working set based access control for based access control
play

Working Set- -Based Access Control for Based Access Control for - PowerPoint PPT Presentation

Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University


  1. Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University of New Jersey { smaldone, vinodg, iftode }@cs.rutgers.edu

  2. Mobile Access to Network File Systems Increasing Mobile Access to Network File Systems Increasing Corporate Intranet Alice @Trusted Alice @Untrusted Personal Device VPN File Server Accesses VPN Firewall Internet Network File Servers 5/19/2007 Rutgers WINLAB IAB Meeting 2

  3. WSBAC: Working Set- -Based Access Control Based Access Control WSBAC: Working Set Process Alice’s Active Working Set File Set Process Alice’s File Set Virtual Memory 5/19/2007 Rutgers WINLAB IAB Meeting 3

  4. Outline Outline • Introduction • WSBAC Design – POLEX and POLEN Design • WSBAC Implementation – Background: FileWall – POLEX and POLEN Implementations – Policy View Namespace (PVN) • Related Work • Conclusions and Future Work 5/19/2007 Rutgers WINLAB IAB Meeting 4

  5. WSBAC Overview WSBAC Overview Trusted Network Domain (Corporate Intranet) 1 1 File Server 1 Trusted POLEX Devices 2 Working Sets Untrusted Devices 3 2 POLEN POLEN Vault Area 3 5/19/2007 Rutgers WINLAB IAB Meeting 5

  6. POLEX: POL POLicy icy EX EXtraction traction for Network File Systems for Network File Systems POLEX: Trusted Devices Switch Policy View File Server POLEX Namespace (PVN) Administrator Working Sets 5/19/2007 Rutgers WINLAB IAB Meeting 6

  7. Policy View Namespace (PVN) Policy View Namespace (PVN) PVN Root PVN1 Control Shadow • Start / Stop Collection • Modify Collection Parameters Shadow File Contents • Modify View Parameters FILE METADATA EFFECTIVE AC Mirrored FS Namespace 5/19/2007 Rutgers WINLAB IAB Meeting 7

  8. POLEN: POL POLicy icy EN ENforcement forcement for Network File for Network File POLEN: Systems Systems WSBAC Virtual Untrusted Namespace Devices POLEN File Server Working Reliable Sets Secondary Authentication Mechanism 5/19/2007 Rutgers WINLAB IAB Meeting 8

  9. Background: FileWall FileWall Background: Scheduler Request Handler File Server … FS Client Forwarder Response Access Handler Context FileWall Policy FileWall: A Firewall for Network File System, S. Smaldone, A. Bohra, and L. Iftode. In the Proceedings of the 3rd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'07). 5/19/2007 Rutgers WINLAB IAB Meeting 9

  10. The POLEX Implementation The POLEX Implementation Scheduler Network Extraction File System Handler Stream Forwarder View Access Handlers Context Policy Administrator Working Set Definition Summaries (Bloom Filters) 5/19/2007 Rutgers WINLAB IAB Meeting 10

  11. Outline Outline • Introduction • WSBAC Design • WSBAC Implementation • Evaluation and Results • Related Work • Conclusions 5/19/2007 Rutgers WINLAB IAB Meeting 11

  12. Evaluation Evaluation • Goals – Measure accuracy of a working set extraction: w.r.t. errors and over-estimations – Measure overheads imposed network file system access – See paper for full evaluation and results • Setup – Systems: Dell systems, Dual 2.4 GHz CPUs, 3 GB RAM, running Linux 2.6 – Perform offline analysis using Harvard File System Traces [Ellard’03] – OpenSSH compilation as application performance benchmark 5/19/2007 Rutgers WINLAB IAB Meeting 12

  13. Evaluation: POLEX Accuracy Evaluation: POLEX Accuracy Average Error Rate Over-Estimation Rate Run 1 1.08% 31.6% Run 2 0.76% 41.2% Run 3 1.02% 42.5% Run 4 0.79% 36.5% Run 5 0.97% 42.9% Average 0.92% 38.9% 5/19/2007 Rutgers WINLAB IAB Meeting 13

  14. Evaluation: POLEN Application Benchmark Evaluation: POLEN Application Benchmark 70 60 50 Time (sec) 40 NFS POLEN 30 20 10 0 untar configure compile install remove Benchmark Phase 5/19/2007 Rutgers WINLAB IAB Meeting 14

  15. Related Work Related Work • Policy Extraction and Inference – RBAC Role Mining [Kuhlmann’03, Schlegelmilch’05] – XACML AC Property Inference [Anderson’04, Martin’06] – Firewall Policy Inference [Golnabi’06, Tongaonkar’07] – Gray-Box Systems [Arpaci-Dusseau’01] • Context-Aware Access Control – Secure Collaborations in Mobile Computing [Toninelli’06] – Ubiquitous Services [Corradi’04, Yokotama’06] – Ad-Hoc Networks [Saidane’07] – Web Services [Bhatti’05, Kapsalis’06] 5/19/2007 Rutgers WINLAB IAB Meeting 15

  16. Conclusions Conclusions • WSBAC: Working Set-Based Access Control for Network File Systems – Access control technique that estimates per-user working sets to formulate access control policy for accesses from untrusted devices – Prototype design and implementation of POLEX and POLEN – Empirical evaluation suggests that WSBAC is highly effective, exhibiting low error rates • Conference Paper – Working Set-Based Access Control for Network File Systems, S. Smaldone, V. Ganapathy, and L. Iftode To appear in the Proceedings of the 14 th ACM Symposium on Access Control Models and Technologies (SACMAT 2009), June 2009. 5/19/2007 Rutgers WINLAB IAB Meeting 16

  17. Thank You! Thank You! http://discolab.rutgers.edu

  18. Evaluation: POLEX Time and Storage Requirements Evaluation: POLEX Time and Storage Requirements Size of Trace Time to Analyze State Size 1 Day (~3.3 GB - 6,308,023 Req/Res Pairs) 52 min 154MB 1 Hour (~140 MB - 262,834 Req/Res Pairs) 2.49 min 154MB 5/19/2007 Rutgers WINLAB IAB Meeting 18

  19. Evaluation: POLEX Sensitivity Evaluation: POLEX Sensitivity Day 1 Day 2 Day 3 Day 4 Day 5 User 1 0.26% 0.03% 0.02% 0.01% 0.01% User 2 0.31% 4.4% 0.0% 3.3% 0.27% User 3 0.37% 0.36% 0.82% 2.5% 0.61% User 4 0.48% 1.8% 0.55% 0.66% 0.11% User 5 0.18% 0.28% 0.18% 0.34% 0.27% Average 0.32% 1.4% 0.31% 1.4% 0.27% 5/19/2007 Rutgers WINLAB IAB Meeting 19

  20. Evaluation: Speculation Rates Evaluation: Speculation Rates Average Min Max 1.4% 2.4% 0.028% • For Heavy Users (~500 rqst/day): Average Min Max 7 speculative rqst/day 12 speculative rqst/day >1 speculative rqst/day 5/19/2007 Rutgers WINLAB IAB Meeting 20

  21. Evaluation: POLEN Performance Microbenchmark Microbenchmark Evaluation: POLEN Performance 700 600 Response Latency (usec) 500 NFS-minimal 400 POLEN-minimal NFS-LAN 300 POLEN-LAN 200 100 0 getattr lookup access read write create NFS Operation 5/19/2007 Rutgers WINLAB IAB Meeting 21

  22. Contributions Contributions Add after slide 4 5/19/2007 Rutgers WINLAB IAB Meeting 22

  23. The POLEN Implementation The POLEN Implementation Add after slide 11 5/19/2007 Rutgers WINLAB IAB Meeting 23

Recommend


More recommend