Towards a Secure and Efficient System for End-to-End Provenance - PowerPoint PPT Presentation


  1. Towards a Secure and Efficient System for End-to-End Provenance
     Patrick McDaniel, Kevin Butler, Stephen McLaughlin, Penn State University
     Erez Zadok, Radu Sion, Stony Brook University
     Marianne Winslett, University of Illinois
     TaPP’10, San Jose, CA, 22 February 2010
     Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

  2. Provenance Rich Applications
     • Scientific computing (myGrid)
     • Supervisory Control and Data Acquisition
       ‣ National Academy “Hard Problem”
     • Supply chains
     • Government and military
     • Digital repositories (MIT DSpace, version control)
     • Characteristics:
       ‣ High assurance, distributed, high performance

  3. End to End Provenance System
     • Why another provenance collection system?

  4. End to End Provenance System
     • Why another provenance collection system?
       ‣ Strong security guarantees
       ‣ Distributed provenance collection
       ‣ Achieve the above two goals efficiently in high end computing systems

  5. Secure Provenance Collection
     • Provenance monitor (PM) analogous to the reference monitor concept
     • Three guarantees
       ‣ Complete mediation
       ‣ Tamperproofness
       ‣ Verifiability
     • Beyond authentication of records
       ‣ Integrity/trustworthiness of the recording instrument and of provenance-enhanced applications

  6. Achieving Security Goals
     • PM and provenance records both protected from monitored applications
     • Two implementations:
     • Kernel-level:
       ‣ More semantic information for mediation
       ‣ LSM implementation
     • Device-level:
       ‣ Stronger tamperproofness guarantee
       ‣ Disk-level support for provenance collection, record storage, and host interaction for semantics and policies. [Butler’07,’08]

  7. Distributed Environments
     [Diagram: three organizations, Org A, Org B and Org C; each contains Hosts with a PM (variants labelled secure coprocessor, kernel, and intelligent storage) and a Provenance Authority, with PMs linked across organizations.]

  8. Distributed PM
     • Challenges in distributed provenance
     • Domain specific policies for:
       ‣ Auditors: confidentiality considerations
         • Cryptographic commitments [Hasan’09]
       ‣ Divergent modification histories
         • Plausible version history
         • If necessary, plausible history may be checked against previous subjects in the ownership chain

  9. Distributed Example
     [Figure: Host A and Host B, each running scp / sshd over a Kernel and FS, with a Hybrid Drive (Disk + Flash) holding SaF and a PM; on Host A the document Doc carries provenance P1.]
     Example: File transfer between hosts with untrusted OSes and trusted storage

  10. Distributed Example
     [Figure: same layout as slide 9.]
     A program initiates a request for the file.

  11. Distributed Example
     [Figure: same layout as slide 9, with an additional P1 label.]
     A secure tunnel is established between disks through the untrusted OS.

  12. Distributed Example
     [Figure: same layout as slide 9, with additional Doc labels.]
     The document is transferred as normal.

  13. Distributed Example
     [Figure: same layout as slide 9, with the provenance label now P1|P2.]
     The destination disk checks the integrity once the write-through is completed and appends a new provenance entry.
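A runnable sketch of the check-then-append step in slides 10 through 13, added here as an example; it is not code from the talk or its authors. It assumes each trusted drive holds its own HMAC key (the talk only refers to cryptographic commitments [Hasan’09]; keys and the HMAC construction are this example's assumption), every provenance entry commits to the document hash and to the previous entry, and the destination drive verifies the received bytes against the chain before appending its own entry, so P1 becomes P1|P2 only when the write-through arrived intact. The names DEVICE_KEYS, make_entry, verify_chain and transfer are the example's own.

```python
"""Hash-chained provenance entries appended by trusted storage (added example)."""
import hashlib
import hmac
import json

# Constructed per-device keys. In the slides' model these would live inside the
# trusted drive (and be known to a provenance authority), never in the untrusted
# OS. Using HMAC keys at all is this example's assumption, not the talk's design.
DEVICE_KEYS = {
    "hostA-drive": b"constructed-key-host-a",
    "hostB-drive": b"constructed-key-host-b",
}

GENESIS = "0" * 64  # link value for the first entry of a chain


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    """Deterministic encoding so MACs and hash links are reproducible."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def make_entry(device: str, action: str, doc: bytes, chain: list) -> dict:
    """Build one provenance entry: commits to doc contents and previous entry."""
    prev = sha256(canonical(chain[-1])) if chain else GENESIS
    body = {"device": device, "action": action, "doc_hash": sha256(doc), "prev": prev}
    mac = hmac.new(DEVICE_KEYS[device], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def verify_chain(chain: list, doc: bytes) -> bool:
    """Check every MAC and hash link, and that the newest entry matches doc."""
    prev = GENESIS
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "mac"}
        key = DEVICE_KEYS.get(entry["device"])
        if key is None:
            return False  # entry claims an unknown recording device
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return False  # entry altered after it was recorded
        if entry["prev"] != prev:
            return False  # chain link broken (entry dropped or reordered)
        prev = sha256(canonical(entry))
    return bool(chain) and chain[-1]["doc_hash"] == sha256(doc)


def transfer(chain: list, received: bytes, dst_device: str) -> list:
    """Destination drive: verify the written-through bytes, then append P2."""
    if not verify_chain(chain, received):
        raise ValueError("integrity check failed; no provenance entry appended")
    return chain + [make_entry(dst_device, "receive", received, chain)]


def demo():
    """Intact transfer yields P1|P2; a document altered in transit is rejected."""
    doc = b"constructed document contents"
    p1 = [make_entry("hostA-drive", "create", doc, [])]  # P1 on Host A's drive
    chain = transfer(p1, doc, "hostB-drive")            # P1|P2 on Host B's drive
    tampered_accepted = True
    try:
        transfer(p1, doc + b" altered by the untrusted OS", "hostB-drive")
    except ValueError:
        tampered_accepted = False
    return len(chain), verify_chain(chain, doc), tampered_accepted


if __name__ == "__main__":
    print(demo())
```

The chain link covers the whole previous entry including its MAC, so an auditor with the device keys can detect a dropped, reordered or edited entry as well as a document that no longer matches its latest recorded hash; what it does not address is the redundancy cost of slide 14, since every drive in the sharing path keeps the full chain.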

  14. Distributed Provenance Overheads
     • Overhead increases monotonically as data is shared.
     • Two implications:
       ‣ Storage costs within a single domain
         • High sharing factor: redundant provenance data
         • Long per-host modification histories: higher redundancy factor
         • Even though document size may remain constant!
       ‣ Audit costs between domains
         • As sharing of a document increases, the computational cost of sharing increases

  15. Performance Enhancements
     • Provenance monitor profiling
       ‣ Enhanced profiling tools
       ‣ Profiling provenance collection for workloads from scientific domains
       ‣ EEPS calibration for a particular environment
       ‣ LSM instrumentation
     • Cost models for provenance collection
       ‣ Hardware and storage requirements ($/GB)
       ‣ New cost models based on types of provenance data collected and system architectures

  16. Summary
     • Existing provenance systems solve problems of data management and organization
     • EEPS:
       ‣ Secure collection and auditing
         • Provenance Monitor
       ‣ Distributed provenance
         • Distributed PM
       ‣ Performance considerations
         • PM and application profiling and calibration

  17. References
     [Butler’08] Kevin Butler, Stephen McLaughlin, and Patrick McDaniel. Rootkit-Resistant Disks. 15th ACM Conference on Computer and Communications Security (CCS'08), Alexandria, VA, USA, November 2008.
     [Butler’07] Kevin Butler, Stephen McLaughlin, and Patrick McDaniel. Non-Volatile Memory and Disks: Avenues for Policy Architectures. 1st Computer Security Architecture Workshop (CSAW 2007), Alexandria, VA, USA, November 2007.
     [Hasan’09] Ragib Hasan, Radu Sion, and Marianne Winslett. Preventing History Forgery with Secure Provenance. ACM Transactions on Storage, December 2009.
