Securing the Frisbee Multicast Disk Loader

Similar documents
Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Eric Eide, Mike Hibler, Rob Ricci

Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

Engineering Fault-Tolerant TCP/IP servers using FT-TCP. Dmitrii Zagorodnov University of California San Diego

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2011

Experiment Isolation in a Secure Cluster Testbed

Authenticated Storage Using Small Trusted Hardware Hsin-Jung Yang, Victor Costan, Nickolai Zeldovich, and Srini Devadas

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

An Integrated Experimental

The DETER Testbed: Overview 25 August 2004

File Protection using rsync. Setup guide

Oasis: An Active Storage Framework for Object Storage Platform

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

CS 416: Operating Systems Design April 22, 2015

SentinelOne Technical Brief

Networking interview questions

Clotho: Transparent Data Versioning at the Block I/O Level

Network File System (NFS)

Security Fundamentals

IBM Proventia Management SiteProtector Installation Guide

Network File System (NFS)

Separating Access Control Policy, Enforcement, and Functionality in Extensible Systems. Robert Grimm University of Washington

Overview. SSL Cryptography Overview CHAPTER 1

IBM ^ iseries Logical Partition Isolation and Integrity

Veeam Cloud Connect. Version 8.0. Administrator Guide

Scaling Acceleration Capacity from 5 to 50 Gbps and Beyond with Intel QuickAssist Technology

GTRC Hosting Infrastructure Reports

BUILDING A NEXT-GENERATION FIREWALL

e-commerce Study Guide Test 2. Security Chapter 10

Network Security and Cryptography. 2 September Marking Scheme

Question No: 2 Which identifier is used to describe the application or process that submitted a log message?

Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN. Berry Hoekstra Damir Musulin OS3 Supervisor: Jan Just Keijser Nikhef

PASSWORDS & ENCRYPTION

Distributed Systems. Fall 2017 Exam 3 Review. Paul Krzyzanowski. Rutgers University. Fall 2017

Operating Systems. Lecture File system implementation. Master of Computer Science PUF - Hồ Chí Minh 2016/2017

Enabling High Performance Bulk Data Transfers With SSH

Profiling Grid Data Transfer Protocols and Servers. George Kola, Tevfik Kosar and Miron Livny University of Wisconsin-Madison USA

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Supra-linear Packet Processing Performance with Intel Multi-core Processors

Persistent key, value storage

OPERATING SYSTEM. Chapter 12: File System Implementation

Chapter 11: Implementing File

EMUSTORE: LARGE SCALE DISK IMAGE STORAGE AND DEPLOYMENT IN THE EMULAB NETWORK TESTBED

CIS 21 Final Study Guide. Final covers ch. 1-20, except for 17. Need to know:

Chapter 11: Implementing File Systems. Operating System Concepts 9 9h Edition

Chapter 11: Implementing File Systems

Security in NVMe Enterprise SSDs

SSH Bulk Transfer Performance. Allan Jude --

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

Who s Protecting Your Keys? August 2018

Case Study II: A Web Server

This release of the product includes these new features that have been added since NGFW 5.5.

User Manual. Admin Report Kit for IIS 7 (ARKIIS)

Operating Systems Design Exam 3 Review: Spring 2011

A Virtual Circuit Multicast Transport Protocol (VCMTP) for Scientific Data Distribution

Student ID: CS457: Computer Networking Date: 5/8/2007 Name:

A practical integrated device for lowoverhead, secure communications.

Ming Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay

WHITE PAPER: BEST PRACTICES. Sizing and Scalability Recommendations for Symantec Endpoint Protection. Symantec Enterprise Security Solutions Group

Chapter 5.6 Network and Multiplayer

Cryptographic Concepts

This release of the product includes these new features that have been added since NGFW 5.5.

COS 318: Operating Systems. NSF, Snapshot, Dedup and Review

Staggeringly Large Filesystems

Distributed File Systems Issues. NFS (Network File System) AFS: Namespace. The Andrew File System (AFS) Operating Systems 11/19/2012 CSC 256/456 1

Operating system hardening

Computer Networks. Wenzhong Li. Nanjing University

PARDA: Proportional Allocation of Resources for Distributed Storage Access

File Protection using rsync. User guide

Strategic Infrastructure Security

Ultra high-speed transmission technology for wide area data movement

CS408 Cryptography & Internet Security

Installing Cisco APIC-EM on a Virtual Machine

IX: A Protected Dataplane Operating System for High Throughput and Low Latency

Requirements and Dependencies

This release of the product includes these new features that have been added since NGFW 5.5.

Mesh-Based Content Routing Using XML

Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances

Track Join. Distributed Joins with Minimal Network Traffic. Orestis Polychroniou! Rajkumar Sen! Kenneth A. Ross

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Benchmarking results of SMIP project software components

UNDERSTANDING SENETAS LAYER 2 ENCRYPTION TECHNICAL-PAPER

MINIMUM HARDWARE AND OS SPECIFICATIONS File Stream Document Management Software - System Requirements for V4.2

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

IBM V7000 Unified R1.4.2 Asynchronous Replication Performance Reference Guide

Fabric Security (Securing the SAN Infrastructure) Daniel Cohen Solutioneer Brocade Communications Systems, Inc

Firewalls, Tunnels, and Network Intrusion Detection

KALASALINGAM UNIVERSITY

An Introduction to Key Management for Secure Storage. Walt Hubis, LSI Corporation

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

WebSphere Application Server Base Performance

CIS 5373 Systems Security

File systems: management 1

CS /29/17. Paul Krzyzanowski 1. Fall 2016: Question 2. Distributed Systems. Fall 2016: Question 2 (cont.) Fall 2016: Question 3

Transcription:

Securing the Frisbee Multicast Disk Loader Robert Ricci, Jonathon Duerig University of Utah 1

What is Frisbee? 2

Frisbee is Emulab s tool to install whole disk images from a server to many clients using multicast 3

What is our goal? 4

Motivation Frisbee was developed for a relatively trusting environment Existing features were to prevent accidents Changing Environment More users More sensitive experiments More private images 5

Security Goals Confidentiality Integrity Protection Authentication Ensure that an image is authentic Use cases Public images Private images 6

Our Contribution Analyze and describe a new and interesting threat model Protect against those threats while preserving Frisbee s essential strengths 7

Outline Motivation Frisbee Background Threat Model Protecting Frisbee Evaluation 8

Frisbee & Emulab 9

Emulab 10

Control Plane 11

Frisbee s Strengths 12

Frisbee s Strengths Disk Imaging System General and versatile Robust Fast Loads a machine in 2 minutes Scalable Loads dozens of machines in 2 minutes Hibler et al. (USENIX 2003) 13

How Does Frisbee Work? 14

Frisbee Life Cycle Control Server Creation Storage Source Fileserver Distribution Installation Targets 15

Image Layout Source Disk Allocated Blocks Free Blocks Stored Image Header Compressed Data Header Compressed Data Chunk Image is divide into chunks Each chunk is independently installable Start receiving chunks at any point Chunks are multicast 16

Outline Motivation Frisbee Background Threat Model Protecting Frisbee Evaluation 17

Potential Attackers 18

Potential Attackers Firewall Frisbee traffic can t leave control network Forged Frisbee traffic can t enter control network Any attackers are inside Emulab Compromised Emulab node Infiltrated Emulab server Emulab user 19

Vectors for Attack in Emulab Space Shared Multiple users on the testbed at the same time Shared control network Frisbee runs on control network No software solution to limit users Users have full root access to their nodes 20

What do attackers want? 21

What do attackers want? Steal your data Malicious software (security research) Unreleased software (trade secrets) Modify your image Denial of Service Add a backdoor /etc/passwd ssh daemon Tainting results 22

Frisbee Weakpoints 23

Frisbee Weakpoints Control Server Steal & Modify Storage Steal & Modify Fileserver Distribution Installation Targets 24

How do the attacks work? 25

Storage Attack Images are stored on a common fileserver All users have shell access on this server Images are protected by UNIX permissions Any escalation of privilege attacks compromise images 26

Distribution Attack Emulab is space shared A single control network is used to communicate with all nodes Join multicast group No security protection in IP multicast Receive copies of packets Inject packets into stream 27

Multicast Frisbee Server Targets 28

Outline Motivation Frisbee Background Threat Model Protecting Frisbee Evaluation 29

Storage and Distribution Attacks Two birds with one stone End-to-end encryption & authentication Image creation: Encrypt & Sign Image installation: Decrypt & Verify Same techniques prevent both attacks Distribution protocol remains identical 30

Confidentiality Encrypted at image creation Remains encrypted on fileserver Decrypted only at image installation Details Encryption algorithm: Blowfish Encrypt after compression 31

Integrity Protection & Authentication Calculate cryptographic hash Breaks backwards compatibility Sign hash using public-key cryptography (RSA) 32

Chunk by Chunk Header Compressed Data Header Compressed Data Header Encrypted Data Header Encrypted Data Chunk Each chunk is selfdescribing Hash & sign each chunk independently CBC restarts at each chunk Each header must have Digital Signature Initialization Vector 33

Image Authentication Weakness Cut and paste attacks Give each image a unique UUID and put that in chunk headers UUID is a 128 bit universal identifier Can be selected randomly 34

Key Distribution Through secure control channel Already part of Emulab Encrypted using SSL with well-known certificate TCP spoofing prevented by Utah Emulab s network setup No forged MAC addresses No forged IP addresses Key can come from user Flexible policy for images Not yet integrated into Emulab 35

Outline Motivation Frisbee Background Threat Model Protecting Frisbee Evaluation 36

Experimental Procedure Machine Specs 3 GHz Pentium IV Xeon 2 GB RAM Measurement CPU time Network and disk usage unaffected Per chunk Typical Image has 300 chunks (300 MB) 37

Performance Create Install 34.3 44.5 53.8 187.9 198.5 208.8 Base Signed Hash Signed Hash + {En,De}cryption 0 50 100 150 200 250 Time per chunk (ms) 38

Conclusion 39

Conclusion Frisbee faces an unusual set of attacks Cause: Space sharing of infrastructure Frisbee can be secured against these attacks Cost: An extra 6 seconds for an average image 40

Emulab http://www.emulab.net 41

42

Preventing Disk Leakage 43

Disk Leakage Disks are time shared Frisbee is aware of filesystem Does not write free blocks Old image will not be completely overwritten Another user could read the unwritten parts 44

Fixing Disk Leakage Zero out disks on next disk load Implemented in Frisbee Much slower 45

Comparison to Symantec Ghost 46

47

Image Creation (CPU per chunk) Time (ms) Overhead (ms) Overhead (%) Base 187.9 Signed Hash 198.5 10.5 5.6% Signed Hash + Encryption 208.8 20.9 11.1% 48

Image Installation (CPU per chunk) Time (ms) Overhead (ms) Overhead (%) Base 34.3 Signed Hash 44.5 10.2 29.5% Signed Hash + Decryption 53.8 19.5 56.8% 49

Disk Imaging Matters Data on a disk or partition, rather than file, granularity Uses OS installation Catastrophe recovery Environments Enterprise Clusters Utility computing Research/education environments 50

Key Design Aspects Domain-specific data compression Two-level data segmentation LAN-optimized custom multicast protocol High levels of concurrency in the client 51

Image Creation Segments images into self-describing chunks Compresses with zlib Can create raw images with opaque contents Optimizes some common filesystems ext2, FFS, NTFS Skips free blocks 52

Image Distribution Environment LAN environment Low latency, high bandwidth IP multicast Low packet loss Dedicated clients Consuming all bandwidth and CPU OK 53

Custom Multicast Protocol Receiver-driven Server is stateless Server consumes no bandwidth when idle Reliable, unordered delivery Application-level framing Requests block ranges within 1MB chunk 54

Client Operation Joins multicast channel One per image Asks server for image size Starts requesting blocks Requests are multicast Client start not synchronized 55

Client Requests Request 56

Client Requests Block 57

Tuning is Crucial Client side Timeouts Read-ahead amount Server side Burst size Inter-burst gap 58

Image Installation Distribution Decompression Disk Writer Blocks Chunk Decompressed Data Pipelined with distribution Can install chunks in any order Segmented data makes this possible Three threads for overlapping tasks Disk write speed the bottleneck Can skip or zero free blocks 59

Evaluation 60

Performance Disk image FreeBSD installation used on Emulab 3 GB filesystem, 642 MB of data 80% free space Compressed image size is 180 MB Client PCs 850 MHz CPU, 100 MHz memory bus UDMA 33 IDE disks, 21.4 MB/sec write speed 100 Mbps Ethernet, server has Gigabit 61

Speed and Scaling 62

FS-Aware Compression 63

Packet Loss 64

Related Work Disk imagers without multicast Partition Image [www.partimage.org] Disk imagers with multicast PowerQuest Drive Image Pro Symantec Ghost Differential Update rsync 5x slower with secure checksums Reliable multicast SRM [Floyd 97] RMTP [Lin 96] 65

Ghost with Packet Loss 66

How Frisbee Changed our Lives (on Emulab, at least) Made disk loading between experiments practical Made large experiments possible Unicast loader maxed out at 12 Made swapping possible Much more efficient resource usage 67

The Real Bottom Line I used to be able to go to lunch while I loaded a disk, now I can t even go to the bathroom! - Mike Hibler (first author) 68

Conclusion Frisbee is Fast Scalable Proven Careful domain-specific design from top to bottom is key Source available at www.emulab.net 69

70

Comparison to rsync rsync: Timestamps rsync: Checksum Timestamps not robust Checksums slow Conclusion: Bulk writes beat data comparison Frisbee: Write 0 50 100 150 200 Seconds 71

How to Synchronize Disks Differential update - rsync Operates through filesystem + Only transfers/writes changes + Saves bandwidth Whole-disk imaging Operates below filesystem + General + Robust + Versatile Whole-disk imaging essential for our task 72

Image Distribution Performance: Skewed Starts 73

Future Server pacing Self tuning 74

The Frisbee Protocol Start No Send REQUEST Outstanding Requests? Yes Yes Timeout BLOCK Received Wait for BLOCKs No No More Chunks Left? Yes Chunk Finished? Finished 75

The Evolution of Frisbee First disk imager: Feb, 1999 Started with NFS distribution Added compression Naive FS-aware Overlapping I/O Multicast 30 minutes down to 34 seconds! Seconds 2000 1800 1600 1400 1200 1000 800 600 400 200 0 Generation 76

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback