Enforcing declara.ve data policies

Transcription

1 Enforcing declara.ve data policies Peter Druschel with Anjo Vahldiek, Eslam Elnikety, Aastha Mehta, Deepak Garg, MPI- SWS (with from Rodrigo Rodrigues Nova Lisboa, Johannes Gehrke Cornell/Microso>, Ansley Post Google)

2 Data integrity, compliance Increasing volume and value of digitally stored Loss or disclosure may lead to material, financial, privacy, security loss Data stored, processed by third Requirement: Policy compliance User preferences, enterprise/provider privacy policy Legal requirements for access, logging, removal Threats: Increasing complexity of sojware systems,

3 A safety net for data policy compliance Complex data processing system Guardat: mediate storage I/O Ø policies Ø AWached to data files Ø By data owner/subject, provider, designer Ø Enforced with a small TCB

4 Outline Guardat: Data policies at the storage layer Policy examples Guardat Thoth: Extending the safety net Conclusion

5 Guardat: Overview Trusted component (GDC) on the storage I/O path Enforces integrity, policies awached to files AWests the state of stored files Through an API (IOCTL calls) Framework system File system Net stack, drivers Services IO Bus or Network Object Policy Block device Guardat device GDC SSD

6 Guardat: Usage User, provider, developer Object akesta.on: Object id Path name Policy Content hash Size Guardat device Object policy: Access on: Principal s iden@ty Cer@fied facts (@me, loca@on, etc.) Current state of files Update content GDC SSD Untrusted code can migrate sealed,pickled file+policy among Guardat devices under policy control

7 Guardat: Design Principles Storage layer enforcement minimizes TCB/aWack surface All policy awached to data files Policy states what, untrusted code does the how Trusted Guardat Controller (GDC) Policy language interpreter Unique private/public key + cer@ficate Cer@ficates, secure sessions Metadata store (SSD) Guardat device GDC SSD

8 Guardat: Threat model AWacker does not 1. penetrate the GDC Private key is protected, firmware is correct 2. compromise external policy dependencies server, users private keys Guardat guarantee: All file accesses comply with the file s policy Guardat device GDC SSD

9 Outline Guardat: Data policies at the storage layer Policy examples Guardat Thoth: Extending the safety net Conclusion

10 Policy language A file policy has 4 rules of the form permission :- condi/on (constrained Datalog) permission = {read,update,destroy,setpolicy} condi/on is a boolean expression of atomic facts atomic facts contain a predicate that relates object ids, content, public keys, cer@ficates, etc. wide range of predicates: <, >, ==, session_is(key), object_is(o), (obj,off,len) says R, key_is(k, a), k signs (t 1, t n ) at t, etc.

11 Example: Backup file integrity Threat: SoJware bug, virus or operator error corrupts backup/snapshot data stored online Policy: No writes before the backup s expira@on date update :- key_is(k, TimeServer ) K signs /me(t) at T i /me_is(t j ) (T +T j T i > endt)

12 Example: Executable file integrity Threat: AWacker replaces executable file with a Trojan or rolls back to a vulnerable version Policy: Allow updates when signed by trusted vendor and version number is sufficiently high update :- object_name_is(o) new_length_is(l) (0,L) willhavehash N h key_is(k, Vendor ) K signs ok_hash(o,n,n h ) (N 10) setpolicy :- object_name_is(o) new_pol_hash_is(n ph ) k ad signs good_policy(o,n ph )

13 Example: Append- only log Threat: Intruder manipulates system log files Policy: Disallow in- place of log files except by sysadmin (k ad ) update :- session_is(kad) (old_length_is(l o ) new_length_is(l n ) (L n L o ) updated_loca/ons_are(m) disjoint(m, [0,L o ]))

14 Example: Mandatory access logging Threat: Unaccounted accesses to data (e.g., medical records, pay- per- view content, user s private data) Policy: Access allowed iff an appropriate entry is added to an append- only audit log file Content file has a seq#, increased during update read requires log entry <client, current seq#, off, len> update requires log entry with <client, new seq#, off, len, new- cont- hash>, must increment seq#

15 Outline Guardat: Data policies at the storage layer Policy examples Guardat results Thoth: Extending the safety net Conclusion

16 Guardat GDC /RAID controller Microcontroller on SCSI/SATA host adapter Trusted sojware component in storage server (SAN or NAS), VMM or OS protected by ARM TrustZone or Intel SGX secure enclave

17 Summary Guardat prototype in iscsi IET SAN server Micro benchmarks: Low bandwidth overhead (< 0.75%) Low (<0.5%) latency cost, except for reads/writes (2/7%) Web server: Guardat protects (with < 1% xput overhead) Content from unauthorized Binaries from unauthorized update Mandatory access logging: 11.5%/50.6% overhead for individual read/write over voluntary logging

18 Outline Guardat: Data policies at the storage layer Policy examples Guardat Thoth: Extending the safety net Conclusion

19 Guardat revisited Signed content Complex data processing system Trusted sources Sealed content users Supports policies for structural integrity (e.g., append- only) (MAL) for sealed data provenance for signed content NICTA SoJware Systems Summer School, 2014

20 But what about general data processing? Inputs Results Complex data processing system How to ensure confiden.ality, provenance when untrusted so>ware analyses/mutates data?

21 Thoth: Expanding the safety net Encapsulated processes or VMs Complex data processing system Thoth: mediates all I/O, tracks flow, supports policies: Ø Declassifica/on: constrains downstream data use Net GUI Ø Provenance: constrains upstream data origin

22 Thoth in search engine David s private post Indexer Update :- append- only Read :- only David s circle Declassify :- employees with MAL Logfile:.. admin read David s post at xx.xx Search Front End Index Read :- Update :- No content that is illegal in Bob s locale Read :- employees with MAL David s private post David s sex, drugs, rock & roll! Search: David Smith David s private post David s sex, drugs, rock & roll! David s web page David s web page Admin Bob

23 Guardat: Related work TCG storage work group spec [2012] Architecture for sessions, access control policies Concrete design, lej to vendors No object TC: [Haldar 2004], Excalibur [Santos 2012], Pasture [Kotla 2012] Integrity/confiden.ality: self- disks, capability NAS [Aguilera 2003], type- safe disks [Sivathanu 2006], [Quinlan 2002], S4 [Strunk 2000], NetApp SnapVault, PCFS[Garg 2010], PFS[Walsh 2012] Extended disk func.onality: hybrid disks, object- based storage [Mesnier 2003], disks [Riedel 2001], smart disks [Sivathanu 2003], storage [Mesnier 2011]

24 Related work: Trusted Property Trusted compu.ng Guardat Root of trust TPM GDC Motherboard Guardat device Storage property provided HW/SW (remote + Read integrity Proper@es expressed in Trusted sojware File state + policy file awesta@on) Confiden@ality + write integrity Policy language TCB TPM + trusted SW GDC (narrow API) Persistent secure state NVRAM En@re storage device Mostly complementary; can be combined, e.g., Remotely awested external verifier Tamper- resident persistent storage

25 Conclusions Guardat: data policies at the storage layer small TCB and low overhead possible Thoth: extents enforcement to general data processing Enables and provenance policies Challenges Trading off expressiveness of policy language (and scope of with TCB size Burden of policies and refactoring Loss in flexibility versus security/robustness