
PASIS: Perpetually Available and Secure Information Systems

http://www.ices.cmu.edu/pasis/ Greg Ganger, Pradeep Khosla, Chenxi Wang, Mehmet Bakkaloglu, Michael Bigrigg, Garth Goodson, Semih Oguz, Vijay Pandurangan, John Strunk, Ken Tew, Ted Wong, Jay Wylie


Presentation Transcript


  1. PASIS: Perpetually Available and Secure Information Systems
     http://www.ices.cmu.edu/pasis/
     Greg Ganger, Pradeep Khosla, Chenxi Wang, Mehmet Bakkaloglu, Michael Bigrigg, Garth Goodson, Semih Oguz, Vijay Pandurangan, John Strunk, Ken Tew, Ted Wong, Jay Wylie
     Carnegie Mellon University

  2. Newest personnel

  3. PASIS Objective
     Create information storage systems that are
     • Perpetually Available
       • Information should always be available even when some system components are down or unavailable
     • Perpetually Secure
       • Information integrity and confidentiality should always be enforced even when some system components are compromised
     • Graceful in degradation
       • Information access functionality and performance should degrade gracefully as system components fail
     Assumptions: some components will fail, some components will be compromised, some components will be inconsistent, BUT… surviving components allow the information storage system to survive

  4. Survivable Storage Systems
     • Surviving “server-side” intrusions
       • decentralization + data distribution schemes
       • provides for availability and security of storage
     • Tradeoff management balances availability, security, and performance
       • maximize performance given other two
     • Surviving “client-side” intrusions
       • server-side data versioning and request auditing
       • enables intrusion diagnosis and recovery

  5. Step #1: Decentralized storage systems

  6. Step #2: Data distribution schemes
     • Scheme = Algorithm + <Parameters>
       • E.g., 3-fold replication = replication + <n = 3>
     • 1000s of possible choices
       • Many different algorithms
         • Cryptographic
         • Threshold (n shares, any t to reconstruct)
         • Hybrids and combinations
       • Many reasonable parameters

  7. PASIS Agent Architecture (diagram)
     Client Applications → Local PASIS Agent → PASIS Storage Nodes
     Agent components: Tradeoff Management (inputs: System Characteristics, User Preferences), Encode & Decode, Multi-read/write, Communication

  8. Features of PASIS Architecture
     • Security
       • confidentiality: no single storage node can expose data
       • integrity: no single storage node can modify data
     • Availability
       • any M-of-N storage nodes can collectively provide data
     • Flexibility
       • range of options in space of trade-offs among availability, security, and performance

  9. Recent PASIS Demo
     • PASIS-enhanced NFS
       • NFS agent running on client machine
       • PASIS I/O libraries linked into NFS agent
     • Files are encoded and distributed across the four machines
       • 2-of-4 scheme with integrity checking, by default
       • no central authority or point of failure
     • Implementation runs on Linux, using NFSv3 servers to store the shares
     • PASIS functionality is transparent to applications
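Slides 6, 8 and 9 describe a threshold data distribution scheme (n shares, any t reconstruct) combined with integrity checking, as in the 2-of-4 demo. The block below is an added illustration written for this transcript, not PASIS code: Shamir secret sharing over a prime field, with a SHA-256 digest of the data carried on every share so that a share altered by one storage node is detected and a different subset of shares is used instead. The 64-byte secret limit, the digest choice and the majority-vote check on the digest are assumptions of this example, not details taken from the deck.

```python
import hashlib
import secrets
from itertools import combinations

# Prime field for Shamir's scheme: 2**521 - 1 is a Mersenne prime, so any
# secret of at most 64 bytes is a single field element. Chunking longer
# data into several elements is left out of this example (assumption).
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial with coefficients in GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(data, t, n):
    """t-of-n threshold split. Share = (index, field value, length, digest).

    The constant term of a random degree t-1 polynomial is the secret, so
    any t-1 shares reveal nothing about it (confidentiality). Each share
    also carries SHA-256 of the plaintext for the integrity check on read.
    """
    if not 1 <= t <= n or len(data) > 64:
        raise ValueError("need 1 <= t <= n and at most 64 bytes of data")
    secret = int.from_bytes(data, "big")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    digest = hashlib.sha256(data).digest()
    return [(x, _eval_poly(coeffs, x), len(data), digest) for x in range(1, n + 1)]


def _interpolate_at_zero(points):
    """Lagrange interpolation of the constant term from t (x, y) pairs."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


class IntegrityError(Exception):
    """Raised when reconstructed data does not match the agreed digest."""


def reconstruct(subset, expected_digest):
    """Combine exactly t shares and verify the result against the digest."""
    length = subset[0][2]
    secret = _interpolate_at_zero([(x, y) for x, y, _, _ in subset])
    data = secret.to_bytes(length, "big")  # OverflowError if a share was mangled
    if hashlib.sha256(data).digest() != expected_digest:
        raise IntegrityError("reconstructed data does not match digest")
    return data


def recover(shares, t):
    """Recover data from any t of the retrieved shares (availability).

    The expected digest is the majority value across all retrieved shares,
    so one node cannot both corrupt its share and forge the check value.
    Subsets are tried until one verifies: a single corrupted share is
    tolerated as long as t good shares remain (graceful degradation).
    """
    if len(shares) < t:
        raise ValueError(f"need at least {t} shares, got {len(shares)}")
    digests = [s[3] for s in shares]
    expected = max(set(digests), key=digests.count)
    for subset in combinations(shares, t):
        try:
            return reconstruct(list(subset), expected)
        except (IntegrityError, OverflowError):
            continue
    raise IntegrityError("no combination of shares verified")


if __name__ == "__main__":
    record = b"payroll record 42"          # constructed sample data
    parts = split(record, 2, 4)            # the demo's 2-of-4 scheme
    print(recover([parts[0], parts[3]], 2) == record)
```

With four nodes and t = 2, any two honest nodes suffice to read, one node alone learns nothing from its share, and a node that returns a modified share is caught by the digest check rather than silently corrupting the file.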

  10. Technology Transfer
     • Transfer path via CMU Consortia (e.g., PDL)
       • 10-15 storage and networking companies
         • EMC, HP, IBM, Intel, Veritas, Sun, Seagate, Hitachi, Panasas, Network Appliance, Microsoft, Sony
       • 10-15 embedded system & infrastructure companies
         • Raytheon, Boeing, United Technologies, Hughes, Bosch, AT&T, Adtranz, Emerson Electric, Ford, HP, Intel, Motorola, NIIIP Consortium
     • Joint Battlespace Infosphere (JBI)
       • working with AFRL researchers to understand how PASIS technologies might fit into JBI infrastructures

  11. Major continuing threads
     • Reasoning about trade-offs
       • towards engineering of survivable storage
     • Device-embedded security functionality
       • surviving insiders & intrusions into client systems
     • Self-repair over time
       • proactive and reactive; fully decentralized

  12. Trade-off management challenges
     • Reasoning about security and availability
       • specifically, need to translate settings into configuration rules and limitations
       • e.g., T > 0.7*N, (N-T) > 2, T shares cannot be on same OS
     • Finding best performing configuration
       • within the limitations imposed by first step and given the expected workload and system components
       • configuration includes choices of data distribution scheme, values for T and N and P, degree of over-requesting, server selection algorithm, etc.
       • 2-step approach: predict performance of any possible configuration and then search for optimal choice

  13. Scheme Selection Surface (figure: trade-off space)

  14. Quantifying the axes
     • Performance (MB/s)
       • based on (relatively) simple performance model
       • computed with standard performance eval. techniques
     • Availability (“nines”)
       • standard fault tolerance math and new correlation model
       • relative values are useful even if not independent
     • Security (Effort to defeat)
       • estimate effort involved with possible attack paths
       • overall effort is minimum of possible efforts
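Slides 12 and 14 describe two of the steps in trade-off management: filtering candidate T-of-N configurations through rules such as T > 0.7*N, (N-T) > 2 and "T shares cannot be on same OS", and quantifying availability in "nines" with standard fault tolerance math. The following is an added example for this transcript, not the PASIS tool chain: it applies those example rules to a candidate configuration and uses the binomial tail to compute both the availability (enough nodes up) and, with the same tail, the probability that enough nodes are compromised to reconstruct the data. Independent node failures and compromises, the per-node probabilities, and the reading of the OS rule as "no single OS hosts T or more shares" are assumptions for illustration; the deck's correlation model and performance model are not reproduced.

```python
from collections import Counter
from math import comb, inf, log10


def satisfies_rules(n, t, node_os):
    """Check a T-of-N configuration against the example rules from slide 12.

    node_os: OS label for each of the n storage nodes. "T shares cannot be
    on same OS" is read here as: no single OS hosts t or more shares, so a
    compromise of one OS family cannot yield a reconstructing set
    (our interpretation of the slide's wording, stated as an assumption).
    """
    if len(node_os) != n:
        raise ValueError("one OS label per storage node is required")
    fraction_ok = 10 * t > 7 * n          # T > 0.7*N, compared in integers
    slack_ok = (n - t) > 2                # survive the loss of at least three nodes
    os_ok = max(Counter(node_os).values()) < t
    return fraction_ok and slack_ok and os_ok


def at_least(n, t, prob):
    """P(at least t of n independent events), each with probability prob."""
    return sum(comb(n, k) * prob**k * (1 - prob) ** (n - k) for k in range(t, n + 1))


def availability(n, t, p):
    """Data is readable while any t of n nodes are up (per-node availability p)."""
    return at_least(n, t, p)


def confidentiality_breach(n, t, q):
    """Data is exposed once t nodes are compromised (per-node probability q,
    assumed independent); the threshold that preserves availability is the
    same threshold an attacker must reach."""
    return at_least(n, t, q)


def nines(prob):
    """Express a probability as 'nines' of availability: 0.999 -> 3.0."""
    return inf if prob >= 1.0 else -log10(1 - prob)


def sweep(n, p, q, node_os):
    """Tabulate the trade-off over T for fixed N.

    Each row is (t, admissible under the rules, availability nines,
    breach probability). Raising t lowers exposure but also availability,
    which is the tension the scheme selection surface is built to manage.
    """
    return [
        (t,
         satisfies_rules(n, t, node_os),
         round(nines(availability(n, t, p)), 2),
         confidentiality_breach(n, t, q))
        for t in range(1, n + 1)
    ]


if __name__ == "__main__":
    # constructed sample: 20 nodes spread over three OS families
    fleet = ["linux"] * 7 + ["bsd"] * 7 + ["solaris"] * 6
    for row in sweep(20, p=0.99, q=0.01, node_os=fleet):
        print(row)
```

The per-node figures (p for uptime, q for compromise) are inputs an operator would estimate for their own fleet; the functions only show how a configuration's two axes move in opposite directions as T changes and which configurations the example rules admit at all.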

  15. Scheme selection surface (figure; regions labelled Secret Sharing, Ramp, Replication, Replication + Encryption, Information Dispersal, Short secret sharing, Splitting)
     Generation of scheme selection surface
     • Quantify performance, security, and availability of each algorithm+parameters
     • Select best performing scheme for each region

  16. Scheme Selection Surface (figure: trade-off space)

  17. Selection surface sensitivity
     • Scheme selections are largely insensitive to small perturbations of configuration parameters
     • Scheme selection surface is different for truly different configurations

  18. Extreme read workload (figure; panels: 50% Read Workload, 99% Read Workload)

  19. Self-Securing Storage Nodes
     • Goal: survive authorized but malicious users
       • both client-side intruders and insider attacks
     • How: assume all clients might be compromised
       • keep all versions of all data
       • audit all requests
       • watch storage requests and trigger alarms
     • Benefits
       • storage-based intrusion detection
       • informed analysis of security compromises
       • faster, better recovery
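Slide 19 lists the three mechanisms of a self-securing storage node: keep every version, audit every request, and watch requests to raise alarms. The block below is an added example for this transcript, not PASIS code, showing the three working together in one in-memory node: writes and deletes append versions instead of replacing them, every request is logged, and a simple rule fires when one client overwrites many distinct objects in a short window. The burst rule, its thresholds and the sample client names are constructed for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Version:
    ts: float               # time the request arrived at the storage node
    client: str             # authenticated requester (trusted only for audit)
    data: Optional[bytes]   # None records a delete; earlier content survives


class SelfSecuringStore:
    """Storage node that never discards history and audits every request.

    Alarm rule (constructed for this example, not from the slides): one
    client overwriting or deleting more than `burst_limit` distinct objects
    within `window` seconds.
    """

    def __init__(self, burst_limit=5, window=60.0):
        self.burst_limit = burst_limit
        self.window = window
        self._versions = defaultdict(list)   # key -> versions, oldest first
        self.audit = []                      # (ts, client, op, key), all requests
        self.alarms = []                     # (ts, client, reason)
        self._recent = defaultdict(deque)    # client -> recent (ts, key) overwrites

    def write(self, client, key, data, ts):
        self.audit.append((ts, client, "write", key))
        overwrite = bool(self._versions[key])
        self._versions[key].append(Version(ts, client, data))
        if overwrite:
            self._note_overwrite(client, key, ts)

    def delete(self, client, key, ts):
        # A delete is just another version; nothing is physically removed.
        self.audit.append((ts, client, "delete", key))
        self._versions[key].append(Version(ts, client, None))
        self._note_overwrite(client, key, ts)

    def read(self, client, key, ts, at=None):
        """Latest content, or the content as of time `at` for recovery."""
        self.audit.append((ts, client, "read", key))
        return self.version_at(key, ts if at is None else at)

    def version_at(self, key, at):
        """Content of `key` as seen at time `at` (None if absent or deleted)."""
        current = None
        for v in self._versions.get(key, []):
            if v.ts <= at:
                current = v.data
        return current

    def history(self, key):
        return list(self._versions.get(key, []))

    def _note_overwrite(self, client, key, ts):
        recent = self._recent[client]
        recent.append((ts, key))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()
        touched = {k for _, k in recent}
        if len(touched) > self.burst_limit:
            self.alarms.append(
                (ts, client, f"{len(touched)} objects overwritten within {self.window}s"))


if __name__ == "__main__":
    node = SelfSecuringStore(burst_limit=3)
    for i in range(5):                              # constructed activity
        node.write("alice", f"doc{i}", f"v1-{i}".encode(), ts=100.0 + i)
    for i in range(5):
        node.write("mallory", f"doc{i}", b"defaced", ts=200.0 + i)
    print(node.alarms)
    print(node.read("auditor", "doc0", ts=300.0, at=150.0))  # pre-incident content
```

Because the node, not the client, decides what is kept, a compromised client that rewrites files only adds versions; the audit trail names the requester and the time, and `version_at` returns the pre-incident content for recovery.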

  20. Motivation (figure: Better Defensive Structure)

  21. PASIS: Summary
     • Decentralization + data distribution schemes
       • provides for availability and security of storage
     • Tradeoff management balances availability, security, and performance
       • … and it is good engineering practice!
     • Data versioning to survive malicious users
       • enables intrusion diagnosis and recovery

  22. PASIS: Perpetually Available and Secure Information Systems
     http://www.ices.cmu.edu/pasis/
     Greg Ganger, Pradeep Khosla, Chenxi Wang, Mehmet Bakkaloglu, Michael Bigrigg, Garth Goodson, Semih Oguz, Vijay Pandurangan, John Strunk, Ken Tew, Ted Wong, Jay Wylie
     Carnegie Mellon University
