ProDB: A memory-secure database using hardware enclave and practical oblivious RAM
Information Systems (IF 3.7), Pub Date: 2020-11-10, DOI: 10.1016/j.is.2020.101681
Ziyang Han, Haibo Hu

One key challenge for data owners to host their databases in the cloud is data privacy. In this paper, we first demonstrate that even with the most recent hardware-based security technology such as Intel SGX, a hypervisor can still sniff key database operations running in its guest virtual machine (VM) such as the frequency and type of SQL queries, by monitoring the access pattern of this VM’s main and secondary memory. To ensure security against such access pattern monitoring attacks, we then propose ProDB, a minimal adaptation of a conventional DBMS with both hardware enclave and Oblivious RAM protocol. To enhance its performance for practical use, we also design a SQL-aware Path ORAM protocol called SaP ORAM, which optimizes the classic Path ORAM protocol under practical database workload. Through security analysis and extensive experimental results, we prove and show ProDB achieves high security and throughput on commodity cloud hosting servers.




Updated: 2020-11-12