PASIS: Perpetually Available and Secure Information Systems

Uploaded 31 Oct 2013 (Data Management)

PASIS: Perpetually Available and Secure Information Systems

http://www.ices.cmu.edu/pasis/


Greg Ganger, Pradeep Khosla

Mehmet Bakkaloglu, Michael Bigrigg, Garth Goodson, Semih Oguz, Vijay Pandurangan, Craig Soules, John Strunk, Ken Tew, Cory Williams, Ted Wong, Jay Wylie



Carnegie Mellon University

PASIS Objective

Create information storage systems that are:
  Perpetually Available: information should always be available even when some system components are down or unavailable.
  Perpetually Secure: information integrity and confidentiality should always be enforced even when some system components are compromised.
  Graceful in degradation: information access functionality and performance should degrade gracefully as system components fail.


Assumptions

Some components will fail, some components will be compromised, some components will be inconsistent, BUT the surviving components allow the information storage system to survive.


Survivable Storage Systems

Surviving “server-side” intrusions
  decentralization + data distribution schemes
  provides for availability and security of storage

Surviving “client-side” intrusions
  server-side data versioning and request auditing
  enables intrusion diagnosis and recovery

Tradeoff management balances availability, security, and performance
  maximize performance given the other two

Step #1: Decentralized storage systems

Scheme = Algorithm + <Parameters>
  e.g., 3-fold replication = replication + <n = 3>

1000s of possible choices
  Many different algorithms
    Cryptographic
    Threshold (n shares, any m to reconstruct)
    Hybrids and combinations
  Many reasonable parameters

Step #2: Data distribution schemes

PASIS Agent Architecture

[Diagram: Client Applications; Local PASIS Agent with components Tradeoff Management, Multi-read/write Communication, and Encode & Decode; PASIS Storage Nodes. Inputs shown to the agent: System Characteristics and User Preferences.]

Features of PASIS Architecture

Security
  confidentiality: no single storage node can expose data
  integrity: no single storage node can modify data

Availability
  any M-of-N storage nodes can collectively provide data

Flexibility
  range of options in the space of trade-offs among availability, security, and performance

Engineering survivable systems

Performance and manageability need to approach that of conventional systems
  ... to ensure significant acceptance

Approach: exploit threshold scheme flexibility
  achieve maximum performance given desired levels of availability and security
  requires quantification of the corresponding trade-offs

Approach: exploit the ability to use any M shares
  send requests to more than M nodes and use the quickest responses
  send requests to the “closest” servers first

Trade-off management challenges

Reasoning about security and availability
  specifically, need to translate settings into configuration rules and limitations
  e.g., M > 0.7*N, (N - M) > 2, M shares cannot be on the same OS

Finding the best-performing configuration
  within the limitations imposed by the first step and given the expected workload and system components
  configuration includes choices of data distribution scheme, values for M and N and P, degree of over-requesting, server selection algorithm, etc.
  2-step approach: predict the performance of any possible configuration and then search for the optimal choice

Trade-off space: Scheme Selection Surface [figure]

Quantifying the axes

Performance (MB/s)
  based on a simple performance model
  computed with standard performance evaluation techniques

Availability (“nines”)
  standard fault tolerance math with independent failures
  relative values are useful even if failures are not independent

Security (effort to defeat)
  estimate the effort involved with possible attack paths
  overall effort is the minimum of the possible efforts
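The availability math above and the configuration rules from the trade-off management slide (M > 0.7*N, (N - M) > 2, M shares not on the same OS), worked through as an added illustration that is not PASIS code. The two attack paths in security_effort (collect M shares, or one break-in plus circumventing the cryptography) are an assumed model built from the slides' E_BreakIn and E_CircumventCrypto terms, not the project's actual security model.

```python
# Added example (not PASIS project code): quantifying the availability and
# security axes of an M-of-N scheme and checking a configuration against rules.
from math import comb, log10

def availability_m_of_n(m, n, node_avail):
    """P(at least m of n nodes are up), nodes failing independently."""
    return sum(comb(n, k) * node_avail**k * (1 - node_avail)**(n - k)
               for k in range(m, n + 1))

def nines(avail):
    """Availability expressed as a count of nines: 0.999 -> 3.0."""
    return float("inf") if avail >= 1 else -log10(1 - avail)

def security_effort(m, e_break_in, e_circumvent_crypto=None):
    """Minimum over the ASSUMED attack paths: collecting M shares costs M
    break-ins; if a cipher is in play, one break-in plus circumventing it."""
    efforts = [m * e_break_in]
    if e_circumvent_crypto is not None:
        efforts.append(e_break_in + e_circumvent_crypto)
    return min(efforts)

def check_config(m, n, os_of_node):
    """Return the slide's example rules that (m, n, placement) violate.
    os_of_node[i] is the OS of storage node i; 'M shares cannot be on the
    same OS' is read as: no OS may host M or more of the N nodes."""
    violations = []
    if not m > 0.7 * n:
        violations.append("M > 0.7*N")
    if not (n - m) > 2:
        violations.append("(N - M) > 2")
    counts = {}
    for os_name in os_of_node:
        counts[os_name] = counts.get(os_name, 0) + 1
    if any(c >= m for c in counts.values()):
        violations.append("M shares cannot be on same OS")
    return violations
```

For example, N = 20, M = 15 spread over four operating systems passes all three rules, and with 99% per-node availability lands between seven and eight nines, while the same M on a single OS or N = 10, M = 8 is rejected.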

Generation of scheme selection surface

Quantify performance, security, and availability of each algorithm+parameters
Select the best-performing scheme for each region

[Scheme selection surface figures; regions labelled: Replication + Encryption, Information Dispersal, Secret Sharing, Ramp, Replication, Short secret sharing, Splitting]

Trade-off space: Scheme Selection Surface [figure]

Selection surface sensitivity

Models are insensitive to small perturbations of configuration parameters
Scheme selection surface is different for truly different configurations

[Figures: Extreme read workload; 50% Read Workload; 99% Read Workload]

Security Model Sensitivity

[Figures: E_CircumventCrypto = E_BreakIn; E_CircumventCrypto = 2.5 E_BreakIn]

Self-Securing Storage Nodes

Goal: protect data from authorized but malicious users
  both client-side intruders and insider attacks

How: assume all clients are compromised
  keep all versions of all data
  audit all requests

Benefits
  fast and complete recovery by preventing data destruction and undetectable modifications
  enhanced detection and diagnosis of intrusions by providing tamper-proof audit logs
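The self-securing node idea above in miniature, as an added example that is not PASIS code: every write and delete becomes a new version, every request is logged, and recovery means reading the last version before the intrusion. The hash chain over the audit log is an assumption added here to make "tamper-proof" checkable; the slide only says the server keeps the log.

```python
# Added example, not PASIS code: a toy self-securing storage node that keeps
# every version of every object and audits every request, so a client holding
# valid credentials cannot destroy history or hide what it did.
import hashlib
import json

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class SelfSecuringNode:
    def __init__(self):
        self._versions = {}  # object id -> list of (seq, client, data or None)
        self._audit = []     # append-only request log, hash-chained (assumption)
        self._seq = 0
    def _log(self, client, op, obj):
        self._seq += 1
        prev = self._audit[-1]["digest"] if self._audit else "0" * 64
        entry = {"seq": self._seq, "client": client, "op": op, "obj": obj, "prev": prev}
        entry["digest"] = _digest(entry)
        self._audit.append(entry)
        return self._seq
    def write(self, client, obj, data):
        seq = self._log(client, "write", obj)
        self._versions.setdefault(obj, []).append((seq, client, data))
    def delete(self, client, obj):
        # A delete is just one more version; nothing is ever discarded.
        seq = self._log(client, "delete", obj)
        self._versions.setdefault(obj, []).append((seq, client, None))
    def read(self, obj, as_of=None):
        """Latest version, or the latest with sequence number <= as_of."""
        hist = [v for v in self._versions.get(obj, []) if as_of is None or v[0] <= as_of]
        return hist[-1][2] if hist else None
    def recover(self, obj, intrusion_seq):
        """Roll back to the last version before the first intrusive request."""
        return self.read(obj, as_of=intrusion_seq - 1)
    def requests_by(self, client):
        """Diagnosis aid: every request a given (possibly compromised) client made."""
        return [e for e in self._audit if e["client"] == client]
    def audit_intact(self):
        """Verify the hash chain; any edited or dropped entry breaks it."""
        prev = "0" * 64
        for e in self._audit:
            body = {k: v for k, v in e.items() if k != "digest"}
            if body["prev"] != prev or _digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True
```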

Where we’re at

PASIS architecture and first prototype complete

Re-implementation of agent in progress
  more efficient, portable, flexible
  and more data distribution schemes and storage protocols
  based on lessons from the initial prototype

Re-implemented multi-versioning storage node
  working on internal space and time optimizations
  investigating how it can be used for intrusion diagnosis

Trade-off quantification in progress
  measurements and modeling continue

Technology Transfer

Transfer path via CMU Consortia (e.g., PDL)
  15-20 storage and networking companies: EMC, HP, IBM, Intel, 3Com, Veritas, Sun, Seagate, Lucent, Snap, LSI Logic, Hitachi, Panasas, Network Appliances, Platys Communications
  20+ embedded system & infrastructure companies: Raytheon, Boeing, United Technologies, Hughes, Bosch, AT&T, Adtranz, Emerson Electric, Ford, HP, Intel, Motorola, NIIIP Consortium

Joint Battlespace Infosphere (JBI)
  working with AFRL researchers to understand how PASIS technologies might fit into JBI infrastructures

PASIS: Summary

Decentralization + data distribution schemes
  provides for availability and security of storage

Tradeoff management balances availability, security, and performance
  ... and it is good engineering practice!

Data versioning to survive malicious users
  enables intrusion diagnosis and recovery