290 likes | 391 Views
http://PASIS.ices.cmu.edu/ Pradeep K. Khosla (PI) – pkk@cs.cmu.edu Greg Ganger , Han Kiliccote Jay Wylie , Michael Bigrigg , Xiaofeng Wang, John Strunk, Qi He, Yaron Rachlin, Mehmet Bakkloglu, Joe Ordia, Semih Oguz, Cory Williams, Mark-Eric Uldry, Matthias Wenk
E N D
http://PASIS.ices.cmu.edu/ Pradeep K. Khosla (PI) – pkk@cs.cmu.edu Greg Ganger, Han Kiliccote Jay Wylie, Michael Bigrigg, Xiaofeng Wang,John Strunk, Qi He, Yaron Rachlin, Mehmet Bakkloglu, Joe Ordia, Semih Oguz, Cory Williams, Mark-Eric Uldry, Matthias Wenk David Dolan, Craig Soules, Garth Goodson, Shelby Davis Department of Electrical and Computer Engineering Institute for Complex Engineered Systems Carnegie Mellon University PASIS: Perpetually Available and Secure Information Systems
PASIS Objective Create information storage systems that are • Perpetually Available • Information should always be available even when some system components are down or unavailable • Perpetually Secure • Information integrity and confidentiality should always be enforced even when some system components are compromised • Graceful in degradation • Information access functionality and performance should degrade gracefully as system components fail Assumptions – Some components will fail, some components will be compromised, some components will be inconsistent, BUT………. surviving components allow the information storage system to survive
PASIS Overview • Surviving “server-side” intrusions • decentralization + threshold schemes • provides for availability and security of storage • Surviving “client-side” intrusions • server-side data versioning and request auditing • enables intrusion diagnosis and recovery • Tradeoff management balances availability, security, and performance • maximize performance given other two Survivable storage systems that are usable.
Jay’s Questions • What threats/attacks is PASIS addressing? • compromises of storage nodes • stored data manipulation via malicious “users” • What assumptions are we making? • only a subset of nodes will be compromised • malicious user activity can be detected soon-ish • What policies can PASIS enforce? • Availability should survive up to X “failed” nodes • Confidentiality and integrity should survive up to Y collaborating compromised nodes • Data and audit log changes should be kept for Z weeks
a1x+b1 • Agent 1: a1, b1 v a3x+b3 • Agent 2: a2, b2 a2x+b2 • Agent 3: a3, b3 Step #2: Threshold Schemes • Decimate Information • Divide the informationinto small chunks • Replicate Information • Disperse information • Distribute the data to n agents so that m of them can reconstruct the data but p cannot • p< m n
Client Apps PASIS Storage Nodes Local PASIS Agent PASIS Agent Architecture System Characteristics User Preferences Tradeoff Management PASIS Storage Nodes Client Applications Dispersal & Decimation Agent Communication
Features of PASIS Architecture • Security • confidentiality: no single storage node can expose data • integrity: no single storage node can modify data • Availability • any M-of-N storage nodes can collectively provide data • Flexibility • range of options in space of trade-offs among availability, security, and performance
PASIS Demonstration • A Notepad-like editor that guarantees availability and security of information • PASIS agent libraries simply linked into editor • Files are decimated and dispersed across the four machines • 2-of-4 scheme with cheater detection, by default • No central authority or point-of-failure • Implementation runs on NT, using Microsoft’s Network Neighborhood to store the shares
Engineering survivable systems • Performance and manageability need to approach that of conventional systems • … to ensure significant acceptance • Approach: exploit threshold scheme flexibility • achieve maximum performance given desired levels of availability and security • requires quantification of the corresponding trade-offs • Approach: exploit ability to use any M shares • send requests to more than M and use quickest responses • send requests to “closest” servers first
Quality of Storage (Service)Tradeoff Management • Allow users to specify what they want rather than how to do it • System should automatically translate this into settings of PASIS Agent parameters • When can’t deliver all user desires • Give feedback on the implications of user choices based on system characteristics. • Allow user to express the tradeoffs between availability, performance, and security.
Self-Securing Storage Nodes • Goal: protect data from authorized but malicious users • both client-side intruders and insider attacks • How: assume all clients are compromised • keep all versions of all data • audit all requests • Benefits • fast and complete recovery by preventing data destruction and undetectable modifications • enhanced detection and diagnosis of intrusions by providing tamper-proof audit logs
Where we’re at • PASIS Architecture complete • Basic agent implementation in place • flexible dispersal library with several algorithms • flexible communication library • Basic multi-versioning storage node in place • all data versioned • all requests audited • Trade-off quantification in progress • initial measurements and calculations performed
Technology Transfer • Transfer path via CMU Consortia (e.g., PDL) • 15-20 storage and networking companies • EMC, HP, IBM, Intel, 3Com, Veritas, Sun, Seagate, Quantum, Infineon, CLARiiON, Novell, LSI Logic, Hitachi, MTI, PANASAS, Procom • 20+ embedded system & infrastructure companies • Raytheon, Boeing, United Technologies, Hughes, Bosch, AT&T, Adtranz, Emerson Electric, Ford, HP, Intel, Motorola, NIIIP Consortium
PASIS: Summary • Decentralization + threshold schemes • provides for availability and security of storage • Tradeoff management balances availability, security, and performance • maximize performance given other two • Data versioning to survive malicious users • enables intrusion diagnosis and recovery Survivable storage systems that are usable.