policy sealed data
play

Policy-Sealed Data: A New Abstraction for Building Trusted Cloud - PowerPoint PPT Presentation

Oct 12, 2023 •172 likes •373 views

Max Planck Institute for Software Systems Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services Nuno Santos 1 , Rodrigo Rodrigues 2 , Krishna P. Gummadi 1 , Stefan Saroiu 3 MPI-SWS 1 , CITI / Universidade Nova Lisboa 2 ,

  1. Max Planck Institute for Software Systems Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services Nuno Santos 1 , Rodrigo Rodrigues 2 , Krishna P. Gummadi 1 , Stefan Saroiu 3 MPI-SWS 1 , CITI / Universidade Nova Lisboa 2 , Microsoft Research 3

  2. Managing the Cloud is Complex & Error-Prone Is my data Data Customer properly managed? Cloud Software Administrator Cloud software admins. can Cloud Provider compromise customers’ data 2 Nuno Santos 11/5/15

  3. Trusted Computing Can Help Mitigate Threats Attest Customer Newer hypervisors can offer 1. protection from SW admins. } e.g., nested virtualization: CloudVisor [SOSP’11], Credo Customer [MSR-TR] VM Trusted computing can attest 2. Hypervisor cloud node runs “correct” hypervisor HW TPM } Trusted Platform Module (TPM) Cloud Node But, TPMs alone ill-suited for the Cloud Provider cloud 3 Nuno Santos 11/5/15

  4. TPMs Alone Are Ill-Suited for the Cloud Stifle VM and data migration across cloud nodes 1. } TPMs root-of-trust not transferable from one node to another Cloud providers hesitant to reveal low-level cloud details 2. } TPMs abstractions can reveal node’s identity and details of the node’s entire software stack Commodity TPMs can hinder the cloud’s ability to scale 3. } TPMs’ poor performance may introduce bottlenecks 4 Nuno Santos 11/5/15

  5. Our Contributions Policy-sealed data abstraction 1. } Data is handled only by nodes satisfying customer-chosen policy } Examples: } Handle data only by nodes running CloudVisor } Handle data only by nodes located in the EU Use attribute-based encryption (CP-ABE) to implement 2. abstraction efficiently } Binds policies and node attributes to node configurations } Ciphertext-Policy Attribute-Based Encryption [Bethencourt07] Excalibur incorporates both contributions 5 Nuno Santos 11/5/15

  6. Excalibur Addresses TPM Limitations in Cloud } Enables flexible data migration across cloud nodes } Customer data accessible to any node that satisfies the customer policy Policy-sealed data } Hides node’s identities and low- level details of the software } Only high-level attributes are revealed } Masks TPMs’ poor performance Attribute-based } Enforcing policies does not require encryption direct calls to TPMs 6 Nuno Santos 11/5/15

  7. Outline } Introduction } Threat model } Policy-sealed data } Design } Monitor } CP-ABE } Evaluation 7 Nuno Santos 11/5/15

  8. Threat Model The attacker can… The attacker cannot… } perform physical attacks } configure nodes remotely } e.g., scrape TPMs to learn its secrets } reboot nodes } compromise system’s TCB } install software platform } monitor } secure hypervisor } access disk } compromise CP-ABE } eavesdrop network 8 Nuno Santos 11/5/15

  9. Outline } Introduction } Threat model } Policy-sealed data } Design } Monitor } CP-ABE } Evaluation 9 Nuno Santos 11/5/15

  10. Policy-Sealed Data Unseal Seal + decrypt data iff encrypt and bind node meets policy Policy-Sealed Data data to policy Seal to: visor = “secure visor” Hypervisors Secure Customer Provider Commodity 10 Nuno Santos 11/5/15

  11. Policy-Sealed Data: Attributes & Policies } Node configurations expressed as Node Attributes set of attributes service : “EC2” hypervz : “CloudVisor” version : “1” } Attributes mapped to nodes’ country : “Germany” zone : “z1” identities and software config } node id à hardware attributes Data Policy } software config à software attributes service = “EC2” and and } Customers select trusted node hypervz = “CloudVisor” and and configurations in policies version >= “1” and and } Logic expressions over attributes (country = “Germany” or or country = “UK”) 11 Nuno Santos 11/5/15

  12. Outline } Introduction } Threat model } Policy-sealed data } Design } Monitor } CP-ABE } Evaluation 12 Nuno Santos 11/5/15

  13. Excalibur Architecture + } Check node Customer Policy-Sealed Data configurations seal } Monitor attests nodes in unseal attest & background send credential } Scalable policy enforcement } CP-ABE operations at client-side lib Monitor Datacenter 13 Nuno Santos 11/5/15

  14. Excalibur Mediates TPM Access w/ Monitor Monitor goals: } Track node ids + TPM-based Customer attestations } Hides low-level details from users } Track nodes’ attributes that cannot be attested via today’s TPMs } e.g., nodes’ locations (EU vs. US) TPM } Form the cloud’s root of trust Cloud Node Monitor } Customers only need to attest the monitor’s software configuration 14 Nuno Santos 11/5/15

  15. Attribute-based Encryption Is Key to Scalability Customers seal data to a policy with a CP-ABE encryption key Once each node attests its configuration, monitor hands CP-ABE decryption key Ciphertext-Policy Attribute-Based Encryption [Bethencourt07] } Encryption Seal ( , Data, Policy ) Key Decryption Key Policy-Sealed Master Unseal ( , ) ) à Data Data Key Attributes Monitor Node 15 Nuno Santos 11/5/15

  16. Outline } Introduction } Threat model } Policy-sealed data } Design } Monitor } CP-ABE } Evaluation 16 Nuno Santos 11/5/15

  17. Methodology } Two questions: } What is the overhead of policy-sealed data? } Is the monitor a scalability bottleneck? } Implemented cloud service akin to EC2 } Based on Eucalyptus / Xen cloud platform } Supports location attribute } Interposed seal / unseal in VM management operations } Testbed: single monitor and five nodes } Intel Xeon, 2.83Ghz 8-core CPU, 1.6 GB RAM, TPM v1.2 17 Nuno Santos 11/5/15

  18. What Is the Overhead of Seal / Unseal? Overhead of CP-ABE in Eucalyptus / Xen platform CP-ABE’s overhead could be significant However, VM operations are infrequent 18 Nuno Santos 11/5/15

  19. Is the Monitor a Scalability Bottleneck? } Monitor can attest a large number of nodes } Max throughput: 630 attestation-verifications/sec } E.g., 10K node cluster attests in ~15 seconds } Monitor can serve many attestation requests from customers } Max throughput: 4800 attestation-requests/sec } Increases throughput of standard TPM attestation } Batches multiple attestation requests into single TPM call } Speedup orders of magnitude over standard TPM attestation 19 Nuno Santos 11/5/15

  20. Conclusions } Excalibur overcomes TPM’s limitations in the cloud } Policy-sealed data : new trusted computing primitive } Flexible sealed storage } Reduce overexposure } CP-ABE makes Excalibur scale } Masks low performance of TPMs } Evaluation indicates that the system is practical 20 Nuno Santos 11/5/15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sealed Bids 58 Contents Invitation for Bids Bid Opening Contract Award 59

Sealed Bids 58 Contents Invitation for Bids Bid Opening Contract Award 59

6 CHAPTER Sealed Bids 58 Contents Invitation for Bids Bid Opening Contract Award 59 Introduction Sealed bids are used for purchases above small purchase threshold Solicitation process for sealed bids is designed to assist

184 views • 16 slides
Closed, Sealed & Secure Container Valve Systems Micro Matic - Closed, Sealed & Secure

Closed, Sealed & Secure Container Valve Systems Micro Matic - Closed, Sealed & Secure

Closed, Sealed & Secure Container Valve Systems Micro Matic - Closed, Sealed & Secure Container Valve Systems Delivering DEF Purity, Packaging Integrity & Operational Excellence Overview Points of Discussion How We Can Help You &

598 views • 34 slides
Taylor's 325th Anniversary Limited Edition Research into antique sealed bottles, led to the

Taylor's 325th Anniversary Limited Edition Research into antique sealed bottles, led to the

Taylor's 325th Anniversary Limited Edition Research into antique sealed bottles, led to the discovery of the oldest known example of a sealed bottle with a date, from a merchant, in this case the 4 and XX symbol still used as Taylors

56 views • 3 slides
Auctions Lirong Xia Sealed-Bid Auction One item A set of bidders 1,, n bidder j s

Auctions Lirong Xia Sealed-Bid Auction One item A set of bidders 1,, n bidder j s

Auctions Lirong Xia Sealed-Bid Auction One item A set of bidders 1,, n bidder j s true value v j bid profile b = ( b 1 ,, b n ) A sealed-bid auction has two parts allocation rule: x ( b ) {0,1} n , x j ( b )=1

428 views • 19 slides
Sealed Bid Sale Extended to July 31, 2020 Executive Summary Geneva Land Services, Inc. has been

Sealed Bid Sale Extended to July 31, 2020 Executive Summary Geneva Land Services, Inc. has been

Shearer Executive Compound Sealed Bid Auction Mims, Volusia County, Florida Sealed Bid Sale Extended to July 31, 2020 Executive Summary Geneva Land Services, Inc. has been retained to offer qualified buyers the opportunity to acquire the

449 views • 10 slides
Ghetto A ghe&o is a sealed off area of the city

Ghetto A ghe&o is a sealed off area of the city

Ghetto A ghe&o is a sealed off area of the city where Jews were forced to live. Generally ghe&os had horrible living condi:ons. This

595 views • 12 slides
Sealed Trees and the Perfect Subtree Property for Weakly Compact Cardinals Sandra M uller

Sealed Trees and the Perfect Subtree Property for Weakly Compact Cardinals Sandra M uller

Sealed Trees and the Perfect Subtree Property for Weakly Compact Cardinals Sandra M uller Universit at Wien November 1, 2019 Joint with Yair Hayut Rutgers MAMLS 2019 Sandra M uller (Universit at Wien) Sealed Trees and PSP for

1.05k views • 62 slides
Disposal of Sealed Sources April 17, 2009 Michael J. Zittle Assistant Radiation Safety Officer,

Disposal of Sealed Sources April 17, 2009 Michael J. Zittle Assistant Radiation Safety Officer,

Disposal of Sealed Sources April 17, 2009 Michael J. Zittle Assistant Radiation Safety Officer, Oregon State University, Campus Radiation Safety Officers (CRSO) Representative Sealed Source Generators Oregon State University (OSU)

639 views • 15 slides
Records and Sealed Types Coming Soon to a JVM Near You! Ben Evans (He / Him) Safe Harbor

Records and Sealed Types Coming Soon to a JVM Near You! Ben Evans (He / Him) Safe Harbor

Records and Sealed Types Coming Soon to a JVM Near You! Ben Evans (He / Him) Safe Harbor This presentation and the information herein (including any information that may be incorporated by reference) is provided for informational purposes

616 views • 35 slides
DEF A New Agricultural Chemical 2013 EPA Emissions Regulations Micro Matic - Closed, Sealed

DEF A New Agricultural Chemical 2013 EPA Emissions Regulations Micro Matic - Closed, Sealed

DEF A New Agricultural Chemical 2013 EPA Emissions Regulations Micro Matic - Closed, Sealed & Secure Container Valve Systems Delivering DEF Purity, Packaging Integrity & Operational Excellence Overview Points of Discussion EPA

468 views • 13 slides
Pre-Proposal Meeting Request for Competitive Sealed Proposal RFCSP752-20-239720-MM Music

Pre-Proposal Meeting Request for Competitive Sealed Proposal RFCSP752-20-239720-MM Music

Pre-Proposal Meeting Request for Competitive Sealed Proposal RFCSP752-20-239720-MM Music Building MEIT & Recital Renovation December 17, 2019 @ 2:00 PM Agenda Introductions Background Key dates/times Submittal instructions

758 views • 23 slides
Submitting Bids & Viewing Awards Procurement Overview The Competitive Sealed Bid Process

Submitting Bids & Viewing Awards Procurement Overview The Competitive Sealed Bid Process

Submitting Bids & Viewing Awards Procurement Overview The Competitive Sealed Bid Process (> $50,000) 1.Bid specifications are created by the using agency and posted on eMaryland Marketplace by DGS. 2.A pre-bid meeting/site visit is held

750 views • 47 slides
Sealed Corridor Concept Railr lroad oad Per erspecti spective Norfolk Southern Railway

Sealed Corridor Concept Railr lroad oad Per erspecti spective Norfolk Southern Railway

Sealed Corridor Concept Railr lroad oad Per erspecti spective Norfolk Southern Railway Company Overview Operat ates es approxi xima mately ely 19,500 00 route miles es in 22 states es and the District trict of Columb umbia

136 views • 9 slides
TOGGLE SWITCHES Series 01 Miniature Toggle Switch Series S1 Sealed Miniature Toggle Switch

TOGGLE SWITCHES Series 01 Miniature Toggle Switch Series S1 Sealed Miniature Toggle Switch

TOGGLE SWITCHES Series 01 Miniature Toggle Switch Series S1 Sealed Miniature Toggle Switch Series 02 Sub-Miniature Toggle Switch Series S2 Sealed Sub-Miniature Toggle Switch Series M2 Sealed Surface Mount Toggle Switch . . ROCKER

169 views • 13 slides
Balloons Hot-air balloons dont have to be sealed and most are not Helium balloons leak

Balloons Hot-air balloons dont have to be sealed and most are not Helium balloons leak

Balloons 1 Balloons 2 Observations about Balloons Balloons are held taut by the gases inside Some balloon float in air while others dont Balloons Hot-air balloons dont have to be sealed and most are not Helium balloons leak

296 views • 3 slides
Compact Sealed lithium target for accelerator-driven BNCT system Kazuki Tsuchida, Yoshiaki

Compact Sealed lithium target for accelerator-driven BNCT system Kazuki Tsuchida, Yoshiaki

th High Power Targetry Workshop 4 8 June 201 , FRIB Michigan State University Compact Sealed lithium target for accelerator-driven BNCT system Kazuki Tsuchida, Yoshiaki Kiyanagi Nagoya University 1 B oron N eutron C apture

510 views • 20 slides
A Minimalist Approach to Remote Attestation Aurlien Francillon Eurecom Quan Nguyen, Kasper B.

A Minimalist Approach to Remote Attestation Aurlien Francillon Eurecom Quan Nguyen, Kasper B.

A Minimalist Approach to Remote Attestation Aurlien Francillon Eurecom Quan Nguyen, Kasper B. Rasmussen, Gene Tsudik UC Irvine Overview Motivation Definition of Remote Attestation From Definition to Properties From Properties

452 views • 17 slides
A T T E S T A T T E S T A T T E S T Application (Java) Database 1 2 3 Database B C A E

A T T E S T A T T E S T A T T E S T Application (Java) Database 1 2 3 Database B C A E

A T T E S T A T T E S T A T T E S T Application (Java) Database 1 2 3 Database B C A E D F I G H J L M K O R N P S Q D2 D1 D3 D4 A T T E S T A T T E S T Testing Exposing externally visible internal stats /

485 views • 34 slides
CS 4110 Probabilistic Programming Probabilistic Programming It's not about writing software.

CS 4110 Probabilistic Programming Probabilistic Programming It's not about writing software.

CS 4110 Probabilistic Programming Probabilistic Programming It's not about writing software. Probabilistic Programming Probabilistic programming is a tool for statistical modeling. OR A probabilistic programming language is a plain old

688 views • 41 slides
Causal Inference and Experimentation Macartan Humphreys mh2245@columbia.edu November 15, 2011

Causal Inference and Experimentation Macartan Humphreys mh2245@columbia.edu November 15, 2011

Causal Inference Design Road Map Analysis Estimands and Estimators Troubleshooting Prospects and Limitations Causal Inference and Experimentation Macartan Humphreys mh2245@columbia.edu November 15, 2011 Macartan Humphreys

627 views • 51 slides
Making Adversaries Stick to their Word Presented by Chuan He 1 Talk Outline Introduction

Making Adversaries Stick to their Word Presented by Chuan He 1 Talk Outline Introduction

Attested Append-Only Memory: Making Adversaries Stick to their Word Presented by Chuan He 1 Talk Outline Introduction and Motivation Attested Append-Only Memory (A2M) A2M Protocols Evaluation Conclusion 2 Motivation

433 views • 21 slides
Trustees What is a Trustee? The Book of Discipline State Law THE BOOK OF DISCIPLINE 2016

Trustees What is a Trustee? The Book of Discipline State Law THE BOOK OF DISCIPLINE 2016

Baltimore-Washington Conference of the United Methodist Church Trustees What is a Trustee? The Book of Discipline State Law THE BOOK OF DISCIPLINE 2016 2533. Board of Trustees Powers and Limitations 1. Subject to the direction of

544 views • 27 slides
COVID-19 Office Hours RCC (Relay Conference Captioning) Participants can access real-time

COVID-19 Office Hours RCC (Relay Conference Captioning) Participants can access real-time

COVID-19 Office Hours RCC (Relay Conference Captioning) Participants can access real-time captioning for this webinar here: www.ncdhhs.gov/coronavirus https://www.captionedtext.com November 6, 2020 /client/event.aspx?EventID=463

522 views • 11 slides
Jesus and Money: A 21st Century Reading June 24, 2017 Rev. Douglas S. Abel Three Types of

Jesus and Money: A 21st Century Reading June 24, 2017 Rev. Douglas S. Abel Three Types of

Jesus and Money: A 21st Century Reading June 24, 2017 Rev. Douglas S. Abel Three Types of Gospel Money Texts Parable of the Talents Jesus using Money and Possessions Matt 25:14-30 Parable of Treasure in // Luke 19:11-27 to Illustrate

272 views • 16 slides

More recommend