Institute for Complex Engineered Systems
PASIS: Perpetually Available and Secure Information Systems
http://PASIS.ices.cmu.edu/
Pradeep K. Khosla (PI) – [email protected]
Greg Ganger, Han Kiliccote
Jay Wylie, Michael Bigrigg, Xiaofeng Wang,John Strunk, Qi He, Yaron Rachlin, Mehmet Bakkloglu,
Joe Ordia, Semih Oguz, Cory Williams, Mark-Eric Uldry, Matthias Wenk
David Dolan, Craig Soules, Garth Goodson, Shelby Davis
Department of Electrical and Computer Engineering
Institute for Complex Engineered Systems
Carnegie Mellon University

PASIS Objective
Create information storage systems that are
• Perpetually Available
  – Information should always be available even when some system components are down or unavailable
• Perpetually Secure
  – Information integrity and confidentiality should always be enforced even when some system components are compromised
• Graceful in degradation
  – Information access functionality and performance should degrade gracefully as system components fail
Assumptions – Some components will fail, some components will be compromised, some components will be inconsistent, BUT… surviving components allow the information storage system to survive

PASIS Overview
Surviving “server-side” intrusions
  decentralization + threshold schemes provide for availability and security of storage
Surviving “client-side” intrusions
  server-side data versioning and request auditing enable intrusion diagnosis and recovery
Tradeoff management
  balances availability, security, and performance: maximize performance given the other two
Survivable storage systems that are usable.

Jay’s Questions
What threats/attacks is PASIS addressing?
  – compromises of storage nodes
  – stored data manipulation via malicious “users”
What assumptions are we making?
  – only a subset of nodes will be compromised
  – malicious user activity can be detected soon-ish
What policies can PASIS enforce?
  – Availability should survive up to X “failed” nodes
  – Confidentiality and integrity should survive up to Y collaborating compromised nodes
  – Data and audit log changes should be kept for Z weeks

Step #1: Decentralized storage systems
[Figure: architecture diagram. Several Client Systems, each running Apps and a local PASIS Agent connected by IPC, talk over the Network to several Storage Nodes; each Storage Node holds Storage and a Repair Agent.]

Step #2: Threshold Schemes
Decimate Information – divide the information into small chunks
Replicate Information
Disperse Information – distribute the data to n agents so that m of them can reconstruct the data but p cannot: p < m ≤ n
[Figure: three lines a1x+b1, a2x+b2, a3x+b3. Agent 1 holds (a1, b1), Agent 2 holds (a2, b2), Agent 3 holds (a3, b3).]
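The m-of-n dispersal on this slide, as an added Python example (illustrative code written for this transcript, not PASIS's own dispersal library). It uses Shamir-style polynomial sharing over a prime field, so for m=2 each agent's share is a point on a line a·x+b as in the figure; the choice of prime, the 64-byte limit, the node numbering and the cheater-detection routine (which anticipates the "2-of-4 scheme with cheater detection" of the demonstration slide) are this example's own assumptions.

```python
"""m-of-n threshold sharing: n agents hold shares, any m reconstruct, any p < m learn nothing."""
import secrets
from collections import Counter
from itertools import combinations

PRIME = 2**521 - 1        # Mersenne prime (assumption of this example); secrets up to 64 bytes fit below it
MAX_SECRET_BYTES = 64


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k]*x^k mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def disperse(secret: bytes, m: int, n: int):
    """Distribute `secret` to agents 1..n as shares (x, y); any m shares reconstruct it."""
    if not 1 < m <= n:
        raise ValueError("need 1 < m <= n")
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError("secret too long for this toy field")
    # Constant term is the secret; the other m-1 coefficients are uniformly random,
    # which is exactly why any m-1 shares are consistent with every possible secret.
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def _interpolate_at_zero(points):
    """Lagrange interpolation: value at x=0 of the unique degree < len(points) polynomial through them."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def reconstruct(shares, m: int, length: int) -> bytes:
    """Reconstruct the secret from any m shares (extra shares beyond m are ignored)."""
    if len(shares) < m:
        raise ValueError(f"{len(shares)} shares cannot reconstruct an {m}-of-n secret")
    return _interpolate_at_zero(list(shares)[:m]).to_bytes(length, "big")


def reconstruct_with_cheater_detection(shares, m: int, length: int):
    """Reconstruct from more than m shares and flag shares that disagree with the rest.

    Every m-subset is interpolated: subsets of honest shares all agree, while any
    subset containing a corrupted share yields an essentially random value.
    Returns (secret, [x-coordinates of shares judged corrupt]).
    """
    if len(shares) <= m:
        raise ValueError("cheater detection needs more than m shares")
    votes, witness = Counter(), {}
    for subset in combinations(shares, m):
        value = _interpolate_at_zero(subset)
        votes[value] += 1
        witness.setdefault(value, subset)
    value, count = votes.most_common(1)[0]
    if count < 2:
        raise ValueError("no two share subsets agree; too many corrupted shares")
    trusted = list(witness[value])
    cheaters = []
    for share in shares:
        if share in trusted:
            continue
        # Swap the candidate into a trusted subset: an honest share leaves the
        # reconstructed value unchanged, a corrupted one changes it.
        if _interpolate_at_zero(trusted[:-1] + [share]) != value:
            cheaters.append(share[0])
    return value.to_bytes(length, "big"), cheaters


if __name__ == "__main__":
    data = b"PASIS 2-of-4 demo"                       # constructed sample input
    shares = disperse(data, 2, 4)
    print(reconstruct(shares[1:3], 2, len(data)))     # any two agents suffice
    shares[2] = (shares[2][0], (shares[2][1] + 1) % PRIME)   # simulate one corrupted node
    print(reconstruct_with_cheater_detection(shares, 2, len(data)))
```

Two properties worth noting: with fewer than m shares the random coefficients make every candidate secret equally consistent with what the holder sees, which is the "p cannot" half of the slide; and because a Shamir-style share is as large as the data itself, the per-node storage cost is n times the file size, which is the kind of trade-off the storage-space figures later in the deck are measuring across schemes. The cheater check names the node whose share disagrees, which is the information a repair agent needs.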

PASIS Agent Architecture
[Figure: block diagram. Client Applications talk to the Local PASIS Agent, which contains Tradeoff Management (driven by System Characteristics and User Preferences), Dispersal & Decimation, and Agent Communication; Agent Communication talks to the PASIS Storage Nodes.]

Features of PASIS Architecture
• Security
  – confidentiality: no single storage node can expose data
  – integrity: no single storage node can modify data
• Availability
  – any M-of-N storage nodes can collectively provide data
• Flexibility
  – range of options in space of trade-offs among availability, security, and performance

PASIS Demonstration
A Notepad-like editor that guarantees availability and security of information
  PASIS agent libraries simply linked into editor
Files are decimated and dispersed across the four machines
  2-of-4 scheme with cheater detection, by default
  No central authority or point of failure
Implementation runs on NT, using Microsoft’s Network Neighborhood to store the shares

Engineering survivable systems
• Performance and manageability need to approach that of conventional systems
  – … to ensure significant acceptance
• Approach: exploit threshold scheme flexibility
  – achieve maximum performance given desired levels of availability and security
  – requires quantification of the corresponding trade-offs
• Approach: exploit ability to use any M shares
  – send requests to more than M and use quickest responses
  – send requests to “closest” servers first
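The "use any M shares" approach above, as an added Python example (illustrative code written for this transcript, not the PASIS agent's communication library). Requests go to the M+extra nodes with the lowest estimated latency, the first M answers are used and the remaining requests are cancelled, and a node that fails mid-request only costs one of the spare requests. The node names, latencies and the failing node are constructed for the demo; a real agent would measure round-trip times and fetch shares over the network rather than sleeping.

```python
"""Read from the quickest M of more-than-M storage nodes, closest nodes first."""
import asyncio


class NodeDown(Exception):
    """Raised by the simulated node when it is unavailable."""


async def fetch_share(node: str, latency: float, down: bool) -> str:
    """Simulated share request: wait the node's latency, then answer or fail."""
    await asyncio.sleep(latency)
    if down:
        raise NodeDown(node)
    return node


async def read_quickest_m(nodes, m: int, extra: int):
    """Send requests to the m+extra 'closest' nodes and return the first m answers.

    `nodes` maps node name -> (estimated latency in seconds, is_down); the
    estimate stands in for whatever RTT measurement a real agent keeps.
    """
    closest = sorted(nodes.items(), key=lambda kv: kv[1][0])[: m + extra]
    tasks = [asyncio.create_task(fetch_share(name, lat, down)) for name, (lat, down) in closest]
    answered = []
    try:
        for fut in asyncio.as_completed(tasks):
            try:
                answered.append(await fut)
            except NodeDown:
                continue            # a failed node uses up one of the spare requests
            if len(answered) == m:
                break               # enough shares: stop waiting for slower nodes
    finally:
        for t in tasks:
            t.cancel()              # outstanding requests are no longer needed
        await asyncio.gather(*tasks, return_exceptions=True)
    if len(answered) < m:
        raise RuntimeError(f"only {len(answered)} of {m} shares arrived")
    return answered


def read_quickest_m_sync(nodes, m: int, extra: int):
    """Convenience wrapper so the read can be driven from ordinary code."""
    return asyncio.run(read_quickest_m(nodes, m, extra))


if __name__ == "__main__":
    # Constructed node table: (estimated latency in seconds, is_down).
    NODES = {"n1": (0.01, False), "n2": (0.02, False), "n3": (0.30, False), "n4": (0.40, False)}
    print(read_quickest_m_sync(NODES, m=2, extra=1))   # the two fastest nodes answer first
```

The `extra` parameter is the knob the slide describes: zero extra requests means one slow or failed node stalls the read, while each additional request trades bandwidth for latency and fault tolerance, which is why the deck ties this to quantified trade-offs rather than a fixed setting.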

[Figure: Total Storage Space Used for Shares (N=10, M=5). x-axis: File Size (KB), 1 to 20; y-axis: Total Storage Space (KB), 0 to 250; series: SS, IDA, SSS.]
Space used as function of filesize

[Figure: Total Storage Space for a File of 8 KB (N=10). x-axis: M, 1 to 10; y-axis: Total Storage Space (KB), 0 to 90; series: SS, IDA, SSS.]
Space used versus security

[Figure: Encoding Time for a File of 8000 bytes (N=10). x-axis: M, 1 to 10; y-axis: Seconds, 0 to 3; series: SS, IDA, SSS.]
Encode time versus security

[Figure: Decoding Time for a File of 8000 bytes (N=10). x-axis: M, 1 to 10; y-axis: Seconds, 0 to 1.2; series: SS, IDA, SSS.]
Decode time versus security

[Figure: Encoding Time (N=10, M=5). x-axis: File Size (KB), 1 to 20; y-axis: Seconds, 0 to 3; series: SS, IDA, SSS, DES.]
Encode time versus filesize

Quality of Storage (Service) Tradeoff Management
• Allow users to specify what they want rather than how to do it
  – System should automatically translate this into settings of PASIS Agent parameters
• When the system can’t deliver all user desires
  – Give feedback on the implications of user choices based on system characteristics
  – Allow user to express the tradeoffs between availability, performance, and security

Self-Securing Storage Nodes
Goal: protect data from authorized but malicious users
  both client-side intruders and insider attacks
How: assume all clients are compromised
  keep all versions of all data
  audit all requests
Benefits
  fast and complete recovery by preventing data destruction and undetectable modifications
  enhanced detection and diagnosis of intrusions by providing tamper-proof audit logs
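The self-securing storage node described above, as an added Python example (illustrative code written for this transcript, not the PASIS storage node). Every write or delete appends a new version rather than overwriting, every request is audited, and recovery reinstates a pre-intrusion version. The slide says only that the audit logs are tamper-proof and not how; the hash chaining used here is this example's own assumption, as are the client names and file contents in the demo.

```python
"""A storage node that keeps every version of every object and audits every request."""
import hashlib
from dataclasses import dataclass, field

GENESIS = "0" * 64   # previous-hash value for the first audit entry


@dataclass
class AuditEntry:
    seq: int
    client: str
    op: str
    name: str
    version: int        # version written, deleted or requested
    prev_hash: str
    entry_hash: str


def _entry_hash(seq, client, op, name, version, prev_hash) -> str:
    return hashlib.sha256(f"{seq}|{client}|{op}|{name}|{version}|{prev_hash}".encode()).hexdigest()


@dataclass
class SelfSecuringNode:
    _versions: dict = field(default_factory=dict)   # name -> [(version, data or None tombstone)]
    _log: list = field(default_factory=list)        # append-only, hash-chained audit log

    def _audit(self, client, op, name, version):
        prev = self._log[-1].entry_hash if self._log else GENESIS
        seq = len(self._log)
        self._log.append(AuditEntry(seq, client, op, name, version, prev,
                                    _entry_hash(seq, client, op, name, version, prev)))

    def _append_version(self, name, data):
        history = self._versions.setdefault(name, [])
        version = len(history) + 1
        history.append((version, data))   # never overwrite: old versions stay readable
        return version

    def write(self, client, name, data: bytes) -> int:
        version = self._append_version(name, bytes(data))
        self._audit(client, "write", name, version)
        return version

    def delete(self, client, name) -> int:
        """A delete is just another version (a tombstone), so it cannot destroy data."""
        version = self._append_version(name, None)
        self._audit(client, "delete", name, version)
        return version

    def read(self, client, name, version=None) -> bytes:
        history = self._versions.get(name, [])
        if version is None:
            version = len(history)        # newest version by default
        self._audit(client, "read", name, version)
        if not 1 <= version <= len(history) or history[version - 1][1] is None:
            raise KeyError(f"{name} has no live version {version}")
        return history[version - 1][1]

    def recover(self, client, name, version) -> int:
        """Reinstate a pre-intrusion version as the newest one; the full history is kept."""
        data = self._versions[name][version - 1][1]
        return self.write(client, name, data) if data is not None else self.delete(client, name)

    def history(self, name):
        return [v for v, _ in self._versions.get(name, [])]

    def audit_trail(self, client=None):
        """Entries for one client, or the whole log; the basis for intrusion diagnosis."""
        return [e for e in self._log if client is None or e.client == client]

    def verify_log(self) -> bool:
        """Recompute the hash chain; any edited, reordered or removed entry breaks it."""
        prev = GENESIS
        for expected_seq, e in enumerate(self._log):
            if e.seq != expected_seq or e.prev_hash != prev:
                return False
            if _entry_hash(e.seq, e.client, e.op, e.name, e.version, e.prev_hash) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


if __name__ == "__main__":
    node = SelfSecuringNode()                               # constructed demo scenario
    node.write("alice", "notes.txt", b"first draft")
    node.write("mallory", "notes.txt", b"defaced")          # a compromised client overwrites
    node.delete("mallory", "notes.txt")                     # ... and "deletes" the file
    node.recover("repair-agent", "notes.txt", 1)            # roll back to the pre-intrusion version
    print(node.read("alice", "notes.txt"), node.history("notes.txt"), node.verify_log())
```

The chain only makes tampering evident within the node's own log; an attacker who controls the node could rewrite the whole chain, so in practice the latest entry hash must be anchored somewhere the node cannot reach (another node, a client, or write-once media). The slide's "assume all clients are compromised" is what justifies keeping tombstones instead of real deletes: a malicious client can add versions but never remove evidence.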

Where we’re at
• PASIS Architecture complete
• Basic agent implementation in place
  – flexible dispersal library with several algorithms
  – flexible communication library
• Basic multi-versioning storage node in place
  – all data versioned
  – all requests audited
• Trade-off quantification in progress
  – initial measurements and calculations performed

Technology Transfer
• Transfer path via CMU Consortia (e.g., PDL)
  – 15-20 storage and networking companies
    • EMC, HP, IBM, Intel, 3Com, Veritas, Sun, Seagate, Quantum, Infineon, CLARiiON, Novell, LSI Logic, Hitachi, MTI, PANASAS, Procom
  – 20+ embedded system & infrastructure companies
    • Raytheon, Boeing, United Technologies, Hughes, Bosch, AT&T, Adtranz, Emerson Electric, Ford, HP, Intel, Motorola, NIIIP Consortium

PASIS: Summary
Decentralization + threshold schemes provide for availability and security of storage
Tradeoff management balances availability, security, and performance: maximize performance given the other two
Data versioning to survive malicious users enables intrusion diagnosis and recovery
Survivable storage systems that are usable.