Securing Disk-Resident Data through Application Level Encryption

Securing Disk-Resident Data through Application Level Encryption. Ramya Prabhakar, Seung Woo Son, Christina Patrick, Sri Hari Krishna Narayanan, Mahmut Kandemir, Pennsylvania State University. 4th International IEEE Security in Storage Workshop '07, 27th September, 2007.


Presentation Transcript


  1. Securing Disk-Resident Data through Application Level Encryption • Ramya Prabhakar, Seung Woo Son, Christina Patrick, Sri Hari Krishna Narayanan, Mahmut Kandemir • Pennsylvania State University • 4th International IEEE Security in Storage Workshop '07 • 27th September, 2007 • Ramya Prabhakar

  2. Outline

  3. Motivation

  4. Data Reuse in Applications • E.g. Matrix-Matrix Multiplication: A × B = C • Matrix B is read every time an element of C is computed

  5. Reuse Potential • Reuse potential is a measure of the amount of data read/written repeatedly by the application • Different applications have different reuse potentials

  6. The Two Extremes… • Always Encrypt/Decrypt: • Minimum Vulnerability Factor • Maximum security • Maximum I/O Time • Significant performance overhead • Never Encrypt/Decrypt: • Minimum I/O Time • Significant performance improvement • Maximum exposure • Maximum Vulnerability Factor

  7. Reuse oriented approach [Figure: timeline of I/O calls (plain_write, write_encrypt, read_decrypt, plain_read, each with an offset argument), annotated with reuse distance (δ) and δ threshold]

  8. Distribution of Reuse

  9. Metrics of Interest • I/O Time (IOT) • I/O latency when encryption/decryption is included • Normalized to base version • Vulnerability Factor (VF) • Percentage of data stored in plain text during execution • Two variants: • Average Vulnerability Factor (AVF) • Maximum Vulnerability Factor (MVF) • Ideal case: reduce both IOT and VF

  10. Metrics Vs Reuse Distance • NED DES scheme reduces IOT over AED DES by 74% • NED DES scheme reduces IOT over AED DES by 26%

  11. But… • Reuse oriented approach is idealistic • Analysis is perfect; derives maximum benefit • Requires knowledge of future references • Not possible to implement

  12. Profile Guided Approach • Profiling • Collect statistical information • Obtain dynamic behavior of each static call • An implementable method to approximate reuse-oriented approach • Static I/O call results in many dynamic instances of the same call

  13. Profile Guided Approach

  14. Profile Guided Approach • Profiler inserts hints to every static call • Three types of static calls: • Group I • Always interpreted as read_decrypt / write_encrypt • Group II • Always interpreted as plain_read / plain_write • Group III • Decision varies dynamically. Non-deterministic

  15. Profile Guided Approach • Distribution of static I/O calls among groups

  16. I/O Call Splitting

  17. I/O Call Splitting

  18. I/O Call Splitting • Group III references optimized in two ways • Performance oriented approach (PO) • Profiles with higher δthreshold • Performance is favored in the tradeoff • Security oriented approach (SO) • Profiles with higher δthreshold • Performance is favored in the tradeoff

  19. Results • Variation of IOT(DES) with different approaches

  20. Results • Variation of IOT(AES) with different approaches

  21. Results • Variation of AVF with different approaches

  22. Results • Variation of MVF with different approaches

  23. Guidelines for suitable δthreshold • Performance ratio for δk is IOT for lowest δ divided by IOT for δk • Security ratio for δk is portion of secure data at δk divided by portion of secure data for highest δ • Combined metric (CM) is performance ratio divided by security ratio • CM at δk represents unit gain in performance for unit loss in security • CM is less than, equal to or greater than 1

  24. Conclusion • Quantitative analysis of performance and confidentiality tradeoff • Disk resident data remains secured • Encryption/decryption overheads significantly reduced • 46.5% with 3-DES • 30.63% with AES
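
The grouping of static I/O calls from slides 12-14, as an added example that is not code from the presentation or its authors. The trace, the site names, the definition of reuse distance (number of I/O calls until the same offset is next accessed) and the rule that a distance above δ threshold means read_decrypt / write_encrypt are assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed profile trace, in program order: (static call site, file offset).
# Site names and offsets are hypothetical.
TRACE = [
    ("init_write", 0), ("init_write", 1), ("init_write", 2),
    ("loop_read", 0), ("loop_read", 1), ("loop_read", 0),
    ("loop_read", 1), ("ckpt_write", 3), ("loop_read", 2),
    ("final_read", 3), ("loop_read", 0),
]

def reuse_distances(trace):
    """Forward reuse distance per dynamic instance: number of I/O calls until
    the same offset is touched again (assumed definition); inf if never."""
    next_use, dist = {}, [math.inf] * len(trace)
    for i in range(len(trace) - 1, -1, -1):
        off = trace[i][1]
        if off in next_use:
            dist[i] = next_use[off] - i
        next_use[off] = i
    return dist

def classify_sites(trace, threshold):
    """Assumed rule: distance > threshold -> secure (read_decrypt/write_encrypt),
    otherwise plain (plain_read/plain_write). Returns {site: group}."""
    decisions = defaultdict(set)
    for (site, _), d in zip(trace, reuse_distances(trace)):
        decisions[site].add("secure" if d > threshold else "plain")
    groups = {}
    for site, seen in decisions.items():
        if seen == {"secure"}:
            groups[site] = "I"    # every dynamic instance is encrypted
        elif seen == {"plain"}:
            groups[site] = "II"   # every dynamic instance is plain
        else:
            groups[site] = "III"  # decision varies between instances
    return groups

def plain_fraction(trace, threshold):
    """Share of dynamic instances issued as plain I/O at this threshold."""
    d = reuse_distances(trace)
    return sum(x <= threshold for x in d) / len(d)

if __name__ == "__main__":
    for t in (1, 3, 8):
        print(t, classify_sites(TRACE, t), round(plain_fraction(TRACE, t), 2))
```

Raising the threshold moves call sites out of Group I and increases the share of plain I/O, which is the performance and exposure trade-off the slides measure with IOT and VF.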
