Project Borg - Tolerant Systems


PASIS: Perpetually Available and
Secure Information Systems
http://PASIS.ices.cmu.edu/
Pradeep K. Khosla (PI) – [email protected]
Greg Ganger, Han Kiliccote
Jay Wylie, Michael Bigrigg, Xiaofeng Wang,
John Strunk, Qi He, Yaron Rachlin, Mehmet Bakkloglu,
Joe Ordia, Semih Oguz, Cory Williams, Mark-Eric Uldry, Matthias Wenk
David Dolan, Craig Soules, Garth Goodson, Shelby Davis
Department of Electrical and Computer Engineering
Institute for Complex Engineered Systems
Carnegie Mellon University
Institute for Complex Engineered Systems
PASIS Objective
Create information storage systems that are
• Perpetually Available
– Information should always be available even when some system
components are down or unavailable
• Perpetually Secure
– Information integrity and confidentiality should always be
enforced even when some system components are
compromised
• Graceful in degradation
– Information access functionality and performance should
degrade gracefully as system components fail
Assumptions: some components will fail, some will be compromised, some will be inconsistent, but the surviving components allow the information storage system to survive.
PASIS Overview
• Surviving “server-side” intrusions
– decentralization + threshold schemes
– provides for availability and security of storage
• Surviving “client-side” intrusions
– server-side data versioning and request auditing
– enables intrusion diagnosis and recovery
• Tradeoff management balances availability, security, and performance
– maximize performance given the other two
Survivable storage systems that are usable.
Jay’s Questions
• What threats/attacks is PASIS addressing?
– compromises of storage nodes
– stored data manipulation via malicious “users”
• What assumptions are we making?
– only a subset of nodes will be compromised
– malicious user activity can be detected soon-ish
• What policies can PASIS enforce?
– Availability should survive up to X “failed” nodes
– Confidentiality and integrity should survive up to Y collaborating compromised nodes
– Data and audit log changes should be kept for Z weeks
Step #1: Decentralized storage systems
Figure: decentralized storage system. Client Systems (Apps, IPC, PASIS Agent) talk over the Network to Storage Nodes (Storage, Repair Agent); the diagram shows multiple client systems and multiple storage nodes.
Step #2: Threshold Schemes
• Decimate information
– divide the information into small chunks
• Replicate information
• Disperse information
– distribute the data to n agents so that any m of them can reconstruct the data but p cannot (p < m ≤ n)
Figure: example dispersal of two values a and b across three agents: Agent 1 holds a1, b1; Agent 2 holds a2, b2; Agent 3 holds a3, b3.
PASIS Agent Architecture
Figure: PASIS agent architecture. Client Applications call the Local PASIS Agent, which contains Tradeoff Management, Dispersal & Decimation, and Agent Communication; the agent takes User Preferences and System Characteristics as inputs and talks to the PASIS Storage Nodes.
Features of PASIS Architecture
• Security
– confidentiality: no single storage node can
expose data
– integrity: no single storage node can modify data
• Availability
– any M-of-N storage nodes can collectively
provide data
• Flexibility
– range of options in space of trade-offs among
availability, security, and performance
PASIS Demonstration
• A Notepad-like editor that guarantees availability and security of information
– PASIS agent libraries simply linked into the editor
• Files are decimated and dispersed across the four machines
– 2-of-4 scheme with cheater detection, by default
• No central authority or point of failure
• Implementation runs on NT, using Microsoft’s Network Neighborhood to store the shares
Demonstration screenshots (captions only; the images are not in the transcript):
PASIS-enhanced Editor
“About” screen for PASIS Editor
PASIS-enhanced Editor
Each share looks like garbage
… but collectively they contain the info
Tampering with shares detected
… and info still reconstructed
Reads fail if too few survive
… but succeed when revived
Engineering survivable systems
• Performance and manageability need to
approach that of conventional systems
– … to ensure significant acceptance
• Approach: exploit threshold scheme flexibility
– achieve maximum performance given desired levels
of availability and security
– requires quantification of the corresponding trade-offs
• Approach: exploit ability to use any M shares
– send requests to more than M and use quickest
responses
– send requests to “closest” servers first
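The "send requests to more than M and use the quickest responses" tactic from the slide above, as an added example that is not PASIS's communication library. Node latencies, the reachability flags and the share payloads are constructed for the simulation; in a deployment fetch_share would be the real network read.

```python
"""Quorum-of-fastest reads (added example, not PASIS code).
NODES is a constructed table: node id -> (simulated latency in seconds, reachable?)."""
import asyncio

NODES = {
    "n1": (0.05, True),
    "n2": (0.01, True),
    "n3": (0.30, True),    # far away: should never be waited for
    "n4": (0.02, False),   # close but down: fails fast
    "n5": (0.08, True),
}


async def fetch_share(node):
    """Simulated share read: wait the node's latency, then answer or fail."""
    latency, reachable = NODES[node]
    await asyncio.sleep(latency)
    if not reachable:
        raise ConnectionError(f"{node} unreachable")
    return node, f"share-from-{node}"          # placeholder share payload


async def quorum_read(m, candidates, timeout=1.0):
    """Ask every candidate at once, return as soon as m have answered, and
    cancel the stragglers. Raises if m good answers never arrive."""
    tasks = [asyncio.create_task(fetch_share(n)) for n in candidates]
    got, failures = [], []
    try:
        for fut in asyncio.as_completed(tasks, timeout=timeout):
            try:
                got.append(await fut)
            except ConnectionError as exc:
                failures.append(str(exc))
            if len(got) == m:
                break                          # quorum reached: stop waiting
    except asyncio.TimeoutError:
        failures.append("timeout")
    finally:
        for t in tasks:
            t.cancel()
    if len(got) < m:
        raise RuntimeError(f"quorum not reached: {len(got)} of {m}; {failures}")
    return got, failures


def read_closest_first(m, extra):
    """Pick the m+extra lowest-latency nodes ("closest first"), read with a
    quorum of m, and report who answered, who failed, and whether it worked."""
    by_distance = sorted(NODES, key=lambda n: NODES[n][0])
    chosen = by_distance[:m + extra]
    try:
        got, failures = asyncio.run(quorum_read(m, chosen))
    except RuntimeError as exc:
        return {"ok": False, "chosen": chosen, "error": str(exc)}
    return {"ok": True, "chosen": chosen,
            "answered": [n for n, _ in got], "failed": failures}
```

With m=3 and one spare request the read completes after the fourth-fastest node answers even though the second-closest node is down; with no spare request the same failure leaves the quorum short, which is the availability cost of sending exactly M requests.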
Space used as function of filesize
Figure: Total Storage Space Used for Shares (N=10, M=5). x-axis: File Size (KB), 1 to 20; y-axis: Total Storage Space (KB), 0 to 250; series: SS, IDA, SSS.
Space used versus security
Figure: Total Storage Space for a File of 8 KB (N=10). x-axis: M, 1 to 10; y-axis: Total Storage Space (KB), 0 to 90; series: SS, IDA, SSS.
Encode time versus security
Figure: Encoding Time for a File of 8000 bytes (N=10). x-axis: M, 1 to 10; y-axis: Seconds, 0 to 3; series: SS, IDA, SSS.
Decode time versus security
Figure: Decoding Time for a File of 8000 bytes (N=10). x-axis: M, 1 to 10; y-axis: Seconds, 0 to 1.2; series: SS, IDA, SSS.
Encode time versus filesize
Figure: Encoding Time (N=10, M=5). x-axis: File Size (KB), 1 to 20; y-axis: Seconds, 0 to 3; series: SS, IDA, SSS, DES.
Quality of Storage (Service)
Tradeoff Management
• Allow users to specify what they want rather than how to do it
– The system should automatically translate this into settings of the PASIS Agent parameters
• When the system can’t deliver everything the user asks for
– Give feedback on the implications of the user’s choices, based on system characteristics
– Allow the user to express the tradeoffs between availability, performance, and security
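The policy knobs from "Jay's Questions" (availability survives up to X failed nodes, confidentiality and integrity survive up to Y collaborating compromised nodes) translated into threshold parameters, as an added example of the "say what you want, not how" idea above. It is not PASIS's tradeoff manager, and it assumes an m-of-n scheme in which fewer than m colluding nodes learn and forge nothing, m surviving shares suffice to read, cheater detection (as in the 2-of-4 demo) needs m+1 surviving shares, and storage blow-up is n/m (an IDA-style share of 1/m of the file each; a Shamir-style scheme costs n).

```python
"""Policy -> (m, n) translation (added example, not PASIS code).
Cost model n/m is an assumption: IDA-style shares, each 1/m of the data."""


def feasible_schemes(x_failed, y_compromised, max_nodes, detect_cheaters=False):
    """All (m, n) with n <= max_nodes that meet the policy, cheapest first.

    m >= y_compromised + 1 : y_compromised colluders hold fewer than m shares,
                             so they can neither read nor forge the data
    n - m >= x_failed      : after x_failed nodes die, m shares still survive
    detect_cheaters        : the consistency check needs m+1 surviving shares,
                             so one more node is charged against failures
    """
    spare = 1 if detect_cheaters else 0
    schemes = []
    for m in range(y_compromised + 1, max_nodes + 1):
        for n in range(m + x_failed + spare, max_nodes + 1):
            schemes.append({
                "m": m, "n": n,
                "blowup": n / m,                      # assumed IDA-style cost
                "tolerates_failures": n - m - spare,
                "tolerates_colluders": m - 1,
            })
    return sorted(schemes, key=lambda s: (s["blowup"], s["n"]))


def choose_scheme(x_failed, y_compromised, max_nodes, detect_cheaters=False):
    """Cheapest feasible (m, n); raises when no n <= max_nodes satisfies the policy."""
    options = feasible_schemes(x_failed, y_compromised, max_nodes, detect_cheaters)
    if not options:
        minimum = y_compromised + 1 + x_failed + (1 if detect_cheaters else 0)
        raise ValueError(f"need at least {minimum} nodes to survive {x_failed} "
                         f"failures and {y_compromised} colluders")
    return options[0]
```

For X=2, Y=1 on four machines the only feasible choice is 2-of-4, the demo's default; asking for cheater detection on top of that budget is unsatisfiable with four nodes, which is exactly the kind of feedback the slide wants the tradeoff manager to give rather than silently weakening a guarantee.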
Self-Securing Storage Nodes
• Goal: protect data from authorized but malicious users
– both client-side intruders and insider attacks
• How: assume all clients are compromised
– keep all versions of all data
– audit all requests
• Benefits
– fast and complete recovery by preventing data destruction and undetectable modifications
– enhanced detection and diagnosis of intrusions by providing tamper-proof audit logs
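The self-securing storage node idea above (treat every client as compromised, keep every version, audit every request, recover by going back in time), as an added example. It is not PASIS's storage node: the version store, the hash-chained audit log, the client names, timestamps and file contents are all this example's own constructions.

```python
"""Self-securing storage node (added example, not PASIS code).
Writes append versions and never overwrite; deletes are tombstones; every
request is recorded in an audit log where each record hashes its predecessor."""
import hashlib
import json


class SelfSecuringStore:
    def __init__(self):
        self.versions = {}      # name -> [(t, client, op, data)], oldest first
        self.audit = []         # hash-chained request records
        self._prev = "0" * 64   # chain anchor

    def _log(self, t, client, op, name, data):
        rec = {"t": t, "client": client, "op": op, "name": name,
               "sha256": hashlib.sha256(data or b"").hexdigest(), "prev": self._prev}
        rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        self.audit.append(rec)
        self._prev = rec["hash"]

    def write(self, t, client, name, data):
        self.versions.setdefault(name, []).append((t, client, "write", data))
        self._log(t, client, "write", name, data)

    def delete(self, t, client, name):
        # a delete is only another version; the earlier bytes stay recoverable
        self.versions.setdefault(name, []).append((t, client, "delete", None))
        self._log(t, client, "delete", name, None)

    def read(self, t, client, name, as_of=None):
        """Current contents, or the contents as they stood at time `as_of`."""
        self._log(t, client, "read", name, None)
        hist = [v for v in self.versions.get(name, []) if as_of is None or v[0] <= as_of]
        return hist[-1][3] if hist else None

    def verify_audit(self):
        """Recompute the chain; an edited, reordered or dropped record breaks it."""
        prev = "0" * 64
        for rec in self.audit:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def changes_by(self, client, since):
        """Diagnosis aid: every mutating request a client issued from `since` on."""
        return [(r["t"], r["op"], r["name"]) for r in self.audit
                if r["client"] == client and r["t"] >= since and r["op"] != "read"]


def intrusion_scenario():
    """Constructed timeline: a compromised client clobbers and deletes a file;
    the node's history lets the owner diagnose it and roll back."""
    node = SelfSecuringStore()
    node.write(1, "alice", "report.txt", b"quarterly numbers v1")
    node.write(2, "alice", "report.txt", b"quarterly numbers v2")
    node.write(5, "mallory", "report.txt", b"ransom note")        # client-side intruder
    node.delete(6, "mallory", "report.txt")
    gone = node.read(7, "alice", "report.txt")                    # tombstone: None
    recovered = node.read(8, "alice", "report.txt", as_of=4)      # pre-intrusion state
    changes = node.changes_by("mallory", since=5)
    ok_before = node.verify_audit()
    node.audit[2]["client"] = "alice"                             # attacker edits the log
    ok_after = node.verify_audit()
    return {"gone": gone, "recovered": recovered, "mallory_changes": changes,
            "audit_ok_before": ok_before, "audit_ok_after": ok_after}
```

The hash chain makes the log tamper-evident to anyone holding an earlier chain head, not tamper-proof on its own: the threat model here is a compromised client, and the node that keeps the versions and the log is assumed to be intact. Retention of every version is what makes the "Z weeks" policy from "Jay's Questions" enforceable, and it is also the storage cost of the approach.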
Where we’re at
• PASIS Architecture complete
• Basic agent implementation in place
– flexible dispersal library with several algorithms
– flexible communication library
• Basic multi-versioning storage node in place
– all data versioned
– all requests audited
• Trade-off quantification in progress
– initial measurements and calculations performed
Technology Transfer
• Transfer path via CMU Consortia (e.g., PDL)
– 15-20 storage and networking companies
• EMC, HP, IBM, Intel, 3Com, Veritas, Sun, Seagate,
Quantum, Infineon, CLARiiON, Novell, LSI Logic, Hitachi,
MTI, PANASAS, Procom
– 20+ embedded system & infrastructure companies
• Raytheon, Boeing, United Technologies, Hughes, Bosch,
AT&T, Adtranz, Emerson Electric, Ford, HP, Intel,
Motorola, NIIIP Consortium
PASIS: Summary
• Decentralization + threshold schemes
– provides for availability and security of storage
• Tradeoff management balances availability, security, and performance
– maximize performance given the other two
• Data versioning to survive malicious users
– enables intrusion diagnosis and recovery
Survivable storage systems that are usable.