TEE-based Key-Value Stores: a Survey

TL;DR

This survey reviews how Trusted Execution Environments are used to enhance security in key-value stores, discussing design strategies, benefits, limitations, and future research directions.

Contribution

It provides a comprehensive overview of TEE-based KVSs, highlighting common design approaches and identifying challenges and future research opportunities.

Findings

TEEs improve data confidentiality and integrity in KVSs

Design strategies balance security and performance trade-offs

Identifies open challenges and future research directions

Abstract

Key-Value Stores (KVSs) are No-SQL databases that store data as key-value pairs and have gained popularity due to their simplicity, scalability, and fast retrieval capabilities. However, storing sensitive data in KVSs requires strong security properties to prevent data leakage and unauthorized tampering. While software (SW)-based encryption techniques are commonly used to maintain data confidentiality and integrity, they suffer from several drawbacks. They strongly assume trust in the hosting system stack and do not secure data during processing unless using performance-heavy techniques (e.g., homomorphic encryption). Alternatively, Trusted Execution Environments (TEEs) provide a solution that enforces the confidentiality and integrity of code and data at the CPU level, allowing users to build trusted applications in an untrusted environment. They also secure data in use by providing an encapsulated processing environment called enclave. Nevertheless, TEEs come with their own set of drawbacks, including performance issues due to memory size limitations and CPU context switching. This paper examines the state of the art in TEE-based confidential KVSs and highlights common design strategies used in KVSs to leverage TEE security features while overcoming their inherent limitations. This work aims to provide a comprehensive understanding of the use of TEEs in KVSs and to identify research directions for future work.