Guardat ensures protection against unauthorized access, state corruption, trojans, and unaccounted provider access by implementing file attestation and trusted controllers. Learn about its design principles and enforcement mechanisms.
Guardat: Enforcing data policies at the storage layer
Anjo Vahldiek-Oberwagner (1), Eslam Elnikety (1), Aastha Mehta (1), Deepak Garg (1), Peter Druschel (1), Rodrigo Rodrigues (2), Johannes Gehrke (3,4), Ansley Post (5)
(1) MPI-SWS, (2) NOVA LINCS/Nova University of Lisbon, (3) Microsoft, (4) Cornell, (5) Google
Threat 1: Unauthorized access. Unauthorized access due to configuration errors, bugs, attacks. (Diagram: clients talking to a web server host running the web server app on top of the operating system and file system; web server state shown as httpd.conf, .htaccess, users, groups and content.)
Threat 2: State corruption. State corruption due to configuration errors, bugs, attacks. (Diagram: same web server host; the corrupted state is httpd.conf, .htaccess, users, groups and content.)
Threat 3: Trojans and log manipulation. Trojans and log manipulation due to attacks. (Diagram: same web server host; the affected state is the logs and executables.)
Threat 4: Unaccounted provider access. Providers bypass application access control protections. (Diagram: a provider employee reaching the content directly through the operating system and file system, bypassing the web server app.)
Why is mitigation difficult?
• Confidentiality and integrity depend on a large, fast-evolving code base.
• Access control lists and access checks are spread across the system.
• Recovering corrupt persistent state is difficult.
Guardat: Storage layer compliance. Stakeholders: user, provider, developer, privacy officer. Mechanisms: per-file policy and file attestation. (Diagram: application, OS and file system are UNTRUSTED; the Guardat storage layer contains the trusted controller.)
Outline: Design Principles; Declarative Policies; Enforcement; File Attestation; Guardat Transaction; Implementation & Evaluation.
Policy language in a nutshell
permission :- Boolean expression over predicates
• read :- when a file may be read
• update :- when the file may be updated
• setPolicy :- when the policy may be changed
• destroy :- when the name may be reused
Protecting files from unauthorized access
Threat: Unauthorized access due to configuration error, bug or attack.
Private files:
  read :- sessionIs(Alice)
  update :- …
  setPolicy :- sessionIs(Alice)
  destroy :- sessionIs(Alice)
Assumption: Integrity of Alice's key is maintained.
Guarantee: Protected files may only be read within an authenticated session.

Protecting files from corruption
Threat: State corruption due to configuration error, bug or attack.
Private files:
  read :- …
  update :- sessionIs(Alice)
  setPolicy :- …
  destroy :- …
Assumption: Integrity of Alice's key is maintained.
Guarantee: Protected files may only be updated within an authenticated session.

Protecting executables
Threat: Attack installing a trojan.
Signed-updates-only executables:
  read :- TRUE
  update :- fileNameIs(F) ∧ fileNewLenIs(L) ∧ (0, L) willHaveHash Nh ∧ keyIs(K, "Vendor") ∧ K signs okHash(F, N, Nh)
  setPolicy :- FALSE
Assumption: Integrity of the vendor's key is maintained.
Guarantee: Protected files cannot be overwritten except with content signed by the vendor.

Protecting log files from manipulation
Threat: Attack manipulating logs.
Append-only log files:
  read :- TRUE
  update :- [ fileCurrLenIs(Lc) ∧ fileNewLenIs(Ln) ∧ Ln ≥ Lc ∧ txUpdatedExAre(M) ∧ listsAreDisjoint(M, [0, Lc]) ] ∨ [ sessionIs(Admin) ]
  setPolicy :- FALSE
  destroy :- FALSE
Assumption: Administrator key integrity.
Guarantee: Protected files cannot be overwritten, only appended.
Protecting content from unaccounted provider access
Threat: Provider accesses are not accounted for.
Private files accounting for provider access:
  read :- (("profil", SEQCNTLOC, _) says seqcnt(currseq)) ∧ (("acclog", _, _) says read(currseq, _, offset, length)) ∧ AccessOffIs(offset) ∧ AccessLenIs(length)
  update :- (("profil", SEQCNTLOC, _) says seqcnt(currseq)) ∧ (("profil", SEQCNTLOC, _) willSay seqcnt(nextseq)) ∧ EQ(currseq + 1, nextseq) ∧ (("acclog", gennb, _, _) says write(nextseq, _, newhash, offsetlist)) ∧ ((offsetlist) willHaveHash newhash) ∧ TxUpdateLocAre(offsetlist)
  setPolicy :- FALSE
  destroy :- FALSE
Log file with log entry check, append-only:
  read :- TRUE
  update :- [ FileCurrExAre(oe) ∧ FileNewExAre(ne) ∧ isPrefix(oe, ne) ∧ (("acclog", neo, _) willSay _(nseq, _, _, _)) ∧ (("acclog", neo - READENTRYLENGTH, _) says _(nseq - 1, _, _, _)) ∧ FileCurrLenIs(currlen) ∧ LT(currlen, neo) ]
    ∨ [ FileCurrExAre(oe) ∧ FileNewExAre(ne) ∧ isPrefix(oe, ne) ∧ (("acclog", neo, _) willSay _(nseq, _, _, _)) ∧ (("acclog", gennb, neo - WRITEENTRYLENGTH, _) says _(nseq - 1, _, _, _)) ∧ FileCurrLenIs(currlen) ∧ LT(currlen, neo) ]
    ∨ [ (("acclog", neo, nel) willSay write(nseq, _, _, _)) ∧ (("acclog", neo, nel) says write(nseq, _, _, _)) ∧ (("profil", gennb, SEQCNTLOC, _) says seqcnt(currseq)) ∧ LT(currseq, nseq) ∧ TxUpdateLocAre((neo, nel)) ]
  setPolicy :- FALSE
  destroy :- FALSE
Assumption: Auditor key integrity.
Guarantee: Protected files cannot be accessed without a corresponding log entry in the access log.
Storage layer enforcement. Candidate enforcement points, from highest to lowest: application library; OS abstraction / file system; VMM virtual device; storage controller in front of the disks. Moving enforcement down the stack decreases the risk of circumvention. (Diagram: host with web server app, library, operating system, file system, VMM, storage controller and disks.)
Storage layer enforcement, deployed: the host (web server app, operating system, file system, VMM) is UNTRUSTED and the network is UNTRUSTED; the disks sit behind a storage area network server in a physically protected machine room. (Diagram: untrusted host and network on one side, storage area network server and disks in the machine room on the other.)
File attestation: bridging the gap between file-level and block-level enforcement. Stakeholders: user, provider, developer, policy officer. Attests: file name, policy, state, content. Per-file policy. (Diagram: application, OS and file system are UNTRUSTED; the Guardat storage layer contains the trusted controller, with metadata on NVM and data on disk.)
Introducing Guardat transactions
• Atomic update of a file
• Bundle multiple accesses
• Delay policy evaluation to the commit operation
• Transaction caches
Guardat transaction by example. The burden of proving compliance with a complex policy is shifted to untrusted code, keeping policies concise and policy evaluation efficient. The application demonstrates policy compliance as follows:
1. Download binary + certificate
2. Begin transaction tx (+ certificate)
3. Write new binary
4. Commit transaction tx
(Diagram: OS and file system are UNTRUSTED; the Guardat device holds the trusted controller, metadata and the transaction cache.)
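The signed-updates-only and append-only policies above, evaluated at transaction commit as the transaction slides describe. This is an added illustration, not Guardat's code: the Transaction class, the HMAC tag standing in for "K signs okHash(F, N, Nh)", and the file contents are all constructed here.

```python
import hashlib
import hmac

# Constructed vendor key (assumption): an HMAC tag plays the role of the
# vendor's signature over okHash(F, N, Nh) in the executable policy.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vendor_sign_ok_hash(name: str, length: int, content_hash: str) -> str:
    """Certificate the vendor ships with a binary: binds name F, length N and hash Nh."""
    msg = f"okHash({name},{length},{content_hash})".encode()
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()


class Transaction:
    """Buffers writes against a file; the policy sees them only at commit.
    The recorded (offset, length) pairs play the role of txUpdatedExAre(M)."""

    def __init__(self, name, current, session=None, certificate=None):
        self.name, self.current = name, current
        self.session, self.certificate = session, certificate
        self.new = bytearray(current)
        self.extents = []

    def write(self, offset, data):
        end = offset + len(data)
        if end > len(self.new):                       # grow the file if the write extends it
            self.new.extend(b"\0" * (end - len(self.new)))
        self.new[offset:end] = data
        self.extents.append((offset, len(data)))
        return self


def append_only_policy(tx):
    """[Ln >= Lc and updated extents disjoint from [0, Lc)] or sessionIs(Admin)."""
    lc, ln = len(tx.current), len(tx.new)
    if tx.session == "Admin":
        return True
    disjoint = all(off >= lc for off, _ in tx.extents)   # listsAreDisjoint(M, [0, Lc])
    return ln >= lc and disjoint


def signed_update_policy(tx):
    """fileNewLenIs(L), (0, L) willHaveHash Nh, and the vendor signed okHash(F, L, Nh)."""
    expected = vendor_sign_ok_hash(tx.name, len(tx.new), sha256_hex(bytes(tx.new)))
    return tx.certificate is not None and hmac.compare_digest(tx.certificate, expected)


def commit(tx, policy):
    """Apply the buffered writes only if the policy holds; otherwise keep the old content."""
    return bytes(tx.new) if policy(tx) else tx.current
```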
Implementation. Prototype: trusted controller (~20,000 LoC) inside an iSCSI Enterprise Target (IET) server, with a data disk (HDD/SSD) and a metadata disk (SSD), reached over the network. Alternative placements: hybrid disk/RAID controller; microcontroller on a SCSI/SATA adapter; VMM; storage area network (SAN).
SSD throughput: overhead < 2%, measured with 3.8 million files and 40,000 policies. (Plot: SSD throughput, Guardat vs. baseline.)
512B access latency: HDD latency overhead < 1%; SSD latency overhead. (Plots: latency in ms, log scale, for reads and writes on HDD and SSD.)
Protected Apache web server: 2% overhead at peak throughput. Protection: append-only logs; vendor-only update of executables; owner-only update to content pages. Scenario: modified Apache (51 lines of code added); hosting the 220 GB English Wikipedia (~15M files); replay of an hourly access distribution of Wikipedia. (Plot: throughput, Guardat vs. baseline.)
Conclusions
• Guardat guarantees confidentiality and integrity of the persistent data and state of a system.
• No need to trust higher software layers.
• Guardat protects computer systems from unauthorized access, trojans and log manipulation.
• Efficient prototype implementation in a SAN server.
Guardat: Enforcing data policies at the storage layer. Rodrigo Rodrigues, Eslam Elnikety, Peter Druschel, Aastha Mehta, Anjo Vahldiek-Oberwagner. Contact: vahldiek@mpi-sws.org
Backup slides
Guardat: Related work
• TCG storage work group spec [2012]: architecture for sessions and access control policies; concrete design and evaluation left to vendors; no object attestation
• Trusted computing: semantic attestation [Haldar 2004], Excalibur [Santos 2012], Pasture [Kotla 2012]
• Integrity/confidentiality: self-encrypting disks, capability NAS [Aguilera 2003], type-safe disks [Sivathanu 2006], Venti [Quinlan 2002], S4 [Strunk 2000], NetApp SnapVault, PCFS [Garg 2010], PFS [Walsh 2012]
• Extended disk functionality: hybrid disks, object-based storage [Mesnier 2003], active disks [Riedel 2001], semantically smart disks [Sivathanu 2003], differentiated storage [Mesnier 2011]
• VMM/OS data protection: Overshadow [Chen 2008], InkTag [Hofmann 2013], Nexus [Sirer 2011], DCAC [Xu 2014]
Related work: Trusted computing. Mostly complementary; can be combined, e.g., as a remotely attested external verifier or as tamper-resistant persistent storage.
Threats to persistent data
• Storage media failure (deterioration, obsolescence)
• Natural disasters and physical attack
• Operator error and negligence
• Software/hardware bugs (this talk)
• Cyber attack and sabotage (this talk)
The problem is real: these are among the most frequent causes of loss. Human error is a (close) second to device failure; software errors and viruses are third.