Secure Data Preservers for Web Services, Byung-Gon Chun, Yahoo! (PowerPoint presentation)



SLIDE 1

Secure Data Preservers for Web Services

Byung-Gon Chun Yahoo! Research

Joint work with Jayanthkumar Kannan (Google) and Petros Maniatis (Intel Labs)

SLIDE 2

Users Entrust Web Services with Their Data

(Figure labels: credit card number, trading strategy, health records, web click logs)

SLIDE 3

Users Entrust Web Services with Their Data

(Figure labels: credit card number, trading strategy, health records, web click logs)

  • How their data will be used
  • What parts will be shared
  • With whom they will be shared
SLIDE 4

Exposure of Sensitive Data

  • dataloss.db lists 400 data loss incidents in 2009; on average exposed half-a-million customer records

SLIDE 7

Exacerbated by Giving Up Data Usage Control

(Figure labels: Individuals, Health records)

SLIDE 9

Exacerbated by Giving Up Data Usage Control

(Figure labels: Individuals, Health records)

  • How their data will be used
  • What parts will be shared
  • With whom they will be shared
SLIDE 10

Give Control Back to Users

(Figure labels: Individuals, Health records)

  • How their data will be used
  • What parts will be shared
  • With whom they will be shared

Personalizable trust

SLIDE 11

Roadmap

  • Motivation
  • Secure Data Preserver
  • Design
  • Evaluation
SLIDE 12

Our Approach

  • Entrusting raw data violates least privilege
  • Encapsulate sensitive data and enforce a well-defined interface for the service to access the data

SLIDE 13

Secure Data Preserver (SDaP)

(Figure labels. (a) Service + User Data: Service Code, OS, HW, User Data. (b) Service + Preserver: Service Code, OS, HW, Data Interface, isolation boundary, Preserver (Preserver Code, User Data, access control).)

SLIDE 14

Preserver Deployment Scenarios

(Figure labels, three scenarios)
  • Trusted third party or client: service app (HW, OS) and SDaP (HW, OS) on separate machines; fault model: faulty service app, faulty service operator
  • Co-location on a VMM: service app (OS) and SDaP (mini-OS) as separate VMs over a VMM on shared HW; fault model: faulty service app
  • Co-location with a secure co-processor: service app (HW, OS) with SDaP inside the secure co-processor; fault model: faulty service app, faulty service operator

SLIDE 15

What Apps Are Suitable?

  • Sensitive query
    – User provides sensitive query, service provides data stream
    – E.g., trading, health
  • Analytics on sensitive data
    – Service performs data mining on user's sensitive data
    – E.g., targeted advertising, recommendation
  • Proxy
    – User provides credentials to another service

SLIDE 16

What Apps Are Suitable?

  • Sensitive query
    – User provides sensitive query, service provides data stream
    – E.g., trading, health
  • Analytics on sensitive data
    – Service performs data mining on user's sensitive data
    – E.g., targeted advertising, recommendation
  • Proxy
    – User provides credentials to another service
  • Limitation: data-centric services that read and update users' data at fine granularity
    – E.g., Docs, social networking apps
SLIDE 17

Roadmap

  • Motivation
  • Secure Data Preserver
  • Design
  • Evaluation
SLIDE 18

Preserver Design Goals

  • Simple Interface
  • Flexible deployment
  • Fine-grained use policy
  • Trust but mitigate risk
SLIDE 19

Preserver Operational View

(Figure labels: OS, E*Trade app, Preserver, Policy, Data)

  1. Pick Preserver
  2. Specify policy
  3. Install Preserver
  4. API, e.g., Ticker()

SLIDE 20

Preserver Architecture

(Figure labels: a Service Client installs the Preserver on the Service OS. Preserver: Base Layer (Policy Engine, Interface) and Data Layer (User Data, Policy Data, Service Data); Host Hub and Host Facilities on the service side; arrows: Install, Install/xfm, Invoke; policies P1, P2, P3; legend: Hosting, Invocation, Transformation.)

SLIDE 21

Preserver Hosting

  • Which services can host users' preservers
  • Hosting policy
    – Declarative language based on SecPAL
    – Example 1: alice SAYS CanHost(M) IF OwnsMachine(amazon, M)
  • Hosting mechanism
    – Hosting protocol based on the Diffie-Hellman protocol

SLIDE 22

Preserver Hosting

  • Which services can host users' preservers
  • Hosting policy
    – Declarative language based on SecPAL
    – Example 2: alice SAYS CanHost(M) IF TrustedService(S), OwnsMachine(S, M), HasCoprocessor(M)
  • Hosting mechanism
    – Hosting protocol based on the Diffie-Hellman protocol

SLIDE 23

Preserver Hosting

  • Which services can host users' preservers
  • Hosting policy
    – Declarative language based on SecPAL
    – Example 3: alice SAYS amazon CANSAY TrustedService(S)
  • Hosting mechanism
    – Hosting protocol based on the Diffie-Hellman protocol
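As an added illustration of hosting examples 2 and 3 above (example code written for this page, not from the SDaP project): a toy evaluator in which a fact is believed only if alice asserted it herself or a delegate she named with CANSAY did. The principals amazon and ebay and the machines m1 and m2 are constructed inputs.

```python
from collections import namedtuple

# Toy SecPAL-style evaluator for the hosting policy (constructed example).
# A fact is "issuer SAYS pred(args)"; "alice SAYS amazon CANSAY TrustedService(S)"
# makes amazon's TrustedService facts count as alice's own.
Fact = namedtuple("Fact", "issuer pred args")

class HostingPolicy:
    def __init__(self, owner):
        self.owner = owner       # the user whose preserver is to be hosted
        self.facts = set()
        self.cansay = set()      # (delegate, predicate) pairs the owner delegated

    def say(self, issuer, pred, *args):
        self.facts.add(Fact(issuer, pred, args))

    def delegate(self, delegate, pred):
        # owner SAYS delegate CANSAY pred(...)
        self.cansay.add((delegate, pred))

    def holds(self, pred, *args):
        # A fact counts only if the owner asserted it, or a delegate trusted
        # for that predicate did; anyone else's assertions are ignored.
        return any(f.pred == pred and f.args == args and
                   (f.issuer == self.owner or (f.issuer, pred) in self.cansay)
                   for f in self.facts)

    def can_host(self, machine):
        # Rule 2: CanHost(M) IF TrustedService(S), OwnsMachine(S, M), HasCoprocessor(M)
        owners = {f.args[0] for f in self.facts
                  if f.pred == "OwnsMachine" and f.args[1:] == (machine,)}
        return any(self.holds("TrustedService", s) and
                   self.holds("OwnsMachine", s, machine) and
                   self.holds("HasCoprocessor", machine)
                   for s in owners)

def hosting_demo():  # constructed scenario: alice's policy, amazon as delegate
    p = HostingPolicy("alice")
    p.delegate("amazon", "TrustedService")       # rule 3 from the slides
    p.say("alice", "OwnsMachine", "amazon", "m1")
    p.say("alice", "HasCoprocessor", "m1")
    p.say("amazon", "TrustedService", "amazon")  # accepted: amazon is delegated
    p.say("alice", "OwnsMachine", "ebay", "m2")
    p.say("alice", "HasCoprocessor", "m2")
    p.say("ebay", "TrustedService", "ebay")      # ignored: ebay was not delegated
    return p.can_host("m1"), p.can_host("m2")    # (True, False)
```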
SLIDE 24

Preserver Invocation

  • Constrain interface invocation parameters with SecPAL
  • Two kinds: stateless, stateful
    – Example 1 (stateless): alice SAYS CanInvoke(amazon, A) IF LessThan(A, 50)
  • Transfer of invocation policies: exo-leasing
SLIDE 25

Preserver Invocation

  • Constrain interface invocation parameters with SecPAL
  • Two kinds: stateless, stateful
  • Transfer of invocation policies: exo-leasing
    – Example 2 (stateful): alice SAYS CanInvoke(doubleclick, A) IF LessThan(A, Limit), Between(Time, "01/01/10", "01/31/10") STATE (Limit=50, Update(Limit, A))

SLIDE 26

Preserver Invocation

  • Constrain interface invocation parameters with SecPAL
  • Two kinds: stateless, stateful
  • Transfer of invocation policies: exo-leasing
    – Example 3 (transfer): alice SAYS amazon CANSAY CanInvoke(S, A) IF LessThan(A, Limit) STATE (Limit=50, Update(Limit, A))
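An added example (not SDaP project code) of the stateful invocation rules above, combining the time-windowed, limit-consuming rule of example 2 with the delegated rule of example 3: a preserver that hides a card number behind a single charge() interface and refuses calls the policy does not allow. The card number, dates and service names are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Constructed example: a preserver hiding a card number behind one charge()
# interface, enforcing "CanInvoke(S, A) IF LessThan(A, Limit),
# Between(Time, start, end) STATE (Limit=50, Update(Limit, A))".
@dataclass
class InvocationPolicy:
    principal: str         # service the rule is issued to
    limit: float = 50.0    # STATE: Limit, initially 50
    start: date = None     # Between(Time, start, end); None means no window
    end: date = None

    def allows(self, amount, when):
        in_window = self.start is None or self.start <= when <= self.end
        return in_window and amount < self.limit    # LessThan(A, Limit)

    def update(self, amount):
        self.limit -= amount                        # Update(Limit, A)

class Preserver:
    def __init__(self, card_number, policies, delegates=()):
        self._card = card_number           # raw data never leaves the preserver
        self._policies = {p.principal: p for p in policies}
        self._delegates = set(delegates)   # "alice SAYS amazon CANSAY CanInvoke(S, A)"

    def delegate(self, by, service, limit=50.0):
        # A named delegate may issue a fresh CanInvoke rule with its own Limit state
        if by not in self._delegates:
            return False
        self._policies[service] = InvocationPolicy(service, limit)
        return True

    def charge(self, caller, amount, when):
        policy = self._policies.get(caller)
        if policy is None or not policy.allows(amount, when):
            return None                    # refused: nothing about the card is revealed
        policy.update(amount)
        return f"charged {amount:.2f} to card ending {self._card[-4:]}"

def invocation_demo():  # constructed scenario: doubleclick may spend under 50 in Jan 2010
    p = Preserver("4111111111111111",
                  [InvocationPolicy("doubleclick", 50.0, date(2010, 1, 1), date(2010, 1, 31))],
                  delegates=["amazon"])
    r1 = p.charge("doubleclick", 30.0, date(2010, 1, 15))  # allowed, Limit becomes 20
    r2 = p.charge("doubleclick", 30.0, date(2010, 1, 16))  # denied: 30 is not < 20
    r3 = p.charge("doubleclick", 10.0, date(2010, 2, 1))   # denied: outside the window
    ok = p.delegate("amazon", "ebay")                       # amazon CANSAY CanInvoke(ebay, A)
    return r1, r2, r3, ok, p.charge("ebay", 10.0, date(2010, 3, 1))
```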

SLIDE 27

Preserver Transformation

  • Filtering: retain a subset of data
    – E.g., only the web history in the last six months
  • Aggregation: merging of raw data from mutually trusting users of a service
    – E.g., ad-click history of users

SLIDE 28

Roadmap

  • Motivation
  • Secure Data Preserver
  • Design
  • Evaluation
SLIDE 29

Evaluation

  • Deployment options:
    – TTP, client, Xen-based co-location
  • Three sample preservers:
    – Stock trading, targeted advertising, credit card transaction
  • Main results:
    – Cost of preserver
    – Comparison of deployment options
    – Security analysis: LS2-based theoretical analysis, Trusted Computing Base (TCB) comparison

SLIDE 30

Cost of Basic Invocation (Latency)

SLIDE 31

Cost of Stock Trading (Latency)

SLIDE 32

Discussion

  • Find appropriate interfaces, verify them
  • Easy refactoring
    – Even automated
  • Apps with rich interfaces
    – Information flow control

SLIDE 33

Related Work

  • Wilhelm’s mobile agent
  • CLAMP
  • BSTORE
  • Decentralized privacy frameworks
  • Information flow control
SLIDE 34

Conclusion

  • Rearchitect web services around the principle of giving data usage control back to users
  • Secure Data Preserver achieves this goal via data encapsulation and interface-based access control

SLIDE 35

Thank you! Q & A