1 / 39

Selective Versioning in a Secure Disk System

Selective Versioning in a Secure Disk System. Swaminathan Sundararaman University of Wisconsin-Madison Gopalan Sivathanu Google Inc. Erez Zadok Stony Brook University. Securing Disk Data. Data protection is performed by Applications File systems

lisbet
Télécharger la présentation

Selective Versioning in a Secure Disk System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Selective Versioning in a Secure Disk System Swaminathan Sundararaman University of Wisconsin-Madison Gopalan Sivathanu Google Inc. Erez Zadok Stony Brook University

  2. Securing Disk Data • Data protection is performed by • Applications • File systems • Existing data protection systems operate at the OS level • OS compromises • Root kit attacks, buffer overflow attacks, viruses, malware, … • Entire disk data vulnerable • Protecting data in the event of OS comprises • Difficult with existing solutions Selective Versioning in a Secure Disk System

  3. Aspects of Data Security • Confidentiality • Preventing unauthorized reads • Integrity • Detecting unauthorized writes • Recoverability • Protecting against data destruction Selective Versioning in a Secure Disk System

  4. Treat Model User Applications File Systems Security Compromised Mech. OS Data Entire disk data vulnerable Existing Systems Selective Versioning in a Secure Disk System

  5. Selective Versioning in a Secure Disk System (SVSDS) • Makes stored data recoverable in the event of an OS compromise • Transparently versions data inside the disk • Applications cannot bypass versioning • Enforces operation-level constraints • Protects important file from being modified • Selectively versions user-chosen files • Reduces the space overhead Selective Versioning in a Secure Disk System

  6. Our Solution User Applications File Systems Compromised OS Data Regular data Versioned Data Selective Versioning in a Secure Disk System

  7. Versioning Inside the Disk • Why disk-level versioning is difficult ? • No information about higher level semantics • Narrow block-based interface • Versions all blocks • Higher space overheads • Fewer versions • Reverts all blocks • Should make use of higher level abstraction • Version at a more usable granularity • Leverage Type-Safe Disks (TSD) [OSDI’06] Selective Versioning in a Secure Disk System

  8. Background on TSD • Pointers: primary mechanism of organizing stored data • Pointers define • Semantic dependencies between blocks • Logical groupings of blocks • Importance of blocks • File systems and databases use pointers extensively • b+trees, hashes, lists, indexes • TSDs track block relationship through pointers Selective Versioning in a Secure Disk System

  9. FFS Like File System SB SB Super Block Inode Block IB IB Logical Grouping Semantic Dependency Importance of blocks Directory Block DirB DirB DirB DirB DB Data Block IB IB IB IB IB Unreachable Blocks DB DB DB DB DB DirB DB Selective Versioning in a Secure Disk System

  10. Overview Overview • Motivation • Design • Related Work • Evaluation • Conclusion * Block Allocation * Pointer Management * Securing Disk Data * Selective Versioning * Operation-level Constraints * Data Recovery Selective Versioning in a Secure Disk System

  11. Securing Disk Data • Need to restrict access to versioned data • Virtualizes the disk address space • Prevents users from directly manipulating data stored inside the disk. • Two address space • logical and physical • Applications access data only through the logical address space Selective Versioning in a Secure Disk System

  12. Disk Virtualization Mapping in internally maintained by SVSDS Logical Block # Physical Block # Mapping Table Applications Logical Blocks 1 2 3 3 4 5 1 2 2 4 3 3 1 1 Physical Blocks 1 1 2 3 4 5 • 9write_block(3) • lookup entry in mapping table • redirect write request to physical block 1 Selective Versioning in a Secure Disk System

  13. Selective Versioning • Versioning all blocks consumes more storage space • Shorter version histories • Blocks have varying levels of importance • Meta-data blocks (like inodes) define the reachability of their data blocks • Only some data blocks are important (/tmp files, program installers are not) • Importance changes with the number of outgoing pointers • By default SVSDS versions all meta-data blocks Selective Versioning in a Secure Disk System

  14. Identifying Meta-data Super Block Pointers help identify meta-data SB SB Inode Block Outgoing pointer implies its a Meta-data block IB IB Directory Block DB Data Block DirB DirB DirB DirB IB IB IB IB IB DB DB DB DB DB DirB DB Selective Versioning in a Secure Disk System

  15. Versioning Selected Data • Users would like to protect their files • Pointer information provides logical grouping of blocks • SVSDS does a BFS and marks the blocks for versioning Selective Versioning in a Secure Disk System

  16. Identifying Files Super Block Pointers help identify all files of a directory SB SB Inode Block * Mark all files in this particular Dir IB IB Directory Block DB Data Block DirB DirB DirB DirB IB IB IB IB IB DB DB DB DB DB DirB DB Selective Versioning in a Secure Disk System

  17. Versioning Policy • Versioning interval • Time interval between versions • Configurable by the administrator • Currently, one versioning interval for all blocks Selective Versioning in a Secure Disk System

  18. Versioning Blocks Mapping Table Applications Logical Block # Logical Block # Physical Block # Physical Block # Logical Blocks 1 3 2 1 2 3 4 5 2 4 3 1 Physical Blocks 1 2 3 4 5 Version Table • 9write_block(1) • lookup entry in mapping table • version old mapping • allocate physical block 3 • updates the entry in the mapping table Ver. # 1 2 1 Selective Versioning in a Secure Disk System

  19. Operation-Level Constraints • Important to protect certain files from being modified or overwritten • Executable files, Library files, Log files, System configuration files • SVSDS allows users to specify operation-level constraints • Read-only • Append-only • Files marked for Read-only and Append-only cannot be deleted Selective Versioning in a Secure Disk System

  20. Operation-level Constraints • Read-only constraint • Ensures that marked blocks are immutable • Protects against intruders, viruses, Trojan horses, malware, etc. • Append-only constraint • Ensures that entries in log files are not deleted or modified • Helps in forensic analysis after an intrusion Selective Versioning in a Secure Disk System

  21. Administrative interface • Special hardware port on the disk • Authentication based on capability • Prevents users from reverting back to previous versions • Can be used to change the versioning frequency Selective Versioning in a Secure Disk System

  22. Issues • Currently revert at the granularity of time • Do not revert based on logical abstractions • Denial of Service attacks • Marking arbitrary files • Use administrative interface to mark files • Overwriting versioned blocks • Exponentially increase the versioning interval • Creating lots of bogus files • No perfect solution • Stop writes when disk fills up Selective Versioning in a Secure Disk System

  23. Overview Overview • Motivation • Design • Related Work • Evaluation • Conclusion Application-level Versioning File-system-level Versioning Disk-level Versioning Selective Versioning in a Secure Disk System

  24. Versioning File Systems • Flexible • Allow per-file policies • Are only as secure as the OS • previous versions can be deleted if the OS is compromised • Users can bypass versioning • Ext3cow, VersionFS, Elephant, etc. Selective Versioning in a Secure Disk System

  25. Disk-Level Versioning • Operates at the granularity of blocks • Security is decoupled from the OS • Versions all blocks • Clotho, TRAP, and S4 Selective Versioning in a Secure Disk System

  26. Disk-Level Versioning (contd.) • Self-Securing Storage System (S4) • Object-based disk • Internally audits all requests • Protects data in compromised systems • Combines log structuring with journal-based metadata versioning • Versions all requests for use in intrusion analysis. • No support for operation-based constraints Selective Versioning in a Secure Disk System

  27. Feature Comparison Our Hybrid Solutioncombines strong security of Disk-level versioning system with the flexibility of versioning file systems. Selective Versioning in a Secure Disk System

  28. Overview Overview • Motivation • Design • Issues • Related Work • Evaluation • Conclusion Selective Versioning in a Secure Disk System

  29. Prototype Implementation User Application File System SVSDS Interface SVSDS Pseudo-device Driver Regular Block Interface Block Driver Disk / RAID • Pseudo-device driver in Linux kernel 2.6.15 • 7,487 lines of kernel code • 3,600 from existing TSD prototype Selective Versioning in a Secure Disk System

  30. Evaluation • Test platform • Linux 2.6.15 • 2.8GHz Xeon (single CPU) • 1GB of RAM • 74GB, 10Krpm, Ultra-320 SCSI disk • 95% confidence intervals within 5% of the mean Selective Versioning in a Secure Disk System

  31. Conventions Used in Figures • Ext2: Ext2 on a regular disk • Ext2TSD: Ext2TSD on a TSD • Ext2Ver(M): Ext2TSD on a SVSDS (meta-data versioning) • Ext2Ver(A): Ext2TSD on a SVSDS (all blocks are versioned) Selective Versioning in a Secure Disk System

  32. Postmark Wait Time User Time System Time Elapsed: S.I. System: 4.3x Wait: -20% Elapsed: S.I. System: 4.3x Wait: -19.5% Elapsed: S.I. System: 1.4x Wait: -8.8% Elapsed Time (Seconds) Postmark: IO Intensive Workload Versioning Interval : 30 second Number of versions created : 27 Selective Versioning in a Secure Disk System

  33. Space Overhead Versioning Interval : 30 seconds Number of versions created : 27 Selective Versioning in a Secure Disk System

  34. Kernel Compile Wait Time User Time System Time Elapsed: S.I. System: +4.6% Wait: -5.6% Elapsed: 0.8% System: +10.1% Wait: -0.8% Elapsed: -0.3% System: +3.6% Wait: -24.0% Elapsed Time (Seconds) Kernel compile: Models user behavior Versioning Interval : 30 seconds Number of versions created : 78 Selective Versioning in a Secure Disk System

  35. Space Overhead Versioning Interval : 30 seconds Number of versions created : 78 Selective Versioning in a Secure Disk System

  36. Overview Overview • Motivation • Design • Issues • Related Work • Evaluation • Conclusion Selective Versioning in a Secure Disk System

  37. Conclusion • Hybrid solution • Strong security and flexible versioning • Meta-data versioning • Protects important file system accessibility information • preserves namespace hierarchy • Versioning chosen data items • Enables flexible policies based on data importance • Widens window of recoverability Selective Versioning in a Secure Disk System

  38. Conclusion (Contd.) • Lazy reallocation of blocks • Implicit data versioning • Operation-based constraints • protects log files and executables • Enables easier intrusion detection • Acceptable space and performance overheads Selective Versioning in a Secure Disk System

  39. Questions? Selective Versioning in a Secure Disk System Swaminathan Sundararaman, Gopalan Sivathanu, Erez Zadok Stony Brook University www.fsl.cs.sunysb.edu

More Related