efficient data structures for tamper evident logging
play

Efficient Data Structures for Tamper-Evident Logging Scott A. - PowerPoint PPT Presentation

Aug 24, 2023 •490 likes •1.32k views

Efficient Data Structures for Tamper-Evident Logging Scott A. Crosby Dan S. Wallach Rice University Everyone has logs Tamper evident solutions Current commercial solutions Write only hardware appliances Security depends on

  1. Efficient Data Structures for Tamper-Evident Logging Scott A. Crosby Dan S. Wallach Rice University

  2. Everyone has logs

  3. Tamper evident solutions • Current commercial solutions – ‘Write only’ hardware appliances – Security depends on correct operation • Would like cryptographic techniques – Logger proves correct behavior – Existing approaches too slow

  4. Our solution • History tree – Logarithmic for all operations – Benchmarks at >1,750 events/sec – Benchmarks at >8,000 audits/sec • In addition – Propose new threat model – Demonstrate the importance of auditing

  5. Threat model • Forward integrity – Events prior to Byzantine failure are tamper-evident • Don’t know when logger becomes evil – Clients are trusted • Strong insider attacks – Malicious administrator • Evil logger – Clients may be mostly evil • Only trusted during insertion protocol

  6. Limitations and Assumptions • Limitations – Detect misbehaviour, not prevent it – Cannot prevent ‘junk’ from being logged • Assumptions – Privacy is outside our scope • Data may encrypted – Crypto is secure

  7. System design Client • Logger – Stores events Client Logger – Never trusted Client • Clients Auditor – Little storage Auditor – Create events to be logged – Trusted only at time of event creation – Sends commitments to auditors • Auditors – Verify correct operation – Little storage – Trusted, at least one is honest

  8. This talk • Discuss the necessity of auditing • Describe the history tree • Evaluation • Scaling the log

  9. Tamper evident log • Events come in • Commitments go out – Each commits to the entire past X n-3 C n-3 C n-2 Logger X n-2 C n-1 X n-1

  10. Hash chain log • Existing approach [Kelsey,Schneier] – C n =H(C n-1 || X n ) – Logger signs C n C n-3 X n-5 X n-4 X n-3

  11. Hash chain log • Existing approach [Kelsey,Schneier] – C n =H(C n-1 || X n ) – Logger signs C n C n-2 X n-5 X n-4 X n-3 X n-2

  12. Hash chain log • Existing approach [Kelsey,Schneier] – C n =H(C n-1 || X n ) – Logger signs C n C n-1 X n-5 X n-4 X n-3 X n-2 X n-1

  13. Problem • We don’t trust the logger! X n-4 X n-3 X n-2 X n-1 X n C n Logger returns a stream of commitments C n Each corresponds to a log C n-2 C n-1

  14. Problem • We don’t trust the logger! X n-4 X n-3 X n-2 X n-1 X n C n Does really contain the just inserted X n ? C n Do and really commit the same historical events? C n-2 C n-1 Is the event at index i in log really X i ? C n

  15. Problem • We don’t trust the logger! – Logger signs stream of log heads – Each corresponds to some log Does really contain the just inserted X n-3 ? C n-3 Do and really commit the same historical events? C n-2 C n-1 Is the event at index i in log really X i ? C n

  16. Solution: Audit the logger • Only way to detect tampering – Check the returned commitments  • For consistency C n-2 C n-1 X n-3  • For correct event lookup C n-3 • Previously – Auditing = looking historical events • Assumed to infrequent • Performance was ignored

  17. Solution • Auditors check the returned commitments  – For consistency C n-2 C n-1 X n-3  – For correct event lookup C n-3 • Previously – Auditing = looking historical events • Assumed to infrequent • Performance was ignored

  18. Auditing is a frequent operation • If the logger knows this commitment will not be audited for consistency with a later commitment. C’ n-1 X’ n-3 X n-2 X n-1 C n-3 X n-6 X n-5 X n-4 X n-3

  19. Auditing is a frequent operation • Successfully tampered with a ‘tamper evident’ log • Auditing required in forward integrity threat model C’ n-1 X’ n-3 X n-2 X n-1 C n-3 X n-6 X n-5 X n-4 X n-3

  20. Auditing is a frequent operation • Every commitment must have a non-zero probability of being audited C’ n-1 X’ n-3 X n-2 X n-1 C n-3 X n-6 X n-5 X n-4 X n-3

  21. Forking the log • Rolls back the log and adds on different events – Attack requires two commitments on different forks disagree on the contents of one event. – If system has historical integrity, audits must fail or be skipped C’ n-1 X n-5 X’ n-4 X n-3 X n-2 X n-1 C n-3 X n-6 X n-5 X n-4 X n-3

  22. New paradigm • Auditing cannot be avoided • Audits should occur – On every event insertion – Between commitments returned by logger • How to make inserts and audits cheap – CPU – Communications complexity – Storage

  23. Two kinds of audits X i  • Membership auditing C n – Verify proper insertion – Lookup historical events • Incremental auditing  C i C n – Prove consistency between two commitments

  24. Membership auditing a hash chain X n-5  • Is ? C n-3 C n-3

  25. Membership auditing a hash chain X n-5  • Is ? C n-3 P X’ n-6 X’ n-5 X’ n-4 X’ n-3 C n-3 X n-5 X n-4 X n-3

  26. Membership auditing a hash chain X n-5  • Is ? C n-3 X’ n-6 X’ n-5 X’ n-4 X’ n-3 C n-3 X n-5 X n-4 X n-3

  27. Incremental auditing a hash chain  • Are ? C’’ n-5 C’ n-1

  28. Incremental auditing a hash chain P X n-6 X n-5 X n-4 X n-3 X n-2 X n-1 C’ n-1 X’ n-6 X’ n-5 X’ n-4 X’ n-3 X’ n-2 X’ n-1 X’’ n-6 X’’ n-5 C’’ n-5

  29. Incremental auditing a hash chain P C n-5 X n-6 X n-5 X n-4 X n-3 X n-2 X n-1 C’ n-1 X’ n-6 X’ n-5 X’ n-4 X’ n-3 X’ n-2 X’ n-1 X’’ n-6 X’’ n-5 C’’ n-5

  30. Incremental auditing a hash chain P C n-1 X n-6 X n-5 X n-4 X n-3 X n-2 X n-1 C’ n-1 X’ n-6 X’ n-5 X’ n-4 X’ n-3 X’ n-2 X’ n-1 X’’ n-6 X’’ n-5 C’’ n-5

  31. Incremental auditing a hash chain P C n-5 C n-1 X n-6 X n-5 X n-4 X n-3 X n-2 X n-1 C’ n-1 X’ n-6 X’ n-5 X’ n-4 X’ n-3 X’ n-2 X’ n-1 X’’ n-6 X’’ n-5 C’’ n-5

  32. Existing tamper evident log designs • Hash chain – Auditing is linear time – Historical lookups • Very inefficient • Skiplist history [Maniatis,Baker] – Auditing is still linear time – O(log n) historical lookups

  33. Our solution • History tree – O(log n) instead of O(n) for all operations – Variety of useful features • Write-once append-only storage format • Predicate queries + safe deletion • May probabilistically detect tampering – Auditing random subset of events – Not beneficial for skip-lists or hash chains

  34. History Tree • Merkle binary tree – Events stored on leaves – Logarithmic path length • Random access – Permits reconstruction of past version and past commitments

  35. History Tree C 2 X 1 X 2

  36. History Tree C 3 X 1 X 2 X 3

  37. History Tree C 4 X 1 X 2 X 3 X 4

  38. History Tree C 5 X 1 X 2 X 3 X 4 X 5

  39. History Tree C 6 X 1 X 2 X 3 X 4 X 5 X 6

  40. History Tree C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7

  41. History Tree X 1 X 2 X 3 X 4 X 5 X 6 X 7

  42. Incremental auditing

  43. Auditor C 3 C 3 X 1 X 2 X 3

  44. C 3 Auditor C 4 X 1 X 2 X 3 X 4

  45. C 3 Auditor C 5 X 1 X 2 X 3 X 4 X 5

  46. C 3 Auditor C 6 X 1 X 2 X 3 X 4 X 5 X 6

  47. C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7

  48. Incremental proof  C 3 C 7 C 3 C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7

  49. Incremental proof  C 3 C 7 C 3 C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7 • P is consistent with C 7 • P is consistent with C 3 • Therefore and are consistent. C 7 C 3

  50. Incremental proof  C 3 C 7 C 3 C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7 • P is consistent with C 7 • P is consistent with C 3 • Therefore and are consistent. C 7 C 3

  51. Incremental proof  C 3 C 7 C 3 C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7 • P is consistent with C 7 • P is consistent with C 3 • Therefore and are consistent. C 7 C 3

  52. Incremental proof  C 3 C 7 C 3 C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7 • P is consistent with C 7 • P is consistent with C 3 • Therefore and are consistent. C 7 C 3

  53. Pruned subtrees C 3 C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7 • Although not sent to auditor – Fixed by hashes above them – , fix the same (unknown) events C 3 C 7

  54. Membership proof that  X 3 C’’ 7 C’’ 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7 • Verify that has the same contents as P C’’ 7 • Read out event X 3

  55. Merkle aggregation

  56. Merkle aggregation • Annotate events with attributes $1 $8 $3 $2 $5 $2 $2

  57. Aggregate them up the tree • Max() $8 $5 $8 $8 $3 $5 $4 $1 $8 $3 $2 $5 $2 $4 Included in hashes and checked during audits

  58. Querying the tree • Max() $8 $5 $8 $8 $3 $5 $4 $1 $8 $3 $2 $5 $2 $4 Find all transactions over $6

  59. Safe deletion • Max() $8 $5 $8 $8 $3 $5 $4 $1 $8 $3 $3 $3 $3 $2 $2 $2 $5 $2 $4 Authorized to delete all transactions under $4

  60. Merkle aggregation is flexible • Many ways to map events to attributes – Arbitrary computable function • Many attributes – Timestamps, dollar values, flags, tags • Many aggregation strategies +, *, min(), max(), ranges, and/or, Bloom filters

Recommend

AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing G. Edward Suh, Dwaine

AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing G. Edward Suh, Dwaine

AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, Srinivas Devadas Massachusetts Institute of Technology L C S Cases for Physical Security Applications

519 views • 23 slides
TAMPER EVIDENT BYPASSES BY MOS AND BOO THE PACKAGING COUNCIL OF AUSTRALIA Packaging which

TAMPER EVIDENT BYPASSES BY MOS AND BOO THE PACKAGING COUNCIL OF AUSTRALIA Packaging which

TAMPER EVIDENT BYPASSES BY MOS AND BOO THE PACKAGING COUNCIL OF AUSTRALIA Packaging which possesses a barrier to entry which, if breached or missing, will provide visible evidence to consumers that tampering had occurred MESOPOTAMIAN

516 views • 30 slides
New Insights to Key Derivation for Tamper-Evident Physical Unclonable Functions (PUFs) Vincent

New Insights to Key Derivation for Tamper-Evident Physical Unclonable Functions (PUFs) Vincent

New Insights to Key Derivation for Tamper-Evident Physical Unclonable Functions (PUFs) Vincent Immler, Karthik Uppund Conference on Cryptographic Hardware and Embedded Systems, Atlanta, Aug 26, 2019 PUF in a Nutshell: Biometrics of Objects PUF

403 views • 21 slides
VoteBox: a verifiable, tamper-evident electronic voting system

VoteBox: a verifiable, tamper-evident electronic voting system

VoteBox: a verifiable, tamper-evident electronic voting system Daniel R. Sandler Rice University

1.38k views • 86 slides
MA Final Talk: Tamper-Evident Publication of Internet Measurements Max Helm Advisors: Oliver

MA Final Talk: Tamper-Evident Publication of Internet Measurements Max Helm Advisors: Oliver

Chair of Network Architectures and Services Department of Informatics Technical University of Munich MA Final Talk: Tamper-Evident Publication of Internet Measurements Max Helm Advisors: Oliver Gasser, Benjamin Hof, Quirin Scheitle July 16,

423 views • 26 slides
5/24/10 Modern Hardware is Complex Modern systems built on layers of hardware Tamper Evident

5/24/10 Modern Hardware is Complex Modern systems built on layers of hardware Tamper Evident

5/24/10 Modern Hardware is Complex Modern systems built on layers of hardware Tamper Evident Microprocessors Applications OS Hypervisor Motherboard/ Slave Chips Adam Waksman CPU Simha Sethumadhavan Complexity increases risk of

340 views • 4 slides
Publius: A robust, tamper-evident, censorship-resistant web publishing system M Waldman, A Rubin

Publius: A robust, tamper-evident, censorship-resistant web publishing system M Waldman, A Rubin

Publius: A robust, tamper-evident, censorship-resistant web publishing system M Waldman, A Rubin and L Cranor Ranjit Randhawa Department of Computer Science Virginia Tech Outline Overview of Publius Anonymity tools Publius in

414 views • 13 slides
Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution Riccardo

Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution Riccardo

Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution Riccardo Paccagnella, Pubali Datta, Wajih Ul Hassan, Adam Bates, Christopher W. Fletcher, Andrew Miller, Dave Tian Logs Are Useful 2 Custos: Practical

730 views • 58 slides
Space Efficient Data Structures and FM index Venkatesh Raman The Institute of Mathematical

Space Efficient Data Structures and FM index Venkatesh Raman The Institute of Mathematical

Space Efficient Data Structures and FM index Venkatesh Raman The Institute of Mathematical Sciences, Chennai NISER Bhubaneshwar, February 9, 2019 Introduction Data Structures Libraries Conclusions Overview Introduction Data Structures

1.92k views • 159 slides
Efficient Data Structures for the Factor Periodicity Problem Tomasz Kociumaka Jakub Radoszewski

Efficient Data Structures for the Factor Periodicity Problem Tomasz Kociumaka Jakub Radoszewski

Efficient Data Structures for the Factor Periodicity Problem Tomasz Kociumaka Jakub Radoszewski Wojciech Rytter Tomasz Wale University of Warsaw, Poland SPIRE 2012 Cartagena, October 23, 2012 Tomasz Kociumaka Efficient Data Structures

1.23k views • 64 slides
Space and Time-Efficient Data Structures for Massive Datasets Giulio Ermanno Pibiri

Space and Time-Efficient Data Structures for Massive Datasets Giulio Ermanno Pibiri

Space and Time-Efficient Data Structures for Massive Datasets Giulio Ermanno Pibiri giulio.pibiri@di.unipi.it Supervisor Rossano Venturini Computer Science Department University of Pisa 10/10/2017 1 High Level Thesis Data Structures +

1.16k views • 87 slides
Efficient Public-Key Cryptography with Bounded Leakage and Tamper Resilience Antonio Faonio 1

Efficient Public-Key Cryptography with Bounded Leakage and Tamper Resilience Antonio Faonio 1

Efficient Public-Key Cryptography with Bounded Leakage and Tamper Resilience Antonio Faonio 1 Daniele Venturi 2 Department of Computer Science, Aarhus University, Aarhus, Denmark Department of Information Engineering and Computer Science,

763 views • 34 slides
Data Structures + BIG-O Notation Understanding the engineering trade-offs when storing data

Data Structures + BIG-O Notation Understanding the engineering trade-offs when storing data

CSSE 220 Data Structures + BIG-O Notation Understanding the engineering trade-offs when storing data Checkout LinkedListSimple project from public git Checkout SinglyLinkedList homework from git Data Structures Efficient ways to store data

239 views • 9 slides
Efficient Hardware-based Undo+Redo Logging for Persistent Memory Systems Matheus Ogleari Prof.

Efficient Hardware-based Undo+Redo Logging for Persistent Memory Systems Matheus Ogleari Prof.

Efficient Hardware-based Undo+Redo Logging for Persistent Memory Systems Matheus Ogleari Prof. Ethan Miller Prof. Jishen Zhao 1 Overview Background/Motivation Hardware-Driven Logging Design Evaluation 2 Background

232 views • 20 slides
Data Structures 1 / 27 Built-in Data Structures Values can be collected in data structures:

Data Structures 1 / 27 Built-in Data Structures Values can be collected in data structures:

Data Structures 1 / 27 Built-in Data Structures Values can be collected in data structures: Lists Tuples Dictionaries Sets This lecture just an overview. See the Python documentation for complete details. 2 / 27 Lists A list

396 views • 27 slides
Efficient Hardware-assisted Logging with Asynchronous and Direct Update for Persistent Memory

Efficient Hardware-assisted Logging with Asynchronous and Direct Update for Persistent Memory

Efficient Hardware-assisted Logging with Asynchronous and Direct Update for Persistent Memory Jungi Jeong , Chang Hyun Park, Jaehyuk Huh, and Seungryoul Maeng International Symposium on Microarchitecture (MICRO) 2018 Storage-Class Memory

1.95k views • 155 slides
I/O-Efficient Data Structures for Colored Range and Prefix Reporting Kasper Green Larsen,

I/O-Efficient Data Structures for Colored Range and Prefix Reporting Kasper Green Larsen,

I/O-Efficient Data Structures for Colored Range and Prefix Reporting Kasper Green Larsen, MADALGO, Aarhus University Rasmus Pagh, IT University of Copenhagen Presenter: Yakov Nekrich 1 Motivating example Jag ligger och ska somna, jag ser

700 views • 25 slides
Associative Graph Data Structures AGDS with an Efficient Access via AVB+trees Adrian Horzyk AGH

Associative Graph Data Structures AGDS with an Efficient Access via AVB+trees Adrian Horzyk AGH

Associative Graph Data Structures AGDS with an Efficient Access via AVB+trees Adrian Horzyk AGH University of Science and Technology horzyk@agh.edu.pl Krakow, Poland Brains and Neurons How do they really work? How we can use brain-like

428 views • 40 slides
Space- and Time-Efficient Data Structures for Massive Datasets Giulio Ermanno Pibiri

Space- and Time-Efficient Data Structures for Massive Datasets Giulio Ermanno Pibiri

Space- and Time-Efficient Data Structures for Massive Datasets Giulio Ermanno Pibiri giulio.pibiri@di.unipi.it Supervisor Rossano Venturini Department of Computer Science University of Pisa 15/11/2018 1 Evidence The increase of

1.05k views • 92 slides
Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business, one of the things that you have to do is to learn about heavy equipment. Robert VanNatta, Logging History of Columbia County Database Management

534 views • 26 slides
Search Lookaside Buffer: Efficient Caching for Index Data Structures Xingbo Wu, Fan Ni, Song

Search Lookaside Buffer: Efficient Caching for Index Data Structures Xingbo Wu, Fan Ni, Song

Search Lookaside Buffer: Efficient Caching for Index Data Structures Xingbo Wu, Fan Ni, Song Jiang Background Large-scale in-memory applications. In-memory databases In-memory NoSQL stores and caches Software routing tables

731 views • 36 slides
Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations: Search/Find Minimum/findMin Maximum/findMax Binary Search Trees Predecessor Successor Insert Delete/Remove ! All

83 views • 4 slides
DM207 I/O-Efficient Algorithms and Data Structures Fall 2011 Rolf Fagerberg IOEADS Fall 2011

DM207 I/O-Efficient Algorithms and Data Structures Fall 2011 Rolf Fagerberg IOEADS Fall 2011

DM207 I/O-Efficient Algorithms and Data Structures Fall 2011 Rolf Fagerberg IOEADS Fall 2011 Page 1 Prologue You are working for MegaHard R , a large software firm whose latest product is the programming language D . Your boss tells

498 views • 22 slides
CCHL: Compression-Consolidation Hardware Logging for Efficient Failure-Atomic Persistent Memory

CCHL: Compression-Consolidation Hardware Logging for Efficient Failure-Atomic Persistent Memory

CCHL: Compression-Consolidation Hardware Logging for Efficient Failure-Atomic Persistent Memory Updates Xueliang Wei, Dan Feng, Wei Tong, Jingning Liu, Chengning Wang, Liuqing Ye Huazhong University of Science and Technology Persistent Memory

817 views • 38 slides

More recommend