S3 Lab - Software & Systems Security Laboratory The University of Texas at Dallas

PAVE: Information Flow Control for Privacy-preserving Online Data Processing Services

Minkyung Park, Jaeseung Choi, Hyeonmin Lee, and Taekyoung Kwon

Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS) 2025.

DOI: 10.1145/3676641.3716266

areas
Security, Trusted Computing, Operating Systems

abstract

In online data-processing services, a user typically hands over personal data to a remote server beyond the user's control. In such environments, the user cannot be assured that the data is protected from potential leaks. We introduce PAVE, a new framework that guarantees data privacy while the data is processed remotely. PAVE provides an arbitrary data-processing program with a sandboxed execution environment. The runtime monitor, PAVEBOX, intercepts all data flows into and out of the sandbox and allows them only if they do not compromise user data. At the same time, it guarantees that benign flows are not hampered, preserving the program's functionality. Because PAVEBOX is built on top of Intel SGX, a user can verify the integrity and confidentiality of PAVEBOX through remote attestation. We provide a formal model of PAVE, prove its security, and carry out a quantitative analysis with prototype-based experiments.