PASIS: Perpetually Available and Secure Information Systems


Transcript of PASIS: Perpetually Available and Secure Information Systems

Institute for Complex Engineered Systems

PASIS: Perpetually Available and Secure Information Systems

http://PASIS.ices.cmu.edu/

Pradeep K. Khosla (PI) – [email protected]

Greg Ganger, Han Kiliccote

Jay Wylie, Michael Bigrigg, Xiaofeng Wang,John Strunk, Qi He, Yaron Rachlin, Mehmet Bakkloglu,

Joe Ordia, Semih Oguz, Cory Williams, Mark-Eric Uldry, Matthias Wenk

David Dolan, Craig Soules, Garth Goodson, Shelby Davis

Department of Electrical and Computer Engineering

Institute for Complex Engineered Systems

Carnegie Mellon University


PASIS Objective

Create information storage systems that are

• Perpetually Available
– Information should always be available even when some system components are down or unavailable

• Perpetually Secure
– Information integrity and confidentiality should always be enforced even when some system components are compromised

• Graceful in degradation
– Information access functionality and performance should degrade gracefully as system components fail

Assumptions – Some components will fail, some components will be compromised, some components will be inconsistent, BUT surviving components allow the information storage system to survive.


PASIS Overview

• Surviving “server-side” intrusions
– decentralization + threshold schemes provides for availability and security of storage

• Surviving “client-side” intrusions
– server-side data versioning and request auditing enables intrusion diagnosis and recovery

• Tradeoff management
– balances availability, security, and performance
– maximize performance given other two

• Survivable storage systems that are usable.


Jay’s Questions

• What threats/attacks is PASIS addressing?
– compromises of storage nodes
– stored data manipulation via malicious “users”

• What assumptions are we making?
– only a subset of nodes will be compromised
– malicious user activity can be detected soon-ish

• What policies can PASIS enforce?
– Availability should survive up to X “failed” nodes
– Confidentiality and integrity should survive up to Y collaborating compromised nodes
– Data and audit log changes should be kept for Z weeks


Step #1: Decentralized storage systems

[Diagram: several Client Systems (Apps, PASIS Agent, IPC) connected over the Network to several Storage Nodes (Storage, Repair Agent)]

Step #2: Threshold Schemes

• Decimate Information
– Divide the information into small chunks

• Replicate Information

• Disperse information
– Distribute the data to n agents so that m of them can reconstruct the data but p cannot (p < m ≤ n)

[Diagram: three lines a1x+b1, a2x+b2, a3x+b3; Agent 1 holds (a1, b1), Agent 2 holds (a2, b2), Agent 3 holds (a3, b3)]

PASIS Agent Architecture

[Diagram: Client Applications ↔ Local PASIS Agent ↔ PASIS Storage Nodes. The agent contains Tradeoff Management, Agent Communication and Dispersal & Decimation, and takes System Characteristics and User Preferences as inputs]

Features of PASIS Architecture

• Security
– confidentiality: no single storage node can expose data
– integrity: no single storage node can modify data

• Availability
– any M-of-N storage nodes can collectively provide data

• Flexibility
– range of options in space of trade-offs among availability, security, and performance

PASIS Demonstration

• A Notepad-like editor that guarantees availability and security of information
– PASIS agent libraries simply linked into editor

• Files are decimated and dispersed across the four machines
– 2-of-4 scheme with cheater detection, by default
– No central authority or point-of-failure

• Implementation runs on NT, using Microsoft’s Network Neighborhood to store the shares

[Demonstration screenshots, in order:]

• PASIS-enhanced Editor
• “About” screen for PASIS Editor
• PASIS-enhanced Editor
• Each share looks like garbage
• … but collectively contain info
• Tampering with shares detected
• … and info still reconstructed
• Reads fail if too few survive
• … but succeed when revived
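The behaviour the threshold-scheme slide and the demo screenshots describe (decimate into chunks, disperse to n agents, any m reconstruct, each share alone looks like garbage, a tampered share is detected, a read with too few shares fails), as an added example that is not code from the PASIS project. It uses Shamir secret sharing over a prime field as the threshold scheme; the field size, chunk size, the 2-of-4 parameters and the sample text are choices made here, and the cheater check is a simple consistency vote rather than whatever the PASIS dispersal library implemented.

```python
"""Added example, not code from the PASIS project: an m-of-n threshold scheme of
the kind the slides describe, implemented as Shamir secret sharing over a prime
field, with a consistency check that flags a tampered share when more than m
shares are read.
"""
import secrets
from itertools import combinations

PRIME = (1 << 127) - 1   # Mersenne prime (assumed parameter); a chunk is < 2^124
CHUNK = 15               # bytes per decimated chunk (assumed parameter)


def _eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1*x + ... + a_{m-1}*x^(m-1) (mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def _lagrange_at_zero(points):
    """f(0) of the unique degree-(m-1) polynomial through m points (mod PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_secret(secret: int, m: int, n: int):
    """Disperse one field element to n agents as shares (x, f(x)); any m rebuild it."""
    if not 0 < m <= n or not 0 <= secret < PRIME:
        raise ValueError("need 0 < m <= n and 0 <= secret < PRIME")
    # a0 is the secret; the other m-1 coefficients are uniformly random, so any
    # m-1 shares are consistent with every possible secret: each looks like garbage.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct_secret(shares, m):
    """Return (secret, suspect_agent_xs) from >= m shares of one element.

    Every m-subset of untampered shares interpolates to the same value. With more
    than m shares we take the value most subsets agree on; a share that belongs
    to none of the agreeing subsets has been altered. This needs at least m + 1
    honest shares, which is why a 2-of-4 read can detect a cheater but a 2-of-2
    read cannot.
    """
    if len(shares) < m:
        raise ValueError(f"too few shares survive: need {m}, have {len(shares)}")
    votes = {}
    for subset in combinations(shares, m):
        votes.setdefault(_lagrange_at_zero(subset), []).append(subset)
    value, agreeing = max(votes.items(), key=lambda kv: len(kv[1]))
    honest = {x for subset in agreeing for x, _ in subset}
    suspects = sorted(x for x, _ in shares if x not in honest)
    return value, suspects


def disperse(data: bytes, m: int, n: int):
    """Decimate `data` into CHUNK-byte pieces and secret-share each; returns n share lists."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    per_agent = [[] for _ in range(n)]
    for chunk in chunks:
        # length prefix so a short or zero-padded final chunk survives the int round trip
        element = int.from_bytes(bytes([len(chunk)]) + chunk, "big")
        for agent, share in enumerate(split_secret(element, m, n)):
            per_agent[agent].append(share)
    return per_agent


def reassemble(agent_shares, m):
    """Rebuild the data from the share lists of any >= m agents; returns (data, suspects)."""
    if len(agent_shares) < m:
        raise ValueError(f"too few shares survive: need {m}, have {len(agent_shares)}")
    out, suspects = bytearray(), set()
    for chunk_shares in zip(*agent_shares):
        value, bad = reconstruct_secret(list(chunk_shares), m)
        suspects.update(bad)
        stripped = value.to_bytes(CHUNK + 1, "big").lstrip(b"\x00")
        chunk = stripped[1:]
        if len(chunk) != (stripped[0] if stripped else 0):
            raise ValueError("corrupt chunk: length prefix mismatch")
        out += chunk
    return bytes(out), sorted(suspects)


if __name__ == "__main__":
    text = b"PASIS: survivable storage demo text"      # constructed sample input
    shares = disperse(text, 2, 4)                      # the demo's 2-of-4 default
    print(reassemble(shares[1:3], 2))                  # any two agents suffice
    x, y = shares[2][0]
    shares[2][0] = (x, (y + 1) % PRIME)                # simulate a corrupted share
    print(reassemble(shares, 2))                       # data intact, agent 3 flagged
```

The consistency vote is only a demonstration of the idea; it costs C(k, m) interpolations for k shares and gives no guarantee once fewer than m + 1 honest shares remain, so a production system would attach verifiable share commitments instead.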

Engineering survivable systems

• Performance and manageability need to approach that of conventional systems
– … to ensure significant acceptance

• Approach: exploit threshold scheme flexibility
– achieve maximum performance given desired levels of availability and security
– requires quantification of the corresponding trade-offs

• Approach: exploit ability to use any M shares
– send requests to more than M and use quickest responses
– send requests to “closest” servers first
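The read strategy in the last bullet (more than M requests, closest servers first, quickest M replies win), as an added example that is not PASIS project code. The node table, its latencies and the one unavailable node are constructed for the demonstration, and the escalation rule (send to the next-closest node when a request fails) is an assumption of this example.

```python
"""Added example, not PASIS project code: collect any M of N shares by asking
the M + extra closest nodes first, keeping the quickest replies, and reaching
out to further nodes only when a request fails.
"""
import time
from concurrent.futures import FIRST_COMPLETED, ThreadPoolExecutor, wait

# Constructed node table: name -> (estimated round trip in seconds, share or None if down)
NODES = {
    "node-a": (0.005, "share-a"),
    "node-b": (0.010, None),        # unavailable: its request raises
    "node-c": (0.015, "share-c"),
    "node-d": (0.020, "share-d"),
    "node-e": (0.025, "share-e"),
}


def request_share(name, table):
    """Simulated network request to one storage node."""
    rtt, share = table[name]
    time.sleep(rtt)
    if share is None:
        raise ConnectionError(f"{name} unavailable")
    return name, share


def read_m_of_n(m, extra=1, table=NODES, timeout=1.0):
    """Collect at least m shares, nearest nodes first, with `extra` redundant requests.

    Returns {node: share}. Raises RuntimeError when fewer than m nodes answer,
    which is the "reads fail if too few survive" case from the demo.
    """
    queue = sorted(table, key=lambda name: table[name][0])   # closest first
    got = {}
    with ThreadPoolExecutor(max_workers=len(queue)) as pool:
        first_wave = min(m + extra, len(queue))
        pending = {pool.submit(request_share, queue.pop(0), table) for _ in range(first_wave)}
        while pending and len(got) < m:
            done, pending = wait(pending, timeout=timeout, return_when=FIRST_COMPLETED)
            if not done:
                raise TimeoutError("no storage node answered in time")
            for fut in done:
                try:
                    name, share = fut.result()
                    got[name] = share
                except ConnectionError:
                    # the redundant request usually covers this; also try the next-closest node
                    if queue:
                        pending.add(pool.submit(request_share, queue.pop(0), table))
        # replies still in flight are ignored: the quickest m are enough
    if len(got) < m:
        raise RuntimeError(f"only {len(got)} of the required {m} shares survived")
    return got


if __name__ == "__main__":
    print(read_m_of_n(2, extra=1))   # node-b fails, node-a and node-c answer
```

Sending to M + extra nodes trades a little network load for latency that is bounded by the M-th quickest healthy node rather than the slowest one; the `extra` value is the knob the trade-off management layer would set from measured system characteristics.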

Total Storage Space Used for Shares (N=10, M=5)

[Chart: x-axis File Size (KB), 1 to 20; y-axis Total Storage Space (KB), 0 to 250; series SS, IDA, SSS]

Space used as function of filesize

Total Storage Space for a File of 8 KB (N=10)

[Chart: x-axis 'M', 1 to 10; y-axis Total Storage Space (KB), 0 to 90; series SS, IDA, SSS]

Space used versus security
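A worked version of the space comparison in the chart above, added here and not taken from the slides. It assumes that SS, IDA and SSS denote short secret sharing, information dispersal and Shamir secret sharing (the page does not expand the abbreviations), with file size $S = 8$ KB, $N = 10$ nodes and threshold $M$:

$$\text{SSS:}\quad N \cdot S = 10 \cdot 8 = 80 \text{ KB for every } M$$

$$\text{IDA:}\quad \frac{N}{M} \cdot S = \frac{80}{M} \text{ KB, from 80 KB at } M = 1 \text{ to 8 KB at } M = 10$$

$$\text{SS:}\quad \frac{N}{M} \cdot S + N \cdot |K| \approx \frac{80}{M} \text{ KB plus one key share per node}$$

Each SSS share must be as large as the data it hides, so its cost is flat in $M$; IDA shrinks every share to $S/M$ but a single share leaks part of the plaintext; SS encrypts the file under a key $K$, disperses the ciphertext with IDA and secret-shares only the short key, so it keeps IDA's space cost while restoring per-share confidentiality. That is why raising $M$ lowers space for IDA and SS but not for SSS.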

Encoding Time for a File of 8000 bytes (N=10)

[Chart: x-axis 'M', 1 to 10; y-axis Seconds, 0 to 3; series SS, IDA, SSS]

Encode time versus security

Decoding Time for a File of 8000 bytes (N=10)

[Chart: x-axis 'M', 1 to 10; y-axis Seconds, 0 to 1.2; series SS, IDA, SSS]

Decode time versus security

Encoding Time (N=10, M=5)

[Chart: x-axis File Size (KB), 1 to 20; y-axis Seconds, 0 to 3; series SS, IDA, SSS, DES]

Encode time versus filesize

Quality of Storage (Service) Tradeoff Management

• Allow users to specify what they want rather than how to do it
– System should automatically translate this into settings of PASIS Agent parameters

• When can’t deliver all user desires
– Give feedback on the implications of user choices based on system characteristics.
– Allow user to express the tradeoffs between availability, performance, and security.

Self-Securing Storage Nodes

• Goal: protect data from authorized but malicious users
– both client-side intruders and insider attacks

• How: assume all clients are compromised
– keep all versions of all data
– audit all requests

• Benefits
– fast and complete recovery by preventing data destruction and undetectable modifications
– enhanced detection and diagnosis of intrusions by providing tamper-proof audit logs
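The self-securing node in miniature, as an added example that is not PASIS project code: every write or delete appends a version instead of replacing anything, every request goes into a hash-chained audit log, and recovery means re-publishing the last version written before the intrusion. The class, method names, the deterministic clock and the sample scenario (clients alice, mallory, bob and file report.txt) are constructed for this example.

```python
"""Added example, not PASIS project code: a storage node that trusts no client,
keeps every version of every object and audits every request.
"""
import hashlib
import json
import time


def ticking_clock(start=1):
    """Deterministic clock for demonstrations and tests: 1, 2, 3, ... per call."""
    state = {"t": start - 1}

    def tick():
        state["t"] += 1
        return state["t"]
    return tick


class SelfSecuringNode:
    def __init__(self, clock=time.time):
        self._versions = {}     # name -> [{"version", "ts", "client", "data"}]; data None = tombstone
        self._audit = []        # hash-chained request log, append-only
        self._clock = clock

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, client, op, name, **extra):
        """Append one audit entry linked to the previous one; returns its timestamp."""
        ts = self._clock()
        entry = {"ts": ts, "client": client, "op": op, "name": name, **extra}
        entry["prev"] = self._audit[-1]["digest"] if self._audit else "0" * 64
        entry["digest"] = self._digest(entry)
        self._audit.append(entry)
        return ts

    def _append_version(self, name, ts, client, data):
        history = self._versions.setdefault(name, [])
        history.append({"version": len(history) + 1, "ts": ts, "client": client, "data": data})
        return history[-1]["version"]

    def write(self, client, name, data: bytes):
        ts = self._record(client, "write", name, sha256=hashlib.sha256(data).hexdigest())
        return self._append_version(name, ts, client, data)

    def delete(self, client, name):
        # a delete is just another version: nothing is ever destroyed
        ts = self._record(client, "delete", name)
        return self._append_version(name, ts, client, None)

    def read(self, client, name, version=None):
        self._record(client, "read", name, version=version)
        history = self._versions.get(name)
        if not history:
            raise KeyError(name)
        entry = history[-1] if version is None else history[version - 1]
        return entry["data"]

    def recover(self, name, before_ts, client="recovery"):
        """Re-publish the last version written before the intrusion time as a new version."""
        good = [v for v in self._versions.get(name, []) if v["ts"] < before_ts]
        if not good:
            raise KeyError(f"no version of {name} older than {before_ts}")
        ts = self._record(client, "recover", name, restored_version=good[-1]["version"])
        return self._append_version(name, ts, client, good[-1]["data"])

    def requests_by(self, client):
        """Audit trail for one client: what it touched and when (intrusion diagnosis)."""
        return [(e["ts"], e["op"], e["name"]) for e in self._audit if e["client"] == client]

    def version_count(self, name):
        return len(self._versions.get(name, []))

    def verify_log(self):
        """True if every entry's digest and back-link are intact."""
        prev = "0" * 64
        for e in self._audit:
            if e["prev"] != prev or self._digest(e) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def demo():
    """Constructed scenario: a malicious client overwrites and deletes, then recovery."""
    node = SelfSecuringNode(clock=ticking_clock())
    node.write("alice", "report.txt", b"quarterly numbers v1")      # ts 1
    node.write("mallory", "report.txt", b"garbage")                 # ts 2: intrusion starts
    node.delete("mallory", "report.txt")                            # ts 3
    after_attack = node.read("bob", "report.txt")                   # ts 4: tombstone
    node.recover("report.txt", before_ts=2)                         # ts 5: roll back
    restored = node.read("bob", "report.txt")                       # ts 6
    return {"after_attack": after_attack, "restored": restored,
            "mallory": node.requests_by("mallory"),
            "log_ok": node.verify_log(), "versions": node.version_count("report.txt")}


if __name__ == "__main__":
    print(demo())
```

The hash chain makes edits to the log detectable, not impossible; what makes the log tamper-proof in the slides' sense is that the node offers no interface for rewriting history at all, so a compromised client can only add entries, never remove them. Retention (the "Z weeks" policy from Jay's questions) would be a pruning rule on `_versions` that this example leaves out.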

Where we’re at

• PASIS Architecture complete

• Basic agent implementation in place
– flexible dispersal library with several algorithms
– flexible communication library

• Basic multi-versioning storage node in place
– all data versioned
– all requests audited

• Trade-off quantification in progress
– initial measurements and calculations performed

Technology Transfer

• Transfer path via CMU Consortia (e.g., PDL)
– 15-20 storage and networking companies
• EMC, HP, IBM, Intel, 3Com, Veritas, Sun, Seagate, Quantum, Infineon, CLARiiON, Novell, LSI Logic, Hitachi, MTI, PANASAS, Procom
– 20+ embedded system & infrastructure companies
• Raytheon, Boeing, United Technologies, Hughes, Bosch, AT&T, Adtranz, Emerson Electric, Ford, HP, Intel, Motorola, NIIIP Consortium

PASIS: Summary

• Decentralization + threshold schemes provides for availability and security of storage

• Tradeoff management balances availability, security, and performance
– maximize performance given other two

• Data versioning to survive malicious users enables intrusion diagnosis and recovery

• Survivable storage systems that are usable.