US-12626002-B2 - Logical log generation in enclave database

Abstract

A database management system (DBMS) in an enclave for a data privacy preservation database is provided. The system comprises a DBMS engine configured to parse a database command for execution, set an access control status to a first status for a field of the data privacy preservation database when the parsed database command includes the field corresponding to a record in a system catalog table, and log the database command into a logical log. When the access control status is set to the first status and the database command includes a content of the field, the DBMS engine is further configured to log a predetermined identifier, an identification of the field, and a length of the content immediately before the content in the logical log.

Inventors

  • Xinying Yang

Assignees

  • BEIJING VOLCANO ENGINE TECHNOLOGY CO., LTD.

Dates

Publication Date: 2026-05-12
Application Date: 2024-01-18

Claims (20)

  1. A database management system (DBMS) in an enclave, the DBMS comprising: a DBMS engine configured to: parse a database command for execution; set an access control status to a first status for a field of a system catalog table of a data privacy preservation database when the parsed database command includes the field corresponding to a record in the system catalog table; log the database command into a logical log; and when the access control status is set to the first status and the database command includes a content of the field, log, in the logical log, a predetermined identifier, an identification of the field, and a length of the content of the field, for data privacy preservation.
  2. The DBMS of claim 1, wherein the first status for the field corresponds to the field being a private field, the first status is indicative of the private field being invisible to a user, the database command is configured to access the content of the field, and the logical log is configured to log the database command.
  3. The DBMS of claim 2, wherein the record in the system catalog table includes the identification of the field and a secret level, the DBMS engine is configured to set the access control status to the first status for the field when the secret level corresponding to the field is a predetermined value.
  4. The DBMS of claim 3, wherein upon receiving a request to set the field as the private field, the DBMS engine is configured to generate or update the record in the system catalog table to set the secret level corresponding to the field to the predetermined value after the request, and wherein the request is independent to the database command.
  5. The DBMS of claim 1, wherein the length of the content of the field corresponds to a size of the content of the field in the logical log.
  6. The DBMS of claim 1, wherein the predetermined identifier has a unique value different from identifiers of database commands to be logged in the logical log.
  7. The DBMS of claim 1, wherein an entirety of the DBMS is in the enclave for runtime execution.
  8. A method, the method comprising: parsing, by a database management system (DBMS) engine of a DBMS, a database command for execution; setting an access control status to a first status for a field of a system catalog table of a data privacy preservation database when the parsed database command includes the field corresponding to a record in the system catalog table; logging the database command into a logical log; and when the access control status is set to the first status and the database command includes a content of the field, logging, in the logical log, a predetermined identifier, an identification of the field, and a length of the content, for data privacy preservation.
  9. The method of claim 8, wherein the first status for the field corresponds to the field being a private field, the first status is indicative of the private field being invisible to a user, the database command is configured to access the content of the field, and the logical log is configured to log the database command.
  10. The method of claim 9, wherein the record in the system catalog table includes the identification of the field and a secret level, the method further comprises: setting the access control status to the first status for the field when the secret level corresponding to the field is a predetermined value.
  11. The method of claim 10, wherein the method further comprises: upon receiving a request to set the field as the private field, generating or updating the record in the system catalog table to set the secret level corresponding to the field to the predetermined value after the request, wherein the request is independent to the database command.
  12. The method of claim 8, wherein the length of the content of the field corresponds to a size of the content of the field in the logical log.
  13. The method of claim 8, wherein the predetermined identifier has a unique value different from identifiers of database commands to be logged in the logical log.
  14. The method of claim 8, wherein an entirety of the DBMS is in an enclave for runtime execution.
  15. A non-transitory computer-readable medium having computer-executable instructions stored thereon that, upon execution, cause one or more processors to perform operations comprising: parsing, by a database management system (DBMS) engine of a DBMS, a database command for execution; setting an access control status to a first status for a field of a system catalog table of a data privacy preservation database when the parsed database command includes the field corresponding to a record in the system catalog table; logging the database command into a logical log; and when the access control status is set to the first status and the database command includes a content of the field, logging, in the logical log, a predetermined identifier, an identification of the field, and a length of the content, for data privacy preservation.
  16. The non-transitory computer-readable medium of claim 15, wherein the first status for the field corresponds to the field being a private field, the first status is indicative of the private field being invisible to a user, the database command is configured to access the content of the field, and the logical log is configured to log the database command.
  17. The non-transitory computer-readable medium of claim 16, wherein the record in the system catalog table includes the identification of the field and a secret level, the operations further comprise: setting the access control status to the first status for the field when the secret level corresponding to the field is a predetermined value.
  18. The non-transitory computer-readable medium of claim 17, wherein the operations further comprise: upon receiving a request to set the field as the private field, generating or updating the record in the system catalog table to set the secret level corresponding to the field to the predetermined value after the request, wherein the request is independent to the database command.
  19. The non-transitory computer-readable medium of claim 15, wherein the predetermined identifier has a unique value different from identifiers of database commands to be logged in the logical log.
  20. The non-transitory computer-readable medium of claim 15, wherein an entirety of the DBMS is in an enclave for runtime execution.
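The following is an added illustration of the logical-log layout the claims describe (claims 1, 3, 5 and 6); it is not the patent's or the assignee's code. The system catalog, the command identifiers, the marker value 0xFF and the one-byte field id / four-byte length framing are all assumed for the example.

```python
import struct

PRIVATE_MARKER = 0xFF                 # predetermined identifier; assumed never to collide with a command or field id
CMD_IDS = {"INSERT": 0x01, "UPDATE": 0x02}   # assumed identifiers of commands that get logged
PRIVATE_LEVEL = 1                     # predetermined secret-level value marking a private field

# Constructed system catalog table: field id -> (name, secret level); field 2 is private.
CATALOG = {1: ("name", 0), 2: ("ssn", PRIVATE_LEVEL), 3: ("city", 0)}


def access_status(field_id, catalog=CATALOG):
    """'private' when the parsed command names a catalogued field whose secret
    level equals the predetermined value, otherwise 'public'."""
    rec = catalog.get(field_id)
    return "private" if rec and rec[1] == PRIVATE_LEVEL else "public"


def encode_entry(command, values, catalog=CATALOG):
    """values: list of (field_id, content bytes).  Each field is framed as
    id(1 byte) len(4 bytes, big-endian) content; a private field additionally
    gets the marker immediately in front of id, length and content."""
    out = bytearray([CMD_IDS[command]])
    for fid, content in values:
        if access_status(fid, catalog) == "private":
            out.append(PRIVATE_MARKER)
        out += struct.pack(">BI", fid, len(content)) + content
    return bytes(out)


def decode_entry(entry, mask=False):
    """Walk one log entry.  A user-facing reader passes mask=True: because the
    logged length tells it exactly how many bytes to skip, it can replace the
    private content with '*' without interpreting the plaintext at all."""
    cmd = next(name for name, cid in CMD_IDS.items() if cid == entry[0])
    pos, fields = 1, []
    while pos < len(entry):
        private = entry[pos] == PRIVATE_MARKER
        if private:
            pos += 1
        fid, length = struct.unpack_from(">BI", entry, pos)
        pos += 5
        content = entry[pos:pos + length]
        pos += length
        if private and mask:
            content = b"*" * length
        fields.append((fid, private, content))
    return cmd, fields


# Constructed sample command: name and city are public, ssn is private.
SAMPLE_ENTRY = encode_entry("INSERT", [(1, b"alice"), (2, b"123-45-6789"), (3, b"Oslo")])
```

Decoding `SAMPLE_ENTRY` with `mask=True` yields the same command and field ids as the trusted in-enclave view, with only the ssn content replaced by eleven asterisks.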

Description

FIELD

The embodiments described herein pertain generally to a data privacy control for a database. More specifically, the embodiments described herein pertain to generating, encoding, and/or updating a logical log for a data privacy preservation database through a database management system (DBMS) in an enclave.

BACKGROUND

Conventional hardware-enabled encrypted database (H-EDB) systems support more operations (e.g., database operations using Structured Query Language (SQL), etc.) compared to software-oriented encrypted database (S-EDB) systems, but still far fewer than general database systems (e.g., SQL database systems, etc.). Conventional H-EDB systems typically have a partially hardware encrypted (P-HE) architecture that shares a client-side private key using a Remote Attestation (RA) mechanism and registers authenticated DBMS operator code within the enclave. Once cipher-text from an end (e.g., a user end, etc.) is delivered (e.g., through the DBMS, etc.) to the enclave, the enclave first decrypts the cipher-text to plaintext, performs computations or operations on the plaintext, and then encrypts the computed plaintext (if needed) before replying to the DBMS. Typically, P-HE databases are designed around the constraint of the enclave, e.g., the trusted execution environment (TEE) memory limitation or restrictions. Therefore, it may be impractical to authenticate the entire DBMS into an enclave to achieve a fully hardware encrypted (F-HE) database system for runtime execution, and the input/output (I/O) cost in the P-HE database between the enclave and the DBMS may affect the system performance significantly.

SUMMARY

The recent emergence of increased TEE memory may enable creation of an F-HE architecture. Features in the embodiments disclosed herein may provide and otherwise implement an "in-enclave" (i.e., F-HE) database system (e.g., a relational database system, etc.) to support data privacy-preserving and verifiable functionalities by placing the entire DBMS (or the entire database system) inside the TEE (e.g., the TEE memory, etc.), which may reform the current P-HE model. It is to be understood that, in the F-HE database architecture, the mechanism may provide security and/or protect privacy by preventing data leaks for all memory, processor(s) such as central processing units (CPUs), and I/O. As such, the DBMS-internally-used data structures and data stores that do not have explicit retrieval interfaces (e.g., system and physical logs) may be prevented from being viewed by adversaries. For example, a redo log of a database system, which is a physical log, stores all changes made to a database in log files. Thus, operations involving the redo log may include the redo log being loaded into the memory and participating in the processor (such as the CPU, etc.) computation, being written and read by disk I/O as a log file, and being transmitted between replicas through the network I/O. None of the operations pertaining to the redo log leak data in the F-HE paradigm because the enclave memory and the CPU are protected to ensure security and privacy; further, data may be encrypted by the enclave or TEE before being written to disk, and the network transmission may be secured, e.g., by the Remote Attestation-Transport Layer Security (RA-TLS) protocol. It is also to be understood that in the F-HE database architecture, for data structures and data stores (e.g., logical log, etc.) that have some explicit retrieval interfaces, additional security and/or privacy protections need to be in place. Features in the embodiments disclosed herein may provide a logical log encoding or generation for, e.g., a mask-enabled visibility control to achieve an efficient privacy-preserving database logical log in the F-HE, which may reform the client-side cryptography (e.g., using the RA mechanism, etc.) in the conventional P-HE databases. That is, features in the embodiments disclosed herein may achieve security and/or privacy protection without the need for client-side cryptography and the corresponding processes related to the client-side cryptography.

In one example embodiment, a database management system (DBMS) in an enclave for a data privacy preservation database is provided. The system comprises a DBMS engine configured to parse a database command for execution, set an access control status to a first status for a field of the data privacy preservation database when the parsed database command includes the field corresponding to a record in a system catalog table, and log the database command into a logical log. When the access control status is set to the first status and the database command includes a content of the field, the DBMS engine is further configured to log a predetermined identifier, an identification of the field, and a length of the content immediately before the content in the logical log. In another example embodiment, a method for logical logging for a data privacy preservation databa