proving confidentiality in a file system using disksec
play

Proving Confidentiality in a File System Using DiskSec (Poster #2) - PowerPoint PPT Presentation

Apr 05, 2024 •547 likes •796 views

Proving Confidentiality in a File System Using DiskSec (Poster #2) OSDI 18 Atalay Mert leri, Tej Chajed, Adam Chlipala, Frans Kaashoek, Nickolai Zeldovich MIT CSAIL Storage Systems Contain Confidential Data Users rely on the storage

  1. Proving Confidentiality in a File System Using DiskSec (Poster #2) OSDI ‘18 Atalay Mert İleri, Tej Chajed, Adam Chlipala, Frans Kaashoek, Nickolai Zeldovich MIT CSAIL

  2. Storage Systems Contain Confidential Data Users rely on the storage system to maintain their confidentiality. ● A file system will be used as a case study in this talk. 2

  3. Confidentiality in a File System ● Alice and Bob share a file-system on the same machine ● Bob tries to learn the content of Alice’s files Threat model: Bob can call the file-system interface and cannot bypass it. ○ can’t steal the disk ○ can’t read or write directly to the disk etc. 3

  4. Bugs May Leak Confidential Data File-systems are also subject to confidentiality bugs. Examples ● Crash can expose deleted data (ext4 - 2017) ● Anyone can change POSIX ACLs (NFS - 2016) ● Truncated data can be accessed (btrfs - 2015) ● Crash can expose data (ext4 - 2014) ● Anyone can change POSIX ACLs (btrfs, gfs2 - 2010) ● ... 4

  5. Approach: Formal Verification ● Write a specification that captures the desired behavior of the system. ● Prove that implementation satisfies the specification. ● As long as specification accurately captures the desired behavior, implementation details are irrelevant. ● We have verified file systems with correctness specifications (e.g. DFSCQ [SOSP’17]). 5

  6. Functional Specifications Do Not Ensure Confidentiality Functional specifications ensure many security properties. (e.g. no memory corruption, no disk corruption etc.) Example: Specification for readdir readdir can return entries in any order. readdir (...) ⇒ dir_a, dir_b /dir_a /dir_b dir_b, dir_a 6

  7. Functional Specifications Do Not Ensure Confidentiality def readdir(...) dirs = get_dirlist(...) ● Meets specification if (alice.txt file contains ‘a’) return sort(dirs) ● Leaks confidential data else return reverse_sort(dirs) Nondeterministic functional specifications allow breach of confidentiality. Confidentiality requires better specifications. 7

  8. State of the Art in Verifying Confidentiality Existing Systems ● seL4 [SSP’13] ● Ironclad [OSDI’14] ● CertiKOS [PLDI’16] ● Komodo [SOSP’17] ● Nickel [OSDI‘18] Above systems use non-interference for their confidentiality specifications. Non-interference does not allow any data exposure from Alice to Bob. 8

  9. Non-interference is Not Suitable for File System Confidentiality. ● File systems have discretionary access control ● File systems intentionally expose metadata. 9

  10. Contributions DiskSec Framework for proving confidentiality of storage systems. ● File-system confidentiality specification. ● Proof technique to track ownership of the data. ● DiskSec implemented and proven in Coq Proof Assistant. Evaluation ● SFSCQ file system: extension of DFSCQ with confidentiality theorem ● Confidentiality for simple app on top of SFSCQ 10

  11. Bob Cannot Infer Alice’s Confidential Data World 1 World 2 Alice: Alice: write(f, b) write(f, a) Data is confidential: observes same results Bob Bob 11

  12. Confidentiality Means Other Users See Same Thing Regardless of Your Data World 1 p s 1 s’ 1 ) a ( e Bob t i r w Confidentiality ret 1 s requires that write(b) p s 2 s’ 2 ret 1 = ret 2 Bob ret 2 World 2 Two states are equivalent with respect to a user ( ≅ user ), if all the data visible to that user is the same in both states. 12

  13. Our Confidentiality Specification: Data Non-interference State Non-interference Return Non-interference p syscall s 0 s 1 s 2 Bob ret 1 = ≅ Bob ≅ Bob ret 2 p syscall s’ 0 s’ 1 s’ 2 Bob 13

  14. Data Non-interference is a Good Confidentiality Specification for File Systems Data non-interference ● allows discretionary access control, ● allows exposing of metadata, ● forbids exposing of user data ○ even indirectly (e.g. readdir) 14

  15. How can We Prove Data Non-interference? Data non-interference require more complicated proofs than functional correctness. ● Require reasoning about behavior of two executions. Insight: File systems mostly does not inspect user data. ● Suffices to reason about where user data is accessed in one execution. 15

  16. Our Approach: Sealed Blocks ● Pretend that all disk blocks are logically sealed. ● Function needs to request an unseal to access the data content. ● Functions can be analyzed to prove that they do not unseal user data. 16

  17. Standard Disk Infrastructure read(a: addr) -> data write(a: addr, b: data) File system implementation Disk data data data 17

  18. DiskSec Infrastructure owner sealed block ( sblock ) data read(a: addr) -> sblock read(a: addr) -> data write(a: addr, b: sblock) write(a: addr, b: data) File system implementation seal(d: data, u: user) -> sblock unseal(b: sblock) -> data Sec logical disk Disk unseal owner trace owner owner owner u 1 , u 2 , ... data data data 18

  19. How to Use DiskSec? 1. Developer instruments his code with seals, unseals and access control checks. Standard Implementation DiskSec Implementation def read(f,...) def read (f,...) data = read_disk(f,...) if (can_access(f)) return data sealed_data = read_disk(f,...) data = unseal(sealed_data) return data else return error 2. Developer proves that a certain property holds for the unseal trace of the implementation. 19

  20. Sealed Blocks Simplify Confidentiality Proofs Unseal Public Function only unseals data accessible to every user . Unseal Public ➙ Data Non-interference Unseal Secure Function only unseals data accessible to the current user Unseal Secure ➙ Return Non-interference In this case, state non-interference needs to be proven separately. 20

  21. DiskSec Summary ● Provides infrastructure for access control in storage systems. ● Formalizes data non-interference as a confidentiality specification. ● Simplifies proof effort by reducing data non-interference proofs to unseal trace proofs. 21

  22. Applying DiskSec: SFSCQ Overview ● Based on DFSCQ [SOSP’17] ● Supports multiple users ● Simplified permission model ○ All metadata, including file names, are public. ○ File contents may be public or private. ○ File owner is set upon creation. ● Fully implemented and verified in Coq Proof Assistant 22

  23. Evaluation ● Did we prove DFSCQ satisfies data non-interference? ○ Not completely. ○ Needed to remove an advanced feature. ● Is performance the same as DFSCQ? ○ SFSCQ code = DFSCQ code + access control checks ● How much effort did it require? ○ Took one author ~3 months 23

  24. Conclusions ● Correctness specifications are not enough for confidentiality. ● Data non-interference is a suitable confidentiality specification for file systems. ● We designed and implemented DiskSec, a framework for confidentiality proofs for storage systems. ● We implemented SFSCQ, the first file system with machine-checkable confidentiality proofs, using DiskSec. https://github.com/mit-pdos/fscq/tree/security 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On Protecting Integrity and Confidentiality of Cryptographic File System for Outsourced Storage

On Protecting Integrity and Confidentiality of Cryptographic File System for Outsourced Storage

On Protecting Integrity and Confidentiality of Cryptographic File System for Outsourced Storage Aaram Yun , Chunhui Shi, Yongdae Kim University of Minnesota CCSW 2009, 13 Nov 2009 Cryptographic network file system How to achieve a

348 views • 16 slides
Encrypted File Systems Don Porter CSE 506 Goals Protect confidentiality of data at rest

Encrypted File Systems Don Porter CSE 506 Goals Protect confidentiality of data at rest

Encrypted File Systems Don Porter CSE 506 Goals Protect confidentiality of data at rest (i.e., on disk) Even if the media is lost or stolen Protecting confidentiality of in-memory data much harder Continue using file system features

227 views • 19 slides
Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira

Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira

Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira High Assurance Software Lab and Dept. Inform atica Universidade do Minho Braga, Portugal INFORUM 2010 Braga, Portugal, September 2010 Context

1.1k views • 73 slides
Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation Directory Implementation Allocation Methods Free-Space Management Efficiency and Performance Recovery Log-Structured File Systems

492 views • 47 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System Performance Controlled Sharing Convenience: naming Reliability File System Workload File sizes Are most files small or large?

996 views • 62 slides
CSE 120 File System Interface What the user/programmer sees File System Implementation

CSE 120 File System Interface What the user/programmer sees File System Implementation

Overview CSE 120 File System Interface What the user/programmer sees File System Implementation How it works Summer, 2006 Day 9 File Systems Instructor: Neil Rhodes 2 What is a File? Typical Filesystem Named collection of related

175 views • 5 slides
File System Implementation Summer 2016 Cornell University Today File allocation Unix

File System Implementation Summer 2016 Cornell University Today File allocation Unix

CS 4410 Operating Systems File System Implementation Summer 2016 Cornell University Today File allocation Unix file system Log-structured file system 2 File system: two design problems User interface: File, directory,

362 views • 21 slides
Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a distributed Definitions implementation of a classical time-sharing model of a file Distributed system - A number of loosely coupled system. machines

997 views • 8 slides
Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Unit OS8: File System 8.6. Quiz Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Windows File System Efficiency and Stability of a file system are contradicting requirements. How can the

279 views • 11 slides
Distributed Systems - III Open a file, check status on a file, close a file; Read data

Distributed Systems - III Open a file, check status on a file, close a file; Read data

CSE 421/521 - Operating Systems What does Distributed File System Provide? Fall 2011 Provide access to and manipulation of data stored at remote servers using file system interfaces Lecture - XXV What are the file system interfaces?

236 views • 5 slides
File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk class it is using It issues block read/write requests to the generic block layer Provide an abstraction Goals Implement an abstraction (files) for

389 views • 37 slides
FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System

FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System

FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management Discussion 11. Outline File-System Structure

516 views • 51 slides
Week 10: File Management What is a file? Elements of file management File

Week 10: File Management What is a file? Elements of file management File

CPSC 410 / 611 : Operating Systems Week 10: File Management What is a file? Elements of file management File organization Directories File allocation UNIX file system Reading: Silberschatz, Chapter 10, 11

498 views • 13 slides
Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary Software is not perfect Bugs in kernel (File system, VM, Device Driver code) Hardware is not perfect Disk errors Memory errors File

613 views • 24 slides
Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure File System Mounting File Sharing Protection Operating System Concepts Silberschatz, Galvin and Gagne 2002 11.1 File Concept

387 views • 15 slides
Hierarchical Task Network (HTN) Planning Section 12.2 Sec. 12.2 p.1/23 Outline Primitive

Hierarchical Task Network (HTN) Planning Section 12.2 Sec. 12.2 p.1/23 Outline Primitive

Hierarchical Task Network (HTN) Planning Section 12.2 Sec. 12.2 p.1/23 Outline Primitive vs. non-primitive operators Example HTN planning algorithm Practical planners Additional references used for the slides: desJardins , M. (2001).

248 views • 23 slides
Off by Default! Hitesh Ballani, Yatin Chawathe, Sylvia Ratnasamy, Timothy Roscoe, Scott Shenker

Off by Default! Hitesh Ballani, Yatin Chawathe, Sylvia Ratnasamy, Timothy Roscoe, Scott Shenker

Off by Default! Hitesh Ballani, Yatin Chawathe, Sylvia Ratnasamy, Timothy Roscoe, Scott Shenker HotNets-IV, 2005 Internet, then and now Internet, circa 1975 Trust in the ends Universal reachability Routability implies reachability

767 views • 62 slides
The Enhanced Role of the U.S. Securities and Exchange Commission: An analysis of investigations

The Enhanced Role of the U.S. Securities and Exchange Commission: An analysis of investigations

Panel 2A The Enhanced Role of the U.S. Securities and Exchange Commission: An analysis of investigations in 2015, asset freezes, coordination with USCIS, notices to terminate Regional Centers, and other related issues John Tishler, Sheppard

412 views • 12 slides
MATH 12002 - CALCULUS I 2.3, 2.4, and 2.5: Computing Derivatives (Part 2) Professor

MATH 12002 - CALCULUS I 2.3, 2.4, and 2.5: Computing Derivatives (Part 2) Professor

MATH 12002 - CALCULUS I 2.3, 2.4, and 2.5: Computing Derivatives (Part 2) Professor Donald L. White Department of Mathematical Sciences Kent State University D.L. White (Kent State University) 1 / 12 Derivatives 10 f ( x ) = sin( x 2

328 views • 12 slides
Algorithms in HElib Shai Halevi and Victor Shoup http://eprint.iacr.org/2014/106 Whats HElib?

Algorithms in HElib Shai Halevi and Victor Shoup http://eprint.iacr.org/2014/106 Whats HElib?

Algorithms in HElib Shai Halevi and Victor Shoup http://eprint.iacr.org/2014/106 Whats HElib? A software library implementation of homomorphic encryption (HE) Implements the ring-LWE variant of [BGV12] Written in C++, uses NTL for

603 views • 8 slides
Run-Time Composite Event Recognition Alexander Artikis, Marek Sergot and George Paliouras

Run-Time Composite Event Recognition Alexander Artikis, Marek Sergot and George Paliouras

Run-Time Composite Event Recognition Alexander Artikis, Marek Sergot and George Paliouras Institute of Informatics & Telecommunications, NCSR Demokritos, Greece Department of Computing, Imperial College London, UK

477 views • 25 slides
david.hoff@umb.edu 617-287-4308 Twitter: @davidhoff10 David Hoff Project Director Institute

david.hoff@umb.edu 617-287-4308 Twitter: @davidhoff10 David Hoff Project Director Institute

david.hoff@umb.edu 617-287-4308 Twitter: @davidhoff10 David Hoff Project Director Institute for Community Inclusion UMass Boston www.communityinclusion.org CMS WIOA Settings Rule Employment Integration and Inclusion DOJ Employment

187 views • 18 slides
Enhanced Performance Benchmarking and Supply Chain Carbon Accounting Environmental Performance

Enhanced Performance Benchmarking and Supply Chain Carbon Accounting Environmental Performance

Enhanced Performance Benchmarking and Supply Chain Carbon Accounting Environmental Performance Metrics Workshop Sponsored by AAPA and EDF Virginia Port Authority, Norfolk Virginia October 10, 2012 Todays Discussion Transportation and

460 views • 19 slides

More recommend