
Page 1: PASIS: Perpetually Available and Secure Information Systems  Greg Ganger, Pradeep Khosla, Han Kiliccote Jay Wylie, Michael Bigrigg,

Institute for Complex Engineered Systems

PASIS: Perpetually Available and Secure Information Systems

http://PASIS.ices.cmu.edu/

Greg Ganger, Pradeep Khosla, Han Kiliccote

Jay Wylie, Michael Bigrigg, John Strunk, Joe Ordia, Semih Oguz,

Mehmet Bakkloglu, Vijay Pandurangan, Xiaofeng Wang,

Cory Williams, Mark-Eric Uldry, Matthias Wenk, David Dolan, Qi He,

Craig Soules, Garth Goodson, Andy Klosterman, Shuheng Zhou

Department of Electrical and Computer Engineering

Institute for Complex Engineered Systems

Parallel Data Laboratory

Carnegie Mellon University

Page 2:

PASIS Objective

Create information storage systems that are

• Perpetually Available
– Information should always be available even when some system components are down or unavailable

• Perpetually Secure
– Information integrity and confidentiality should always be enforced even when some system components are compromised

• Graceful in degradation
– Information access functionality and performance should degrade gracefully as system components fail

Assumptions – Some components will fail, some components will be compromised, some components will be inconsistent, BUT … surviving components allow the information storage system to survive

Page 3:

PASIS Overview

• Surviving “server-side” intrusions
– decentralization + threshold schemes provides for availability and security of storage

• Surviving “client-side” intrusions
– server-side data versioning and request auditing enables intrusion diagnosis and recovery

• Tradeoff management
– balances availability, security, and performance
– maximize performance given other two

Page 4:

Jay’s Questions

• What threats/attacks is PASIS addressing?
– compromises of storage nodes
– stored data manipulation via malicious “users”

• What assumptions are we making?
– only a subset of nodes will be compromised
– malicious user activity can be detected soon-ish

• What policies can PASIS enforce?
– Availability should survive up to X “failed” nodes
– Confidentiality and integrity should survive up to Y collaborating compromised nodes
– Data and audit log changes should be kept for Z weeks

Page 5:

Step #1: Decentralized storage systems

[Figure: Client Systems (Apps, PASIS Agent, IPC) connected over a Network to several Storage Nodes (Storage, Repair Agent)]

Page 6:

Step #2: Threshold Schemes

[Figure: Decimate Information – divide the information into small chunks; Replicate Information; Disperse Information – distribute the data to n agents so that m of them can reconstruct the data but p cannot, with p < m ≤ n]

Example: lines a1x+b1, a2x+b2, a3x+b3

• Agent 1: a1, b1
• Agent 2: a2, b2
• Agent 3: a3, b3
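An added worked example of the m-of-n threshold scheme this slide describes (written here, not code from the PASIS libraries): Shamir sharing over a prime field, where each agent holds one point of a random polynomial, any m points reconstruct the data and any p < m points are consistent with every possible secret. The tampered-share check, which mirrors the 2-of-4 scheme with cheater detection used in the demonstration slides later in the deck, is an assumed technique, not the PASIS implementation's own.

```python
import secrets
from itertools import combinations

# Constructed demo field. A deployment would use a larger field and first decimate
# the file into chunks, sharing each chunk separately.
PRIME = 2**31 - 1

def split(secret, m, n):
    """Shamir m-of-n sharing: the secret is the constant term of a random degree-(m-1)
    polynomial f; agent i receives the point (i, f(i))."""
    assert 0 < m <= n < PRIME and 0 <= secret < PRIME
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]

def interpolate(points, x):
    """Lagrange interpolation: value at x of the unique polynomial through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

def reconstruct(shares, m):
    """Recover the secret from the surviving shares, returning (secret, tampered_shares).
    Fewer than m shares: the read fails. Exactly m: nothing to cross-check. More than m:
    the largest group of shares lying on one degree-(m-1) polynomial is trusted and the
    rest are reported as tampered (assumed check, not the PASIS library's own)."""
    if len(shares) < m:
        raise ValueError("too few shares survive; read fails")
    best, support = None, []
    for subset in combinations(shares, m):
        agree = [s for s in shares if interpolate(subset, s[0]) == s[1]]
        if len(agree) > len(support):
            best, support = subset, agree
    tampered = [s for s in shares if s not in support]
    return interpolate(best, 0), tampered
```

With 2-of-4 sharing, one altered share is outvoted by the three that still lie on the same line, so the data is recovered and the bad share named; with only one surviving share the read fails rather than guessing.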

Page 7:

PASIS Agent Architecture

[Figure: Client Apps → Local PASIS Agent (Tradeoff Management, Agent Communication, Dispersal & Decimation) → PASIS Storage Nodes; the agent takes System Characteristics and User Preferences as inputs]

Page 8:

Features of PASIS Architecture

• Security
– confidentiality: no single storage node can expose data
– integrity: no single storage node can modify data

• Availability
– any M-of-N storage nodes can collectively provide data

• Flexibility
– range of options in space of trade-offs among availability, security, and performance

Page 9:

Engineering survivable systems

• Performance and manageability need to approach that of conventional systems
– … to ensure significant acceptance

• Approach: exploit threshold scheme flexibility
– achieve maximum performance given desired levels of availability and security
– requires quantification of the corresponding trade-offs

• Approach: exploit ability to use any M shares
– send requests to more than M and use quickest responses
– send requests to “closest” servers first

Page 10:

Encode time versus security

[Chart: Encoding Time for a File of 8000 bytes (N=10); x-axis 'M' (1 to 10), y-axis Seconds (0 to 0.2); series SS, IDA, SSS]

Page 11:

Space used versus security

[Chart: Total Storage Space for a File of 8 KB (N=10); x-axis 'M' (1 to 10), y-axis Total Storage Space (KB) (0 to 90); series SS, IDA, SSS]

Page 12:

Encode time versus security

[Chart: SS Encode time versus Security (8KB); axes M (1 to 19), N (S1 to S16), Time (s) (0 to 0.6)]

Page 13:

Encode time versus security

[Chart: IDA Encode versus Security (8KB); axes M (1 to 19), N (S1 to S16), Time (s) (0 to 0.03)]

Page 14:

Encode time versus security

[Left chart: SS Encode time versus Security (8KB); axes M (1 to 19), N (S1 to S16), Time (s) (0 to 0.6)]

[Right chart: IDA Encode versus Security (8KB); axes M (1 to 19), N (S1 to S16), Time (s) (0 to 0.03)]

Page 15:

Quality of Storage (Service) Tradeoff Management

• Allow users to specify what they want rather than how to do it
– System should automatically translate this into settings of PASIS Agent parameters

• When can’t deliver all user desires
– Give feedback on the implications of user choices based on system characteristics.
– Allow user to express the tradeoffs between availability, performance, and security.

Page 16:

Example trade-off space #1

Page 17:

Example trade-off space #2

Page 18:

Trade-off management challenges

• Reasoning about security and availability
– specifically, need to translate settings into configuration rules and limitations
• e.g., M > 0.7*N, (N-M) > 2, M shares cannot be on same OS

• Finding best performing configuration
– within the limitations imposed by first step and given the expected workload and system components
– configuration includes choices of threshold scheme, values for M and N and P, degree of over-requesting, server selection algorithm, etc.
– 2-step approach: predict performance of any possible configuration and then search for optimal choice
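The two-step approach on this slide as an added illustration (written here, not the PASIS trade-off manager's code): step 1 turns a user's policy (survive X failed nodes and Y colluding compromised nodes, the forms from the earlier "Jay's Questions" slide) plus the slide's example limits into rule checks, including the "M shares cannot be on same OS" placement rule; step 2 searches the feasible (M, N) configurations with a stand-in performance predictor. The node inventory, the policy-to-rule mapping and the cost predictor are assumptions.

```python
from collections import Counter

# Constructed node inventory (name -> OS); in PASIS this comes from "system characteristics".
NODES = {f"nt{i}": "NT" for i in range(1, 6)}
NODES.update({f"lx{i}": "Linux" for i in range(1, 6)})
NODES.update({f"sol{i}": "Solaris" for i in range(1, 5)})

def satisfies_rules(m, n, x_failed, y_colluding):
    """Step 1: translate the policy into configuration limitations. How X and Y map
    onto M and N is an assumption here; the last two rules are the slide's examples."""
    return (n - m >= x_failed        # availability: still M live shares after X failures
            and m > y_colluding      # confidentiality: Y colluding nodes hold < M shares
            and m > 0.7 * n          # slide rule: M > 0.7*N
            and (n - m) > 2)         # slide rule: (N-M) > 2

def place_shares(m, n, nodes):
    """Slide rule 'M shares cannot be on same OS': choose n nodes holding at most
    m-1 shares per OS, so compromising one OS family never yields M shares."""
    per_os, chosen = Counter(), []
    for name, os_name in nodes.items():
        if per_os[os_name] < m - 1:
            per_os[os_name] += 1
            chosen.append(name)
            if len(chosen) == n:
                return chosen
    return None   # inventory cannot host this (M, N) without breaking the rule

def predicted_cost(m, n):
    """Step 2 stand-in predictor (assumption): fewer shares per request first, then
    lower storage blow-up n/m. PASIS fits its predictor from measurements instead."""
    return (n, n / m)

def best_configuration(nodes, x_failed, y_colluding):
    """Search every (M, N) the inventory can host and return the cheapest feasible one."""
    feasible = [(predicted_cost(m, n), m, n)
                for n in range(1, len(nodes) + 1)
                for m in range(1, n + 1)
                if satisfies_rules(m, n, x_failed, y_colluding)
                and place_shares(m, n, nodes) is not None]
    if not feasible:
        return None
    _, m, n = min(feasible)
    return {"M": m, "N": n, "nodes": place_shares(m, n, nodes)}
```

Note that the two slide rules together force N > 10, so an inventory of ten or fewer nodes yields no feasible configuration at all; that is exactly the case where the agent must feed back the implications of the user's choices rather than silently pick something.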

Page 19:

Self-Securing Storage Nodes

• Goal: protect data from authorized but malicious users
– both client-side intruders and insider attacks

• How: assume all clients are compromised
– keep all versions of all data
– audit all requests

• Benefits
– fast and complete recovery by preventing data destruction and undetectable modifications
– enhanced detection and diagnosis of intrusions by providing tamper-proof audit logs
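The slide's "how" as an added illustration (constructed here, not the PASIS storage node's own code or interface): writes and deletes append versions instead of overwriting, every request lands in an append-only audit log on the node side, a read can be pinned to a time before the detected intrusion, and expiry honours a retention window (the "Z weeks" of the earlier policy slide) without ever dropping an object's newest version. Timestamps are node-assigned arguments here for determinism.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Version:
    t: float       # node clock when the request arrived (node-assigned, not client-supplied)
    client: str    # identity the request arrived under
    data: bytes    # b"" marks a delete; older data stays recoverable

class SelfSecuringNode:
    """Constructed illustration: never overwrite, keep every version, audit every request.
    Clients (assumed compromised) only get write/delete/read; the version history and the
    audit log are append-only and never exposed for modification."""
    def __init__(self):
        self._versions = {}   # name -> list[Version], oldest first
        self.audit = []       # (t, client, op, name), append-only

    def _record(self, t, client, op, name):
        self.audit.append((t, client, op, name))

    def write(self, name, data, client, t):
        self._record(t, client, "write", name)
        self._versions.setdefault(name, []).append(Version(t, client, bytes(data)))

    def delete(self, name, client, t):
        # A delete is just one more version (a tombstone), not data destruction.
        self._record(t, client, "delete", name)
        self._versions.setdefault(name, []).append(Version(t, client, b""))

    def read(self, name, client, t, as_of=None):
        """Current data, or the data as it stood at `as_of` (recovery to a pre-intrusion state)."""
        self._record(t, client, "read", name)
        hist = [v for v in self._versions.get(name, []) if as_of is None or v.t <= as_of]
        return hist[-1].data if hist else None

    def requests_since(self, t0):
        """Audit entries from the suspected intrusion window, for diagnosis."""
        return [e for e in self.audit if e[0] >= t0]

    def expire(self, now, retention):
        """Drop versions older than the retention window, but always keep the newest
        version of each object so expiry can never lose current data."""
        for name, hist in self._versions.items():
            keep = [v for v in hist if now - v.t <= retention]
            self._versions[name] = keep or hist[-1:]
```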

Page 20:

Where we’re at

• PASIS Architecture complete

• Extended agent implementation in place
– flexible dispersal library with many algorithms
– flexible communication library of several protocols

• Extended multi-versioning storage node in place
– all data versioned efficiently
– all requests audited

• Trade-off quantification in progress
– measurements and calculations continue
– initial modeling started

Page 21:

Technology Transfer

• Transfer path via CMU Consortia (e.g., PDL)
– 15-20 storage and networking companies
• EMC, HP, IBM, Intel, 3Com, Veritas, Sun, Seagate, Lucent, Quantum, Infineon, LSI Logic, Hitachi, MTI, PANASAS, Network Appliances, Platys
– 20+ embedded system & infrastructure companies
• Raytheon, Boeing, United Technologies, Hughes, Bosch, AT&T, Adtranz, Emerson Electric, Ford, HP, Intel, Motorola, NIIIP Consortium

• Joint Battlespace Infosphere (JBI)
– working with AFRL researchers to understand how PASIS technologies might fit into JBI infrastructures

Page 22:

PASIS: Summary

• Decentralization + threshold schemes
– provides for availability and security of storage

• Tradeoff management
– balances availability, security, and performance
– maximize performance given other two

• Data versioning to survive malicious users
– enables intrusion diagnosis and recovery

Survivable storage systems that are usable.

Page 23:

PASIS Demonstration

• A Notepad-like editor that guarantees availability and security of information
– PASIS agent libraries simply linked into editor

• Files are decimated and dispersed across the four machines
– 2-of-4 scheme with cheater detection, by default
– No central authority or point-of-failure

• Implementation runs on NT, using Microsoft’s Network Neighborhood to store the shares

Page 24:

PASIS-enhanced Editor

Page 25:

“About” screen for PASIS Editor

Page 26:

PASIS-enhanced Editor

Page 27:

Each share looks like garbage

Page 28:

… but collectively contain info

Page 29:

Tampering with shares detected

Page 30:

… and info still reconstructed

Page 31:

Reads fail if too few survive

Page 32:

… but succeed when revived

Page 33:

Space used as function of filesize

[Chart: Total Storage Space Used for Shares (N=10, M=5); x-axis File Size (KB) (1 to 20), y-axis Total Storage Space (KB) (0 to 250); series SS, IDA, SSS]

Page 34:

Decode time versus security

[Chart: Decoding Time for a File of 8000 bytes (N=10); x-axis 'M' (1 to 10), y-axis Seconds (0 to 0.08); series SS, IDA, SSS]

Page 35:

Encode time versus filesize

[Chart: Encoding Time (N=10, M=5); x-axis File Size (1 to 65537), y-axis Seconds (0 to 0.8); series SS, IDA, SSS, DES]