WO2023195983A1 - Transformation of data flows into secure data flows using trusted and isolated computing environments - Google Patents

Transformation of data flows into secure data flows using trusted and isolated computing environments

Info

Publication number: WO2023195983A1
Authority: WO, WIPO (PCT)
Prior art keywords: trusted, computing environment, data, isolated, dataset
Application number: PCT/US2022/023671
Other languages: English (en)
Inventors: Shamim A. Naqvi, Pramod V. Koppol
Original Assignee: Safelishare, Inc.
Application filed by Safelishare, Inc.
Priority to PCT/US2022/023671
Publication of WO2023195983A1

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 Protecting access to data via a platform to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/00 > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/00 > G06F21/50 > G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow > G06F21/53 Monitoring during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/00 > G06F21/60 > G06F21/62 > G06F21/6218 > G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/06 The encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators > H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/00 > H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Definitions

  • the present invention relates generally to protecting data privacy and intellectual property, and to providing plausible deniability to providers of computing services, thereby offering some measure of relief from privacy and data regulations.
  • the Internet/web supports an enormous number of devices that have the ability to collect data about consumers, their habits and actions, and their surrounding environments. Innumerable applications utilize such collected data to customize services and offerings, glean important trends, predict patterns, and train classifiers and pattern-matching computer programs.
  • a method for processing a dataset in a sequence of steps that define at least a portion of a data pipeline.
  • the method includes: providing a plurality of trusted and isolated computing environments, wherein a trusted computing environment is a computing environment whose computer code is able to be attested by comparing a digest of the computing environment to a baseline digest of the computing environment that is available to third parties to thereby verify computing environment integrity, an isolated computing environment being a computing environment in which only a specified maximum number of application processes and specified system processes implementing the computing environment are able to operate; providing one or more algorithms in each of the trusted and isolated computing environments, the one or more algorithms in each of the trusted and isolated computing environments being configured to process data in accordance with a different step in the data pipeline; receiving the dataset in a first of the trusted and isolated computing environments and causing the dataset to be processed by the one or more algorithms therein to produce a first processed output dataset; and causing the first processed output dataset to be processed in a
  • sequence of steps in the data pipeline performed in the plurality of trusted and isolated computing environments define a segment of a larger data pipeline that includes one or more additional data processing steps.
  • the plurality of trusted and isolated computing environments includes at least three trusted and isolated computing environments, the data pipeline processing the dataset in accordance with an E-T-L (Extraction-Transformation-Load) dataflow such that an extraction step, a transformation step and a load step are each performed in a different one of the trusted and isolated computing environments.
  • the dataset provided in the first trusted and isolated computing environment is provided by a third party different from a third party providing the one or more algorithms provided in the first trusted and isolated computing environment, the third parties both being different from a system operator or operators of the plurality of trusted and isolated computing environments.
  • the extraction step obtains data for processing from user computing devices and stores the data in encrypted form.
  • a method for processing data in a sequence of steps that define at least a portion of a data pipeline.
  • the method includes: providing at least three trusted and isolated computing environments, wherein a trusted computing environment is a computing environment whose computer code is able to be attested by comparing a digest of the computing environment to a baseline digest of the computing environment that is available to third parties to thereby verify computing environment integrity, an isolated computing environment being a computing environment in which only a specified maximum number of application processes and specified system processes implementing the computing environment are able to operate; providing one or more algorithms in each of the trusted and isolated computing environments, the one or more algorithms in each of the trusted and isolated computing environments being configured to process data in accordance with a different step in the data pipeline; receiving a first dataset in a first of the trusted and isolated computing environments and causing the first dataset to be processed by the one or more algorithms therein to produce a first processed output dataset, at least one of the algorithms processing the first dataset in the first trusted and
  • the first and second processed output datasets include values for internal weights of the first and second DLNN programs.
  • At least one of the algorithms in the third trusted and isolated computing environment is a third DLNN program that combines the internal weights of the first and second DLNN programs and provides the combined internal weights to a fourth trusted and isolated computing environment that has a fourth DLNN program for processing the combined internal weights.
  • method for establishing an encryption/decryption process for communicating messages between at least one sending computing device and at least one receiving computing device over a data pipeline that includes a plurality of point of presence (POP) access points and a routing network.
  • the method includes: negotiating use of one or more specified encryption/decryption keys between the sending computing device and a first algorithm operating in a first trusted and isolated computing environment that communicates with one of the POP access points, the one or more specified encryption/decryption keys being used to encrypt messages sent by the sending computing device to the receiving computing device, wherein a trusted computing environment is a computing environment whose computer code is able to be attested by comparing a digest of the computing environment to a baseline digest of the computing environment that is available to third parties to thereby verify computing environment integrity, an isolated computing environment being a computing environment in which only a specified maximum number of application processes and specified system processes implementing the computing environment are able to operate; and negotiating use of one or more specified decryption/encryption keys between the receiving computing device and a second algorithm operating in a second trusted and isolated computing environment that communicates with one of the POP access points, the one or more specified decryption/encryption keys being used to decrypt messages by the receiving computing device from the
  • FIG. 1 shows a data flow sequence representing an Extract-Transform-Load (ETL) dataflow.
  • FIG. 2 shows a data flow sequence representing an Extract-Load-Transform (ELT) dataflow.
  • FIG. 3 shows a sequence representing a Transform-Extract-Load (TEL) dataflow.
  • FIG. 4 shows a computing arrangement having a trusted computing environment.
  • FIG. 5 shows an example of a method for trusting the computing environment of FIG. 4.
  • FIG. 6A shows one example of a single secure pipeline primitive, which is based on the secure computing environment described in connection with FIG. 4; and FIG. 6B shows a message flow diagram illustrating a method for creating a secure data pipeline such as shown in FIG. 6A.
  • FIG. 7A shows an arrangement in which a control plane creates a secure pipeline comprising two secure data plane environments
  • FIG. 7B shows a simplified representation of the secure pipeline depicted in FIG. 7A
  • FIG. 7C shows a further simplified representation of the secure pipeline depicted in FIG. 7A
  • FIG. 7D shows a simplified representation of an alternative secure pipeline that has a directed acyclic graph (DAG) inter-connection topology
  • FIG. 8A shows a simplified representation of the extraction step of a secure pipeline
  • FIG. 8B shows a simplified representation of the transformation step of a secure pipeline
  • FIG. 8C shows a simplified representation of the loading step of a secure pipeline.
  • FIG. 9A shows a data flow for a typical service offering concerning crowd sourced data (CSD) applications
  • FIG. 9B shows how the pipeline of FIG. 9A can be transformed into a secure pipeline
  • FIG. 9C shows a simplified representation of the secure pipeline shown in FIG. 9B
  • FIG. 9D shows the secure pipeline of FIG. 9C but with two of the pipeline primitives being combined into a single pipeline primitive
  • FIG. 9E shows a simplified representation of the secure pipeline of FIG. 9A.
  • FIG. 10A shows an example of a pipeline in which a dataset is provided to a computer program (e.g., an app) that produces a result (i.e., a trained model);
  • FIG. 10B shows the secure pipeline that corresponds to the pipeline of FIG. 10A; and
  • FIG. 10C shows the simplified pipeline representation of the secure pipeline of FIG. 10B.
  • FIG. 11A shows another pipeline in which two data sets are made available to algorithm 1103 that produces a trained model as output;
  • FIG. 11B shows the corresponding secure pipeline and
  • FIG. 11C shows its simplified representation.
  • FIG. 12A shows another example of a pipeline that is data intensive and which receives the assets to be processed from two different customers
  • FIG. 12B shows another example of a data intensive pipeline in which the assets to be processed are received from two different customers in two different jurisdictions
  • FIG. 12C shows a secure pipeline implementation of the processes shown in FIG. 12B in which the computing environments are now secure computing environments.
  • FIG. 13A shows a pipeline for a one-to-one message service offered by a messaging system in which a sender transmits a message from one user computing device to another user computing device;
  • FIG. 13B shows another messaging system pipeline for a group chat service;
  • FIG. 13C shows a group chat service pipeline that uses secure computing environments to ensure that the service provider remains oblivious to the message content being shared in a group chat.
  • Various mobile and nonmobile user computing devices such as smart phones, personal digital assistants, fitness monitoring devices, digital (surveillance) cameras, smart watches, IoT devices such as smart thermostats and doorbells, etc., often contain one or more sensors to monitor and collect data on the actions, environment, surroundings, homes, and health status of users. Consumers routinely download numerous application software products (“apps”) onto their computing devices and use these apps during their daily lives. Consumers who contribute data concerning these activities while using these apps have expressed privacy concerns.
  • Service providers are entities that often use computer programs, datasets and computing machinery to provide services to their customers.
  • a growing number of regulations require the service providers to protect data privacy and intellectual property of assets. Movements of datasets across national boundaries may be prohibited. Revealing personal information may engender legal risk to an enterprise.
  • Certain regulations that have been enacted in recent years to offer such protections to data and other digital assets include HIPAA (Health Insurance Portability and Accountability Act 1996), GDPR (General Data Protection Regulation), PSD2 (Revised Payment Services Directive), CCPA (California Consumer Privacy Act 2018), etc.
  • FIG. 1 shows a sequence representing an Extract-Transform-Load (ETL) dataflow.
  • FIG. 2 shows a sequence representing an ELT dataflow.
  • FIG. 3 shows a sequence representing a TEL dataflow.
  • ETL is the general procedure of copying data from one or more sources into a destination system which represents the data differently from the source(s) or in a different context than the source(s). That is, in an ETL dataflow, data is extracted (e.g., from user computing devices or, as shown in FIGs. 1-3, a data storage system), transformed (e.g., personal information such as social security numbers may be removed) and loaded into e.g., a storage processing unit for use by another system (or another dataflow). As an example, a healthcare dataset may use the “extraction and transform” steps to clean or de-anonymize data collected from patients before “loading” it into a storage system for further processing. ETL dataflows are quite common in conventional service provisioning systems.
  • the ELT dataflow is a variation of the ETL dataflow in which the transformation step is performed after the data has been extracted and loaded.
  • data extracted from consumer devices may be loaded into a (e.g., cloud-based) data warehouse before being transformed for use by particular applications.
  • the TEL dataflow is another variation of the ETL dataflow wherein the data is transformed at its source before it is extracted and loaded for further use by applications.
  • cryptocurrency tokens may be “burned” at their source (e.g., on a blockchain) before relevant data is extracted and loaded into a new system for further processing.
  • Multiple ETL, ELT and TEL dataflows may be interconnected in a variety of ways to achieve a certain service provisioning and several variations of these dataflows may also be envisioned.
  • Because ETL, ELT and TEL dataflows occur in many commercial service provisioning infrastructures, it will be of commercial benefit to transform, or design anew, the dataflow infrastructures so that they protect data privacy, preserve intellectual assets and offer the service provider some level of relief from privacy and data regulations.
  • a dataflow is called a (data) pipeline (perhaps because sections of a pipeline may initiate a task before other sections of the pipeline have completed their tasks).
  • new primitive pipeline elements are presented which may be combined in a variety of ways to transform existing data pipelines into pipelines that are secure, which, roughly speaking, do not leak data or program code and do not reveal any information including the results of any computations to the operator of the pipeline.
  • the secure pipeline primitives may also be used to design new data pipelines that are secure.
  • service providers may transform their existing service offerings or design new service offerings that are secure against leaks, invasions of privacy and in which the service providers can conveniently satisfy privacy regulations.
  • To achieve such transformations of existing dataflows, i.e., pipelines, or to design new pipelines that provide such guarantees of security, we define a new notion of computing called oblivious computing wherein the service provider (or, equivalently, the operator) offers a service but remains unaware, i.e., is oblivious, of all the components (dataset, algorithm, platform) comprising the computation that engenders the service.
  • the term oblivious computing is inspired by Rabin’s Oblivious Transfer protocol in which the user receives exactly one database element without the server knowing which element was queried, and without the user knowing which other elements of the database were queried. See cf.
  • the computation in question is performed by a (cluster of) computers whose components may not be revealed to any person, including the operator.
  • Any result of the computation may be encrypted and made available only via possession of a decryption key, access to which may be controlled by using a key vault. Thus, only authorized personnel may have access to the results. In a certain sense, the computer itself knows but is unable to reveal the components of the computation.
  • user computing device refers to a broad and general class of devices used by consumers, which have one or more processors and generally have wired and/or wireless connectivity to one or more communication networks such as the Internet.
  • Examples of user computing devices include, but are not limited to, smart phones, personal digital assistants, laptops, desktops, tablet computers, IoT (Internet of Things) devices such as smart thermostats and doorbells, digital (surveillance) cameras, etc.
  • the term user computing device also includes devices that are able to communicate over one or more networks using a communication link (e.g., a short-range communication link such as Bluetooth) to another user computing device, which in turn is itself able to communicate over a network. Examples of such devices include smart watches, fitness bracelets, consumer health monitoring devices, environment monitoring devices, home monitoring devices such as smart thermostats, smart light bulbs, smart locks, smart home appliances, etc.
  • a computing environment is a term for a process created by software contained within the supervisory programs, e.g., the operating system of the computer (or a computing cluster), that is configured to represent and capture the state of computations, i.e., the execution of algorithms on data, and provide the resulting outputs to recipients as per its configured logic.
  • the software logic that creates computing environments (processes) may utilize the services provided by certain hardware elements of the underlying computer (or cluster of computers).
  • U.S. Patent Appl. Serial No. 17/094,118 creates computing environments which are guaranteed to be isolated and trusted.
  • an isolated computing environment is an environment that supports a fixed or maximum number of application processes and specified system processes.
  • a trusted computing environment is an environment in which the digest of the code running in the environment has been verified against a baseline digest.
  • a computing environment is created by the supervisory programs which are invoked by commands in the boot logic of a computer at boot time which then use the hash function, e.g., SHA-256 (available from the U.S. National Institute of Standards and Technology), to take a digest of the created computing environment. This digest may then be provided to an escrow service to be used as a baseline for future comparisons.
  • FIG. 4 shows an arrangement by which a computing environment 402 created in a computing cluster 405 can be trusted using the attestation module 406 and supervisory programs 404.
  • a computing cluster may refer to a single computer, a group of networked computers or computers that otherwise communicate and interact with one another, and/or a group of virtual machines. That is, a computing cluster refers to any combination and arrangement of computing entities.
  • FIG. 5 shows an example of a method for trusting the computing environment 402.
  • Supervisory program 404 of a computer 405 provisioned with attestation module 406, installation script 401.
  • Provisioning step Boot the computer.
  • Boot logic is configured to invoke attestation method.
  • Digest is obtained and stored at escrow service as “baseline digest, B.”
  • Logic of computing environment requests Attestation Module to obtain a digest D (e.g., digest 403 in FIG. 4) of the created computing environment.
  • Logic of computing environment requests escrow service to compare the digest D against the baseline digest, B.
  • Escrow service reports “Yes” or “No” accordingly to the logic of the computing environment which, in turn, informs the installation script.
  • the installation script is an application-level computer program. Any application program may request the supervisory programs to create a computing environment which then use the above method to verify if the created environment can be trusted. Boot logic of the computer may also be configured, as described above, to request the supervisory programs to create a computing environment.
  • the attestation method may be further enhanced to read the various PCRs (Platform Configuration Registers) and take a digest of their contents.
  • we may concatenate the digest obtained from the PCRs with that obtained from a computing environment and use that as a baseline for ensuring trust in the boot software and the software running in the computing environment.
  • the attestation process which has been upgraded to include PCR attestation may be referred to as a measurement. Accordingly, in the examples presented below, all references to obtaining a digest of a computing environment are intended to refer to obtaining a measurement of the computing environment in alternative embodiments.
  • a successful measurement of a computer implies that the underlying supervisory program has been securely booted and its state and that of the computer as represented by data in the various PCR registers is the same as the original state, which is assumed to be valid since we may assume that the underlying computer(s) are free of intrusion at time of manufacturing.
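The provisioning and attestation steps above, with the PCR measurement extension, as an added example in Python; this is not code from the application or from Safelishare. The code image, the PCR values and the in-memory EscrowService are all constructed stand-ins for the real environment, registers and escrow service.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Hypothetical in-memory model of the attestation flow: a SHA-256 digest of the
# environment's code, concatenated with a digest of PCR contents, is compared by
# an escrow service against a baseline recorded at provisioning time.


def digest_environment(code_image: bytes) -> str:
    """Digest D of the created computing environment (its code image) using SHA-256."""
    return hashlib.sha256(code_image).hexdigest()


def digest_pcrs(pcrs: Dict[int, bytes]) -> str:
    """Digest of the PCR contents, iterated in fixed index order so it is reproducible."""
    h = hashlib.sha256()
    for index in sorted(pcrs):
        h.update(index.to_bytes(2, "big"))  # bind each value to its register index
        h.update(pcrs[index])
    return h.hexdigest()


def measurement(code_image: bytes, pcrs: Dict[int, bytes]) -> str:
    """The upgraded attestation: PCR digest concatenated with the environment digest."""
    return digest_pcrs(pcrs) + digest_environment(code_image)


class EscrowService:
    """Stand-in for the escrow service: stores a write-once baseline B per environment
    and answers "Yes" or "No" when asked to compare a presented digest against it."""

    def __init__(self) -> None:
        self._baselines: Dict[str, str] = {}

    def store_baseline(self, env_id: str, baseline: str) -> None:
        # A baseline may be recorded only once; allowing re-registration would let a
        # later, possibly tampered image silently become the new reference.
        if env_id in self._baselines:
            raise ValueError(f"baseline for {env_id!r} already stored")
        self._baselines[env_id] = baseline

    def compare(self, env_id: str, presented: str) -> str:
        baseline = self._baselines.get(env_id)
        if baseline is None:
            return "No"  # unknown environment: nothing to attest against
        return "Yes" if hmac.compare_digest(baseline, presented) else "No"


def attest(escrow: EscrowService, env_id: str,
           code_image: bytes, pcrs: Dict[int, bytes]) -> str:
    """Post-provisioning steps of FIG. 5: obtain the measurement, ask the escrow
    service to compare it with the baseline, and report its Yes/No answer."""
    return escrow.compare(env_id, measurement(code_image, pcrs))


def demo() -> Tuple[str, str, str]:
    """Provision a baseline, then attest an intact, a code-tampered and a boot-tampered environment."""
    # Constructed sample values standing in for a real code image and real PCR contents.
    code_image = b"computing-environment-402:v1\n" + bytes(range(64))
    pcrs = {0: bytes(32), 7: b"\x11" * 32}

    escrow = EscrowService()
    escrow.store_baseline("env-402", measurement(code_image, pcrs))  # provisioning step

    intact = attest(escrow, "env-402", code_image, pcrs)
    code_tampered = attest(escrow, "env-402", code_image + b"\x90", pcrs)
    boot_tampered = attest(escrow, "env-402", code_image, {**pcrs, 7: b"\x22" * 32})
    return intact, code_tampered, boot_tampered


if __name__ == "__main__":
    print(demo())  # ('Yes', 'No', 'No')
```

Because the measurement covers both the PCR contents and the environment code, a change in either the boot state or the loaded code flips the escrow answer to "No".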
  • Different manufacturers provide facilities that can be utilized by the Attestation Module to access the PCR registers. For example, some manufacturers provide a hardware module called a TPM (Trusted Platform Module) that can be queried to obtain data from PCR registers.
  • U.S. Patent Appl. Serial No. 17/094,118 also creates computing environments which are guaranteed to be isolated in addition to being trusted.
  • the notion of isolation is useful to eliminate the possibility that an unknown and/or unauthorized process may be “snooping” while an algorithm is running in memory. That is, a concurrently running process may be “stealing” data or affecting the logic of the program running inside the computing environment.
  • An isolated computing environment can prevent this situation from occurring by using memory elements in which only one or more authorized (system and application) processes may be concurrently executed.
  • isolation depends on the type of process that is involved. As a general matter there are two types of processes that may be considered: system and application processes.
  • An isolated computing environment may thus be defined as any computing environment in which a specified maximum number of application processes and specified system processes implementing the computing environment are able to operate.
  • System processes are allowed access to an isolated memory segment if they provide the necessary keys. For example, Intel Software Guard Extension (SGX) technology uses hardware/firmware assistance to provide the necessary keys.
  • Application processes are also allowed entry to an isolated memory segment based on keys controlled by a hardware/firmware/software element called the Access Control Module, ACM (described later).
  • system processes needed to create a computing environment are known a priori to the supervisory program and can be configured to ask and be permitted to access isolated memory segments. Only these specific system processes can then be allowed to run in an isolated memory segment.
  • For application processes, such knowledge may not be known a priori.
  • developers may be allowed to specify the keys that an application process needs to gain entry to a memory segment.
  • a maximum number of application processes may be specified that can be allowed concurrent access to an isolated memory segment.
  • Computing environments are created by computer code available to supervisory programs of a computing cluster. This code may control which specific system processes are allowed to run in an isolated memory segment. On the other hand, as previously mentioned, access control of application processes is maintained by Access Control Modules.
  • As an example of the use of isolated memory as an enabling technology, consider the creation of a computing environment as discussed above.
  • the computing environment needs to be configured to permit a maximum number of (application) processes for concurrent execution.
  • SGX or SEV technologies can be used to enforce isolation.
  • a hardware module holds cryptographic keys that are used to control access by system processes to the isolated memory. Any application process requesting access to the isolated memory is required to present the keys needed by the Access Control Module.
  • the supervisory program locks down the isolated memory and allows only a fixed or maximum number of application processes to execute concurrently.
  • the hypervisor allows one VM at a given instant to be resident in memory and have access to the processor(s) of the computer.
  • VMs are swapped in and out, thus achieving temporal isolation.
  • a hypervisor-like operating system may be used to temporally isolate the VMs and, further, allow only specific system processes and a known (or maximum) number of application processes to run in a given VM.
  • ACMs are hardware/firmware/software components that use public/private cryptographic key technology to control access.
  • An entity wishing to gain access to a computing environment must provide the needed keys. If it does not possess the keys, it will need to generate the keys to gain access which will require it to solve the intractable problem corresponding to the encryption technology deployed by the ACM, i.e., assumed to be a practical impossibility.
  • Access to certain regions of memory can also be controlled by software that encrypts the contents of memory that a CPU (Central Processing Unit) needs to load into its registers to execute, i.e., the so-called fetch-execute cycle.
  • the CPU then needs to be provided the corresponding decryption key before it can execute the data/instructions it had fetched from memory.
  • Such keys may then be stored in auxiliary hardware/firmware modules, e.g., Hardware Security Module (HSM).
  • Although a computing environment may be created by supervisory programs, e.g., operating system software, the latter may not have access to the computing environment. That is, mechanisms controlling access to a computing environment are independent of mechanisms that create said environments.
  • the contents of a computing environment may not be available to the supervisory or any other programs in the computing platform.
  • An item may only be known to an entity that deposits it in the computing environment.
  • a digest of an item may be made available outside the computing environment and it is known that digests are computationally irreversible.
  • Computing environments that have been prepared/created in the above manner can thus be trusted since they can be programmed to not reveal their contents to any party. Data and algorithms resident in such computing environments do not leak. In subsequent discussions, computing environments with this property are referred to as secure (computing) environments.
  • oblivious computing procedures as defined herein are procedures that are performed using secure computing environments in the manner described below.
  • an oblivious procedure is one that is performed using a secure pipeline to execute the steps or tasks in a dataflow.
  • the secure pipeline includes a series of interconnected computational units that are referred to herein as secure pipeline primitives.
  • each secure pipeline primitive is used to perform one step in the dataflow. For instance, in an ETL dataflow, each of the three steps - extract, transform and load - may be performed by a different secure pipeline primitive.
  • FIG. 6A shows one example of a single secure pipeline primitive, which is based on the secure computing environment described in connection with FIG. 4.
  • two different third-party entities wish to contribute material that will be used to perform a computational task.
  • third party algorithm provider 601 may wish to provide one or more algorithms (e.g., embodied in computer programs) that will be used in the computational task.
  • the third party dataset provider 602 may wish to provide the dataset(s) on which the algorithms operate when performing the computational task.
  • the arrangements between and among the third party entities 601 and 602 as well as the platform operator 603 that provides the pipeline may be achieved by an out-of-band agreement between the various entities.
  • Controller 616 is responsive to user interface 696, which may be utilized by external programs to interact with it. Rather than detail the various commands available in user interface 696, we will describe the commands as they are used in the descriptions below.
  • algorithm provider 601 indicates (using e.g., commands of user interface 696) to Controller 616 that it wishes to deposit algorithm 609.
  • Controller 616 requests Key Manager 697 to generate a secret/public cryptographic key pair and provides the public key component to algorithm provider 601. The latter encrypts the link to its algorithm and transmits the encrypted link to Controller 616, which upon receipt deposits the received information in Policy Manager 617.
  • the algorithm provider 601 may optionally use user interface 696 to provide Controller 616 various policy statements that govern/control access to the algorithm.
  • policies are described in the aforementioned U.S. Patent Appl. Serial Number 17/094,118. In the descriptions herein, we assume a policy that specifies that the operator is not allowed access to the algorithm, the dataset, etc. Policy Manager 617 manages the policies provided to it by various entities.
  • dataset provider 602 follows a similar procedure by which it provides the encrypted link to its dataset 610 to Controller 616 using a different cryptographic public key that is provided to it by the Key Manager 697.
  • Controller 616 may now invoke supervisory programs to create secure data plane environment 608 (using the method shown in FIG. 5) on computing cluster 640. It should be noted that computing clusters 640 and 660 need not be physically distinct but may share computing entities or may even both reside on a single physical computer. Controller 616 and secure data plane environment 608 communicate via a communication connection 695 using secure communication protocols and technologies such as, for example, Transport Layer Security (TLS) or IPC (InterProcess Communication).
  • Controller 616 may now request and receive an attestation/measurement from secure data plane environment 608 to verify that secure data plane environment 608 is secure using the method of FIG. 5. This attestation/measurement, if successful, establishes that secure data plane environment 608 is secure since its code base is the same as the baseline code (which has presumably been placed in escrow). Once verified, Controller 616 may provide secure data plane environment 608 the encrypted links for accessing algorithm 609 and dataset 610. To use the links, secure data plane environment 608 needs to decrypt the respective links. To do this the secure data plane environment 608 requests and receives the secret keys from Controller 616 that allow it to decrypt the respective links and retrieve the algorithm 609 and dataset 610.
  • the algorithm provider 601 and dataset provider 602 may optionally encrypt their respective assets, i.e., the algorithm 609 and dataset 610.
  • third party providers 601 and 602 need to provide the corresponding decryption keys to the Controller 616 which, in turn, must provide the same to the secure data plane environment 608.
  • third party providers 601 and 602 need to suitably manage and secure their secret keys used to encrypt their assets.
  • Secure data plane environment 608 may now decrypt the algorithm 609 and dataset 610. It should be noted that in other implementations the third party providers may encrypt both the assets and the link to those assets, in which case they will need to provide the appropriate decryption keys to Controller 616.
  • dataset 610 may be too large to fit in the memory available to secure data plane environment 608.
  • the dataset may be stored in an external storage system (not shown in FIG. 6) and a computer program, usually called a database processor, is used to make retrievals from the storage system over suitably secure communication links.
  • Controller 616 optionally may request secure data plane environment 608 to provide a measurement so that its contents (the computer code of secure data plane environment 608, algorithm 609 and dataset 610 or the database processor) may be verified as being secure. This additional measurement, if verified, proves that algorithm 609 is operating on dataset 610, assuming baseline versions of the algorithm and dataset/database processor are available externally, e.g., through an escrow service.
  • Controller 616 is now ready to trigger secure data plane environment 608 to begin the computation whose result will be stored in encrypted form in output storage system 619 using the key provided by the output recipient 604.
  • the output recipient 604 may now use its corresponding decryption key to retrieve and view the output results.
  • Control plane 699 requests and receives links for algorithm, dataset and encryption (public) key designated by output recipient.
  • Control Plane 699 creates secure data plane environment 608 (data plane 698).
  • Data plane 698 requests and receives various keys that enable it to acquire algorithm 609, dataset 610 and encryption key to be used to encrypt the output of the computation.
  • Control plane 699 triggers data plane 698 to initiate computation.
  • Data plane 698 stores encrypted result of computation in storage system 619 and informs control plane.
  • Control plane 699 informs output recipient 604 that the output is ready to be retrieved.
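The exchange of FIG. 6A, simulated end to end as an added example (not the patent's code). Assumptions: the Key Manager's public/private pair is replaced by one symmetric key per deposit, the data plane's measurement is a hash of its code base compared with a constructed escrowed baseline, and the cipher is a toy construction; the point shown is that the Controller releases the link-decryption keys only after the attestation matches, so a modified data plane obtains nothing.

```python
"""Constructed simulation of the secure pipeline primitive of FIG. 6A (added
example, not code from the patent). Simplifications, all assumptions:
  - the Key Manager's public/private pair is modelled as one symmetric key
    per deposit (the provider encrypts its link with it; the data plane
    receives it only after attestation);
  - a data plane's measurement is the SHA-256 of its code-base string,
    compared with a constructed 'escrowed' baseline;
  - the cipher is a toy HMAC-SHA256 keystream plus tag (demo only).
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key + nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key + nonce, len(ct))))


def measure(code_base: str) -> str:
    """Measurement of a data plane: hash of the code it is running."""
    return hashlib.sha256(code_base.encode()).hexdigest()


# Constructed baseline code base, as if placed in escrow by the operator.
BASELINE_CODE = "secure-data-plane v1 (constructed baseline in escrow)"
ESCROWED_MEASUREMENT = measure(BASELINE_CODE)


class KeyManager:  # Key Manager 697
    def __init__(self):
        self._keys = {}

    def generate(self, label: str) -> bytes:
        self._keys[label] = secrets.token_bytes(32)
        return self._keys[label]

    def secret(self, label: str) -> bytes:
        return self._keys[label]


class SecureDataPlane:  # secure data plane environment 608 (data plane 698)
    def __init__(self, code_base: str, asset_store: dict):
        self.code_base, self.asset_store = code_base, asset_store
        self.links, self.keys = {}, {}

    def attest(self) -> str:
        return measure(self.code_base)

    def run(self, output_key: bytes) -> bytes:
        # Decrypt the links, fetch algorithm 609 and dataset 610, compute, and
        # encrypt the result with the key designated by output recipient 604.
        alg_link = toy_decrypt(self.keys["algorithm"], self.links["algorithm"]).decode()
        ds_link = toy_decrypt(self.keys["dataset"], self.links["dataset"]).decode()
        result = self.asset_store[alg_link](self.asset_store[ds_link])
        return toy_encrypt(output_key, result.encode())


class Controller:  # Controller 616; policy_manager stands in for Policy Manager 617
    def __init__(self, km: KeyManager):
        self.km, self.policy_manager = km, {}

    def accept_deposit(self, label: str, provider_encrypt) -> None:
        # The provider receives the key and encrypts its link; the controller
        # deposits the ciphertext in the Policy Manager.
        self.policy_manager[label] = provider_encrypt(self.km.generate(label))

    def provision(self, dp: SecureDataPlane) -> None:
        # Links and keys are released only when the measurement equals the baseline.
        if dp.attest() != ESCROWED_MEASUREMENT:
            raise PermissionError("attestation failed; keys withheld")
        dp.links = {k: self.policy_manager[k] for k in ("algorithm", "dataset")}
        dp.keys = {k: self.km.secret(k) for k in ("algorithm", "dataset")}


def run_primitive(code_base: str) -> str:
    """Whole exchange of FIG. 6A; returns what output recipient 604 decrypts."""
    store = {"link://alg": lambda rows: str(sum(rows)),  # constructed assets
             "link://ds": [1, 2, 3, 4]}
    ctrl = Controller(KeyManager())
    ctrl.accept_deposit("algorithm", lambda k: toy_encrypt(k, b"link://alg"))
    ctrl.accept_deposit("dataset", lambda k: toy_encrypt(k, b"link://ds"))
    recipient_key = secrets.token_bytes(32)     # chosen by output recipient 604
    dp = SecureDataPlane(code_base, store)
    ctrl.provision(dp)                          # raises for a tampered data plane
    encrypted_output = dp.run(recipient_key)    # as stored in output storage 619
    return toy_decrypt(recipient_key, encrypted_output).decode()
```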
  • control plane may create multiple secure environments and configure them to be inter-connected in a variety of ways by suitably connecting their input and output storage systems. That is, the description so far has considered a single secure pipeline primitive, which may serve as the basis for a larger secure pipeline made up of a series of secure pipeline primitives that each perform one or more distinct steps in a dataflow.
  • FIG. 7A shows an arrangement in which control plane 799 creates a data plane comprising two secure data plane environments 712 and 732.
  • the dataset 713 is provided by storage system 702 to the first secure data plane environment 712
  • dataset 733 is provided by storage system 722 to the second secure data plane environment 732.
  • the output of storage system 702 provides input to the first secure data plane environment 712 in the form of a dataset 713 and the output of the first secure data plane environment 712 is provided to output storage system 722.
  • output storage system 722 serves as input to the second secure data plane environment 732 and the output of the second secure data plane environment 732 is provided to output storage system 741.
  • the secure pipeline consists of two secure pipeline primitives. Note that since secure pipelines satisfy the oblivious requirement they may also be referred to as oblivious pipelines.
  • FIG. 7B shows a simplified representation of the secure pipeline depicted in FIG. 7A, which will be useful in the following discussion and which better emphasizes the usage of the term pipeline. Note that we have obtained FIG. 7B by eliminating the details of the computer clusters, the details of the control plane and the algorithms/computer programs, and instead concentrate on the datasets and secure data plane environments. As in the example of FIG. 7A, this example consists of two secure pipeline primitives.
  • the first secure pipeline primitive includes the first secure data plane environment 752, which obtains its dataset from storage system 750.
  • the first secure pipeline primitive also includes the storage system 754, which stores the output that results from the computation performed in the first secure data plane environment 752.
  • the second secure pipeline primitive includes the second secure data plane environment 756, which obtains its dataset from storage system 754. That is, the input to the second secure data plane environment 756 is the output from the first secure data plane environment 752.
  • the second secure pipeline primitive also includes the storage system 758, which stores the output that results from the computation performed in the second secure data plane environment 756.
  • the simplified representation of a secure pipeline shown in FIG. 7B only depicts the dataflow in the pipelines.
  • various other components of the individual pipeline primitives that make up the secure pipeline are not shown in FIG. 7B. Rather, these details are shown in FIGs. 6A and 7A.
  • each individual secure data plane environment e.g., first and second data plane environments 752 and 756 in the example of FIG. 7B
  • A further simplification of the pipeline representation shown in FIG. 7B (and the analogy to pipelines further strengthened) may be achieved as shown in FIG. 7C, where we do not show the control plane and the intermediate storage systems that serve to transfer the output dataset from one secure data plane environment to another.
  • FIGs. 7A, 7B and 7C show secure pipelines with two secure pipeline primitives
  • pipelines may comprise any number of primitives that may be interconnected.
  • the inter-connection topology in general, may be a directed acyclic graph (DAG) as shown in FIG. 7D with a control plane and FIG. 7E that shows the DAG of FIG. 7D without the control plane.
  • FIGs. 7B-7D may be used to depict the implementation of ETL, ELT and TEL dataflows using secure data pipelines. This depiction will be illustrated in connection with FIGs. 8A, 8B and 8C.
  • FIG. 8A shows a simplified representation 802 of the extraction step of a secure pipeline.
  • unencrypted data in storage system 805 is processed in secure data plane environment 807 by a program P1, which extracts and encrypts the data and stores it in storage system 809.
  • the simplified representation 802 may be further simplified as shown in the representation 803. Note that the symbol “U” in 803 denotes that the input to program P1 is unencrypted and the symbol “E” denotes that P1 produces encrypted output.
  • FIG. 8B shows a simplified representation 811 of the transformation step of a secure pipeline.
  • encrypted data in storage system 813 is processed in secure data plane environment 814 by a program P2, which decrypts the data, processes it, re-encrypts it and stores it in storage system 815.
  • the simplified representation 811 may be further simplified as shown in the representation 812.
  • FIG. 8C shows a simplified representation 822 of the loading step of a secure pipeline whose simplified form is shown in 823. Note that the symbol “E” in 823 denotes that the input to program P3 is encrypted and the symbol “U” denotes that P3 produces unencrypted output.
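The U/E convention of FIGs. 8A-8C and the DAG interconnection of FIG. 7D, as an added example (not the patent's code): primitives typed by the form of their input and output, a check that every link carries data in the form the next primitive expects, the list of the only places where unencrypted data is at rest, and the fusing of two primitives joined by an E-to-E link into one environment as FIG. 9D does. The names make, check_links, plaintext_at_rest, dataflow_type and fuse are constructed.

```python
"""Constructed model of the U/E-annotated pipeline primitives of FIGs. 8A-8C
wired into a DAG as in FIG. 7D (added example, not code from the patent).
Each primitive stands for one secure data plane environment, typed by the
form of its input and output data: U (unencrypted) or E (encrypted).
"""
from collections import deque
from dataclasses import dataclass

# Per the page's convention: extract U->E (803), transform E->E (812),
# load E->U (823).
STEP_FORMS = {"extract": ("U", "E"), "transform": ("E", "E"), "load": ("E", "U")}


@dataclass(frozen=True)
class Primitive:
    name: str
    step: str  # "extract", "transform", "load", or a fused "transform+load"
    inp: str   # "U" or "E"
    out: str


def make(name: str, step: str) -> Primitive:
    inp, out = STEP_FORMS[step]
    return Primitive(name, step, inp, out)


def topological_order(prims: dict, edges: list) -> list:
    """Kahn's algorithm; raises if the interconnection is not acyclic."""
    indeg = {n: 0 for n in prims}
    succ = {n: [] for n in prims}
    for src, dst in edges:
        succ[src].append(dst)
        indeg[dst] += 1
    ready = deque(n for n in prims if indeg[n] == 0)
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    if len(order) != len(prims):
        raise ValueError("pipeline topology contains a cycle; a DAG is required")
    return order


def check_links(prims: dict, edges: list) -> list:
    """Links whose data form does not match, e.g. a U output feeding an E
    input; an empty list means every link type-checks."""
    return [(s, d) for s, d in edges if prims[s].out != prims[d].inp]


def plaintext_at_rest(prims: dict, edges: list) -> list:
    """Storage systems holding unencrypted data: only the inputs of source
    primitives typed U and the outputs of sink primitives typed U."""
    has_in = {d for _, d in edges}
    has_out = {s for s, _ in edges}
    spots = [f"input of {n}" for n, p in prims.items() if n not in has_in and p.inp == "U"]
    spots += [f"output of {n}" for n, p in prims.items() if n not in has_out and p.out == "U"]
    return sorted(spots)


def dataflow_type(prims: dict, edges: list) -> str:
    """Initials of the steps in topological order, e.g. 'ETL' or 'ELT'."""
    return "".join(st[0].upper() for n in topological_order(prims, edges)
                   for st in prims[n].step.split("+"))


def fuse(prims: dict, edges: list, a: str, b: str) -> tuple:
    """Merge two primitives joined by a single E->E link into one secure
    environment, as FIG. 9D does with primitives 923 and 924 (one fewer
    environment, same encrypted inputs and outputs)."""
    if (a, b) not in edges or prims[a].out != "E" or prims[b].inp != "E":
        raise ValueError("fusing requires an E->E link from a to b")
    if any(s == a and d != b for s, d in edges) or any(d == b and s != a for s, d in edges):
        raise ValueError("a must feed only b, and b must be fed only by a")
    fused = Primitive(f"{a}+{b}", f"{prims[a].step}+{prims[b].step}",
                      prims[a].inp, prims[b].out)
    new_prims = {n: p for n, p in prims.items() if n not in (a, b)}
    new_prims[fused.name] = fused
    new_edges = [(fused.name if s == b else s, fused.name if d == a else d)
                 for s, d in edges if (s, d) != (a, b)]
    return new_prims, new_edges


# Constructed ETL pipeline in the style of FIG. 7C: P1 extracts, P2 transforms, P3 loads.
ETL_PRIMS = {n: make(n, s) for n, s in (("P1", "extract"), ("P2", "transform"), ("P3", "load"))}
ETL_EDGES = [("P1", "P2"), ("P2", "P3")]
```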
  • Many user computing devices collect data that is provided to apps for processing.
  • the processing may be partly performed on the user computing device itself and partly by another app, e.g., in a cloud-based server arrangement.
  • digital camera devices capture facial, traffic and other images which may then be processed to identify consumers, members of the public wanted by the police, etc.
  • images of automobiles may be used to identify those that violate traffic regulations.
  • wearable devices, smart phones and devices connected to or associated with smart phones collect data from consumers concerning their health (e.g., level of activity, pulse, pulse oximeter data, etc.).
  • collected data is analyzed and/or monitored, and consumer-specific information in the form of advice or recommendations is communicated back to the consumer. Consumer activity may be monitored and general recommendations for fitness goals etc. may be transmitted to consumers.
  • the behavior of the client app may be modified on the basis of analyzing collected data.
  • a general name for such services offerings is crowd sourced data (CSD) applications.
  • FIG. 9A shows a data flow for a typical service offering concerning CSD applications.
  • a dataflow architecture is often used in which user computing devices 901 (often containing a computer program, e.g., a client app, that may have been downloaded from a well-known website) generate data and provide it to data storage system 902.
  • the user computing devices 901 may contain secure computing environments wherein all or a part of the collected data may be processed.
  • app 903 may be a computer program (or a collection of computer programs) that process the data in storage system 902.
  • Results of the processing by app 903 may be provided to the service provider as output 904 (e.g., meta-data concerning the service offering, audit logs, etc.) or saved in data storage 902 for subsequent processing.
  • the data in storage system 902 may be processed to provide monitoring and recommendations to the user computing devices 901.
  • FIG. 9A actually shows two data pipelines pertaining to each user computing device and terminating at storage system 902.
  • the first pipeline comprises the data emanating from the user computing device (i.e., a member of the device group denoted by reference numeral 901) and terminating at the storage system 902.
  • the second data pipeline starts at storage system 902 and terminates at the user computing device.
  • This second data pipeline may return the results of processing the data by the app to the data storage 902, from which individual ones of the user computing devices can access their own respective portion of the processed data (and not the processed data associated with other users).
  • FIG. 9B shows how the pipelines of FIG. 9A can be transformed into secure pipelines.
  • the pipeline from the user computing device 901 to the data storage 902 (FIG. 9A) can be replaced by a secure extraction pipeline primitive in which a program P1 extracts the data from the user computing device 901 and stores it in the storage system 913 in encrypted form; the pipeline from data storage 902 to app 903 is replaced by the loading pipeline primitive (822 cf. FIG. 8C) using the program P2.
  • the pipeline from app 903 to output 904 (cf. FIG. 9A) is replaced by two transformation pipeline primitives (812 cf. FIG. 8B), represented by a program P2 that performs the loading in secure computing environment 914 and an app 916 or other computer program that performs the transforming in secure computing environment 915.
  • FIG. 9B can be further simplified by using the terminological convention described above in connection with the simplified representation 803 in FIG. 8A.
  • FIG. 9C shows the resulting simplified secure pipeline. Note, as explained earlier, that the symbols “U” and “E” denote “unencrypted” and “encrypted” input/output data, respectively.
  • Note that the secure pipeline shown in FIG. 9C is of type ELT. Also note that pipeline primitives 923 and 924 can be combined into a single pipeline primitive 934 as shown in FIG. 9D.
  • pipeline primitive 934 requires that the corresponding secure computing environment run program P2 and the App with the indicated encrypted inputs and outputs. That is, FIG. 9D shows a possibly more efficient implementation of the pipeline of FIG. 9C since it uses one less secure computing environment.
  • FIG. 9E summarizes the secure pipeline transformation of FIG. 9A: a number of (non-secure) pipelines emanating from edge devices converge at pipeline primitive 943, where the data is processed by program P1 and then provided to pipeline primitive 944. Upon further processing at pipeline primitive 944 by program P2 and the App, the pipeline generates an output.
  • Machine Learning (ML) and Big Data applications are known as data intensive applications because they depend critically on copious amounts of input data.
  • the learning capability of ML systems increases in general with the amount of training data provided to it.
  • FIG. 10A shows a simple example of a dataset 1002 being provided to a computer program (e.g., app 1003 in this example), which produces a result, i.e., a trained model 1004.
  • the data provider providing dataset 1002 may be concerned that its dataset be made available only to app 1003 and not to any other program. The enforcement of such policy restrictions is discussed in the aforementioned U.S. Patent Appl. No. 17/094,118.
  • the provider of the dataset 1002 may have further concern of protecting its dataset from the service provider. This may be achieved by using secure pipelines as a service infrastructure.
  • FIGs. 10B and 10C show the corresponding secure pipeline and the simplified pipeline representations.
  • FIG. 11A shows a variation of the above case in which two datasets 1101 and 1102 are made available to algorithm 1103.
  • the datasets and the algorithm are each provided to app 1104 by a different third party.
  • the app 1104 processes the data and outputs a trained model 1105.
  • the corresponding secure pipeline infrastructure is shown in FIG. 11B and its simplified representation in FIG. 11C.
  • program P1 is used to perform a loading step in a secure environment and the processing performed by the app in another secure environment corresponds to the transforming step shown in FIGs. 11B and 11C.
  • FIG. 12A shows yet another variation of a data intensive application.
  • FIG. 12A shows a “getician” process in which program P1 (1201) is provided to customers 1 and 2, who use P1 to send datasets D1 and D2, respectively, to computing environment 1204 where they are processed by program P2. The latter then produces two outputs 1205 and 1206, which are sent to customers 1 and 2, respectively.
  • a practical example of this use case involves restrictions on moving the datasets 1202 and 1203 (containing, e.g., customer records) across jurisdictional boundaries, or security concerns. For example, many banks have branches in different countries and data residency regulations prevent datasets from being sent across jurisdictional boundaries.
  • FIG. 12B proposes a different geNIC experiment using Deep Learning Neural Network (DLNN) programs X1, X2 and X3.
  • Program X1 is provided to customer 1 (in a jurisdiction 1, for example) where it processes dataset D1.
  • Program X1 is also provided to customer 2 in jurisdiction 2 where it processes dataset D2.
  • D1 and D2 are the same datasets as 1202 and 1203, respectively, in FIG. 12A.
  • the learnings (results) obtained from the processing are contained in the internal weights of the respective programs.
  • program X1 in jurisdiction 1 after processing dataset D1 contains its learnings in its internal weights W1.
  • program X1 after running on dataset D2 in jurisdiction 2 contains its learnings in its internal weights W2.
  • Program X2 running in computing environment 1210 may then obtain new learnings by combining the weight matrices W1 and W2 and associate the new learnings with customers/jurisdictions identified by anonymity-preserving identification numbers.
  • the combined new weight matrix, W3 may now be provided as input to a program, X3 operating in a computing environment 1220 residing in jurisdiction 4, which sorts the learnings by customer/jurisdiction and returns the learnt findings to customer jurisdictions 1 and 2.
  • FIG. 12C shows a secure pipeline implementation of the processes shown in FIG. 12B in which the computing environments are now secure computing environments. Since jurisdictions 1 and 2 process customer-specific information, secure computing environments 1225 and 1226 need to be secure pipelines that receive and output encrypted (E) information. Since the weights W1 and W2 and other information incident to 1220 are anonymity-preserving, computing environment 1220 need not necessarily be a secure pipeline; it may thus receive and output unencrypted data. Computing environment 1230 receives unencrypted data but, since it needs to provide input to secure pipelines, outputs encrypted information to secure computing environments 1225 and 1226, respectively.
  • FIG. 12C serves to show a pipeline that uses both secure and nonsecure pipeline primitives to effectuate an overall process.
  • FIG. 13A shows the dataflow for a one-to-one chat service offered by many messaging systems in which a sender transmits a message from a user computing device 1301 to a receiving user computing device 1305.
  • Storage systems 1302 and 1304 are intermediary systems used by the service infrastructure. In the literature, storage systems 1302 and 1304 are sometimes referred to as points of presence (POP) access points.
  • a routing network 1303 connects the POP access points 1 and 2.
  • client devices 1301 and 1305 negotiate and settle on encryption and decryption keys in a provisioning step without informing the service provider (not shown in FIG. 13A). Therefore, the service provider may claim that it is unaware of the content of the messages being shared between user computing devices 1301 and 1305 since the messages are encrypted and decrypted by the client devices.
  • a group chat service such as illustrated in the pipeline of FIG. 13B may be considered as a general case of a one-to-one messaging service such as shown in FIG. 13A.
  • user computing device 13011 sends a message to a group of user computing devices 13051.
  • group chat services generally do not follow this approach because encryption/decryption keys would have to be individually negotiated for each sender/recipient pair, which is computationally expensive and cumbersome.
  • the service provider may choose a common encryption/decryption key for the group, but in this case the service provider may no longer claim that it is unaware of the contents of the message.
  • FIG. 13C shows how, to preserve the claim of the service provider that it remains oblivious of the message content being shared in a group chat, we propose using a secure computing environment 13201, which is introduced between the user computing device 13012 and POP1 and wherein a computer program, say P1 in secure computing environment 13201, negotiates with the user computing device 13012 an encryption/decryption key for sending and receiving messages.
  • a secure computing environment 13202 is introduced between POP 2 and user computing devices 13052 wherein a program, say P2 in secure computing environment 13202, negotiates decryption/encryption keys with the respective client devices for receiving and sending messages in a provisioning step (i.e., when the group is formed).
  • secure computing environment 13201 may be provisioned with another computer program, say Z, which establishes a network connection with a service provider, say G (i.e., G may be different from the provider of the messaging/chat service).
  • Program Z may review a message being sent from user computing device 13012 and inform service provider G if certain features are detected. For example, program Z may be examining content for pornography while service provider G operates in conjunction with a law enforcement agency. In such a use case, the chat/messaging service provider remains oblivious of the message contents but is able to alert/inform relevant authorities or service providers when the content of a message triggers an alert condition.
  • service provider G may use program Z to gather statistics which it may then share with the chat/messaging service provider.
  • Service providers using secure ETL pipelines as described above to provide computational results to customers may optionally provide additional features as described in the following five embodiments.
  • a customer of the result of a secure data pipeline process may want to ascertain that the lineage of the results contains a specific and pre-determined asset (a program or a dataset). This can be provided, as described above, by providing (using a “forked” secure and isolated pipeline segment) cryptographic digests of the pre-determined assets to the customer.
  • a customer of the result of a secure data pipeline process may wish to ascertain that the lineage of the results contains a group of linked assets (e.g., a specific program, say P, operating on a specific dataset, D). This may be achieved by linking the cryptographic digests of the assets and providing the linked digests to the customer using a forked secure pipeline segment (as in embodiment 1 above). For example, we may take the digest of program P and then take the digest of D and P, i.e., digest (D, digest (P union “empty set”)).
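The linked digest of embodiment 2 and the single-asset digest of embodiment 1, as an added example (not the patent's code). Assumptions: digest() is SHA-256, the two-argument digest(x, y) is taken as SHA-256 over a length-prefixed x followed by y, and “P union empty set” is read as P; the verify step is what the customer does with the value received over the forked segment.

```python
"""Linked lineage digests of embodiments 1 and 2 (added example, not code
from the patent). Conventions below are assumptions: digest() is SHA-256;
digest(x, y) hashes len(x) || x || y; 'P union empty set' is just P.
"""
import hashlib
import hmac
import struct


def digest(x: bytes, y: bytes = b"") -> bytes:
    """Two-argument digest: SHA-256 over len(x) || x || y. The length prefix
    keeps the pair (x, y) unambiguous (constructed convention)."""
    return hashlib.sha256(struct.pack(">Q", len(x)) + x + y).digest()


def linked_digest(assets: list) -> bytes:
    """Chain the assets in order: digest(A_n, ... digest(A_2, digest(A_1, ''))).
    For [P, D] this is the page's digest(D, digest(P union empty set))."""
    acc = b""
    for asset in assets:
        acc = digest(asset, acc)
    return acc


def verify_lineage(received: bytes, assets: list) -> bool:
    """Customer-side check: recompute the chain from the assets the customer
    expects (e.g. escrowed copies) and compare with the digest delivered over
    the forked secure pipeline segment."""
    return hmac.compare_digest(received, linked_digest(assets))


# Constructed assets: a program P and a dataset D as byte strings.
PROGRAM_P = b"def model(rows): return sum(rows) / len(rows)"
DATASET_D = b"id,value\n1,10\n2,20\n"
```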
  • the secure data pipeline operator may wish to add an additional asset to a pipeline.
  • a pipeline uses asset D1, but the operator may wish to also use asset D2.
  • the original secure data pipeline (using asset D1) remains unaltered.
  • the asset D2 may be provided by the customer (i.e., the recipient of the result of the pipeline).
  • an intended recipient may obtain customized results using assets specified by the recipient.
  • resulting datasets of a secure data pipeline process are provided to the customer as an “all you can eat” charging model. (The customer “owns” the result.)
  • the result of an ETL pipeline may be provided to the customer in a secure pipeline. That is, the final stage of the ETL pipeline may be a secure pipeline segment. For example, this final segment may be configured to respond to queries posed by the customer and the customer may be charged on a per query basis.
  • the original charging “all you can eat” model may be replaced by a “pay by the query” model.
  • aspects of the subject matter described herein may be described in the general context of computer-executable instructions, such as computer programs, being executed by a computer or a cluster of computers.
  • computer programs include routines, programs, objects, components, data structures, and so forth, which perform particular tasks or implement particular abstract data types.
  • aspects of the subject matter described herein may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.
  • program modules may be located in both local and remote computer storage media including memory storage devices.
  • the claimed subject matter may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof to control a computer to implement the disclosed subject matter.
  • the claimed subject matter may be implemented as a computer-readable storage medium embedded with a computer executable program, which encompasses a computer program accessible from any computer-readable storage device or storage media.
  • computer readable storage media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips . . . ), optical disks (e.g., compact disk (CD), digital versatile disk (DVD) . . .
  • the terms “software,” “computer programs,” “programs,” “computer code” and the like refer to a set of program instructions running on an arithmetical processing device such as a microprocessor or DSP chip, or as a set of logic operations implemented in circuitry such as a field-programmable gate array (FPGA) or in a semicustom or custom VLSI integrated circuit. That is, all such references to “software,” “computer programs,” “programs,” “computer code,” as well as references to various “engines” and the like may be implemented in any form of logic embodied in hardware, a combination of hardware and software, software, or software in execution. Furthermore, logic embodied, for instance, exclusively in hardware may also be arranged in some embodiments to function as its own trusted execution environment.
  • a component may be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer.
  • an application running on a controller and the controller can be a component.
  • One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers.


Abstract

Des systèmes et des procédés sont présentés pour traiter un ensemble de données dans une séquence d'étapes qui définissent au moins une partie d'un pipeline de données. Le procédé consiste : à fournir une pluralité d'environnements informatiques de confiance et isolés ; à fournir un ou plusieurs algorithmes dans chacun des environnements informatiques de confiance et isolés, le ou les algorithmes dans chacun des environnements informatiques de confiance et isolés étant configurés pour traiter des données conformément à une étape différente dans le pipeline de données ; à recevoir l'ensemble de données dans un premier environnement des environnements informatiques de confiance et isolés et à amener l'ensemble de données à être traité par le ou les algorithmes qui s'y trouvent afin de produire un premier ensemble de données de sortie traité ; et à amener le premier ensemble de données de sortie traité à être traité dans un second environnement des environnements informatiques de confiance et isolés par le ou les algorithmes qui s'y trouvent.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2022/023671 WO2023195983A1 (fr) 2022-04-06 2022-04-06 Transforming dataflows into secure dataflows using trusted and isolated computing environments

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2022/023671 WO2023195983A1 (fr) 2022-04-06 2022-04-06 Transforming dataflows into secure dataflows using trusted and isolated computing environments

Publications (1)

Publication Number Publication Date
WO2023195983A1 true WO2023195983A1 (fr) 2023-10-12

Family

ID=88243347

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2022/023671 WO2023195983A1 (fr) 2022-04-06 2022-04-06 Transforming dataflows into secure dataflows using trusted and isolated computing environments

Country Status (1)

Country Link
WO (1) WO2023195983A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200320340A1 (en) * 2019-04-08 2020-10-08 Ares Technologies, Inc. Systems, devices, and methods for machine learning using a distributed framework
US20210117249A1 (en) * 2020-10-03 2021-04-22 Intel Corporation Infrastructure processing unit
US20210141940A1 (en) * 2019-11-13 2021-05-13 Sensoriant, Inc. Method and system for enhancing the integrity of computing with shared data and algorithms

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200320340A1 (en) * 2019-04-08 2020-10-08 Ares Technologies, Inc. Systems, devices, and methods for machine learning using a distributed framework
US20210141940A1 (en) * 2019-11-13 2021-05-13 Sensoriant, Inc. Method and system for enhancing the integrity of computing with shared data and algorithms
US20210117249A1 (en) * 2020-10-03 2021-04-22 Intel Corporation Infrastructure processing unit

Similar Documents

Publication Publication Date Title
Al-Issa et al. eHealth cloud security challenges: a survey
Anciaux et al. Personal data management systems: The security and functionality standpoint
Ghorbel et al. Privacy in cloud computing environments: a survey and research challenges
Thota et al. Big data security framework for distributed cloud data centers
US20210141940A1 (en) Method and system for enhancing the integrity of computing with shared data and algorithms
Fabian et al. Collaborative and secure sharing of healthcare data in multi-clouds
Hardin et al. Amanuensis: Information provenance for health-data systems
CN105659238B (zh) 用于患者数据交换系统的数据驱动模式
Zala et al. PRMS: design and development of patients’ E-healthcare records management system for privacy preservation in third party cloud platforms
Almulhem Threat modeling for electronic health record systems
Fatima et al. An exhaustive review on security issues in cloud computing
Anitha Kumari et al. Securing Internet of Medical Things (IoMT) using private blockchain network
Asadi Saeed Abad et al. An architecture for security and protection of big data
Singh et al. Cloud computing security using blockchain technology
US20220318389A1 (en) Transforming dataflows into secure dataflows using trusted and isolated computing environments
Sujihelen An efficient chain code for access control in hyper ledger fabric healthcare system
Coppolino et al. Exploiting new CPU extensions for secure exchange of eHealth data at the EU level
Shree et al. Data protection in internet of medical things using blockchain and secret sharing method
Srikanth et al. Security issues in cloud and mobile cloud: A comprehensive survey
Kumar et al. Secure transfer of robust healthcare data using blockchain-based privacy
WO2023195983A1 (fr) Transforming dataflows into secure dataflows using trusted and isolated computing environments
Gattoju et al. Design of ChaApache framework for securing Hadoop application in big data
Hasimi Cost-effective solutions in cloud computing security
Atoum et al. Big data management: Security and privacy concerns
Marwan et al. Security in cloud-based medical image processing: requirements and approaches

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 22936688

Country of ref document: EP

Kind code of ref document: A1