Project Borg - Tolerant Systems
PASIS: Perpetually Available and
Secure Information Systems
http://PASIS.ices.cmu.edu/
Pradeep K. Khosla (PI) – [email protected]
Greg Ganger, Han Kiliccote
Jay Wylie, Michael Bigrigg, Xiaofeng Wang,
John Strunk, Qi He, Yaron Rachlin, Mehmet Bakkloglu,
Joe Ordia, Semih Oguz, Cory Williams, Mark-Eric Uldry, Matthias Wenk
David Dolan, Craig Soules, Garth Goodson, Shelby Davis
Department of Electrical and Computer Engineering
Institute for Complex Engineered Systems
Carnegie Mellon University
Institute for Complex Engineered Systems
PASIS Objective
Create information storage systems that are
• Perpetually Available
– Information should always be available even when some system
components are down or unavailable
• Perpetually Secure
– Information integrity and confidentiality should always be
enforced even when some system components are
compromised
• Graceful in degradation
– Information access functionality and performance should
degrade gracefully as system components fail
Assumptions: some components will fail, some components will be compromised, some components will be inconsistent, BUT the surviving components allow the information storage system to survive.
PASIS Overview
Surviving “server-side” intrusions
decentralization + threshold schemes
provides for availability and security of storage
Surviving “client-side” intrusions
server-side data versioning and request auditing
enables intrusion diagnosis and recovery
Tradeoff management balances availability,
security, and performance
maximize performance given other two
Survivable storage systems that are usable.
Jay’s Questions
What threats/attacks is PASIS addressing?
compromises of storage nodes
stored data manipulation via malicious “users”
What assumptions are we making?
only a subset of nodes will be compromised
malicious user activity can be detected soon-ish
What policies can PASIS enforce?
Availability should survive up to X “failed” nodes
Confidentiality and integrity should survive up to Y
collaborating compromised nodes
Data and audit log changes should be kept for Z weeks
Step #1: Decentralized storage systems
(Figure: two Client Systems, each running Apps that talk over IPC to a local PASIS Agent; the agents reach several Storage Nodes across the Network, and each Storage Node pairs its Storage with a Repair Agent.)
Step #2: Threshold Schemes
Decimate information: divide the information into small chunks
Replicate information
Disperse information: distribute the data to n agents so that any m of them can reconstruct the data but p cannot, with p < m ≤ n
(Figure: a value v decimated into chunks a and b and dispersed to three agents: Agent 1 holds a1, b1; Agent 2 holds a2, b2; Agent 3 holds a3, b3.)
PASIS Agent Architecture
(Figure: the Local PASIS Agent sits between the Client Applications and the PASIS Storage Nodes. Inside the agent, Tradeoff Management takes User Preferences and System Characteristics as inputs and configures the Dispersal & Decimation and Agent Communication modules.)
Features of PASIS Architecture
• Security
– confidentiality: no single storage node can
expose data
– integrity: no single storage node can modify data
• Availability
– any M-of-N storage nodes can collectively
provide data
• Flexibility
– range of options in space of trade-offs among
availability, security, and performance
PASIS Demonstration
A Notepad-like editor that guarantees
availability and security of information
PASIS agent libraries simply linked into editor
Files are decimated and dispersed across the
four machines
2-of-4 scheme with cheater detection, by default
No central authority or point-of-failure
Implementation runs on NT, using Microsoft’s
Network Neighborhood to store the shares
PASIS-enhanced Editor
“About” screen for PASIS Editor
PASIS-enhanced Editor
Each share looks like garbage
… but collectively contain info
Tampering with shares detected
… and info still reconstructed
Reads fail if too few survive
… but succeed when revived
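The threshold scheme of Step #2 and the editor demo above (each share alone looks like garbage, a tampered share is detected and the file still reconstructed, a read fails when too few shares survive) can be reproduced with the following added example. It is illustrative code written for this page, not the PASIS dispersal library: it assumes Shamir secret sharing byte-wise over GF(2^8) with the AES polynomial, and detects cheaters with an HMAC-SHA256 tag per share under a key the client keeps, which is one possible cheater-detection mechanism and not necessarily the one the demo used.

```python
"""Added example (not PASIS project code): m-of-n threshold sharing of a file
with per-share integrity tags. Assumptions: Shamir sharing over GF(2^8) with
the AES polynomial 0x11b, and HMAC-SHA256 share tags under a client-held key."""
import hashlib
import hmac
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """a^254 == a^-1 in GF(2^8): the multiplicative group has order 255."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def share_tag(key: bytes, x: int, data: bytes) -> bytes:
    """Integrity tag binding a share to its index x (assumed mechanism)."""
    return hmac.new(key, bytes([x]) + data, hashlib.sha256).digest()


def split(secret: bytes, m: int, n: int, tag_key: bytes):
    """Disperse `secret` into n shares (x, share_bytes, tag); any m rebuild it.

    Each secret byte is the constant term of a fresh random polynomial of
    degree m-1; share x holds that polynomial evaluated at x, so any m-1
    shares are consistent with every possible secret byte."""
    if not 1 <= m <= n <= 255:
        raise ValueError("need 1 <= m <= n <= 255")
    shares = [bytearray() for _ in range(n)]
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(m - 1)]
        for i in range(n):
            x, y, x_pow = i + 1, 0, 1
            for c in coeffs:
                y ^= gf_mul(c, x_pow)
                x_pow = gf_mul(x_pow, x)
            shares[i].append(y)
    return [(i + 1, bytes(sh), share_tag(tag_key, i + 1, bytes(sh)))
            for i, sh in enumerate(shares)]


def _interpolate_at_zero(points):
    """Lagrange interpolation of f(0) over GF(2^8); subtraction is XOR."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, xj)        # (0 - xj) == xj in characteristic 2
                den = gf_mul(den, xi ^ xj)   # (xi - xj)
        result ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return result


def reconstruct(shares, m: int, tag_key: bytes):
    """Rebuild the secret from any m shares whose tags verify.

    Returns (secret, rejected_indices). Shares with a bad tag are dropped
    (cheater detection); with fewer than m good shares the read fails
    instead of returning garbage."""
    good, rejected = [], []
    for x, data, tag in shares:
        if hmac.compare_digest(share_tag(tag_key, x, data), tag):
            good.append((x, data))
        else:
            rejected.append(x)
    if len(good) < m:
        raise ValueError(f"only {len(good)} valid shares, need {m}")
    use = good[:m]
    length = len(use[0][1])
    secret = bytes(_interpolate_at_zero([(x, d[k]) for x, d in use])
                   for k in range(length))
    return secret, rejected


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    shares = split(b"PASIS editor text", 2, 4, key)   # the demo's 2-of-4 scheme
    x, data, tag = shares[0]
    corrupted = (x, bytes(b ^ 0xFF for b in data), tag)  # tampered share 1
    print(reconstruct([corrupted] + shares[1:], 2, key))
```

Any m tag-valid shares reconstruct the file, so a 2-of-4 read survives one tampered share plus one missing node. The caveat a deployment must face is key management: whoever holds `tag_key` can forge tags, and a per-share MAC gives nothing once the client itself is compromised, which is the case the self-securing storage nodes later in this deck address.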
Engineering survivable systems
• Performance and manageability need to
approach that of conventional systems
– … to ensure significant acceptance
• Approach: exploit threshold scheme flexibility
– achieve maximum performance given desired levels
of availability and security
– requires quantification of the corresponding trade-offs
• Approach: exploit ability to use any M shares
– send requests to more than M and use quickest
responses
– send requests to “closest” servers first
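Added example, written for this page rather than taken from the PASIS agent: a read that follows the two bullets above, contacting the M+extra nodes with the lowest estimated latency and returning as soon as M shares with valid integrity tags have arrived. Node names, latencies, and the HMAC tag check are constructed assumptions; a real agent would issue network requests where `Node.fetch()` sleeps.

```python
"""Added example (not PASIS project code): quorum read with extra requests.
Send to the m+extra "closest" nodes, consume responses in arrival order,
stop at the m-th share whose tag verifies. Nodes and latencies are constructed."""
import concurrent.futures as cf
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    share: bytes
    tag: bytes            # HMAC over the share, checked by the client (assumption)
    est_latency_s: float  # the agent's estimate, used to pick "closest" first
    up: bool = True

    def fetch(self) -> tuple:
        """Simulated storage-node request: a down node refuses, others answer
        after their latency."""
        if not self.up:
            raise ConnectionError(self.name)
        time.sleep(self.est_latency_s)
        return self.share, self.tag


def make_node(name, share, key, est_latency_s, up=True):
    return Node(name, share, hmac.new(key, share, hashlib.sha256).digest(),
                est_latency_s, up)


def quorum_read(nodes, m, key, extra=0, timeout_s=2.0):
    """Return ({name: share}, contacted_names, failed_or_invalid_names).

    Requests go to the m+extra nodes with the lowest estimated latency; a
    slow, dead or lying node only costs the read if fewer than m others
    answer with a valid share."""
    targets = sorted(nodes, key=lambda n: n.est_latency_s)[:m + extra]
    pool = cf.ThreadPoolExecutor(max_workers=len(targets))
    futures = {pool.submit(n.fetch): n for n in targets}
    got, bad = {}, []
    try:
        for fut in cf.as_completed(futures, timeout=timeout_s):
            node = futures[fut]
            try:
                share, tag = fut.result()
            except ConnectionError:
                bad.append(node.name)
                continue
            expected = hmac.new(key, share, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                got[node.name] = share
            else:
                bad.append(node.name)   # corrupt share: wait for another node
            if len(got) == m:
                break                   # quickest m valid responses win
    except cf.TimeoutError:
        pass
    finally:
        # Do not wait for stragglers; a real client would abort their RPCs.
        pool.shutdown(wait=False, cancel_futures=True)
    if len(got) < m:
        raise RuntimeError(f"only {len(got)} valid shares of {m}; bad: {bad}")
    return got, [n.name for n in targets], bad


if __name__ == "__main__":
    k = b"\x02" * 32
    cluster = [make_node("n1", b"s1", k, 0.01), make_node("n2", b"s2", k, 0.02, up=False),
               make_node("n3", b"s3", k, 0.03), make_node("n4", b"s4", k, 0.40)]
    print(quorum_read(cluster, 2, k, extra=1))
```

The returned shares would then go to the threshold decoder. Each extra request costs one more share of network bandwidth, which is the performance side of the trade-off the slide quantifies; the estimate used for "closest" also needs periodic refresh, since a node whose latency was measured before it became overloaded will keep being chosen first.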
Space used as function of filesize
(Figure: Total Storage Space Used for Shares (N=10, M=5). X axis: File Size (KB), 1 to 20. Y axis: Total Storage Space (KB), 0 to 250. Series: SS, IDA, SSS.)
Space used versus security
(Figure: Total Storage Space for a File of 8 KB (N=10). X axis: M, 1 to 10. Y axis: Total Storage Space (KB), 0 to 90. Series: SS, IDA, SSS.)
Encode time versus security
(Figure: Encoding Time for a File of 8000 bytes (N=10). X axis: M, 1 to 10. Y axis: Seconds, 0 to 3. Series: SS, IDA, SSS.)
Decode time versus security
(Figure: Decoding Time for a File of 8000 bytes (N=10). X axis: M, 1 to 10. Y axis: Seconds, 0 to 1.2. Series: SS, IDA, SSS.)
Encode time versus filesize
(Figure: Encoding Time (N=10, M=5). X axis: File Size (KB), 1 to 20. Y axis: Seconds, 0 to 3. Series: SS, IDA, SSS, DES.)
Quality of Storage (Service)
Tradeoff Management
• Allow users to specify what they want rather
than how to do it
– System should automatically translate this into
settings of PASIS Agent parameters
• When can’t deliver all user desires
– Give feedback on the implications of user choices
based on system characteristics.
– Allow user to express the tradeoffs between
availability, performance, and security.
Self-Securing Storage Nodes
Goal: protect data from authorized but
malicious users
both client-side intruders and insider attacks
How: assume all clients are compromised
keep all versions of all data
audit all requests
Benefits
fast and complete recovery by preventing data
destruction and undetectable modifications
enhanced detection and diagnosis of intrusions by
providing tamper-proof audit logs
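The following added example, written for this page and not taken from the PASIS storage node, shows the two mechanisms on the slide working together: every write or delete appends a version instead of overwriting, and every request (reads included) is appended to a hash-chained audit log. The class and method names, the log layout, and the recovery policy (restore the newest version that predates the intruder's first request) are assumptions made for the illustration.

```python
"""Added example (not PASIS project code): a self-securing storage node.
Clients are assumed compromised: they may add versions and requests but can
never destroy history. Names and log format are assumptions for this page."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Version:
    number: int
    seq: int              # audit sequence number of the request that created it
    client: str
    data: Optional[bytes]  # None records a delete; older data stays readable


class SelfSecuringNode:
    GENESIS = "0" * 64

    def __init__(self):
        self._versions = {}   # key -> [Version, ...], append-only
        self._audit = []      # hash-chained request log, append-only

    # ---- audit log: every request, chained so later edits are detectable ----
    def _log(self, client: str, op: str, key: str, detail: str) -> int:
        prev = self._audit[-1]["hash"] if self._audit else self.GENESIS
        entry = {"seq": len(self._audit), "client": client, "op": op,
                 "key": key, "detail": detail, "prev": prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self._audit.append(entry)
        return entry["seq"]

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = self.GENESIS
        for e in self._audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

    # ---- requests: writes and deletes append versions, nothing is overwritten ----
    def write(self, client: str, key: str, data: bytes) -> int:
        seq = self._log(client, "write", key, hashlib.sha256(data).hexdigest())
        hist = self._versions.setdefault(key, [])
        hist.append(Version(len(hist), seq, client, data))
        return hist[-1].number

    def delete(self, client: str, key: str) -> int:
        seq = self._log(client, "delete", key, "")
        hist = self._versions.setdefault(key, [])
        hist.append(Version(len(hist), seq, client, None))   # tombstone version
        return hist[-1].number

    def read(self, client: str, key: str, version: Optional[int] = None):
        self._log(client, "read", key, "" if version is None else str(version))
        hist = self._versions.get(key, [])
        if not hist:
            return None
        v = hist[-1] if version is None else hist[version]
        return v.data

    # ---- diagnosis and recovery ----
    def history(self, key: str):
        return [(v.number, v.seq, v.client, None if v.data is None else len(v.data))
                for v in self._versions.get(key, [])]

    def requests_by(self, client: str):
        return [(e["seq"], e["op"], e["key"]) for e in self._audit
                if e["client"] == client]

    def recover(self, admin: str, key: str, before_seq: int) -> int:
        """Restore the newest version created before audit seq `before_seq`
        (e.g. the intruder's first request) as a new version; history is kept."""
        older = [v for v in self._versions.get(key, []) if v.seq < before_seq]
        if not older or older[-1].data is None:
            return self.delete(admin, key)
        return self.write(admin, key, older[-1].data)


if __name__ == "__main__":
    node = SelfSecuringNode()
    node.write("alice", "report.txt", b"draft 1")
    node.write("alice", "report.txt", b"draft 2")
    node.write("mallory", "report.txt", b"pwned")      # intruder with alice's credentials
    node.delete("mallory", "report.txt")
    first_bad = node.requests_by("mallory")[0][0]
    node.recover("ir", "report.txt", first_bad)
    print(node.read("ir", "report.txt"), node.history("report.txt"), node.verify_audit())
```

Recovery is itself a logged write, so the audit trail records who restored what and when. One caveat on the slide's "tamper-proof" wording: a hash chain is tamper-evident, not tamper-proof. An attacker who controls the node can rewrite the whole chain consistently, so the chain head should be exported periodically to a system outside the node (or the node kept outside the client trust domain, as PASIS assumes), and the version history must be retained for at least the detection window the "Z weeks" policy sets.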
Where we’re at
• PASIS Architecture complete
• Basic agent implementation in place
– flexible dispersal library with several algorithms
– flexible communication library
• Basic multi-versioning storage node in place
– all data versioned
– all requests audited
• Trade-off quantification in progress
– initial measurements and calculations performed
Technology Transfer
• Transfer path via CMU Consortia (e.g., PDL)
– 15-20 storage and networking companies
• EMC, HP, IBM, Intel, 3Com, Veritas, Sun, Seagate,
Quantum, Infineon, CLARiiON, Novell, LSI Logic, Hitachi,
MTI, PANASAS, Procom
– 20+ embedded system & infrastructure companies
• Raytheon, Boeing, United Technologies, Hughes, Bosch,
AT&T, Adtranz, Emerson Electric, Ford, HP, Intel,
Motorola, NIIIP Consortium
PASIS: Summary
Decentralization + threshold schemes
provides for availability and security of storage
Tradeoff management balances availability,
security, and performance
maximize performance given other two
Data versioning to survive malicious users
enables intrusion diagnosis and recovery
Survivable storage systems that are usable.