
Asynchronous intrusion recovery for interconnected web services

Ramesh Chandra, Taesoo Kim, Nickolai Zeldovich (MIT CSAIL)


  1. Asynchronous intrusion recovery for interconnected web services Ramesh Chandra, Taesoo Kim, Nickolai Zeldovich MIT CSAIL

  2. Today's web services are highly interconnected ● Many web services provide APIs to other sites ● Many websites integrate those APIs: — Authentication: Facebook Connect, Google+ ... — Data sharing: Dropbox ... — Business process management: Salesforce … — ...

  3. Example: online shopping mall ... Customer Relationship Management (CRM)

  4. Example: online shopping mall Adobe Echo Sign (E-Signature Service) ... Financial Force (Accounting Service) CRM Bill.ON (Invoices and Billing Service)

  5. Example: online shopping mall Facebook Twitter Adobe Echo Sign (E-Signature Service) Allow Facebook users to buy our products without registration ... Financial Force (Accounting Service) CRM Bill.ON (Invoices and Billing Service)

  6. Example: online shopping mall Facebook Twitter Adobe Echo Sign (E-Signature Service) Allow Facebook users to buy our products without registration ... Address in Facebook Financial Force (Accounting Service) CRM Bill.ON (Invoices and Billing Service)

  7. Attack in one service can spread between services Facebook Twitter Adobe Echo Sign (E-Signature Service) Ship purchased products to ... ... Address modified by Attacker Financial Force (Accounting Service) CRM Bill.ON (Invoices and Billing Service)

  8. Bugs in web services are commonplace ● Facebook (Mar 29th 2013): — Attackers can intercept full permission access tokens

  9. Bugs in web services are commonplace ● Facebook (Mar 29th 2013): — Attackers can intercept full permission access tokens ● Many web services have similar bugs — Twitter (Aug 20th 2013) — Instagram (May 2nd 2013) — Microsoft Yammer (Aug 4th 2013)

  10. Goal ● Recovering integrity in interconnected services — Repair the state of affected services as if the attack never occurred ● State-of-the-art: manual recovery — Admin doesn't trust other sites for recovery — Requires manual interaction (e.g., email other admin)

  11. General plan for automatic recovery ● Use rollback-and-replay for recovering integrity on a single machine — Prior work: Retro [OSDI '10], Warp [SOSP '11] ● Extend rollback-and-replay to many web services!

  12. Challenges ● Rollback-and-replay requires global coordinator — Each service cannot decide what to do for repair ● All services must be available during recovery — We want to repair some services even if others are down — Consistency problem: some services are not repaired yet

  13. Contributions Enable automatic intrusion recovery in distributed web services 1. Repair protocol between services • No central coordinator • Each service controls its repair 2. Asynchronous repair • Proceed with repair even when some services are unavailable • Consistency in a partially repaired state

  14. Running example of an attack Facebook Twitter Adobe Echo Sign (E-Signature Service) Ship purchased products to ... ... Address modified by Attacker Financial Force (Accounting Service) CRM Bill.ON (Invoices and Billing Service)

  15. Running example of an attack Facebook ... CRM Bill.ON (Invoices and Billing Service)

  16. Running example of an attack Attacker Facebook ... Victim CRM http://bit.ly/1xoTn Bill.ON (Invoices and Billing Service)

  17. Running example of an attack Attacker Facebook ... Victim CRM http://bit.ly/1xoTn Bill.ON (Invoices and Billing Service)

  18. Running example of an attack Attacker Facebook ... Victim CRM http://bit.ly/1xoTn Bill.ON (Invoices and Billing Service)

  19. Running example of an attack Attacker Modify address Facebook ... Victim CRM http://bit.ly/1xoTn Bill.ON (Invoices and Billing Service)

  20. Running example of an attack Attacker Modify address Facebook ... Victim Address modified by Attacker CRM http://bit.ly/1xoTn Bill.ON (Invoices and Billing Service)

  21. Timeline of the attack Attacker Victim Facebook Shopping Mall Bill.ON

  22. Timeline of the attack Attacker Victim Facebook Shopping Mall Bill.ON Time

  23. Timeline of the attack Attacker Victim Facebook Shopping Mall Bill.ON Time

  24. Timeline of the attack Attacker Victim Facebook Shopping Mall Bill.ON Time

  25. Goal: attack did not take place Attacker Victim Facebook Shopping Mall Bill.ON Time

  26. Goal: attack did not take place Attacker Victim Facebook Shopping Mall Bill.ON Time

  27. Overview of system execution ● Normal execution: — Record enough information for rollback-and-replay ● Repair: — Identify an attack to initiate repair — Repair local state: rollback and replay recorded requests — Propagate repair whenever local repair affects others

  28. Overview of system execution ● Normal execution: — Record enough information for rollback-and-replay ● Repair: — Identify an attack to initiate repair — Repair local state: rollback and replay recorded requests — Propagate repair whenever local repair affects others

  29. Strawman: repair with global coordinator using rollback-and-replay Attacker Victim Facebook Identify an attack for repair Shopping Mall Bill.ON Time

  30. Strawman: repair with global coordinator using rollback-and-replay Attacker Victim Facebook Rollback state before the attack occurred Shopping Mall Bill.ON Time

  31. Strawman: repair with global coordinator using rollback-and-replay Attacker Victim Facebook Rollback state before the attack occurred Shopping Mall Bill.ON Error Time

  32. Strawman: repair with global coordinator using rollback-and-replay Attacker Victim Facebook Rollback state before the attack occurred Shopping Mall Bill.ON Error Error Time

  33. Strawman: repair with global coordinator using rollback-and-replay Attacker Victim Facebook Rollback state before the attack occurred Shopping Mall Bill.ON Error Error Original address Time

  34. Strawman: repair with global coordinator using rollback-and-replay Attacker Victim Facebook Rollback state before the attack occurred Shopping Mall Bill.ON Error Error Original address Time

  35. Strawman: repair with global coordinator using rollback-and-replay Attacker Victim Facebook Remove access token Restore victim's address Shopping Mall Bill.ON Error Error Time

  36. Problems in Strawman design ● P1. All services must be available → Support asynchronous repair with speculation ● P2. Require global coordinator → Define repair APIs between services

  37. Problems in Strawman design ● P1. All services must be available → Support asynchronous repair with speculation ● P2. Require global coordinator → Define repair APIs between services

  38. Challenge: cooperating with unavailable web services Attacker Victim Facebook Unavailable Offline Shopping Mall Bill.ON Error Error Error Error Time Wait for other services to come up?

  39. Solution: asynchronous repair ● Asynchronously deliver repair requests ● Speculatively proceed with local repair using past responses (or timeout responses) ● Expose repaired state after local repair ● Intuition: why does asynchronous repair work? — Many web services are designed for independent operation and are prepared to handle others' failures

  40. Example: asynchronous repair Attacker Victim Facebook Repair queues Shopping Mall Bill.ON Error Error Error Error Time

  41. Example: asynchronous repair Attacker Victim Facebook Repair queues Shopping Mall Bill.ON Error Error Error Error Speculatively proceed with past request Asynchronously deliver new response Time

  42. Example: asynchronous repair Attacker Victim Facebook Repair queues Shopping Mall Bill.ON Error Error Error Error Speculatively proceed with past request Asynchronously deliver new response Time

  43. Example: asynchronous repair Attacker Victim Facebook Repair queues Shopping Mall Bill.ON Error Error Error Error Speculatively proceed with past request Asynchronously deliver new response Time

  44. Example: exposing state after local repair Attacker Victim Facebook Shopping Mall Bill.ON ... Another web service Time Two services are still repairing

  45. What if speculation fails? ● If a service responds differently, — Restart local repair with the new response — In fact, it is no different from initiating a new repair ● Asynchronous repair will converge to the correctly repaired state at the end

  46. Example: speculation failure Facebook Shopping Mall Message: Mall Ready for shipping to: ok

  47. Example: speculation failure Facebook Shopping Mall Message: Mall Ready for shipping to: Following request depends on previous request ok

  48. Example: speculation failure Facebook Shopping Mall Message: Mall Ready for shipping to: ok

  49. Example: speculation failure Facebook Shopping Mall Message: Mall Ready for shipping to: Message: Mall Ready for shipping to: ok Respond with different result

  50. Example: speculation failure Facebook Shopping Mall Message: Mall Ready for shipping to: ok

  51. Example: speculation failure Facebook Shopping Mall Message: Mall Ready for shipping to: ok
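
Slides 39 and 45 describe speculative local repair with past responses and a restart when the remote service later answers differently; the sketch below is an added example, not code from the presentation or the authors' system. The `Remote` and `Mall` classes, their methods and the address strings are constructed for illustration.

```python
from collections import deque

class Remote:  # stand-in for Facebook (hypothetical API); may be offline
    def __init__(self, address):
        self.address, self.online = address, True
    def get_address(self, user):
        if not self.online:
            raise ConnectionError("service unavailable")
        return self.address

class Mall:  # stand-in for the shopping mall: records requests, repairs by replay
    def __init__(self, remote):
        self.remote = remote
        self.log, self.shipments = [], {}  # recorded requests; order id -> address
        self.repair_queue = deque()        # remote calls awaiting delivery
    def order(self, oid, user):
        addr = self.remote.get_address(user)
        self.log.append({"oid": oid, "user": user, "resp": addr})
        self.shipments[oid] = addr
    def repair(self):
        self.shipments, self.repair_queue = {}, deque()  # roll back local state
        for rec in self.log:                              # replay recorded requests
            try:
                rec["resp"] = self.remote.get_address(rec["user"])
            except ConnectionError:
                # Speculate with the past response; ask the remote again later.
                self.repair_queue.append(rec)
            self.shipments[rec["oid"]] = rec["resp"]
    def deliver_queued(self):  # True means speculation failed and repair reran
        failed = False
        while self.repair_queue and self.remote.online:
            rec = self.repair_queue.popleft()
            new = self.remote.get_address(rec["user"])
            if new != rec["resp"]:
                rec["resp"], failed = new, True
        if failed:
            self.repair()  # restart local repair with the new response
        return failed

def scenario():
    fb = Remote("attacker address")  # constructed data: address already modified
    mall = Mall(fb)
    mall.order(1, "victim")
    fb.address, fb.online = "victim address", False  # Facebook repaired, then down
    mall.repair()
    speculative, pending = dict(mall.shipments), len(mall.repair_queue)
    fb.online = True
    failed = mall.deliver_queued()
    return speculative, pending, failed, dict(mall.shipments)
```

While the remote is down, the mall exposes the speculative state (still the attacker's address) with one call pending; once the queued call is delivered and the answer differs, local repair reruns and the shipment converges to the victim's address.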
