filewall implementing file access policies using dynamic
play

FileWall : Implementing File Access Policies Using Dynamic Access - PowerPoint PPT Presentation

Apr 06, 2023 •35 likes •525 views

FileWall : Implementing File Access Policies Using Dynamic Access Context Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode DiscoLab Department of Computer Science Rutgers University Workshop on Spontaneous Networking May 12, 2006

  1. FileWall : Implementing File Access Policies Using Dynamic Access Context Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode DiscoLab Department of Computer Science Rutgers University Workshop on Spontaneous Networking May 12, 2006

  2. Organization: Too many files, directories, servers Protection: Left to the discretion of the owner Dynamism: Cannot be incorporated without file system extension Workshop on Spontaneous Networking

  3. Organization: Too many files, directories, servers Protection: Left to the discretion of the owner Dynamism: Cannot be incorporated without file system extension Administrator has little control over file access policies Administrator has little control over file access policies Workshop on Spontaneous Networking

  4. File names are powerful Can be used to implement access policies All file system access are performed through messages Message transformations can be used to enforce policies File system state can be constructed using information contained in messages Workshop on Spontaneous Networking

  5. File names are powerful Can be used to implement access policies All file system access are performed through messages Message transformations can be used to enforce policies File system state can be constructed using information contained in messages Access policies can be implemented by interposition Access policies can be implemented by interposition and message transformation and message transformation Workshop on Spontaneous Networking

  6. Interposes on the client - server path Stores network flow history Evaluates each message against the firewall policies Passes - through, drops, or transforms network packets Workshop on Spontaneous Networking

  7. Interposes on client - server path Stores file access history Evaluates each message against FileWall policies Transforms file system messages Workshop on Spontaneous Networking

  8. Interposes on client - server path Stores file access history Evaluates each message against FileWall policies Transforms file system messages FileWall constructs virtual namespaces using file FileWall constructs virtual namespaces using file system namespaces and access policies through system namespaces and access policies through message transformation message transformation Workshop on Spontaneous Networking

  9. Access control Quality of Service (QoS) File system organization Intrusion detection Information Lifecycle Management (ILM) Data transformations Workshop on Spontaneous Networking

  10. Motivation Design Access Context FileWall Policies Implementation Evaluation Related Work Conclusions Workshop on Spontaneous Networking

  11. Access history Access statistics Sequence of accesses Describes user behavior Environment Time, available disk space, CPU load, etc. Workshop on Spontaneous Networking

  12. Requirements Compact representation Contain semantic information which describes user behavior Easy to understand and specify Soft state Workshop on Spontaneous Networking

  13. Node = file run Groups of accesses performed by same application Open to close or approximate using clustered accesses Attributes File name Type of run (READ, WRITE, etc.) Operation count Edge Run started after and ended before parent Depth-first traversal defines sequence of runs in an access tree Workshop on Spontaneous Networking

  14. Root Workshop on Spontaneous Networking

  15. Root 1 Read 1 Workshop on Spontaneous Networking

  16. Root 1 2 Read 1, Create/Delete 2 Workshop on Spontaneous Networking

  17. Root 1 3 2 Read 1, Create/Delete 2, Read/Write 3 Workshop on Spontaneous Networking

  18. Root 1 3 1 2 Read 1, Create/Delete 2, Read/Write 3, Write 1 Workshop on Spontaneous Networking

  19. Motivation Design Access Context FileWall Policies Implementation Evaluation Related Work Conclusions Workshop on Spontaneous Networking

  20. Transform messages (requests and replies) Sequence of rules INPUT and OUTPUT Use: Access context File attributes contained in messages Workshop on Spontaneous Networking

  21. Policy: Show files accessed today For each client-visible file: Access Time = TODAY Transform directory listing messages READDIR and READDIRPLUS Workshop on Spontaneous Networking

  22. Policies Access Context FileWall Workshop on Spontaneous Networking

  23. Policies M READDIR Access Context FileWall Workshop on Spontaneous Networking

  24. Policies READDIR Access Context FileWall Workshop on Spontaneous Networking

  25. Policies READDIR Access Context FileWall Workshop on Spontaneous Networking

  26. Policies READDIR READDIRPLUS Access Context FileWall Workshop on Spontaneous Networking

  27. Policies READDIRPLUS Access Context FileWall Workshop on Spontaneous Networking

  28. Policies READDIRPLUS Access Context FileWall Workshop on Spontaneous Networking

  29. Policies READDIRPLUS Access Context FileWall Workshop on Spontaneous Networking

  30. Policies READDIR READDIRPLUS Access Context FileWall Workshop on Spontaneous Networking

  31. OUTPUT Rule: INPUT Rule: int fwout ( rpc _ msg reply) { int fwin ( rpc _ msg request) { if (reply.proc == READDIRPLUS) { if (request.proc == READDIR) { FOREACH entp in reply { request.proc = READDIRPLUS; if (entp . atime == TODAY) return FORWARD; copy_entry( resp _ entp , entp ) } } } reply.entries = res _ entp ; reply.proc = READDIR ; return FORWARD; } } Specified as C programs and compiled as loadable Specified as C programs and compiled as loadable shared modules shared modules Workshop on Spontaneous Networking

  32. Motivation Design Access Context FileWall Policies Implementation Evaluation Related Work Conclusions Workshop on Spontaneous Networking

  33. FileWall: Click Modular Router NFS over UDP Workshop on Spontaneous Networking

  34. FileWall Click Modular Router NFS over UDP FileWall Client SFS toolkit Session establishment Bootstrapping Identify list of available file systems Workshop on Spontaneous Networking

  35. Motivation Design Access Context FileWall Policies Implementation Evaluation Related Work Conclusions Workshop on Spontaneous Networking

  36. Workshop on Spontaneous Networking

  37. General purpose server Email, user homes, web server Files mounted over NFS Web servers are prone to flash crowds Current policies Rate limit number of requests Disable web server Workshop on Spontaneous Networking

  38. Access context Rate of sequential file reads, directory listings, etc. Policy Hide files with rate greater than a threshold Show files again when rate falls below threshold Only the source of the flash crowd disappears from the namespace Workshop on Spontaneous Networking

  39. Workshop on Spontaneous Networking

  40. Infokernel [Arpaci-Dusseau 03], firewall/NAT Access Context Desktop search [ Soules 03] File system prefetching [ Amer 02, Lei 97] Enforcing enterprise -wide policies [He 05] Semantic file systems [Sheldon 91, Pike 93, Neuman 92, Rao 93] Extensible file systems [Zadok 00, Tewari 05] Workshop on Spontaneous Networking

  41. User study Real deployment Behavior models Workshop on Spontaneous Networking

  42. User study Real deployment Behavior models Policy language Constraints Debugging and logging Workshop on Spontaneous Networking

  43. User study Real deployment Behavior models Policy language Constraints Debugging and logging Data transformations Censorship Protocol translations NFS - > CIFS Recipe - based file system (CASPER) IP - > RDMA Video encoding Content adaptation Workshop on Spontaneous Networking

  44. Per-file access policies can be enforced using virtual namespaces No client or server modification required Soft state maintenance required Workshop on Spontaneous Networking

  45. Per-file access policies can be enforced using virtual namespaces No client or server modification required Soft state maintenance required Provides administrators the ability to define a wide variety of access policies Protect file systems Provide quality of service Workshop on Spontaneous Networking

  47. Dell Poweredge 2600 systems Dual 2.4GHz Intel Xeon processors 1GB RAM 36GB 15000 RPM SCSI disk Linux Gigabit Ethernet switch Workshop on Spontaneous Networking

  48. Workshop on Spontaneous Networking

  49. Expressive Deployable Scalable Available Workshop on Spontaneous Networking

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
Dynamic Memory Allocation Today Dynamic memory allocation mechanisms & policies

Dynamic Memory Allocation Today Dynamic memory allocation mechanisms & policies

Dynamic Memory Allocation Today Dynamic memory allocation mechanisms & policies Memory bugs Chris Riesbeck, Spring 2010 Original: Fabian Bustamante Wednesday, November 2, 2011 Dynamic memory allocation Application Dynamic

1.2k views • 47 slides
SELinux Example: I may chmod o+a the file containing 506 grades, which violates

SELinux Example: I may chmod o+a the file containing 506 grades, which violates

12/6/12 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) SELinux Example: I may chmod o+a the file containing 506 grades,

412 views • 5 slides
DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined

DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined

DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined somewhere else (another file in our project, a library, etc) In compiler-speak, we want symbols with external linkage I only really care

563 views • 39 slides
Drafting Records Retention Policies for Construction Projects Implementing Document Management

Drafting Records Retention Policies for Construction Projects Implementing Document Management

Presenting a live 90 minute webinar with interactive Q&A Drafting Records Retention Policies for Construction Projects Implementing Document Management Policies to Mitigate Risks, Reduce Costs and Minimize Discovery Challenges TUES DAY,

666 views • 27 slides
Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure File System Mounting File Sharing Protection Operating System Concepts Silberschatz, Galvin and Gagne 2002 11.1 File Concept

387 views • 15 slides
Data Security Breaches: The Growing Liability Threat Crafting and Implementing Policies to

Data Security Breaches: The Growing Liability Threat Crafting and Implementing Policies to

Data Security Breaches: The Growing Liability Threat Crafting and Implementing Policies to Prevent and Crafting and Implementing Policies to Prevent and presents presents Respond to Inadvertent Disclosures A Live 90-Minute

1.06k views • 70 slides
Distributed-File Systems Background Naming and Transparency Remote File Access

Distributed-File Systems Background Naming and Transparency Remote File Access

Distributed-File Systems Background Naming and Transparency Remote File Access Stateful versus Stateless Service File Replication Example Systems Typeset by Foil T EX 1 Background Distributed file system (DFS)

1.1k views • 73 slides
= i P max n yh ( y ) dy u ( Q ) c ( Q )

= i P max n yh ( y ) dy u ( Q ) c ( Q )

Contents A public good model for p2p An Asymptotically Optimal Scheme Simple contribution policies with exclusions for P2P File Sharing An application to file sharing heterogeneous file popularity stability Panayotis

460 views • 5 slides
Data Access and File Management vanilladb.org Outline Storage engine and data access

Data Access and File Management vanilladb.org Outline Storage engine and data access

Data Access and File Management vanilladb.org Outline Storage engine and data access Disk access Block-level interface File-level interface File Management in VanillaCore BlockID Page FileMgr 2 Outline

891 views • 50 slides
The dynamic logic of policies and contingent planning Andreas Herzig CNRS, IRIT joint work with

The dynamic logic of policies and contingent planning Andreas Herzig CNRS, IRIT joint work with

Policies PDL Extending PDL Programs for policies The dynamic logic of policies and contingent planning Andreas Herzig CNRS, IRIT joint work with Thomas Bolander, Thorsten Engesser, Robert Mattm uller, Bernhard Nebel Journ es MAFTEC,

572 views • 27 slides
GTUG Why using Deduplicated-storage Fernand Lussier VP Research and Development Nonstop File

GTUG Why using Deduplicated-storage Fernand Lussier VP Research and Development Nonstop File

GTUG Why using Deduplicated-storage Fernand Lussier VP Research and Development Nonstop File type Hypothesis of simulation 1. Dynamic file : 1 or 2 % of dynamic file change every day. And represented 50% of the data. Ex Cardholder master

599 views • 15 slides
Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure Protection Consistency Semantics Silberschatz, Galvin, and Gagne 1999 Applied Operating System Concepts 11.1 File Concept Contiguous

755 views • 50 slides
Implementing Object-Oriented Languages Implementing instance variable access Key features: Key

Implementing Object-Oriented Languages Implementing instance variable access Key features: Key

Implementing Object-Oriented Languages Implementing instance variable access Key features: Key problem: subtype polymorphism inheritance (possibly multiple) Solution: prefixing subtyping & subtype polymorphism layout of

174 views • 5 slides
Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University

667 views • 23 slides
BurnBox Self-Revocable Encryption in a World of Compelled Access Nirvan Tyagi Muhammad Haris

BurnBox Self-Revocable Encryption in a World of Compelled Access Nirvan Tyagi Muhammad Haris

BurnBox Self-Revocable Encryption in a World of Compelled Access Nirvan Tyagi Muhammad Haris Thomas Ristenpart Ian Miers Mughees Usenix Security 2018 1 Compelled Access Setting file 1 file 2 file 3 2 Compelled Access Setting file 1

787 views • 52 slides
Upper Limb Rheumatology Reasoning Who am I? @physiojack Other Resources Why Rheum? Case 35

Upper Limb Rheumatology Reasoning Who am I? @physiojack Other Resources Why Rheum? Case 35

Upper Limb Rheumatology Reasoning Who am I? @physiojack Other Resources Why Rheum? Case 35 year old male Right hand pain Observations high BMI, walks with a limp into clinic. Story Hand started hurting after a weekend of painting

169 views • 15 slides
Control and operation of dividing-wall columns with vapor split manipulation PhD Defense

Control and operation of dividing-wall columns with vapor split manipulation PhD Defense

1 Control and operation of dividing-wall columns with vapor split manipulation PhD Defense Presentation Deeptanshu Dwivedi Jan 18 th , 2013 Trondheim Dwivedi, D., PhD Defense Presentation January 18th, 2013 2 Outline Introduction

1.03k views • 61 slides
On Achievable Rates of the Two-user Symmetric Gaussian Interference Channel Omar Mehanna, John

On Achievable Rates of the Two-user Symmetric Gaussian Interference Channel Omar Mehanna, John

Introduction Optimized HK Sum-Rate Numerical Results High SNR Time Sharing Conclusions On Achievable Rates of the Two-user Symmetric Gaussian Interference Channel Omar Mehanna, John Marcos and Nihar Jindal University of Minnesota Allerton

563 views • 38 slides
Statewide High Speed Network networkMaryland Advisory Group Meeting September 19, 2006

Statewide High Speed Network networkMaryland Advisory Group Meeting September 19, 2006

Statewide High Speed Network networkMaryland Advisory Group Meeting September 19, 2006 Annapolis, Maryland MEETING AGENDA Welcome & Introductions State of the Network Status of Project Other Business 2 Welcome

421 views • 22 slides
EudraVigilance Components & Functionality Introduction Training Module EV-M2 This module

EudraVigilance Components & Functionality Introduction Training Module EV-M2 This module

EudraVigilance Components & Functionality Introduction Training Module EV-M2 This module outlines the EudraVigilance system components and system functionalities An agency of the European Union Content Summary Introduction EudraVigilance

542 views • 24 slides
1 Commented Slides / Earnings Conference Call Q2 2017 August 10, 2017 Participants Henkel

1 Commented Slides / Earnings Conference Call Q2 2017 August 10, 2017 Participants Henkel

1 Commented Slides / Earnings Conference Call Q2 2017 August 10, 2017 Participants Henkel representatives Hans Van Bylen; Henkel; CEO Carsten Knobel; Henkel; CFO & Investor Relations Team Participants Active in Q&A session

795 views • 52 slides
The Aggregate Demand for Treasury Debt Arvind Krishnamurthy, Northwestern University and NBER

The Aggregate Demand for Treasury Debt Arvind Krishnamurthy, Northwestern University and NBER

The Aggregate Demand for Treasury Debt Arvind Krishnamurthy, Northwestern University and NBER Annette Vissing-Jorgensen, Northwestern University, NBER and CEPR November 2011 Krishnamurthy, Vissing-Jorgensen (Northwestern ) The Aggregate Demand

994 views • 53 slides
BioMax Health Intelligent Bio-Medical Formula It is like having a Doctor in your body! Who is

BioMax Health Intelligent Bio-Medical Formula It is like having a Doctor in your body! Who is

BioMax Health Intelligent Bio-Medical Formula It is like having a Doctor in your body! Who is BioMax? What is Bio-Medical? Info@biomaxhealth.com.au www.biomaxhealth.com.au Company Projection Bio Max was established in 2018 for the

691 views • 31 slides

More recommend