof compliance.Energy example. An energy supplier wishes to offer servicesprecisely calibrated to the energy consumption of its future cus-tomers. To establish a tailor-made offer, the supplier must evaluatevarious statistical computations on the customer’s consumption.Using the data collected from their energy supplier (or smart me-ter) and thanks to their PDMS offering confidentiality guarantees,customers agree to disclose these statistics but not their detailedconsumption and thus install a computation function sent by thesupplier. The attestations provided by the PDMS allow the supplierto commit to a quote since they get guarantees on the computationperformed.4 METHODOLOGYTo handle these scenarios, we built a PDMS architecture providing:i) confidentiality guarantees for the individual, so that the thirdparties will not have access to their raw data; ii) guarantees forthe third parties that the computation was performed by a specificprogram they specify, run on the required personal data, so that theuser cannot cheat and they can commit to the financial incentive(green bonus) or quote (energy) ; iii) extensibility, so that the com-putation code can provided by the third party is not constrainedand remains generic enough. We leverage Trusted Execution Envi-ronments (TEE) combined with sandboxing techniques to ensurethe security of any user device likely hosting the PDMS [1]. We alsorely on execution strategies that control execution flow and sizeof intermediate results to mitigate the leakage of large amounts ofinformation potentially sent to the third party, as detailed in previ-ous publication [2]. This demonstration paper describes a PDMSimplementation using Intel SGX and provides a set of games to easethe comprehension of the proposal.5 EXISTINGWORKSCurrent practical solutions would resort to web services to collectpersonal data and exploit it, which would raise privacy concernsand a perceived risk of mass surveillance. PDMS solutions (such asCozyCloud or Digi.me) would fail to provide the necessary securityand extensiveness properties, as they only rely on (community)semantic analysis of computation code to ensure security. Similarly,secure database outsourcing techniques, which rely on encryptingpersonal data before sending it to the third-party service to performcalculations on the encrypted data, would not allow any (generic)processing. Similarly, state of the art solutions in automatic infor-mation flow analysis (computation code/results analysis) wouldnot be applicable here, as they are based on an assumption of non-interference between any sensitive inputs and the computationresult, whereas in our scenarios, the aggregated (statistical) resultscan obviously depend on any personal input.REFERENCES[1] N. Anciaux, P. Bonnet, L. Bouganim, B. Nguyen, P. Pucheral, I. Sandu Popa, and G.Scerri. 2019. Personal Data Management Systems: The security and functionalitystandpoint. Inf. Syst. 80 (2019), 13–35.[2] R. Carpentier, I. Sandu Popa, and N. Anciaux. 2021. Poster: Reducing Data Leakageon Personal Data Management Systems. In 2021 IEEE European Symposium onSecurity and Privacy (EuroS&P). IEEE Computer Society, 716–718.[3] Robin Carpentier, Floris Thiant, Iulian Sandu Popa, Nicolas Anciaux, and LucBouganim. 2022. An Extensive and Secure Personal Data Management System Us-ing SGX. In Proceedings of the 25th International Conference on Extending DatabaseTechnology, EDBT 2022. 2:570–2:573. https://doi.org/10.48786/edbt.2022.53[4] Robin Carpentier, Floris Thiant, Iulian Sandu Popa, Nicolas Anciaux, and LucBouganim. 2022. An Extensive and Secure Personal Data Management System Us-ing SGX. Presentation at the 1st International Privacy Research Day, CommissionNationale de l’Informatique et des Libertés, Paris, France. https://www.cnil.fr/en/privacy-research-day-discover-program-first-cnils-international-conference2

https://hal.inria.fr/hal-03580286/document

An Extensive and Secure Personal Data Management System Using SGX

Abstract

Similar works

Full text

Available Versions

INRIA a CCSD electronic archive server

HAL UVSQ

INRIA a CCSD electronic archive server

HAL UVSQ

HAL Descartes

HAL UVSQ

INRIA a CCSD electronic archive server