390 likes | 512 Views
Selective Versioning in a Secure Disk System. Swaminathan Sundararaman University of Wisconsin-Madison Gopalan Sivathanu Google Inc. Erez Zadok Stony Brook University. Securing Disk Data. Data protection is performed by Applications File systems
E N D
Selective Versioning in a Secure Disk System Swaminathan Sundararaman University of Wisconsin-Madison Gopalan Sivathanu Google Inc. Erez Zadok Stony Brook University
Securing Disk Data • Data protection is performed by • Applications • File systems • Existing data protection systems operate at the OS level • OS compromises • Root kit attacks, buffer overflow attacks, viruses, malware, … • Entire disk data vulnerable • Protecting data in the event of OS comprises • Difficult with existing solutions Selective Versioning in a Secure Disk System
Aspects of Data Security • Confidentiality • Preventing unauthorized reads • Integrity • Detecting unauthorized writes • Recoverability • Protecting against data destruction Selective Versioning in a Secure Disk System
Treat Model User Applications File Systems Security Compromised Mech. OS Data Entire disk data vulnerable Existing Systems Selective Versioning in a Secure Disk System
Selective Versioning in a Secure Disk System (SVSDS) • Makes stored data recoverable in the event of an OS compromise • Transparently versions data inside the disk • Applications cannot bypass versioning • Enforces operation-level constraints • Protects important file from being modified • Selectively versions user-chosen files • Reduces the space overhead Selective Versioning in a Secure Disk System
Our Solution User Applications File Systems Compromised OS Data Regular data Versioned Data Selective Versioning in a Secure Disk System
Versioning Inside the Disk • Why disk-level versioning is difficult ? • No information about higher level semantics • Narrow block-based interface • Versions all blocks • Higher space overheads • Fewer versions • Reverts all blocks • Should make use of higher level abstraction • Version at a more usable granularity • Leverage Type-Safe Disks (TSD) [OSDI’06] Selective Versioning in a Secure Disk System
Background on TSD • Pointers: primary mechanism of organizing stored data • Pointers define • Semantic dependencies between blocks • Logical groupings of blocks • Importance of blocks • File systems and databases use pointers extensively • b+trees, hashes, lists, indexes • TSDs track block relationship through pointers Selective Versioning in a Secure Disk System
FFS Like File System SB SB Super Block Inode Block IB IB Logical Grouping Semantic Dependency Importance of blocks Directory Block DirB DirB DirB DirB DB Data Block IB IB IB IB IB Unreachable Blocks DB DB DB DB DB DirB DB Selective Versioning in a Secure Disk System
Overview Overview • Motivation • Design • Related Work • Evaluation • Conclusion * Block Allocation * Pointer Management * Securing Disk Data * Selective Versioning * Operation-level Constraints * Data Recovery Selective Versioning in a Secure Disk System
Securing Disk Data • Need to restrict access to versioned data • Virtualizes the disk address space • Prevents users from directly manipulating data stored inside the disk. • Two address space • logical and physical • Applications access data only through the logical address space Selective Versioning in a Secure Disk System
Disk Virtualization Mapping in internally maintained by SVSDS Logical Block # Physical Block # Mapping Table Applications Logical Blocks 1 2 3 3 4 5 1 2 2 4 3 3 1 1 Physical Blocks 1 1 2 3 4 5 • 9write_block(3) • lookup entry in mapping table • redirect write request to physical block 1 Selective Versioning in a Secure Disk System
Selective Versioning • Versioning all blocks consumes more storage space • Shorter version histories • Blocks have varying levels of importance • Meta-data blocks (like inodes) define the reachability of their data blocks • Only some data blocks are important (/tmp files, program installers are not) • Importance changes with the number of outgoing pointers • By default SVSDS versions all meta-data blocks Selective Versioning in a Secure Disk System
Identifying Meta-data Super Block Pointers help identify meta-data SB SB Inode Block Outgoing pointer implies its a Meta-data block IB IB Directory Block DB Data Block DirB DirB DirB DirB IB IB IB IB IB DB DB DB DB DB DirB DB Selective Versioning in a Secure Disk System
Versioning Selected Data • Users would like to protect their files • Pointer information provides logical grouping of blocks • SVSDS does a BFS and marks the blocks for versioning Selective Versioning in a Secure Disk System
Identifying Files Super Block Pointers help identify all files of a directory SB SB Inode Block * Mark all files in this particular Dir IB IB Directory Block DB Data Block DirB DirB DirB DirB IB IB IB IB IB DB DB DB DB DB DirB DB Selective Versioning in a Secure Disk System
Versioning Policy • Versioning interval • Time interval between versions • Configurable by the administrator • Currently, one versioning interval for all blocks Selective Versioning in a Secure Disk System
Versioning Blocks Mapping Table Applications Logical Block # Logical Block # Physical Block # Physical Block # Logical Blocks 1 3 2 1 2 3 4 5 2 4 3 1 Physical Blocks 1 2 3 4 5 Version Table • 9write_block(1) • lookup entry in mapping table • version old mapping • allocate physical block 3 • updates the entry in the mapping table Ver. # 1 2 1 Selective Versioning in a Secure Disk System
Operation-Level Constraints • Important to protect certain files from being modified or overwritten • Executable files, Library files, Log files, System configuration files • SVSDS allows users to specify operation-level constraints • Read-only • Append-only • Files marked for Read-only and Append-only cannot be deleted Selective Versioning in a Secure Disk System
Operation-level Constraints • Read-only constraint • Ensures that marked blocks are immutable • Protects against intruders, viruses, Trojan horses, malware, etc. • Append-only constraint • Ensures that entries in log files are not deleted or modified • Helps in forensic analysis after an intrusion Selective Versioning in a Secure Disk System
Administrative interface • Special hardware port on the disk • Authentication based on capability • Prevents users from reverting back to previous versions • Can be used to change the versioning frequency Selective Versioning in a Secure Disk System
Issues • Currently revert at the granularity of time • Do not revert based on logical abstractions • Denial of Service attacks • Marking arbitrary files • Use administrative interface to mark files • Overwriting versioned blocks • Exponentially increase the versioning interval • Creating lots of bogus files • No perfect solution • Stop writes when disk fills up Selective Versioning in a Secure Disk System
Overview Overview • Motivation • Design • Related Work • Evaluation • Conclusion Application-level Versioning File-system-level Versioning Disk-level Versioning Selective Versioning in a Secure Disk System
Versioning File Systems • Flexible • Allow per-file policies • Are only as secure as the OS • previous versions can be deleted if the OS is compromised • Users can bypass versioning • Ext3cow, VersionFS, Elephant, etc. Selective Versioning in a Secure Disk System
Disk-Level Versioning • Operates at the granularity of blocks • Security is decoupled from the OS • Versions all blocks • Clotho, TRAP, and S4 Selective Versioning in a Secure Disk System
Disk-Level Versioning (contd.) • Self-Securing Storage System (S4) • Object-based disk • Internally audits all requests • Protects data in compromised systems • Combines log structuring with journal-based metadata versioning • Versions all requests for use in intrusion analysis. • No support for operation-based constraints Selective Versioning in a Secure Disk System
Feature Comparison Our Hybrid Solutioncombines strong security of Disk-level versioning system with the flexibility of versioning file systems. Selective Versioning in a Secure Disk System
Overview Overview • Motivation • Design • Issues • Related Work • Evaluation • Conclusion Selective Versioning in a Secure Disk System
Prototype Implementation User Application File System SVSDS Interface SVSDS Pseudo-device Driver Regular Block Interface Block Driver Disk / RAID • Pseudo-device driver in Linux kernel 2.6.15 • 7,487 lines of kernel code • 3,600 from existing TSD prototype Selective Versioning in a Secure Disk System
Evaluation • Test platform • Linux 2.6.15 • 2.8GHz Xeon (single CPU) • 1GB of RAM • 74GB, 10Krpm, Ultra-320 SCSI disk • 95% confidence intervals within 5% of the mean Selective Versioning in a Secure Disk System
Conventions Used in Figures • Ext2: Ext2 on a regular disk • Ext2TSD: Ext2TSD on a TSD • Ext2Ver(M): Ext2TSD on a SVSDS (meta-data versioning) • Ext2Ver(A): Ext2TSD on a SVSDS (all blocks are versioned) Selective Versioning in a Secure Disk System
Postmark Wait Time User Time System Time Elapsed: S.I. System: 4.3x Wait: -20% Elapsed: S.I. System: 4.3x Wait: -19.5% Elapsed: S.I. System: 1.4x Wait: -8.8% Elapsed Time (Seconds) Postmark: IO Intensive Workload Versioning Interval : 30 second Number of versions created : 27 Selective Versioning in a Secure Disk System
Space Overhead Versioning Interval : 30 seconds Number of versions created : 27 Selective Versioning in a Secure Disk System
Kernel Compile Wait Time User Time System Time Elapsed: S.I. System: +4.6% Wait: -5.6% Elapsed: 0.8% System: +10.1% Wait: -0.8% Elapsed: -0.3% System: +3.6% Wait: -24.0% Elapsed Time (Seconds) Kernel compile: Models user behavior Versioning Interval : 30 seconds Number of versions created : 78 Selective Versioning in a Secure Disk System
Space Overhead Versioning Interval : 30 seconds Number of versions created : 78 Selective Versioning in a Secure Disk System
Overview Overview • Motivation • Design • Issues • Related Work • Evaluation • Conclusion Selective Versioning in a Secure Disk System
Conclusion • Hybrid solution • Strong security and flexible versioning • Meta-data versioning • Protects important file system accessibility information • preserves namespace hierarchy • Versioning chosen data items • Enables flexible policies based on data importance • Widens window of recoverability Selective Versioning in a Secure Disk System
Conclusion (Contd.) • Lazy reallocation of blocks • Implicit data versioning • Operation-based constraints • protects log files and executables • Enables easier intrusion detection • Acceptable space and performance overheads Selective Versioning in a Secure Disk System
Questions? Selective Versioning in a Secure Disk System Swaminathan Sundararaman, Gopalan Sivathanu, Erez Zadok Stony Brook University www.fsl.cs.sunysb.edu