Speicher: Securing LSM-Based Key-Value Stores Using Shielded Execution

Maurice Bailleu, Jörg Thalheim, Pramod Bhatotia, Christof Fetzer, Michio Honda, Kapil Vaswani

Research output: Chapter in Book/Report/Conference proceedingConference contribution


We introduce Speicher, a secure storage system that not only provides strong confidentiality and integrity properties, but also ensures data freshness to protect against rollback/forking attacks. Speicher exports a Key-Value (KV) interface backed by Log-Structured Merge Tree (LSM) for supporting secure data storage and query operations. Speicher enforces these security properties on an untrusted host by leveraging shielded execution based on a hardware-assisted trusted execution environment (TEE)—specifically, Intel SGX. However, the design of Speicher extends the trust in shielded execution beyond the secure SGX enclave memory region to ensure that the security properties are also preserved in the stateful (or non-volatile) setting of an untrusted storage medium, including system crash, reboot, or migration.

More specifically, we have designed an authenticated and confidentiality-preserving LSM data structure. We have further hardened the LSM data structure to ensure data freshness by designing asynchronous trusted counters. Lastly, we designed a direct I/O library for shielded execution based on Intel SPDK to overcome the I/O bottlenecks in the SGX enclave. We have implemented Speicher as a fully-functional storage system by extending RocksDB, and evaluated its performance using the RocksDB benchmark. Our experimental evaluation shows that Speicher incurs reasonable overheads for providing strong security guarantees, while keeping the trusted computing base (TCB) small.
Original languageEnglish
Title of host publicationProceedings of the 17th USENIX Conference on File and Storage Technologies
Place of PublicationUSA
PublisherUSENIX Association
Number of pages18
ISBN (Print)9781931971485
Publication statusPublished - 25 Feb 2019
Event17th USENIX Conference on File and Storage Technologies - Boston, United States
Duration: 25 Feb 201928 Feb 2019
Conference number: 17


Conference17th USENIX Conference on File and Storage Technologies
Abbreviated titleFast 2019
Country/TerritoryUnited States
Internet address


Dive into the research topics of 'Speicher: Securing LSM-Based Key-Value Stores Using Shielded Execution'. Together they form a unique fingerprint.

Cite this