tiwari_dec2011x - dhosa

Dec 10, 2013

DHOSA overview (project thrusts)

Transformation
- SVA
- Binary translation and emulation
- Formal methods

Hardware
- Hardware support for isolation
- Dealing with malicious hardware
- Cryptographic secure computation

System architectures
- Data-centric security
- Secure browser appliance
- Secure servers

Web-based architectures

Example goals:
- Enforce properties on a malicious OS
- Prevent data exfiltration
- Enable complex distributed systems, with resilience to hostile OS's

Mohit Tiwari, UC Berkeley

with Krste Asanović, Dawn Song, Petros Maniatis, Prashanth Mohan, Christoforos Papamanthou, Elaine Shi, Emil Stefanov, Nguyen Tran

Platform for Private Data

The Age of Big Data

- Data is plentiful, and private
- Rich applications
- Privacy breaches, from three sources:
  - Vulnerable software
  - (Un)intentional misuse
  - Insider attacks

Ideal: Privacy Preserving Cloud

[Diagram labels: End User, Developer, privacy evidence, privacy policy, API, App, Cloud provider]

Challenge #1

Untrusted applications own users' data.

[Diagram labels: End User, Developer, API, Cloud provider]

Challenge #2

Novice users.

PPD: Platform for Private Data

[Diagram labels: End User, Developer, privacy evidence, privacy policy, API, App, PPD, Cloud provider; each App runs in a sealed container, with user data kept in a private data vault]

Outline of this talk

- PPD: Platform for Private Data
- PPD Architecture
- PPD Prototype and Evaluation

PPD Insights

- Co-design of UI and system software
  - User decisions are intuitive ("share doc with Bob")
  - System manages untrusted apps and private data
- Developer API
  - Per-user functionality vs. cross-user optimizations
- Privacy
  - Data owners' access control policy
  - Apps "see" data only in sealed containers






PPD Applications

- Cloud storage
- Personal documents
- Real-time applications
- E-commerce
- Social applications
- Miscellaneous: browsing, peer-to-peer, user-initiated sharing

PPD Architecture: Users

[Diagram: End-User on hardware with a TPM; PPD at the Cloud Provider; Untrusted Storage; Trusted User Interface; Protected Channel between the user and PPD; ACL table with columns id, o, r, w (owner, read, write), e.g. row "A.tax: A, A, A"]

PPD Architecture: Applications

[Diagram: Application Container holding the untrusted App; End-User and Developer; hardware with a TPM; PPD Controller and ACL Manager at the Cloud Provider; Cleartext data; Untrusted Storage; Trusted User Interface]


App


Untrusted
Application

End
-
Users

Developers

H
ardware with
TPM

PPD

Cloud Provider

PPD Controller and ACL Manager

Dedup
,
Caching,
Replication,…

PPD


Storage Proxy


App

Storage Container

Integrity

check

Untrusted Storage

Trusted

User Interface

PPD Architecture: Storage

PPD Timeline #1: User attests Client

Parties: User (Alice), Client, Cloud Server (Trusted PPD Server)

1. Client -> Server: TPM.send(hw id)
2. Client -> Server: Attest(code); the separation kernel on the client is checked
3. Server -> Client: Response(result)
4. Client and server now hold a shared sitekey; the client is attested
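The exchange above, as an added example that is not the PPD team's code: a Python simulation of the client attestation handshake with both sides' messages. The TPM quote is stood in for by an HMAC keyed with a per-device secret the server already holds (a real TPM 1.2 quote is an AIK signature over PCR values), and the server-issued nonce, the device table and the golden measurement are assumptions of this example, not details from the slides.

```python
"""Simulated PPD client attestation (Timeline #1). Added example, not PPD code.
The 'TPM quote' is an HMAC with a per-device secret known to the PPD server;
a real TPM 1.2 quote is an AIK signature over PCR values. Nonce, device table
and golden measurement are assumptions of this example."""
import hashlib
import hmac
import secrets

# Constructed golden measurement: hash of the separation kernel + PPD client
# code that the trusted PPD server is willing to release a sitekey to.
TRUSTED_CLIENT_CODE = b"ppd-separation-kernel-v1 + ppd-client-ui-v1"
GOLDEN_MEASUREMENT = hashlib.sha256(TRUSTED_CLIENT_CODE).hexdigest()

# Constructed device table: hw id -> attestation secret (assumption).
DEVICE_DB = {"hw-0001": b"\x11" * 32}


class ClientTPM:
    """Stand-in for the TPM on Alice's client: measures code, answers quotes."""

    def __init__(self, hw_id, secret, loaded_code):
        self.hw_id = hw_id
        self._secret = secret
        # PCR holds the measurement of the code that actually booted.
        self.pcr = hashlib.sha256(loaded_code).hexdigest()

    def quote(self, nonce):
        # Bind the PCR value to the server's nonce so a quote cannot be replayed.
        mac = hmac.new(self._secret, nonce + self.pcr.encode(), hashlib.sha256)
        return {"hw_id": self.hw_id, "pcr": self.pcr,
                "nonce": nonce, "mac": mac.hexdigest()}


class PPDServer:
    """Trusted PPD server: verifies the quote, then releases a sitekey."""

    def __init__(self):
        self._pending = {}   # hw_id -> outstanding nonce
        self.site_keys = {}  # hw_id -> sitekey shared with an attested client

    def challenge(self, hw_id):
        nonce = secrets.token_bytes(16)
        self._pending[hw_id] = nonce
        return nonce

    def attest(self, quote):
        hw_id = quote["hw_id"]
        secret = DEVICE_DB.get(hw_id)
        nonce = self._pending.pop(hw_id, None)   # one use per challenge
        if secret is None or nonce is None or nonce != quote["nonce"]:
            return {"result": "rejected", "reason": "unknown device or stale nonce"}
        expected = hmac.new(secret, nonce + quote["pcr"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, quote["mac"]):
            return {"result": "rejected", "reason": "bad quote"}
        if quote["pcr"] != GOLDEN_MEASUREMENT:
            # The separation kernel / PPD client code that booted is not the trusted one.
            return {"result": "rejected", "reason": "untrusted client code"}
        sitekey = secrets.token_hex(16)
        self.site_keys[hw_id] = sitekey
        return {"result": "attested", "sitekey": sitekey}


def attest_client(loaded_code, hw_id="hw-0001", server=None):
    """Run the whole exchange for one client boot and return the server's response."""
    server = server or PPDServer()
    tpm = ClientTPM(hw_id, DEVICE_DB[hw_id], loaded_code)
    nonce = server.challenge(hw_id)   # Server -> Client: challenge (assumption)
    quote = tpm.quote(nonce)          # Client -> Server: TPM.send(hw id), Attest(code)
    return server.attest(quote)       # Server -> Client: Response(result), sitekey


if __name__ == "__main__":
    print(attest_client(TRUSTED_CLIENT_CODE))
    print(attest_client(b"rootkitted kernel + ppd-client-ui-v1"))
```

The order of the checks matters: device identity and nonce freshness first, then quote authenticity, and only then the policy question of whether the measured code is trusted, so a rejected result never leaks which golden measurement the server expects to a party that cannot produce a valid quote.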

PPD Timeline #2: User launches App

Parties: User (Alice), Client, Cloud Server

1. Alice launches the trusted UI on the client (trusted PPD kernel running the PPD UI and control component)
2. Authentication between the client and the cloud server (which runs its own trusted kernel with PPD UI and control)
3. Launch application: an App Container is created on the client and on the server
4. App communication between the two App Containers

User and Developer Interface

- User creates data: personal by default, and decides who to share it with
- PPD system provides a trusted UI to the user
  - User conveys changes of ACLs to PPD
- Developers can request
  - Application Containers: per-user, per-data-capsule
  - Storage Containers: per-application, per-system

Outline of this talk

- PPD: Platform for Private Data
- PPD Architecture
- PPD Prototype and Evaluation

PPD Building Blocks

- Data capsules
  - Capsule inferred based on user actions, e.g. "tax documents", "thanksgiving album"
  - System assigns the ACL as private by default
- Protected Containers
  - Linux containers (LXC), copy-on-write FS (UnionFS)
  - Stops all explicit communication, except channels
  - Hardware side channels and timing leaks are out of scope

PPD Building Blocks

- Protected Channels
  - iptables firewall rules for LXC containers
  - Encryption, integrity-checking (TLS/SSL for network)
  - Trusted channel from the user to PPD to change ACLs
- Storage Proxies
  - Key-value proxy: put, get and setACL interface
  - File-system proxy: FUSE-based layer on the key-value proxy




PPD Building Blocks

- PPD Controller
  - Manages containers and channels
  - Dynamically creates containers based on user or application requests
  - Assigns iptables rules for all containers
- Remote Attestation
  - Intel TXT, TPM v1.2
  - Attests correct PPD code on untrusted machines
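The controller's last job above, assigning iptables rules for every container so that only declared protected channels can carry traffic, as an added example that is not the PPD controller's code: a Python model that tracks containers and channels and emits an iptables-restore file with a default-deny FORWARD policy. The veth interface names, the 10.7.0.0/24 addressing and the exact rule layout are assumptions of this example.

```python
"""PPD controller model: containers + declared channels -> iptables rules.
Added example, not the PPD controller. Interface names, the 10.7.0.0/24
subnet and the rule layout are assumptions; the controller emits an
iptables-restore file so the policy can be reviewed before being loaded."""


class Controller:
    def __init__(self):
        self.containers = {}   # name -> {"kind", "user", "if", "ip"}
        self.channels = []     # (src, dst, proto, port): the only allowed traffic

    def create_container(self, name, kind, user=None):
        """Create a container on a user/app request; one veth and one address each."""
        if name in self.containers:
            raise ValueError(f"container {name} already exists")
        idx = len(self.containers) + 1
        self.containers[name] = {"kind": kind, "user": user,
                                 "if": f"veth-{idx}", "ip": f"10.7.0.{idx}"}
        return self.containers[name]

    def add_channel(self, src, dst, proto, port):
        """Declare a protected channel; anything not declared stays blocked."""
        for name in (src, dst):
            if name not in self.containers:
                raise KeyError(f"unknown container {name}")
        self.channels.append((src, dst, proto, port))

    def allows(self, src, dst, proto, port):
        """Model of what the generated rules let a container initiate."""
        return (src, dst, proto, port) in self.channels

    def iptables_rules(self):
        rules = ["*filter", ":FORWARD DROP [0:0]"]   # default deny between containers
        for src, dst, proto, port in self.channels:
            s, d = self.containers[src], self.containers[dst]
            # Forward direction: only the declared port, only from the declared source.
            rules.append(
                f"-A FORWARD -i {s['if']} -o {d['if']} -s {s['ip']} -d {d['ip']} "
                f"-p {proto} --dport {port} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
            # Return direction: replies only, never new connections from the server side.
            rules.append(
                f"-A FORWARD -i {d['if']} -o {s['if']} -s {d['ip']} -d {s['ip']} "
                f"-p {proto} --sport {port} -m conntrack --ctstate ESTABLISHED -j ACCEPT")
        for name, c in self.containers.items():
            # Log what the default policy is about to drop, tagged with the container.
            rules.append(f"-A FORWARD -i {c['if']} -j LOG --log-prefix \"ppd-deny {name}: \"")
        rules.append("COMMIT")
        return rules


if __name__ == "__main__":
    ctl = Controller()
    ctl.create_container("app-alice", "application", user="alice")
    ctl.create_container("store-friendshare", "storage")
    ctl.add_channel("app-alice", "store-friendshare", "tcp", 8080)
    print("\n".join(ctl.iptables_rules()))   # feed to: iptables-restore
```

Emitting the whole table and loading it atomically with iptables-restore, rather than appending rules as containers come and go, avoids the window in which a freshly created container has an interface but no rules yet; the LOG rules give the controller a per-container record of every blocked attempt.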



PPD Applications

- Friendshare: online storage with de-duplication (like Dropbox)
- Git: repository version control server
- Etherpad: online, collaborative editing (like Google Docs)

PPD Prototype

[Diagram: Application Layer: LXC containers running Etherpad and FriendShare, each behind a TLS Proxy, plus the Controller and ACL Store; Storage Layer: K/V Proxy, FS Proxy, DeDup, Secure Block Device, Storage; underneath, the Linux Kernel with IPTables and a TPM Chip (Remote Attestation); End Users: ACL changes]

Writing & Porting Apps for PPD

- Scripts to install and configure apps in containers
- Application vs. storage containers
  - Friendshare
    - Application: scan directories, chunk files, change ACL
    - Storage: de-duplication
  - Git, Etherpad
    - Application: entire functionality

PPD Application Performance

- Minimal effect on Friendshare throughput (plot omitted)
  - Small requests: 10 filenames
  - Big requests: 10 KB images
- Minimal effect on Friendshare latency (plot omitted)

Current and Future Work

- Applications
  - Medical applications, business data analytics
- Client-side PPD on Android
  - Light-weight containers and channels on Nexus S
- Application-initiated sharing
  - Differential privacy

Related Approaches

- PPD vs. DIFC
  - PPD does not do fine-grained sharing
  - Constrained containers: simple, yet most benefits of fine-grained information flow tracking
  - Developer API: reduce run-time exceptions
- PPD vs. Capabilities
  - Can be used to implement containers and channels
  - Re-write legacy applications
- PPD vs. Android security
  - Static, coarse-grained permissions
  - User does not own data


Summary

- PPD: new data-centric cloud platform
  - User-controlled sharing
  - Rich, mostly legacy applications
- PPD Architecture
  - Untrusted application and storage components
- PPD Prototype and Evaluation
  - Small performance and porting cost

The PPD Team

Conclusion

[Diagram labels: End User, Developer, privacy evidence, privacy policy, API, App, PPD Cloud provider]

Backups

- PPD Evaluation: Etherpad (plot omitted)
- PPD Evaluation: Git (plot omitted)