Selective versioning in a secure disk system
This presentation is the property of its rightful owner.
Sponsored Links
1 / 39

Selective Versioning in a Secure Disk System PowerPoint PPT Presentation


  • 64 Views
  • Uploaded on
  • Presentation posted in: General

Selective Versioning in a Secure Disk System. Swaminathan Sundararaman University of Wisconsin-Madison Gopalan Sivathanu Google Inc. Erez Zadok Stony Brook University. Securing Disk Data. Data protection is performed by Applications File systems

Download Presentation

Selective Versioning in a Secure Disk System

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Selective versioning in a secure disk system

Selective Versioning in a Secure Disk System

Swaminathan Sundararaman

University of Wisconsin-Madison

Gopalan Sivathanu

Google Inc.

Erez Zadok

Stony Brook University


Securing disk data

Securing Disk Data

  • Data protection is performed by

    • Applications

    • File systems

  • Existing data protection systems operate at the OS level

  • OS compromises

    • Root kit attacks, buffer overflow attacks, viruses, malware, …

    • Entire disk data vulnerable

  • Protecting data in the event of OS comprises

    • Difficult with existing solutions

Selective Versioning in a Secure Disk System


Aspects of data security

Aspects of Data Security

  • Confidentiality

    • Preventing unauthorized reads

  • Integrity

    • Detecting unauthorized writes

  • Recoverability

    • Protecting against data destruction

Selective Versioning in a Secure Disk System


Treat model

Treat Model

User Applications

File Systems

Security

Compromised

Mech.

OS

Data

Entire disk data vulnerable

Existing Systems

Selective Versioning in a Secure Disk System


Selective versioning in a secure disk system svsds

Selective Versioning in a Secure Disk System (SVSDS)

  • Makes stored data recoverable in the event of an OS compromise

  • Transparently versions data inside the disk

    • Applications cannot bypass versioning

  • Enforces operation-level constraints

    • Protects important file from being modified

  • Selectively versions user-chosen files

    • Reduces the space overhead

Selective Versioning in a Secure Disk System


Our solution

Our Solution

User Applications

File Systems

Compromised

OS

Data

Regular data

Versioned Data

Selective Versioning in a Secure Disk System


Versioning inside the disk

Versioning Inside the Disk

  • Why disk-level versioning is difficult ?

    • No information about higher level semantics

      • Narrow block-based interface

    • Versions all blocks

      • Higher space overheads

      • Fewer versions

      • Reverts all blocks

  • Should make use of higher level abstraction

    • Version at a more usable granularity

  • Leverage Type-Safe Disks (TSD) [OSDI’06]

Selective Versioning in a Secure Disk System


Background on tsd

Background on TSD

  • Pointers: primary mechanism of organizing stored data

  • Pointers define

    • Semantic dependencies between blocks

    • Logical groupings of blocks

    • Importance of blocks

  • File systems and databases use pointers extensively

    • b+trees, hashes, lists, indexes

  • TSDs track block relationship through pointers

Selective Versioning in a Secure Disk System


Ffs like file system

FFS Like File System

SB

SB

Super Block

Inode Block

IB

IB

Logical Grouping

Semantic Dependency

Importance of blocks

Directory Block

DirB

DirB

DirB

DirB

DB

Data Block

IB

IB

IB

IB

IB

Unreachable Blocks

DB

DB

DB

DB

DB

DirB

DB

Selective Versioning in a Secure Disk System


Overview

Overview

Overview

  • Motivation

  • Design

  • Related Work

  • Evaluation

  • Conclusion

* Block Allocation

* Pointer Management

* Securing Disk Data

* Selective Versioning

* Operation-level Constraints

* Data Recovery

Selective Versioning in a Secure Disk System


Securing disk data1

Securing Disk Data

  • Need to restrict access to versioned data

  • Virtualizes the disk address space

    • Prevents users from directly manipulating data stored inside the disk.

    • Two address space

      • logical and physical

      • Applications access data only through the logical address space

Selective Versioning in a Secure Disk System


Disk virtualization

Disk Virtualization

Mapping in internally maintained by SVSDS

Logical

Block #

Physical

Block #

Mapping Table

Applications

Logical

Blocks

1

2

3

3

4

5

1

2

2

4

3

3

1

1

Physical

Blocks

1

1

2

3

4

5

  • 9write_block(3)

  • lookup entry in mapping table

  • redirect write request to physical block 1

Selective Versioning in a Secure Disk System


Selective versioning

Selective Versioning

  • Versioning all blocks consumes more storage space

    • Shorter version histories

  • Blocks have varying levels of importance

    • Meta-data blocks (like inodes) define the reachability of their data blocks

    • Only some data blocks are important (/tmp files, program installers are not)

    • Importance changes with the number of outgoing pointers

  • By default SVSDS versions all meta-data blocks

Selective Versioning in a Secure Disk System


Identifying meta data

Identifying Meta-data

Super Block

Pointers help identify meta-data

SB

SB

Inode Block

Outgoing pointer implies

its a Meta-data block

IB

IB

Directory Block

DB

Data Block

DirB

DirB

DirB

DirB

IB

IB

IB

IB

IB

DB

DB

DB

DB

DB

DirB

DB

Selective Versioning in a Secure Disk System


Versioning selected data

Versioning Selected Data

  • Users would like to protect their files

  • Pointer information provides logical grouping of blocks

  • SVSDS does a BFS and marks the blocks for versioning

Selective Versioning in a Secure Disk System


Identifying files

Identifying Files

Super Block

Pointers help identify all files of a directory

SB

SB

Inode Block

* Mark all files in this particular Dir

IB

IB

Directory Block

DB

Data Block

DirB

DirB

DirB

DirB

IB

IB

IB

IB

IB

DB

DB

DB

DB

DB

DirB

DB

Selective Versioning in a Secure Disk System


Versioning policy

Versioning Policy

  • Versioning interval

    • Time interval between versions

    • Configurable by the administrator

    • Currently, one versioning interval for all blocks

Selective Versioning in a Secure Disk System


Versioning blocks

Versioning Blocks

Mapping Table

Applications

Logical

Block #

Logical

Block #

Physical

Block #

Physical

Block #

Logical

Blocks

1

3

2

1

2

3

4

5

2

4

3

1

Physical

Blocks

1

2

3

4

5

Version Table

  • 9write_block(1)

  • lookup entry in mapping table

  • version old mapping

  • allocate physical block 3

  • updates the entry in the mapping table

Ver.

#

1

2

1

Selective Versioning in a Secure Disk System


Operation level constraints

Operation-Level Constraints

  • Important to protect certain files from being modified or overwritten

    • Executable files, Library files, Log files, System configuration files

  • SVSDS allows users to specify operation-level constraints

    • Read-only

    • Append-only

  • Files marked for Read-only and Append-only cannot be deleted

Selective Versioning in a Secure Disk System


Operation level constraints1

Operation-level Constraints

  • Read-only constraint

    • Ensures that marked blocks are immutable

    • Protects against intruders, viruses, Trojan horses, malware, etc.

  • Append-only constraint

    • Ensures that entries in log files are not deleted or modified

    • Helps in forensic analysis after an intrusion

Selective Versioning in a Secure Disk System


Administrative interface

Administrative interface

  • Special hardware port on the disk

  • Authentication based on capability

  • Prevents users from reverting back to previous versions

  • Can be used to change the versioning frequency

Selective Versioning in a Secure Disk System


Issues

Issues

  • Currently revert at the granularity of time

    • Do not revert based on logical abstractions

  • Denial of Service attacks

    • Marking arbitrary files

      • Use administrative interface to mark files

    • Overwriting versioned blocks

      • Exponentially increase the versioning interval

    • Creating lots of bogus files

      • No perfect solution

      • Stop writes when disk fills up

Selective Versioning in a Secure Disk System


Overview1

Overview

Overview

  • Motivation

  • Design

  • Related Work

  • Evaluation

  • Conclusion

Application-level Versioning

File-system-level Versioning

Disk-level Versioning

Selective Versioning in a Secure Disk System


Versioning file systems

Versioning File Systems

  • Flexible

    • Allow per-file policies

  • Are only as secure as the OS

    • previous versions can be deleted if the OS is compromised

  • Users can bypass versioning

  • Ext3cow, VersionFS, Elephant, etc.

Selective Versioning in a Secure Disk System


Disk level versioning

Disk-Level Versioning

  • Operates at the granularity of blocks

  • Security is decoupled from the OS

  • Versions all blocks

  • Clotho, TRAP, and S4

Selective Versioning in a Secure Disk System


Disk level versioning contd

Disk-Level Versioning (contd.)

  • Self-Securing Storage System (S4)

    • Object-based disk

    • Internally audits all requests

    • Protects data in compromised systems

      • Combines log structuring with journal-based metadata versioning

    • Versions all requests for use in intrusion analysis.

    • No support for operation-based constraints

Selective Versioning in a Secure Disk System


Feature comparison

Feature Comparison

Our Hybrid Solutioncombines strong security of Disk-level versioning system with the flexibility of versioning file systems.

Selective Versioning in a Secure Disk System


Overview2

Overview

Overview

  • Motivation

  • Design

  • Issues

  • Related Work

  • Evaluation

  • Conclusion

Selective Versioning in a Secure Disk System


Prototype implementation

Prototype Implementation

User Application

File System

SVSDS Interface

SVSDS Pseudo-device Driver

Regular Block Interface

Block Driver

Disk / RAID

  • Pseudo-device driver in Linux kernel 2.6.15

  • 7,487 lines of kernel code

    • 3,600 from existing TSD prototype

Selective Versioning in a Secure Disk System


Evaluation

Evaluation

  • Test platform

    • Linux 2.6.15

    • 2.8GHz Xeon (single CPU)

    • 1GB of RAM

    • 74GB, 10Krpm, Ultra-320 SCSI disk

  • 95% confidence intervals within 5% of the mean

Selective Versioning in a Secure Disk System


Conventions used in figures

Conventions Used in Figures

  • Ext2: Ext2 on a regular disk

  • Ext2TSD: Ext2TSD on a TSD

  • Ext2Ver(M): Ext2TSD on a SVSDS (meta-data versioning)

  • Ext2Ver(A): Ext2TSD on a SVSDS

    (all blocks are versioned)

Selective Versioning in a Secure Disk System


Postmark

Postmark

Wait Time

User Time

System Time

Elapsed: S.I.

System: 4.3x

Wait: -20%

Elapsed: S.I.

System: 4.3x

Wait: -19.5%

Elapsed: S.I.

System: 1.4x

Wait: -8.8%

Elapsed Time (Seconds)

Postmark: IO Intensive Workload

Versioning Interval : 30 second Number of versions created : 27

Selective Versioning in a Secure Disk System


Space overhead

Space Overhead

Versioning Interval : 30 seconds Number of versions created : 27

Selective Versioning in a Secure Disk System


Kernel compile

Kernel Compile

Wait Time

User Time

System Time

Elapsed: S.I.

System: +4.6%

Wait: -5.6%

Elapsed: 0.8%

System: +10.1%

Wait: -0.8%

Elapsed: -0.3%

System: +3.6%

Wait: -24.0%

Elapsed Time (Seconds)

Kernel compile: Models user behavior

Versioning Interval : 30 seconds Number of versions created : 78

Selective Versioning in a Secure Disk System


Space overhead1

Space Overhead

Versioning Interval : 30 seconds Number of versions created : 78

Selective Versioning in a Secure Disk System


Overview3

Overview

Overview

  • Motivation

  • Design

  • Issues

  • Related Work

  • Evaluation

  • Conclusion

Selective Versioning in a Secure Disk System


Conclusion

Conclusion

  • Hybrid solution

    • Strong security and flexible versioning

  • Meta-data versioning

    • Protects important file system accessibility information

    • preserves namespace hierarchy

  • Versioning chosen data items

    • Enables flexible policies based on data importance

    • Widens window of recoverability

Selective Versioning in a Secure Disk System


Conclusion contd

Conclusion (Contd.)

  • Lazy reallocation of blocks

    • Implicit data versioning

  • Operation-based constraints

    • protects log files and executables

    • Enables easier intrusion detection

  • Acceptable space and performance overheads

Selective Versioning in a Secure Disk System


Selective versioning in a secure disk system1

Questions?

Selective Versioning in a Secure Disk System

Swaminathan Sundararaman,

Gopalan Sivathanu,

Erez Zadok

Stony Brook University

www.fsl.cs.sunysb.edu


  • Login