filewall implementing file access policies using dynamic
play

FileWall : Implementing File Access Policies Using Dynamic Access - PowerPoint PPT Presentation

Apr 06, 2023 •35 likes •525 views

FileWall : Implementing File Access Policies Using Dynamic Access Context Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode DiscoLab Department of Computer Science Rutgers University Workshop on Spontaneous Networking May 12, 2006

  1. FileWall : Implementing File Access Policies Using Dynamic Access Context Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode DiscoLab Department of Computer Science Rutgers University Workshop on Spontaneous Networking May 12, 2006

  2. Organization: Too many files, directories, servers Protection: Left to the discretion of the owner Dynamism: Cannot be incorporated without file system extension Workshop on Spontaneous Networking

  3. Organization: Too many files, directories, servers Protection: Left to the discretion of the owner Dynamism: Cannot be incorporated without file system extension Administrator has little control over file access policies Administrator has little control over file access policies Workshop on Spontaneous Networking

  4. File names are powerful Can be used to implement access policies All file system access are performed through messages Message transformations can be used to enforce policies File system state can be constructed using information contained in messages Workshop on Spontaneous Networking

  5. File names are powerful Can be used to implement access policies All file system access are performed through messages Message transformations can be used to enforce policies File system state can be constructed using information contained in messages Access policies can be implemented by interposition Access policies can be implemented by interposition and message transformation and message transformation Workshop on Spontaneous Networking

  6. Interposes on the client - server path Stores network flow history Evaluates each message against the firewall policies Passes - through, drops, or transforms network packets Workshop on Spontaneous Networking

  7. Interposes on client - server path Stores file access history Evaluates each message against FileWall policies Transforms file system messages Workshop on Spontaneous Networking

  8. Interposes on client - server path Stores file access history Evaluates each message against FileWall policies Transforms file system messages FileWall constructs virtual namespaces using file FileWall constructs virtual namespaces using file system namespaces and access policies through system namespaces and access policies through message transformation message transformation Workshop on Spontaneous Networking

  9. Access control Quality of Service (QoS) File system organization Intrusion detection Information Lifecycle Management (ILM) Data transformations Workshop on Spontaneous Networking

  10. Motivation Design Access Context FileWall Policies Implementation Evaluation Related Work Conclusions Workshop on Spontaneous Networking

  11. Access history Access statistics Sequence of accesses Describes user behavior Environment Time, available disk space, CPU load, etc. Workshop on Spontaneous Networking

  12. Requirements Compact representation Contain semantic information which describes user behavior Easy to understand and specify Soft state Workshop on Spontaneous Networking

  13. Node = file run Groups of accesses performed by same application Open to close or approximate using clustered accesses Attributes File name Type of run (READ, WRITE, etc.) Operation count Edge Run started after and ended before parent Depth-first traversal defines sequence of runs in an access tree Workshop on Spontaneous Networking

  14. Root Workshop on Spontaneous Networking

  15. Root 1 Read 1 Workshop on Spontaneous Networking

  16. Root 1 2 Read 1, Create/Delete 2 Workshop on Spontaneous Networking

  17. Root 1 3 2 Read 1, Create/Delete 2, Read/Write 3 Workshop on Spontaneous Networking

  18. Root 1 3 1 2 Read 1, Create/Delete 2, Read/Write 3, Write 1 Workshop on Spontaneous Networking

  19. Motivation Design Access Context FileWall Policies Implementation Evaluation Related Work Conclusions Workshop on Spontaneous Networking

  20. Transform messages (requests and replies) Sequence of rules INPUT and OUTPUT Use: Access context File attributes contained in messages Workshop on Spontaneous Networking

  21. Policy: Show files accessed today For each client-visible file: Access Time = TODAY Transform directory listing messages READDIR and READDIRPLUS Workshop on Spontaneous Networking

  22. Policies Access Context FileWall Workshop on Spontaneous Networking

  23. Policies M READDIR Access Context FileWall Workshop on Spontaneous Networking

  24. Policies READDIR Access Context FileWall Workshop on Spontaneous Networking

  25. Policies READDIR Access Context FileWall Workshop on Spontaneous Networking

  26. Policies READDIR READDIRPLUS Access Context FileWall Workshop on Spontaneous Networking

  27. Policies READDIRPLUS Access Context FileWall Workshop on Spontaneous Networking

  28. Policies READDIRPLUS Access Context FileWall Workshop on Spontaneous Networking

  29. Policies READDIRPLUS Access Context FileWall Workshop on Spontaneous Networking

  30. Policies READDIR READDIRPLUS Access Context FileWall Workshop on Spontaneous Networking

  31. OUTPUT Rule: INPUT Rule: int fwout ( rpc _ msg reply) { int fwin ( rpc _ msg request) { if (reply.proc == READDIRPLUS) { if (request.proc == READDIR) { FOREACH entp in reply { request.proc = READDIRPLUS; if (entp . atime == TODAY) return FORWARD; copy_entry( resp _ entp , entp ) } } } reply.entries = res _ entp ; reply.proc = READDIR ; return FORWARD; } } Specified as C programs and compiled as loadable Specified as C programs and compiled as loadable shared modules shared modules Workshop on Spontaneous Networking

  32. Motivation Design Access Context FileWall Policies Implementation Evaluation Related Work Conclusions Workshop on Spontaneous Networking

  33. FileWall: Click Modular Router NFS over UDP Workshop on Spontaneous Networking

  34. FileWall Click Modular Router NFS over UDP FileWall Client SFS toolkit Session establishment Bootstrapping Identify list of available file systems Workshop on Spontaneous Networking

  35. Motivation Design Access Context FileWall Policies Implementation Evaluation Related Work Conclusions Workshop on Spontaneous Networking

  36. Workshop on Spontaneous Networking

  37. General purpose server Email, user homes, web server Files mounted over NFS Web servers are prone to flash crowds Current policies Rate limit number of requests Disable web server Workshop on Spontaneous Networking

  38. Access context Rate of sequential file reads, directory listings, etc. Policy Hide files with rate greater than a threshold Show files again when rate falls below threshold Only the source of the flash crowd disappears from the namespace Workshop on Spontaneous Networking

  39. Workshop on Spontaneous Networking

  40. Infokernel [Arpaci-Dusseau 03], firewall/NAT Access Context Desktop search [ Soules 03] File system prefetching [ Amer 02, Lei 97] Enforcing enterprise -wide policies [He 05] Semantic file systems [Sheldon 91, Pike 93, Neuman 92, Rao 93] Extensible file systems [Zadok 00, Tewari 05] Workshop on Spontaneous Networking

  41. User study Real deployment Behavior models Workshop on Spontaneous Networking

  42. User study Real deployment Behavior models Policy language Constraints Debugging and logging Workshop on Spontaneous Networking

  43. User study Real deployment Behavior models Policy language Constraints Debugging and logging Data transformations Censorship Protocol translations NFS - > CIFS Recipe - based file system (CASPER) IP - > RDMA Video encoding Content adaptation Workshop on Spontaneous Networking

  44. Per-file access policies can be enforced using virtual namespaces No client or server modification required Soft state maintenance required Workshop on Spontaneous Networking

  45. Per-file access policies can be enforced using virtual namespaces No client or server modification required Soft state maintenance required Provides administrators the ability to define a wide variety of access policies Protect file systems Provide quality of service Workshop on Spontaneous Networking

  47. Dell Poweredge 2600 systems Dual 2.4GHz Intel Xeon processors 1GB RAM 36GB 15000 RPM SCSI disk Linux Gigabit Ethernet switch Workshop on Spontaneous Networking

  48. Workshop on Spontaneous Networking

  49. Expressive Deployable Scalable Available Workshop on Spontaneous Networking

Recommend

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
Dynamic Memory Allocation Today Dynamic memory allocation mechanisms & policies

Dynamic Memory Allocation Today Dynamic memory allocation mechanisms & policies

Dynamic Memory Allocation Today Dynamic memory allocation mechanisms & policies Memory bugs Chris Riesbeck, Spring 2010 Original: Fabian Bustamante Wednesday, November 2, 2011 Dynamic memory allocation Application Dynamic

1.2k views • 47 slides
SELinux Example: I may chmod o+a the file containing 506 grades, which violates

SELinux Example: I may chmod o+a the file containing 506 grades, which violates

12/6/12 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) SELinux Example: I may chmod o+a the file containing 506 grades,

412 views • 5 slides
DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined

DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined

DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined somewhere else (another file in our project, a library, etc) In compiler-speak, we want symbols with external linkage I only really care

563 views • 39 slides
Drafting Records Retention Policies for Construction Projects Implementing Document Management

Drafting Records Retention Policies for Construction Projects Implementing Document Management

Presenting a live 90 minute webinar with interactive Q&A Drafting Records Retention Policies for Construction Projects Implementing Document Management Policies to Mitigate Risks, Reduce Costs and Minimize Discovery Challenges TUES DAY,

666 views • 27 slides
Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure File System Mounting File Sharing Protection Operating System Concepts Silberschatz, Galvin and Gagne 2002 11.1 File Concept

387 views • 15 slides
Data Security Breaches: The Growing Liability Threat Crafting and Implementing Policies to

Data Security Breaches: The Growing Liability Threat Crafting and Implementing Policies to

Data Security Breaches: The Growing Liability Threat Crafting and Implementing Policies to Prevent and Crafting and Implementing Policies to Prevent and presents presents Respond to Inadvertent Disclosures A Live 90-Minute

1.06k views • 70 slides
Distributed-File Systems Background Naming and Transparency Remote File Access

Distributed-File Systems Background Naming and Transparency Remote File Access

Distributed-File Systems Background Naming and Transparency Remote File Access Stateful versus Stateless Service File Replication Example Systems Typeset by Foil T EX 1 Background Distributed file system (DFS)

1.1k views • 73 slides
= i P max n yh ( y ) dy u ( Q ) c ( Q )

= i P max n yh ( y ) dy u ( Q ) c ( Q )

Contents A public good model for p2p An Asymptotically Optimal Scheme Simple contribution policies with exclusions for P2P File Sharing An application to file sharing heterogeneous file popularity stability Panayotis

460 views • 5 slides
Data Access and File Management vanilladb.org Outline Storage engine and data access

Data Access and File Management vanilladb.org Outline Storage engine and data access

Data Access and File Management vanilladb.org Outline Storage engine and data access Disk access Block-level interface File-level interface File Management in VanillaCore BlockID Page FileMgr 2 Outline

891 views • 50 slides
The dynamic logic of policies and contingent planning Andreas Herzig CNRS, IRIT joint work with

The dynamic logic of policies and contingent planning Andreas Herzig CNRS, IRIT joint work with

Policies PDL Extending PDL Programs for policies The dynamic logic of policies and contingent planning Andreas Herzig CNRS, IRIT joint work with Thomas Bolander, Thorsten Engesser, Robert Mattm uller, Bernhard Nebel Journ es MAFTEC,

572 views • 27 slides
GTUG Why using Deduplicated-storage Fernand Lussier VP Research and Development Nonstop File

GTUG Why using Deduplicated-storage Fernand Lussier VP Research and Development Nonstop File

GTUG Why using Deduplicated-storage Fernand Lussier VP Research and Development Nonstop File type Hypothesis of simulation 1. Dynamic file : 1 or 2 % of dynamic file change every day. And represented 50% of the data. Ex Cardholder master

599 views • 15 slides
Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure Protection Consistency Semantics Silberschatz, Galvin, and Gagne 1999 Applied Operating System Concepts 11.1 File Concept Contiguous

755 views • 50 slides
Implementing Object-Oriented Languages Implementing instance variable access Key features: Key

Implementing Object-Oriented Languages Implementing instance variable access Key features: Key

Implementing Object-Oriented Languages Implementing instance variable access Key features: Key problem: subtype polymorphism inheritance (possibly multiple) Solution: prefixing subtyping & subtype polymorphism layout of

174 views • 5 slides
Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University

667 views • 23 slides
BurnBox Self-Revocable Encryption in a World of Compelled Access Nirvan Tyagi Muhammad Haris

BurnBox Self-Revocable Encryption in a World of Compelled Access Nirvan Tyagi Muhammad Haris

BurnBox Self-Revocable Encryption in a World of Compelled Access Nirvan Tyagi Muhammad Haris Thomas Ristenpart Ian Miers Mughees Usenix Security 2018 1 Compelled Access Setting file 1 file 2 file 3 2 Compelled Access Setting file 1

787 views • 52 slides
Identifying Priority Strategies for Implementing Policies on Immediate Postpartum Long-Acting

Identifying Priority Strategies for Implementing Policies on Immediate Postpartum Long-Acting

Centers for Disease Control and Prevention Identifying Priority Strategies for Implementing Policies on Immediate Postpartum Long-Acting Reversible Contraception in the United States 10 th ANNUAL CONFERENCE ON THE SCIENCE OF DISSEMINATION AND

211 views • 19 slides
Week 5+ Oliver Kullmann Dynamic sets BinaryTrees Trees Implementing rooted trees Dynamic

Week 5+ Oliver Kullmann Dynamic sets BinaryTrees Trees Implementing rooted trees Dynamic

CS 270 Algorithms Week 5+ Oliver Kullmann Dynamic sets BinaryTrees Trees Implementing rooted trees Dynamic sets 1 The notion of binary search tree Trees 2 Queries in binary search trees Implementing rooted trees 3

833 views • 52 slides
Congressional Budget Office September 17, 2015 How CBO Is Implementing Dynamic Scoring

Congressional Budget Office September 17, 2015 How CBO Is Implementing Dynamic Scoring

Congressional Budget Office September 17, 2015 How CBO Is Implementing Dynamic Scoring Presentation to the Society of Government Economists Keith Hall, Director For additional information, see Congressional Budget Office, Dynamic

208 views • 17 slides
Fi Fingerprinting t g the C Check cker Po Policies of Pa Parallel File Systems Runzhou Han ,

Fi Fingerprinting t g the C Check cker Po Policies of Pa Parallel File Systems Runzhou Han ,

PDSW 2020:5TH INTERNATIONAL PARALLEL DATA SYSTEMS WORKSHOP Fi Fingerprinting t g the C Check cker Po Policies of Pa Parallel File Systems Runzhou Han , Duo Zhang, Mai Zheng Parallel File Systems (PFSes) PFS is the cornerstone of high

1.08k views • 59 slides
Access Control Lists Don Porter CSE 506 Background (1) If everything in Unix is a file

Access Control Lists Don Porter CSE 506 Background (1) If everything in Unix is a file

Access Control Lists Don Porter CSE 506 Background (1) If everything in Unix is a file Everything in Windows is an object Why not files? Not all OS abstractions make sense as a file Examples: Eject button on an optical drive

908 views • 22 slides
Distributed Systems - III Open a file, check status on a file, close a file; Read data

Distributed Systems - III Open a file, check status on a file, close a file; Read data

CSE 421/521 - Operating Systems What does Distributed File System Provide? Fall 2011 Provide access to and manipulation of data stored at remote servers using file system interfaces Lecture - XXV What are the file system interfaces?

236 views • 5 slides
Designing and Implementing an Emergency HOME TBRA Program Part 2: Developing Policies &

Designing and Implementing an Emergency HOME TBRA Program Part 2: Developing Policies &

Designing and Implementing an Emergency HOME TBRA Program Part 2: Developing Policies & Procedures June 17, 2020 1 Welcome & Introductions Sponsored by HUDs Office of Affordable Housing Programs ) Presenters Stephen

1.04k views • 44 slides
Case Study: Implementing Legally Defensible Policies p g g y f and Procedures for Disposing of

Case Study: Implementing Legally Defensible Policies p g g y f and Procedures for Disposing of

Case Study: Implementing Legally Defensible Policies p g g y f and Procedures for Disposing of Paper Records After Scanning Bob Guz CRM Bob Guz, CRM Sr. Business Process Consultant Katherine Cranford, CRM, CIP Corporate Records Analyst

594 views • 43 slides

More recommend