1 / 29

PASIS: P erpetually A vailable and S ecure I nformation S ystems

http://PASIS.ices.cmu.edu/ Pradeep K. Khosla (PI) – pkk@cs.cmu.edu Greg Ganger , Han Kiliccote Jay Wylie , Michael Bigrigg , Xiaofeng Wang, John Strunk, Qi He, Yaron Rachlin, Mehmet Bakkloglu, Joe Ordia, Semih Oguz, Cory Williams, Mark-Eric Uldry, Matthias Wenk

meagan
Télécharger la présentation

PASIS: P erpetually A vailable and S ecure I nformation S ystems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. http://PASIS.ices.cmu.edu/ Pradeep K. Khosla (PI) – pkk@cs.cmu.edu Greg Ganger, Han Kiliccote Jay Wylie, Michael Bigrigg, Xiaofeng Wang,John Strunk, Qi He, Yaron Rachlin, Mehmet Bakkloglu, Joe Ordia, Semih Oguz, Cory Williams, Mark-Eric Uldry, Matthias Wenk David Dolan, Craig Soules, Garth Goodson, Shelby Davis Department of Electrical and Computer Engineering Institute for Complex Engineered Systems Carnegie Mellon University PASIS: Perpetually Available and Secure Information Systems

  2. PASIS Objective Create information storage systems that are • Perpetually Available • Information should always be available even when some system components are down or unavailable • Perpetually Secure • Information integrity and confidentiality should always be enforced even when some system components are compromised • Graceful in degradation • Information access functionality and performance should degrade gracefully as system components fail Assumptions – Some components will fail, some components will be compromised, some components will be inconsistent, BUT………. surviving components allow the information storage system to survive

  3. PASIS Overview • Surviving “server-side” intrusions • decentralization + threshold schemes • provides for availability and security of storage • Surviving “client-side” intrusions • server-side data versioning and request auditing • enables intrusion diagnosis and recovery • Tradeoff management balances availability, security, and performance • maximize performance given other two Survivable storage systems that are usable.

  4. Jay’s Questions • What threats/attacks is PASIS addressing? • compromises of storage nodes • stored data manipulation via malicious “users” • What assumptions are we making? • only a subset of nodes will be compromised • malicious user activity can be detected soon-ish • What policies can PASIS enforce? • Availability should survive up to X “failed” nodes • Confidentiality and integrity should survive up to Y collaborating compromised nodes • Data and audit log changes should be kept for Z weeks

  5. Step #1: Decentralized storage systems

  6. a1x+b1 • Agent 1: a1, b1 v a3x+b3 • Agent 2: a2, b2 a2x+b2 • Agent 3: a3, b3 Step #2: Threshold Schemes • Decimate Information • Divide the informationinto small chunks • Replicate Information • Disperse information • Distribute the data to n agents so that m of them can reconstruct the data but p cannot • p< m  n

  7. Client Apps PASIS Storage Nodes Local PASIS Agent PASIS Agent Architecture System Characteristics User Preferences Tradeoff Management PASIS Storage Nodes Client Applications Dispersal & Decimation Agent Communication

  8. Features of PASIS Architecture • Security • confidentiality: no single storage node can expose data • integrity: no single storage node can modify data • Availability • any M-of-N storage nodes can collectively provide data • Flexibility • range of options in space of trade-offs among availability, security, and performance

  9. PASIS Demonstration • A Notepad-like editor that guarantees availability and security of information • PASIS agent libraries simply linked into editor • Files are decimated and dispersed across the four machines • 2-of-4 scheme with cheater detection, by default • No central authority or point-of-failure • Implementation runs on NT, using Microsoft’s Network Neighborhood to store the shares

  10. PASIS-enhanced Editor

  11. “About” screen for PASIS Editor

  12. PASIS-enhanced Editor

  13. Each share looks like garbage

  14. … but collectively contain info

  15. Tampering with shares detected

  16. … and info still reconstructed

  17. Reads fail if too few survive

  18. … but succeed when revived

  19. Engineering survivable systems • Performance and manageability need to approach that of conventional systems • … to ensure significant acceptance • Approach: exploit threshold scheme flexibility • achieve maximum performance given desired levels of availability and security • requires quantification of the corresponding trade-offs • Approach: exploit ability to use any M shares • send requests to more than M and use quickest responses • send requests to “closest” servers first

  20. Space used as function of filesize

  21. Space used versus security

  22. Encode time versus security

  23. Decode time versus security

  24. Encode time versus filesize

  25. Quality of Storage (Service)Tradeoff Management • Allow users to specify what they want rather than how to do it • System should automatically translate this into settings of PASIS Agent parameters • When can’t deliver all user desires • Give feedback on the implications of user choices based on system characteristics. • Allow user to express the tradeoffs between availability, performance, and security.

  26. Self-Securing Storage Nodes • Goal: protect data from authorized but malicious users • both client-side intruders and insider attacks • How: assume all clients are compromised • keep all versions of all data • audit all requests • Benefits • fast and complete recovery by preventing data destruction and undetectable modifications • enhanced detection and diagnosis of intrusions by providing tamper-proof audit logs

  27. Where we’re at • PASIS Architecture complete • Basic agent implementation in place • flexible dispersal library with several algorithms • flexible communication library • Basic multi-versioning storage node in place • all data versioned • all requests audited • Trade-off quantification in progress • initial measurements and calculations performed

  28. Technology Transfer • Transfer path via CMU Consortia (e.g., PDL) • 15-20 storage and networking companies • EMC, HP, IBM, Intel, 3Com, Veritas, Sun, Seagate, Quantum, Infineon, CLARiiON, Novell, LSI Logic, Hitachi, MTI, PANASAS, Procom • 20+ embedded system & infrastructure companies • Raytheon, Boeing, United Technologies, Hughes, Bosch, AT&T, Adtranz, Emerson Electric, Ford, HP, Intel, Motorola, NIIIP Consortium

  29. PASIS: Summary • Decentralization + threshold schemes • provides for availability and security of storage • Tradeoff management balances availability, security, and performance • maximize performance given other two • Data versioning to survive malicious users • enables intrusion diagnosis and recovery Survivable storage systems that are usable.

More Related