Data-centric security - dhosa

Feb 5, 2013 (4 years and 8 months ago)

Data-Centric Security

Dawn Song

UC Berkeley

Collaboration with Lorenzo Martignoni, Stephen McCamant, Pongsin Poosankam, Matei Zaharia, Scott Shenker, Ion Stoica, Vern Paxson, Emil, Elaine Shi, Petros, David Evans

TRANSFORMATION

HARDWARE

SYSTEM ARCHITECTURES

SVA

Binary translation and emulation

Formal methods

Hardware support for isolation

Dealing with malicious hardware

Cryptographic secure computation

Data-centric security

Secure browser appliance

Secure servers

WEB-BASED ARCHITECTURES

e.g., Enforce properties on a malicious OS

e.g., Prevent data exfiltration

e.g., Enable complex distributed systems, with resilience to hostile OS’s

Outline

Data-centric security: protecting the data directly instead of network or host-based protection

Three examples
  Cloud-terminal: providing trusted input/output
  Platform for private data
  Secure web applications: GuardRails

The Cloud Terminal Architecture for End-to-End Secure Applications

Dawn Song

with Lorenzo Martignoni, Stephen McCamant, Pongsin Poosankam, Matei Zaharia, Scott Shenker, Ion Stoica, Vern Paxson



Motivation

Sample application: online banking
  Quickly switch your PC to a secure operation mode
  Application provides a normal-looking graphical interface
  But, information security does not depend on your primary OS or any of its software

Application environment is known clean

Secure even if commodity OS is compromised by malware

Strawman Approach: one VM per app

Possible approach: one VM per secure app

Pro: strong isolation

Cons:
  Heavy weight
  Management overhead
  Multiple general-purpose VMs on one machine require complex hardware virtualization (e.g., Xen)
  Must be careful to keep secure VMs clean (e.g., roll back virtual disk after session)
  How can the bank know you're using a secure VM?

Want to achieve similar isolation, but
  Much lighter weight on client side
  Centralize the application logic and administration
  Enable a new security abstraction

Cloud Terminal Architecture

General-purpose OS

Secure thin terminal

Lightweight hypervisor

Trusted Computing Hardware

Cloud Rendering Engine

Application

Virtual desktop server

VM

Encrypted tunnel

Secure Thin Terminal

Coexists with a general-purpose commodity OS

But completely stand-alone and isolated: when it runs, the untrusted OS is suspended

Display output:
  Reads encrypted bitmaps from the network, and decrypts and displays them

Inputs
  Reads keyboard and mouse events, encrypts and sends them on the network

Lightweight hypervisor enforces isolation

Trusted boot using a TPM allows remote attestation, proving the STT is running unmodified on the bare hardware

Cloud Rendering Engine

Move application logic to centralized servers for ease of administration and protection

Each user session has its own VM with chosen application

Virtual desktop server (e.g., VNC) plus encrypting proxy

Performance optimization
  VMs can share disk and memory copy-on-write to minimize resource usage

Applications
  Standalone
  Browser applications

Initial Prototype

Results from Initial Prototype

Secure Thin Terminal: only a few KLOC
  VNC client and drivers for input, graphics, and network

Interactive latency (e.g., keystroke echo) low, even with a cloud server in another state

Scalability for cloud rendering engine:
  A single commodity server can support more than 100 simultaneous rendering VMs

Outline

Data-centric security: protecting the data directly instead of network or host-based protection

Three examples
  Cloud-terminal: providing trusted input/output
  Platform for private data
  Secure web applications: GuardRails

Motivating Applications

Protecting users’ data is an intricate issue!

Apps selling your data

Inadvertent disclosure
  AOL search log scandal
  Netflix contest

Malware and software compromise
  RockYou password leakage

Insider attack
  Google incident

Platform for Private Data

Provide desired services in the cloud while ensuring security and privacy of customers’ data

Provide privacy & trust evidence
  Customer does not just rely on trust on service provider

Provide trustworthy audit trails
  For forensics, provenance, accountability, dispute

General architecture for broad applicability

Practical performance & usability

Platform for private data and privacy evidence

Platform for Private Data

Application: Financial advisor

Privacy evidence

Application: Drug side effect tracker

API

Architecture

Secure data capsule
  Data encrypted at rest
  Security policy attached to data
  Trusted computing hardware provides root of trust

Secure execution environment
  Data capsule only decrypted in secure execution environment
  Only authorized code can access and operate on data

New programming model for privacy-aware applications

Support for legacy applications

Program analysis and information flow

Advanced engines for database queries and privacy-preserving data analytics

Secure auditing
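
The secure data capsule idea from this slide, sketched in Ruby as an added example (not code from the talk or the platform it describes). Assumptions: the names DataCapsule, seal, unseal and AccessDenied are hypothetical, "authorized code" is modelled as a SHA-256 measurement of a code string, and the key is passed in directly where trusted hardware would hold it.

```ruby
require "openssl"
require "json"
require "digest"

# Added illustration; hypothetical names, key handling simplified.
class AccessDenied < StandardError; end

module DataCapsule
  # Encrypt the data at rest and attach the policy to it. The policy is fed
  # to AES-GCM as associated data, so it is covered by the authentication
  # tag: editing the policy invalidates the whole capsule.
  def self.seal(key, plaintext, policy)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = key
    iv = cipher.random_iv
    policy_json = JSON.generate(policy)
    cipher.auth_data = policy_json
    ct = cipher.update(plaintext) + cipher.final
    { policy: policy_json, iv: iv, ct: ct, tag: cipher.auth_tag }
  end

  # Stand-in for the secure execution environment: authenticate the capsule
  # first, then release the data only to code the attached policy lists.
  def self.unseal(key, capsule, code)
    d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    d.key = key
    d.iv = capsule[:iv]
    d.auth_tag = capsule[:tag]
    d.auth_data = capsule[:policy]
    plaintext = d.update(capsule[:ct]) + d.final # raises if anything was altered

    policy = JSON.parse(capsule[:policy])        # safe to trust only after the tag check
    measurement = Digest::SHA256.hexdigest(code)
    unless policy["allowed_code"].include?(measurement)
      raise AccessDenied, "code #{measurement[0, 12]} is not authorized by the capsule policy"
    end
    plaintext
  rescue OpenSSL::Cipher::CipherError
    raise AccessDenied, "capsule or its attached policy was modified"
  end
end
```

The policy is parsed only after the tag check succeeds, so a forged policy is never evaluated.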


Application

TPM & Processor isolation

Platform for Private Data (TCB)

Privacy evidence

Diff. Priv. Engine

Application

Operations on sensitive data

Info flow tracking

Secure data capsules

Query Engine

Policy Engine

Audit Engine

Secure Execution Environment

Outline

Data-centric security: protecting the data directly instead of network or host-based protection

Three examples
  Cloud-terminal: providing trusted input/output
  Platform for private data
  Secure web applications: GuardRails

Ruby on Rails Code

Policy Annotations

Secure Web Application

Attach Policies to Data
  Little developer effort
  Improved readability and analyzability
  Automatically enforce policies throughout application

Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, David Evans. GuardRails: A Data-Centric Web Application Security Framework. To appear in USENIX WebApps 2011.

OWASP AppSec DC

Example Policies

Annotation                                     Meaning
@delete, :admin, :to login                     Only administrators can delete this object
@edit, pswrd, self.id == user.id, :to login    Only the user may change that user’s password
@create, User, log_create; true                Whenever a User object is created, write to log

Policies are attached to classes or individual fields. Can perform arbitrary checking and actions based on read, edit, append, create, destroy events.
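
The three example policies above, enforced by a small policy layer in plain Ruby. This is an added example, not GuardRails code and not its annotation syntax; DataPolicy, policy, enforce!, PolicyViolation and AUDIT_LOG are hypothetical names, and events with no attached policy are assumed to be allowed.

```ruby
# Added illustration, not GuardRails code: every name below is hypothetical.
class PolicyViolation < StandardError; end

AUDIT_LOG = [] # stands in for the application's log

module DataPolicy
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Policies are keyed by [event, field]; field is nil for whole-object policies.
    def policies
      @policies ||= Hash.new { |h, k| h[k] = [] }
    end

    def policy(event, field = nil, &check)
      policies[[event, field]] << check
    end
  end

  # Run every check attached to this event; any falsy result blocks the operation.
  def enforce!(event, actor, field = nil)
    self.class.policies[[event, field]].each do |check|
      next if check.call(self, actor)
      raise PolicyViolation, "#{event} on #{self.class}#{field && ".#{field}"} denied"
    end
  end
end

class User
  include DataPolicy
  attr_reader :id, :admin, :pswrd, :deleted

  policy(:delete) { |_obj, actor| actor.admin }                # only administrators
  policy(:edit, :pswrd) { |obj, actor| obj.id == actor.id }    # only the user
  policy(:create) { |obj, _a| AUDIT_LOG << "create User #{obj.id}"; true } # log, then allow

  def initialize(id, admin: false, pswrd: nil)
    @id, @admin, @pswrd = id, admin, pswrd
    enforce!(:create, nil)
  end

  def change_password(actor, new_pswrd)
    enforce!(:edit, actor, :pswrd)
    @pswrd = new_pswrd
  end

  def delete(actor)
    enforce!(:delete, actor)
    @deleted = true
  end
end
```

Because the checks live on the data class, every code path that changes a password or deletes a user goes through the same policy, rather than relying on each controller to repeat the check.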

Conclusion

Data-centric security: protecting the data directly instead of network or host-based protection

Three examples
  Cloud-terminal: providing trusted input/output
  Platform for private data
  Secure web applications: GuardRails

Thank you!

dawnsong@cs.berkeley.edu