PPD: Platform for Private Data Mohit Tiwari with Krste Asanović, Dawn Song, Petros Maniatis*, Prashanth Mohan, Charalampos Papamanthou, Elaine Shi, Emil Stefanov, Nguyen Tran UC Berkeley Intel*

Post on 24-Feb-2016


Page 1: PPD: Platform for Private Data

PPD: Platform for Private Data

Mohit Tiwari with Krste Asanović, Dawn Song,

Petros Maniatis*, Prashanth Mohan, Charalampos Papamanthou, Elaine Shi, Emil Stefanov, Nguyen Tran

UC Berkeley Intel*

Page 2: PPD: Platform for Private Data

The Age of Big Data

Plentiful, and Private

Page 3: PPD: Platform for Private Data

Rich Applications

Time

Richness

Page 4: PPD: Platform for Private Data

Vulnerable software

(Un) Intentional Misuse

Insider Attacks

Need Data Protection as a Service

Page 5: PPD: Platform for Private Data

Ideal: Privacy Preserving Cloud

Figure: End User and Developer interact with the Cloud provider; labels: privacy evidence, privacy policy, API, App.

Page 6: PPD: Platform for Private Data

Ideal: Platform for Private Data

• Data protection as a service

• Users
– control access to their data
– access third-party applications

• Developers
– save resources, need not be security experts
– access personal data hitherto unavailable

Page 7: PPD: Platform for Private Data

Challenge #1: Untrusted applications own users’ data.

Figure labels: End User, Developer, API, Cloud provider.

Page 8: PPD: Platform for Private Data

Challenge #2: Novice users

Page 9: PPD: Platform for Private Data

PPD: Platform for Private Data

Figure: End User and Developer interact with the PPD Cloud provider; labels: privacy evidence, intuitive privacy policy, API, App. The App + Guest OS runs in a sealed container, with the private data vault alongside it.

Page 10: PPD: Platform for Private Data

Outline of this talk

• PPD: Platform for Private Data

• PPD Architecture

• PPD Prototype and Evaluation

Page 11: PPD: Platform for Private Data

PPD Applications

Cloud Storage

Personal Documents

Real-time applications

E-commerce

Social applications

Miscellaneous: browsing, peer-to-peer, user-initiated sharing

Page 12: PPD: Platform for Private Data

PPD Architecture: Users

Figure labels: End-User, Hardware with TPM, PPD Cloud Provider, Untrusted Storage, Trusted User Interface, Protected Channel, ACLs.

ACL table (columns id, o, r, w): A.tax, A, A, A

Page 13: PPD: Platform for Private Data

PPD Architecture: Applications

Figure labels: Application Container, App, Untrusted Application, End-User, Developer, Hardware with TPM, PPD Cloud Provider, PPD Controller and ACL Manager, Cleartext data, Untrusted Storage, Trusted User Interface.

Channel annotations: uni-directional; per-capsule: RW; per-user: R all, W flagged.

Page 14: PPD: Platform for Private Data

PPD Architecture: Storage

Figure labels: App, Untrusted Application, End-Users, Developers, Hardware with TPM, PPD Cloud Provider, PPD Controller and ACL Manager, PPD Storage Proxy (Dedup, Caching, Replication, …), Storage Container (Integrity check), Untrusted Storage, Trusted User Interface.

Page 15: PPD: Platform for Private Data

PPD Timeline #1: User attests Client

Parties: User (Alice), Client, Cloud Server (Trusted PPD Server)

• Client: TPM.send(hw id)
• Cloud Server: Attest(code)
• Response (result)
• Separation kernel on client checked
• sitekey sent to client
• Client attested

Page 16: PPD: Platform for Private Data

PPD Timeline #2: User launches App

Parties: User (Alice), Client, Cloud Server

• Alice: Launch trusted UI
• Authentication
• Client runs Trusted PPD Kernel with PPD UI, Control, and App + Guest OS
• Launch application
• Trusted PPD Kernel with PPD UI, Control, and App + Guest OS
• App communication

Page 17: PPD: Platform for Private Data

User and Developer Interface

• User creates data capsules
– personal by default; user decides who to share them with
– does not specify a lattice of security labels

• PPD System provides trusted UI to user
– User conveys change of ACLs to PPD

• Developers can request
– Application Containers: per-user, per-data-capsule
– Storage Containers: per-application, per-system

Page 18: PPD: Platform for Private Data

Outline of this talk

• PPD: Platform for Private Data

• PPD Architecture

• PPD Prototype and Evaluation

Page 19: PPD: Platform for Private Data

PPD Building Blocks

• Data capsules
– E.g. “tax documents”, “thanksgiving”
– System assigns ACL as private by default

• Protected Containers
– Linux containers (LXC), copy-on-write FS (UnionFS)
– Stops all explicit communication, except channels
– Hardware side channels, timing leaks out of scope

Page 20: PPD: Platform for Private Data

PPD Building Blocks

• Protected Channels
– iptables firewall rules for LXC containers
– Encryption, integrity-checking (TLS/SSL for network)
– Trusted channel from User to PPD to change ACLs

• Storage Proxies
– Key-value proxy: put, get, and setACL interface
– File-system proxy: FUSE-based layer on key-value proxy
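As an added example (not the PPD project's code), a toy Python model of the key-value proxy's put/get/setACL interface: capsules start private, only the owner may change an ACL, and the ACL is rendered as the "id o r w" row from the architecture slide; class names, the principal argument and the ACL layout are assumptions.

```python
"""Toy model of the PPD key-value storage proxy (added example, not PPD's
code). Capsules are private by default; names here are assumptions."""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass
class Acl:
    owner: str
    readers: set = field(default_factory=set)
    writers: set = field(default_factory=set)


class KVProxy:
    """put, get and setACL, the interface named on the slide; `principal`
    is the authenticated user a container is acting for."""
    def __init__(self):
        self._store = {}  # capsule id -> bytes
        self._acls = {}   # capsule id -> Acl

    def put(self, principal, capsule_id, data):
        acl = self._acls.get(capsule_id)
        if acl is None:  # first write creates the capsule, private by default
            self._acls[capsule_id] = Acl(principal, {principal}, {principal})
        elif principal not in acl.writers:
            raise AccessDenied(f"{principal} may not write {capsule_id}")
        self._store[capsule_id] = data

    def get(self, principal, capsule_id):
        acl = self._acls.get(capsule_id)
        # Same error for missing and forbidden, so no existence oracle.
        if acl is None or principal not in acl.readers:
            raise AccessDenied(f"{principal} may not read {capsule_id}")
        return self._store[capsule_id]

    def set_acl(self, principal, capsule_id, readers, writers):
        """Only the owner may change an ACL (in PPD this arrives over the
        trusted UI channel); the owner always keeps full access."""
        acl = self._acls.get(capsule_id)
        if acl is None or principal != acl.owner:
            raise AccessDenied(f"{principal} does not own {capsule_id}")
        acl.readers = set(readers) | {acl.owner}
        acl.writers = set(writers) | {acl.owner}

    def acl_row(self, capsule_id):  # the slide's 'id o r w' row
        acl = self._acls[capsule_id]
        return (capsule_id, acl.owner,
                ",".join(sorted(acl.readers)), ",".join(sorted(acl.writers)))
```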

Page 21: PPD: Platform for Private Data

PPD Building Blocks

• PPD Controller
– manages containers and channels
– dynamically creates containers based on user or application requests
– assigns iptables rules for all containers

• Remote Attestation
– Intel TXT, TPM v1.2
– attest correct PPD code on untrusted machines

Page 22: PPD: Platform for Private Data

PPD Applications

• Friendshare: online storage with de-duplication (like Dropbox)

• Git: repository version control server

• Etherpad: online, collaborative editing (like Google Docs)

Page 23: PPD: Platform for Private Data

PPD Prototype

Figure: PPD prototype. Labels: TLS Proxy (two), EtherPad, Controller, ACL Store, K/V Proxy, FS Proxy, DeDup, Secure Block Device Storage, FriendShare, TPM Chip (Remote Attestation), LXC Containers, ACL changes, Linux Kernel, IPTables, Application Layer, Storage Layer, End Users.

Page 24: PPD: Platform for Private Data

Eval: Porting Apps for PPD

• Scripts to install and configure apps in containers

• Application v. Storage containers
– Friendshare
• Application: scan directories, chunk files, change ACL
• Storage: de-duplication
– Git, Etherpad
• Application: entire functionality

Page 25: PPD: Platform for Private Data

Eval: PPD Application Performance

• Minimal effect on Friendshare throughput

Small requests: 10 filenames

Big requests: 10KB images

Page 26: PPD: Platform for Private Data

PPD Application Performance

• Minimal effect on Friendshare latency

Page 27: PPD: Platform for Private Data

Summary

• PPD: New data-centric cloud platform
– user-controlled sharing
– rich, mostly legacy applications

• PPD Architecture
– untrusted application and storage components

• PPD Prototype and Evaluation
– small performance and porting cost

Page 28: PPD: Platform for Private Data

The PPD Team

Page 29: PPD: Platform for Private Data

Current and Future Work

• Applications
– medical applications, business data analytics

• Client-side PPD on Android
– light-weight containers and channels on Nexus S

• Application-initiated sharing
– differential privacy

Page 30: PPD: Platform for Private Data

Related Approaches

• DIFC
– PPD does not do fine-grained information flow tracking
– Constrained containers + Dev API = simple system

• Capabilities
– Can be used to implement containers and channels
– Re-write legacy applications

• Android Security
– Static, coarse-grained permissions
– User does not own data

Page 31: PPD: Platform for Private Data

Conclusion

Figure: End User and Developer interact with the PPD Cloud provider; labels: privacy evidence, privacy policy, API, App.

Page 32: PPD: Platform for Private Data

Backups

Page 33: PPD: Platform for Private Data

PPD Insights

• Co-design UI and system software
– User decisions are intuitive (“share doc with Bob”)
– System manages untrusted apps and private data

• Developer API
– Per-user functionality v. cross-user optimizations

• Privacy: data owners’ access control policy
– Apps ‘see’ data only in sealed containers

Page 34: PPD: Platform for Private Data

Summary

Page 35: PPD: Platform for Private Data

PPD Evaluation: Etherpad

Page 36: PPD: Platform for Private Data

PPD Evaluation: Git

Page 37: PPD: Platform for Private Data

PPD: Platform for Private Data

• PPD is a data-centric cloud platform
– rich, untrusted applications
– strong privacy guarantees for end user

• PPD will spark innovation
– through apps from small developers
– making more private data available

Page 38: PPD: Platform for Private Data

PPD Design

• Simplest: User + PPD
– Data capsules + ACL (UI)

• Next: User + Application (front-end) + PPD
– Per-user, sharing

• Next: + Backend Storage
– Rich optimizations, integrity checked