ShieldStore: Shielded In-memory Key-value Storage with SGX

The shielded computation of hardware-based trusted execution environments such as Intel Software Guard Extensions (SGX) can provide secure cloud computing on remote systems under untrusted privileged system software. However, hardware overheads for securing protected memory restrict its capacity to a modest size of several tens of megabytes, and more demands for protected memory beyond the limit cause costly demand paging. Although one of the widely used applications benefiting from the enhanced security of SGX, is the in-memory key-value store, its memory requirements are far larger than the protected memory limit. Furthermore, the main data structures commonly use fine-grained data items such as pointers and keys, which do not match well with the coarse-grained paging of the SGX memory extension technique. To overcome the memory restriction, this paper proposes a new in-memory key-value store designed for SGX with application-specific data security management. The proposed key-value store, called ShieldStore, maintains the main data structures in unprotected memory with each key-value pair individually encrypted and integrity-protected by its secure component running inside an enclave. Based on the enclave protection by SGX, ShieldStore provides secure data operations much more efficiently than the baseline SGX key-value store, achieving 8--11 times higher throughput with 1 thread, and 24--30 times higher throughput with 4 threads.

• Publication year

  2019

• Venue

  European Conference on Computer Systems

• Publication date

  2019-03-25

• Fields of study

  Computer Science, Engineering

• Identifiers
  DOI 10.1145/3302424.3303951
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• SPEICHER: Securing LSM-based Key-Value Stores using Shielded Execution

  2019cited by this paper
• Varys: Protecting SGX Enclaves from Practical Side-Channel Attacks

  2018cited by this paper
• SgxPectre Attacks: Leaking Enclave Secrets via Speculative Execution

  2018cited by this paper
• Switchless Calls Made Practical in Intel SGX

  2018cited by this paper
• EnclaveDB: A Secure Database Using SGX

  2018cited by this paper
• VAULT: Reducing Paging Overheads in SGX with Efficient Integrity Verification Structures

  2018cited by this paper
• ShieldBox: Secure Middleboxes using Shielded Execution

  2018cited by this paper
• Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution

  2018cited by this paper
• Pesos: policy enhanced secure object store

  2018cited by this paper
• T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs

  2017cited by this paper
• Regaining lost cycles with HotCalls: A fast interface for SGX secure enclaves

  2017cited by this paper
• ROTE: Rollback Protection for Trusted Execution

  2017cited by this paper
• Detecting Privileged Side-Channel Attacks in Shielded Execution with Déjà Vu

  2017cited by this paper
• HardIDX: Practical and Secure Index with SGX

  2017cited by this paper
• SGX-Shield: Enabling Address Space Layout Randomization for SGX Programs

  2017cited by this paper
• Panoply: Low-TCB Linux Applications With SGX Enclaves

  2017cited by this paper
• Rollback and Forking Detection for Trusted Execution Environments Using Lightweight Collective Memory

  2017cited by this paper
• Opaque: An Oblivious and Encrypted Distributed Analytics Platform

  2017cited by this paper
• Eleos: ExitLess OS Services for SGX Enclaves

  2017cited by this paper
• SGXBOUNDS: Memory Safety for Shielded Execution

  2017cited by this paper
• Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX

  2017cited by this paper
• A Memory Encryption Engine Suitable for General Purpose Processors

  2016influential reference
• Intel SGX Explained

  2016cited by this paper
• SecureKeeper: Confidential ZooKeeper using Intel SGX

  2016cited by this paper
• Preventing Page Faults from Telling Your Secrets

  2016cited by this paper
• M2R: Enabling Stronger Privacy in MapReduce Computation

  2015cited by this paper
• DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks

  2015cited by this paper
• Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems

  2015cited by this paper
• VC3: Trustworthy Data Analytics in the Cloud Using SGX

  2015cited by this paper
• Shielding Applications from an Untrusted Cloud with Haven

  2014cited by this paper
• Innovative instructions and software model for isolated execution

  2013cited by this paper
• Innovative Technology for CPU Based Attestation and Sealing

  2013cited by this paper
• Architecture support for guest-transparent VM protection from untrusted hypervisor and physical attacks

  2013cited by this paper
• Architectural support for secure virtualization under a vulnerable hypervisor

  2011cited by this paper
• Benchmarking cloud serving systems with YCSB

  2010influential reference
• Lest we remember: cold-boot attacks on encryption keys

  2008cited by this paper
• AEGIS: architecture for tamper-evident and tamper-resistant processing

  2003cited by this paper
• Caches and hash trees for efficient memory integrity verification

  2003cited by this paper
• This paper is included in the Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’16).

  year unknowninfluential reference
• This Paper Is Included in the Proceedings of the 12th Usenix Symposium on Operating Systems Design and Implementation (osdi '16). Ryoan: a Distributed Sandbox for Untrusted Computation on Secret Data Ryoan: a Distributed Sandbox for Untrusted Computation on Secret Data

  year unknowncited by this paper
• This Paper Is Included in the Proceedings of the 11th Usenix Symposium on Networked Systems Design and Implementation (nsdi '14). Mica: a Holistic Approach to Fast In-memory Key-value Storage Mica: a Holistic Approach to Fast In-memory Key-value Storage

  year unknowncited by this paper

• The Design and Implementation of a Fine-Grained Shielded Data Reduction System

  2026cites this paper
• The Real Menace of Cloning Attacks on SGX Applications

  2026cites this paper
• Implementing a Persistent Key-Value Store in a Tamper-Resistant Device for SGX Enclave Applications

  2025cites this paper
• Towards High-performance and Trusted Cloud DBMSs

  2025cites this paper
• Fast Private Retrieval on Key-Value Store with Multiple Values per Key

  2025cites this paper
• Optimal Packing for Encrypted and Compressed Key-Value Stores With Pattern-Analysis Security

  2025cites this paper
• Gangi: Preventing Memory Tampering Cheats in Online Games

  2025cites this paper
• SHIELD: Encrypting Persistent Data of LSM-KVS from Monolithic to Disaggregated Storage

  2025cites this paper
• Adaptive and Efficient Dynamic Memory Management for Hardware Enclaves

  2025cites this paper
• XHarvest: Rethinking High-Performance and Cost-Efficient SSD Architecture with CXL-Driven Harvesting

  2025cites this paper
• What You Trust Is Insecure: Demystifying How Developers (Mis)Use Trusted Execution Environments in Practice

  2025cites this paper
• ArcEDB: An Arbitrary-Precision Encrypted Database via (Amortized) Modular Homomorphic Encryption

  2024cites this paper
• Tee-based key-value stores: a survey

  2024influential citation
• TEEMATE: Fast and Efficient Confidential Container using Shared Enclave

  2024cites this paper
• TEE-MR: Developer-friendly data oblivious programming for trusted execution environments

  2024cites this paper
• Toast: A Heterogeneous Memory Management System

  2024cites this paper
• S-ZAC: Hardening Access Control of Service Mesh Using Intel SGX for Zero Trust in Cloud

  2024cites this paper
• LSKV: A Confidential Distributed Datastore to Protect Critical Data in the Cloud

  2024cites this paper
• Supporting Trusted Virtual Machines with Hardware-Based Secure Remote Memory

  2024cites this paper
• FastSGX: A Message-Passing Based Runtime for SGX

  2024cites this paper
• Enc2DB: A Hybrid and Adaptive Encrypted Query Processing Framework

  2024cites this paper
• Benchmarking Analytical Query Processing in Intel SGXv2

  2024cites this paper
• Enclave Management Models for Safe Execution of Software Components

  2024cites this paper
• TEDA: a trusted execution environment-and-blockchain-based data protection architecture for Internet of Things

  2024cites this paper
• Optimal Compression for Encrypted Key-Value Store in Cloud Systems

  2024cites this paper
• Encrypted and Compressed Key-Value Store With Pattern-Analysis Security in Cloud Systems

  2024cites this paper
• Privacy Computing with Right to Be Forgotten in Trusted Execution Environment

  2023cites this paper
• A Survey of Secure Computation Using Trusted Execution Environments

  2023cites this paper
• VeDB: A Software and Hardware Enabled Trusted Relational Database

  2023cites this paper
• Cloud Key-Value Storage

  2023cites this paper
• Anchor: A Library for Building Secure Persistent Memory Systems

  2023cites this paper
• SymGX: Detecting Cross-boundary Pointer Vulnerabilities of SGX Applications via Static Symbolic Execution

  2023cites this paper
• Mind Your Enclave Pointers! Detecting Privacy Leaks for SGX Apps via Sparse Taint Analysis

  2023cites this paper
• FLARE: A Fast, Secure, and Memory-Efficient Distributed Analytics Framework (Flavor: Systems)

  2023cites this paper
• KVSEV: A Secure In-Memory Key-Value Store with Secure Encrypted Virtualization

  2023cites this paper
• Cryonics: Trustworthy Function-as-a-Service using Snapshot-based Enclaves

  2023cites this paper
• Confidential Consortium Framework: Secure Multiparty Applications with Confidentiality, Integrity, and High Availability

  2023cites this paper
• No Forking Way: Detecting Cloning Attacks on Intel SGX Applications

  2023cites this paper
• HE3DB: An Efficient and Elastic Encrypted Database Via Arithmetic-And-Logic Fully Homomorphic Encryption

  2023cites this paper
• A Distance Vector Hop-Based Secure and Robust Localization Algorithm for Wireless Sensor Networks

  2023cites this paper
• SoK: A Systematic Review of TEE Usage for Developing Trusted Applications

  2023cites this paper
• Pldb: Protecting LSM-based Key-Value Store using Trusted Execution Environment

  2023cites this paper
• FeatureSpy: Detecting Learning-Content Attacks via Feature Inspection in Secure Deduplicated Storage

  2023cites this paper
• Fuzzing SGX Enclaves via Host Program Mutations

  2023cites this paper
• SecDFS: A Secure and Decentralized File System

  2023cites this paper
• Intel Software Guard Extensions Applications: A Survey

  2023cites this paper
• SWAT: A System-Wide Approach to Tunable Leakage Mitigation in Encrypted Data Stores

  2023cites this paper
• Operon: An Encrypted Database for Ownership-Preserving Data Management

  2022cites this paper
• Omega: A Secure Event Ordering Service for the Edge

  2022influential citation
• SGX-Bundler: speeding up enclave transitions for IO-intensive applications

  2022cites this paper
• Secure and Policy-Compliant Query Processing on Heterogeneous Computational Storage Architectures

  2022cites this paper
• Unified Enclave Abstraction and Secure Enclave Migration on Heterogeneous Security Architectures

  2022cites this paper
• Supporting Insertion in an Encrypted Multi-Maps with Volume Hiding using Trusted Execution Environment

  2022cites this paper
• SplitBFT: Improving Byzantine Fault Tolerance Safety Using Trusted Compartments

  2022cites this paper
• XTENSTORE: Fast Shielded In-memory Key-Value Store on a Hybrid x86-FPGA System

  2022cites this paper
• Towards TEEs with Large Secure Memory and Integrity Protection Against HW Attacks

  2022cites this paper
• Treaty: Secure Distributed Transactions

  2022cites this paper
• Benchmarking the Second Generation of Intel SGX Hardware

  2022cites this paper
• SGXGauge: A Comprehensive Benchmark Suite for Intel SGX

  2022cites this paper
• STELLA: Sparse Taint Analysis for Enclave Leakage Detection

  2022cites this paper
• SCL: A Secure Concurrency Layer For Paranoid Stateful Lambdas

  2022cites this paper
• TEBDS: A Trusted Execution Environment-and-Blockchain-supported IoT data sharing system

  2022cites this paper
• Pantheon: Private Retrieval from Public Key-Value Store

  2022cites this paper
• Secure Content Distribution from Insecure Cloud Computing Systems

  2021cites this paper
• Privacy-Preserving Localization using Enclaves

  2021cites this paper
• Proof of Timely-Retrievability for Storage Systems at the Edge

  2021cites this paper
• Efficient and DoS-resistant Consensus for Permissioned Blockchains

  2021cites this paper
• Confidential Machine Learning Computation in Untrusted Environments: A Systems Security Perspective

  2021cites this paper
• Research on Routing Strategy in Cluster Deduplication System

  2021cites this paper
• PProx: efficient privacy for recommendation-as-a-service

  2021cites this paper
• Speeding up enclave transitions for IO-intensive applications

  2021cites this paper
• Precursor: a fast, client-centric and trusted key-value store using RDMA and Intel SGX

  2021influential citation
• IceClave: A Trusted Execution Environment for In-Storage Computing

  2021cites this paper
• State-free End-to-End Encrypted Storage and Chat Systems based on Searchable Encryption

  2021cites this paper
• Avocado: A Secure In-Memory Distributed Storage System

  2021influential citation
• Accelerating Encrypted Deduplication via SGX

  2021cites this paper
• Aria: Tolerating Skewed Workloads in Secure In-memory Key-value Stores

  2021influential citation
• Citadel: Protecting Data Privacy and Model Confidentiality for Collaborative Learning

  2021cites this paper
• Unified Enclave Abstraction and Secure Enclave Migration on Heterogeneous TEE Architectures

  2021cites this paper
• Building Enclave-Native Storage Engines for Practical Encrypted Databases

  2021influential citation
• CHANCEL: Efficient Multi-client Isolation Under Adversarial Programs

  2021influential citation
• Enclavisor: A Hardware-Software Co-Design for Enclaves on Untrusted Cloud

  2021cites this paper
• QShield: Protecting Outsourced Cloud Data Queries With Multi-User Access Control Based on SGX

  2021cites this paper
• Nested Enclave: Supporting Fine-grained Hierarchical Isolation with SGX

  2020cites this paper
• TRUSTORE: Side-Channel Resistant Storage for SGX using Intel Hybrid CPU-FPGA

  2020cites this paper
• Pbsx: A practical private boolean search using Intel SGX

  2020cites this paper
• sxKV: A Novel Secured and Bidirectional Key-Value Data Structure

  2020cites this paper
• Omega: a Secure Event Ordering Service for the Edge

  2020influential citation
• Enclave Computing Paradigm: Hardware-assisted Security Architectures & Applications

  2020cites this paper
• Bottom-up: A SGX-based Blockchain Trusted Startup and Verification Scheme

  2020cites this paper
• TEEMon: A continuous performance monitoring framework for TEEs

  2020cites this paper
• SGX-MR: Regulating Dataflows for Protecting Access Patterns of Data-Intensive SGX Applications

  2020cites this paper
• Jupiter: a modern federated learning platform for regional medical care

  2020cites this paper
• Safeguarding Data Consistency at the Edge

  2020cites this paper
• Uranus: Simple, Efficient SGX Programming and its Applications

  2020cites this paper
• SeGShare: Secure Group File Sharing in the Cloud using Enclaves

  2020cites this paper
• Practical Implications of Graphene-SGX Research Project 2 August 13 , 2019

  2019cites this paper
• Authenticated key-value stores with hardware enclaves

  2019cites this paper
• Heterogeneous Isolated Execution for Commodity GPUs

  2019cites this paper
• SPEICHER: Securing LSM-based Key-Value Stores using Shielded Execution

  2019influential citation