
Guardat: Enforcing data policies at the storage layer


Presentation Transcript


  1. Guardat: Enforcing data policies at the storage layer. Anjo Vahldiek-Oberwagner [1], Eslam Elnikety [1], Aastha Mehta [1], Deepak Garg [1], Peter Druschel [1], Rodrigo Rodrigues [2], Johannes Gehrke [3,4], Ansley Post [5]. [1] MPI-SWS, [2] NOVA LINCS/Nova University of Lisbon, [3] Microsoft, [4] Cornell, [5] Google

  2. Web attacks and leaks

  3. Threat 1: Unauthorized Access. Unauthorized access due to configuration errors, bugs, attacks. (Diagram: Clients; Web Server Host running the Web Server App over the Operating System and File System; Web Server State: httpd.conf, .htaccess, users, groups, Content.)

  4. Threat 2: State Corruption. State corruption due to configuration errors, bugs, attacks. (Diagram: Clients; Web Server Host running the Web Server App over the Operating System and File System; Web Server State: httpd.conf, .htaccess, users, groups, Content.)

  5. Threat 3: Trojans & log manipulation. Trojans & log manipulation due to attacks. (Diagram: Clients; Web Server Host running the Web Server App over the Operating System and File System; Web Server State: Logs, Executables.)

  6. Threat 4: Unaccounted Provider Access. Providers bypass application access control protections. (Diagram: Clients; Web Server Host running the Web Server App over the Operating System and File System; a provider employee reaching the Content directly.)

  7. Why is mitigation difficult? Confidentiality and integrity depend on a large, fast-evolving code base. Access control lists and access checks are spread across the system. Recovering corrupt persistent state is difficult.

  8. Guardat: Storage Layer Compliance. Stakeholders: user, provider, developer, privacy officer. (Diagram: stakeholders set a per-file policy and receive a file attestation; Application, OS and File System are UNTRUSTED; the Guardat Storage Layer holds the Trusted Controller.)

  9. Outline. Design Principles: (1) Declarative Policies, (2) Enforcement. File Attestation. Guardat Transaction. Implementation & Evaluation.

  10. Policy language in a nutshell. permission :- Boolean expression over predicates. read :- when to read a file; update :- when to update the file; setPolicy :- when to change the policy; destroy :- when to reuse the name.

  11. Protecting files from unauthorized access. Threat: Unauthorized access due to configuration error, bug or attack. Private files: read :- sessionIs(Alice); update :- …; setPolicy :- sessionIs(Alice); destroy :- sessionIs(Alice). Assumption: Integrity of Alice’s key is maintained. Guarantee: Protected files may only be read within an authenticated session.

  12. Protecting files from corruption. Threat: State corruption due to configuration error, bug or attack. Private files: read :- …; update :- sessionIs(Alice); setPolicy :- …; destroy :- …. Assumption: Integrity of Alice’s key is maintained. Guarantee: Protected files may only be updated within an authenticated session.

  13. Protecting executables. Threat: Attack installing a trojan. Signed-updates-only executables: read :- TRUE; update :- fileNameIs(F) ∧ fileNewLenIs(L) ∧ (0, L) willHaveHash Nh ∧ keyIs(K, “Vendor”) ∧ K signs okHash(F, N, Nh); setPolicy :- FALSE. Assumption: Integrity of the vendor’s key is maintained. Guarantee: Protected files cannot be overwritten except with content signed by the vendor.

  14. Protecting log files from manipulation. Threat: Attack manipulating logs. Append-only log files: read :- TRUE; update :- [ fileCurrLenIs(Lc) ∧ fileNewLenIs(Ln) ∧ Ln ≥ Lc ∧ txUpdatedExAre(M) ∧ listsAreDisjoint(M, [0, Lc]) ] ∨ [ sessionIs(Admin) ]; setPolicy :- FALSE; destroy :- FALSE. Assumption: Administrator key integrity. Guarantee: Protected files cannot be overwritten, only appended.

  15. Protecting content from unaccounted provider access. Threat: Provider accesses are not accounted for.
     Private files, accounting for provider access:
       read :- ((“profil”, SEQCNTLOC, _) says seqcnt(currseq)) ∧ ((“acclog”, _, _) says read(currseq, _, offset, length)) ∧ AccessOffIs(offset) ∧ AccessLenIs(length)
       update :- ((“profil”, SEQCNTLOC, _) says seqcnt(currseq)) ∧ ((“profil”, SEQCNTLOC, _) willSay seqcnt(nextseq)) ∧ EQ(currseq + 1, nextseq) ∧ ((“acclog”, gennb, _, _) says write(nextseq, _, newhash, offsetlist)) ∧ ((offsetlist) willHaveHash newhash) ∧ TxUpdateLocAre(offsetlist)
       setPolicy :- FALSE
       destroy :- FALSE
     Log file, with log-entry check and append-only:
       read :- TRUE
       update :- [ FileCurrExAre(oe) ∧ FileNewExAre(ne) ∧ isPrefix(oe, ne) ∧ ((“acclog”, neo, _) willSay _(nseq, _, _, _)) ∧ ((“acclog”, neo - READENTRYLENGTH, _) says _(nseq - 1, _, _, _)) ∧ FileCurrLenIs(currlen) ∧ LT(currlen, neo) ]
                 ∨ [ FileCurrExAre(oe) ∧ FileNewExAre(ne) ∧ isPrefix(oe, ne) ∧ ((“acclog”, neo, _) willSay _(nseq, _, _, _)) ∧ ((“acclog”, gennb, neo - WRITEENTRYLENGTH, _) says _(nseq - 1, _, _, _)) ∧ FileCurrLenIs(currlen) ∧ LT(currlen, neo) ]
                 ∨ [ ((“acclog”, neo, nel) willSay write(nseq, _, _, _)) ∧ ((“acclog”, neo, nel) says write(nseq, _, _, _)) ∧ ((“profil”, gennb, SEQCNTLOC, _) says seqcnt(currseq)) ∧ LT(currseq, nseq) ∧ TxUpdateLocAre((neo, nel)) ]
       setPolicy :- FALSE
       destroy :- FALSE
     Assumption: Auditor key integrity. Guarantee: Protected files cannot be accessed without a corresponding log entry in the access log.

  16. Outline. Design Principles: (1) Declarative Policies, (2) Enforcement. File Attestation. Guardat Transaction. Implementation & Evaluation.

  17. Storage Layer Enforcement. (Diagram of the host stack, top to bottom: Web Server App, Library, Operating System, File System, OS abstraction, File System, VMM, Virtual device, Storage Layer, Storage controller, Disks.) Enforcing at the storage layer decreases the risk of circumvention.

  18. Storage Layer Enforcement. (Diagram: the Host, with Web Server App, Operating System, File System and VMM, is UNTRUSTED; the Storage Area Network Server with its disks sits in a physically protected machine room; the network between them is UNTRUSTED.)

  19. Outline. Design Principles: (1) Declarative Policies, (2) Enforcement. File Attestation. Guardat Transaction. Implementation & Evaluation.

  20. File Attestation: Bridging the gap between file- and block-level enforcement. Stakeholders: user, provider, developer, policy officer. Attests: file name, policy, state, content. (Diagram: a per-file policy is set by the stakeholders; Application, OS and File System are UNTRUSTED; the Guardat Storage Layer holds the Trusted Controller, with Metadata on NVM and Data on Disk.)
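To make the attestation slide concrete, here is an added toy model, not Guardat code: a controller that vouches for a file's name, policy, state (a version counter) and content hash, and a client check that refuses bytes the untrusted OS hands back unless the controller's attestation covers them. The controller's signing key is modelled as a constructed HMAC key, and the class and function names are invented.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the trusted controller's signing key
# (kept in its protected metadata store in the slides' design).
CONTROLLER_KEY = b"constructed-controller-key"


def _mac(key, claims):
    """MAC over a canonical JSON encoding of the attested claims."""
    msg = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AttestingController:
    """Toy controller: file bytes plus per-file policy text and a version counter."""

    def __init__(self, key=CONTROLLER_KEY):
        self.key = key
        self.files = {}  # name -> {"content": bytes, "policy": str, "version": int}

    def create(self, name, content, policy):
        self.files[name] = {"content": content, "policy": policy, "version": 1}

    def attest(self, name):
        """Attest file name, policy, state (version) and content hash."""
        f = self.files[name]
        claims = {
            "name": name,
            "policy": f["policy"],
            "version": f["version"],
            "content_sha256": hashlib.sha256(f["content"]).hexdigest(),
        }
        return {"claims": claims, "mac": _mac(self.key, claims)}


def verify_attestation(att, key, expected_name, expected_policy, content):
    """Client side: accept the bytes only if the controller vouches for
    exactly this name, this policy and this content."""
    claims = att["claims"]
    if not hmac.compare_digest(att["mac"], _mac(key, claims)):
        return False
    return (claims["name"] == expected_name
            and claims["policy"] == expected_policy
            and claims["content_sha256"] == hashlib.sha256(content).hexdigest())


def demo_attestation():
    ctl = AttestingController()
    log_policy = "update :- append-only"           # constructed policy text
    ctl.create("access.log", b"line1\nline2\n", log_policy)
    ctl.create("notes.txt", b"draft", "update :- sessionIs(Alice)")
    att_log = ctl.attest("access.log")
    att_notes = ctl.attest("notes.txt")
    return {
        # genuine bytes under the expected policy
        "ok": verify_attestation(att_log, CONTROLLER_KEY, "access.log",
                                 log_policy, b"line1\nline2\n"),
        # OS returned different bytes than the controller attested
        "substituted": verify_attestation(att_log, CONTROLLER_KEY, "access.log",
                                          log_policy, b"line1\nXXXXX\n"),
        # right name and bytes, but the file is not under the policy the client expects
        "wrong_policy": verify_attestation(att_notes, CONTROLLER_KEY, "notes.txt",
                                           log_policy, b"draft"),
        # attestation re-MACed under the wrong key
        "forged": verify_attestation({"claims": att_log["claims"],
                                      "mac": _mac(b"other", att_log["claims"])},
                                     CONTROLLER_KEY, "access.log", log_policy,
                                     b"line1\nline2\n"),
    }
```

The point of the policy field is that a client can trust not only the bytes but the rules that govern future writes to them (for example, that a log it is about to rely on is append-only), which block-level integrity alone does not convey.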

  21. Outline. Design Principles: (1) Declarative Policies, (2) Enforcement. File Attestation. Guardat Transaction. Implementation & Evaluation.

  22. Introducing Guardat Transactions. Atomic update of a file. Bundle multiple accesses. Delay policy evaluation to the commit operation. Transaction caches.

  23. Guardat Transaction by Example. Shifting the burden of proving complex policy compliance to untrusted code keeps policies concise and policy evaluation efficient. Application demonstrates policy compliance: 1. Download binary + certificate; 2. Begin transaction tx (+ certificate); 3. Write new binary; 4. Commit transaction tx. (Diagram: Application, OS and File System are UNTRUSTED; the Guardat Device holds the Trusted Controller, Metadata and a Transaction cache; the new binary N# moves from the application into the cache.)
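As an added example (not Guardat's code) that ties together the signed-executable policy of slide 13, the append-only log policy of slide 14 and the transaction flow on this slide: a toy Python controller keeps a per-file update predicate named after the slides' predicates, a transaction buffers writes plus an optional certificate, and the policy is evaluated only at commit, so the whole transaction either lands or is discarded. The vendor's signature (keyIs(K, "Vendor") / okHash) is modelled as an HMAC under a constructed key; the Python classes and function names are assumptions of this example.

```python
import hashlib
import hmac

# Constructed vendor key; an HMAC stands in for the vendor's signing key K.
VENDOR_KEY = b"constructed-vendor-key"


def vendor_cert(filename, content, key=VENDOR_KEY):
    """Vendor side: certificate stating okHash(F, N, Nh) for the new binary."""
    new_hash = hashlib.sha256(content).hexdigest()
    msg = f"{filename}:{len(content)}:{new_hash}".encode()
    return {"file": filename, "len": len(content), "hash": new_hash,
            "sig": hmac.new(key, msg, hashlib.sha256).hexdigest()}


class Transaction:
    """Bundles writes and a certificate; nothing is checked until commit."""

    def __init__(self, session=None, certificate=None):
        self.session = session          # sessionIs(...) on the slides
        self.certificate = certificate  # vendor certificate, if any
        self.writes = []                # (filename, offset, bytes, truncate)

    def write(self, filename, offset, data, truncate=False):
        self.writes.append((filename, offset, data, truncate))

    def extents(self, filename):
        """txUpdatedExAre(M): the (offset, length) extents this tx touches."""
        return [(off, len(d)) for f, off, d, _ in self.writes if f == filename]


def signed_update_only(current, filename, new, tx):
    """update :- fileNameIs(F) ∧ fileNewLenIs(L) ∧ (0, L) willHaveHash Nh
                 ∧ keyIs(K, "Vendor") ∧ K signs okHash(F, N, Nh)"""
    cert = tx.certificate
    if cert is None or cert["file"] != filename:
        return False
    expected = vendor_cert(filename, new)   # recompute over the staged bytes
    return (cert["len"] == expected["len"] and cert["hash"] == expected["hash"]
            and hmac.compare_digest(cert["sig"], expected["sig"]))


def append_only(current, filename, new, tx):
    """update :- [fileCurrLenIs(Lc) ∧ fileNewLenIs(Ln) ∧ Ln ≥ Lc ∧ txUpdatedExAre(M)
                  ∧ listsAreDisjoint(M, [0, Lc])] ∨ [sessionIs(Admin)]"""
    if tx.session == "Admin":
        return True
    lc, ln = len(current), len(new)
    # every written extent [off, off+len) must start at or beyond the old length
    return ln >= lc and all(off >= lc for off, _ in tx.extents(filename))


class Controller:
    """Toy trusted controller: data plus per-file policy, evaluated at commit."""

    def __init__(self):
        self.store = {}     # filename -> bytes
        self.policies = {}  # filename -> update predicate

    def set_policy(self, filename, predicate):
        self.policies[filename] = predicate

    def begin(self, session=None, certificate=None):
        return Transaction(session, certificate)

    def commit(self, tx):
        # 1. stage the new file images in the transaction cache
        staged = {}
        for f, off, data, truncate in tx.writes:
            buf = bytearray(staged.get(f, self.store.get(f, b"")))
            if off > len(buf):
                buf.extend(b"\0" * (off - len(buf)))
            buf[off:off + len(data)] = data
            if truncate:
                del buf[off + len(data):]
            staged[f] = bytes(buf)
        # 2. evaluate each touched file's policy; any failure aborts the whole tx
        for f, new in staged.items():
            policy = self.policies.get(f)
            if policy is not None and not policy(self.store.get(f, b""), f, new, tx):
                return False
        # 3. persist all or nothing
        self.store.update(staged)
        return True


def demo():
    ctl = Controller()
    ctl.store["access.log"] = b"line1\n"            # constructed sample log
    ctl.set_policy("access.log", append_only)
    ctl.store["httpd"] = b"ELF-old"                 # constructed sample binary
    ctl.set_policy("httpd", signed_update_only)
    r = {}
    tx = ctl.begin(session="www"); tx.write("access.log", 6, b"line2\n")
    r["append"] = ctl.commit(tx)                    # appended past Lc: allowed
    tx = ctl.begin(session="www"); tx.write("access.log", 0, b"XXXXX\n")
    r["overwrite"] = ctl.commit(tx)                 # overlaps [0, Lc): rejected
    tx = ctl.begin(session="Admin"); tx.write("access.log", 0, b"clear\n", truncate=True)
    r["admin"] = ctl.commit(tx)                     # sessionIs(Admin) branch
    new_bin = b"ELF-new-version"
    tx = ctl.begin(certificate=vendor_cert("httpd", new_bin))
    tx.write("httpd", 0, new_bin, truncate=True)
    r["signed"] = ctl.commit(tx)                    # bytes match certificate
    tx = ctl.begin(certificate=vendor_cert("httpd", new_bin))
    tx.write("httpd", 0, b"ELF-trojan", truncate=True)
    r["tampered"] = ctl.commit(tx)                  # hash mismatch: rejected
    r["log"], r["httpd"] = ctl.store["access.log"], ctl.store["httpd"]
    return r
```

Note where the work happens: the untrusted application fetches the binary and certificate and hands both to the controller; the controller's policy only has to hash the staged bytes and check one signature, and because evaluation is deferred to commit, a rejected transaction leaves the stored file untouched.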

  24. Outline. Design Principles: (1) Declarative Policies, (2) Enforcement. File Attestation. Guardat Transaction. Implementation & Evaluation.

  25. Implementation. Trusted controller in an iSCSI Enterprise Target (IET) server: Guardat IET server with Trusted Controller (~20,000 LoC), Network, Data Disk (HDD/SSD), Metadata (SSD). Alternatives: hybrid disk/RAID controller; microcontroller on SCSI/SATA adapter; VMM; Storage Area Network (SAN).

  26. SSD throughput overhead: < 2%. (Chart; 3.8 million files, 40,000 policies.)

  27. 512B access latency. (Charts of latency in ms, log scale, for reads and writes on HDD and SSD.) HDD latency overhead: < 1%. SSD latency overhead.

  28. Protected Apache web server: 2% overhead at peak throughput. Protection: append-only logs; vendor-only update of executables; owner-only update of content pages. Scenario: modified Apache (added 51 lines of code) hosting 220 GB English Wikipedia (~15M files); replay an hourly access distribution of Wikipedia.

  29. Conclusions Guardat guarantees confidentiality and integrity of persistent data and state of a system. No need to trust higher software layers. Guardat protects computer systems from unauthorized access, trojans and log manipulations. Efficient prototype implementation in SAN server.

  30. Guardat: Enforcing data policies at the storage layer. Rodrigo Rodrigues, Eslam Elnikety, Peter Druschel, Aastha Mehta, Anjo Vahldiek-Oberwagner. vahldiek@mpi-sws.org

  31. Backup slides

  32. Guardat: Related work. • TCG storage work group spec [2012]: architecture for sessions, access control policies; concrete design and evaluation left to vendors; no object attestation. • TC: Semantic attestation [Haldar 2004], Excalibur [Santos 2012], Pasture [Kotla 2012]. • Integrity/confidentiality: self-encrypting disks, capability NAS [Aguilera 2003], type-safe disks [Sivathanu 2006], Venti [Quinlan 2002], S4 [Strunk 2000], NetApp SnapVault, PCFS [Garg 2010], PFS [Walsh 2012]. • Extended disk functionality: hybrid disks, object-based storage [Mesnier 2003], active disks [Riedel 2001], semantically smart disks [Sivathanu 2003], differentiated storage [Mesnier 2011]. • VMM/OS data protection: Overshadow [Chen 2008], InkTag [Hofmann 2013], Nexus [Sirer 2011], DCAC [Xu 2014].

  33. Related work: Trusted Computing. Mostly complementary; can be combined, e.g., as a remotely attested external verifier, or as tamper-resistant persistent storage.

  34. Threats to persistent data. Storage media failure (deterioration, obsolescence); natural disasters and physical attack; operator error and negligence; software/hardware bugs; cyber attack and sabotage (the last of these marked "This talk"). The problem is real: among the most frequent causes of loss, human error is a (close) second to device failure, and software errors + viruses third.

  35. Discussion: Enforcement layer

  36. Legacy FS

  37. Transaction API

  38. Stateful policies
