Towards a Secure and Efficient System for End-to-End Provenance


SLIDE 1

Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

Towards a Secure and Efficient System for End-to-End Provenance

Patrick McDaniel, Kevin Butler, Stephen McLaughlin Penn State University Erez Zadok, Radu Sion, Stony Brook University Marianne Winslett, University of Illinois TaPP’10, San Jose, CA 22 February 2010

SLIDE 2


Provenance Rich Applications

  • Scientific computing (myGrid)
  • Supervisory Control and Data Acquisition (SCADA)
  • National Academy “Hard Problem”
  • Supply chains
  • Government and military
  • Digital repositories (MIT DSpace, version control)
  • Characteristics:
    • High assurance, distributed, high performance
SLIDE 4


End-to-End Provenance System

  • Why another provenance collection system?
    • Strong security guarantees
    • Distributed provenance collection
    • Achieving the above two goals efficiently in high-end computing systems

SLIDE 5


Secure Provenance Collection

  • Provenance monitor (PM), analogous to the reference monitor concept
  • Three guarantees:
    • Complete mediation
    • Tamperproofness
    • Verifiability
  • Beyond authentication of records:
    • Integrity/trustworthiness of the recording instrument and of provenance-enhanced applications

SLIDE 6


Achieving Security Goals

  • PM and provenance records both protected from monitored applications
  • Two implementations:
    • Kernel-level:
      • More semantic information for mediation
      • LSM (Linux Security Modules) implementation
    • Device-level:
      • Stronger tamperproofness guarantee
      • Disk-level support for provenance collection, record storage, and host interaction for semantics and policies [Butler’07, ’08]

SLIDE 7


Distributed Environments

[Figure: three organizations, Org A, Org B and Org C, each with its own Provenance Authority; every host runs a PM, implemented in the host kernel, in a secure coprocessor, or in intelligent storage, and reports to its organization's Provenance Authority]

SLIDE 8


Distributed PM

  • Challenges in distributed provenance
  • Domain-specific policies for:
    • Auditors: confidentiality considerations
    • Cryptographic commitments [Hasan’09]
  • Divergent modification histories
    • Plausible version history
    • If necessary, a plausible history may be checked against previous subjects in the ownership chain

SLIDE 9


Distributed Example


Example: File transfer between hosts with untrusted OSes and trusted storage

[Figure: Host A (scp, untrusted kernel and FS, hybrid drive with flash and disk, PM, SaF) and Host B (sshd, same stack); Doc and its provenance record P1 reside on Host A's drive]

SLIDE 10


Distributed Example


A program initiates a request for the file.

[Figure: same two hosts; scp on Host A issues the request to sshd on Host B; Doc and P1 still reside only on Host A's drive]

SLIDE 11


Distributed Example


A secure tunnel is established between disks through the untrusted OS.

[Figure: same two hosts; a tunnel links the PMs of the two drives through the untrusted kernels; P1 is now shown at both drives]

SLIDE 12


Distributed Example


The document is transferred as normal.

[Figure: same two hosts; Doc is now present on Host B's drive as well, with P1 at both drives]

SLIDE 13


Distributed Example


The destination disk checks the integrity of the document once the write-through is completed and appends a new provenance entry.

[Figure: same two hosts; Host B's drive now holds Doc with provenance P1|P2, Host A's drive still holds Doc with P1]
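The transfer on slides 10 to 13, together with the PM guarantees of slide 5 (complete mediation, tamperproofness, verifiability) and the divergent modification histories of slide 8, worked as an added Python example; this is not code from the slides or from EEPS. Each disk's PM is modelled as a recorder holding a per-device key; records are hash-chained so that P1|P2 can be checked by anyone holding the key directory, a chain that fails verification is never extended or endorsed, and two copies of a shared document can be compared for the point at which their histories fork. HMAC-SHA256 with constructed keys stands in for the digital signatures a deployed PM would use; the device names, keys, document and the "SaF"-free message flow are assumptions.

```python
"""Hash-chained, device-authenticated provenance records: a constructed
illustration of the PM guarantees and the slides' transfer example, not EEPS
code. HMAC-SHA256 under made-up per-device keys stands in for signatures; the
key directory plays the role the slides give to the Provenance Authority."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS = "0" * 64  # `prev` of the first entry of every chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(seq: int, device: str, action: str, doc_hash: str, prev: str) -> bytes:
    """Canonical bytes of the authenticated fields (JSON, sorted keys)."""
    fields = {"seq": seq, "device": device, "action": action,
              "doc_hash": doc_hash, "prev": prev}
    return json.dumps(fields, sort_keys=True).encode()


@dataclass(frozen=True)
class Entry:
    seq: int        # position in the chain
    device: str     # provenance monitor (disk) that recorded the entry
    action: str     # "create", "modify" or "transfer-in"
    doc_hash: str   # SHA-256 of the document after the action
    prev: str       # digest of the previous entry, GENESIS for the first
    mac: str        # HMAC-SHA256 over canonical(...) under the device key

    def digest(self) -> str:
        # Covers the MAC too, so a re-signed entry no longer matches its successor.
        return sha256_hex(canonical(self.seq, self.device, self.action,
                                    self.doc_hash, self.prev) + self.mac.encode())


def verify_chain(chain: List[Entry], keys: Dict[str, bytes]) -> bool:
    """Verifiability: every entry is authentic and linked to its predecessor."""
    prev = GENESIS
    for i, e in enumerate(chain):
        key = keys.get(e.device)
        if key is None or e.seq != i or e.prev != prev:
            return False
        expected = hmac.new(key, canonical(e.seq, e.device, e.action, e.doc_hash,
                                           e.prev), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e.mac):
            return False
        prev = e.digest()
    return True


class ProvenanceMonitor:
    """Trusted recorder (the disk firmware in the slides): the untrusted OS
    hands it documents and chains but never sees the key."""

    def __init__(self, device_id: str, key: bytes, keys: Dict[str, bytes]):
        self.device_id, self._key, self._keys = device_id, key, keys

    def append(self, chain: List[Entry], action: str, doc: bytes) -> List[Entry]:
        """Complete mediation: every write comes through here, and the existing
        chain is verified first so a forged prefix is never endorsed."""
        if not verify_chain(chain, self._keys):
            raise ValueError("refusing to extend a chain that fails verification")
        seq, prev = len(chain), (chain[-1].digest() if chain else GENESIS)
        doc_hash = sha256_hex(doc)
        mac = hmac.new(self._key, canonical(seq, self.device_id, action, doc_hash,
                                            prev), hashlib.sha256).hexdigest()
        return chain + [Entry(seq, self.device_id, action, doc_hash, prev, mac)]

    def receive(self, chain: List[Entry], doc: bytes) -> List[Entry]:
        """Destination disk once the write-through completes: check the document
        against the provenance it arrived with, then append the transfer entry."""
        if not chain or sha256_hex(doc) != chain[-1].doc_hash:
            raise ValueError("document does not match its provenance")
        return self.append(chain, "transfer-in", doc)


def divergence_point(a: List[Entry], b: List[Entry]) -> Optional[int]:
    """First index where two copies' histories differ; None if one history
    is a prefix of the other (slide 8's divergent modification histories)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None


def transfer_example() -> Dict[str, object]:
    """Slides 10-13 with a constructed document and constructed device keys."""
    keys = {"diskA": b"constructed-key-A", "diskB": b"constructed-key-B"}
    disk_a = ProvenanceMonitor("diskA", keys["diskA"], keys)
    disk_b = ProvenanceMonitor("diskB", keys["diskB"], keys)
    doc = b"example dataset, version 1"
    p1 = disk_a.append([], "create", doc)   # Host A's disk records P1
    p1_p2 = disk_b.receive(p1, doc)          # Host B's disk checks Doc, appends P2
    return {"keys": keys, "doc": doc, "p1": p1, "p1_p2": p1_p2,
            "disk_a": disk_a, "disk_b": disk_b}
```

The chain gives tamper evidence, not tamperproofness: the slides obtain the latter by placing the PM and its records inside the disk, out of reach of the OS, and nothing in this code substitutes for that. With symmetric HMAC any holder of the key directory could forge an entry, so a deployed system would sign entries with per-device keys certified by the Provenance Authority and let auditors verify with the public keys alone.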

SLIDE 14


Distributed Provenance Overheads

  • Overhead increases monotonically as data is shared.
  • Two implications:
    • Storage costs within a single domain
      • High sharing factor: redundant provenance data
      • Long per-host modification histories: higher redundancy factor
      • Even though document size may remain constant!
    • Audit costs between domains
      • As sharing of a document increases, the computational cost of sharing increases

SLIDE 15


Performance Enhancements

  • Provenance monitor profiling
    • Enhanced profiling tools
    • Profiling provenance collection for workloads from scientific domains
    • EEPS calibration for a particular environment
    • LSM instrumentation
  • Cost models for provenance collection
    • Hardware and storage requirements ($/GB)
    • New cost models based on the types of provenance data collected and on system architectures

SLIDE 16


Summary

  • Existing provenance systems solve problems of data management and organization
  • EEPS:
    • Secure collection and auditing
      • Provenance Monitor
    • Distributed provenance
      • Distributed PM
    • Performance considerations
      • PM and application profiling and calibration

SLIDE 17


References


[Butler’08] Kevin Butler, Stephen McLaughlin, and Patrick McDaniel. Rootkit-Resistant Disks. 15th ACM Conference on Computer and Communications Security (CCS’08), Alexandria, VA, USA, November 2008.

[Butler’07] Kevin Butler, Stephen McLaughlin, and Patrick McDaniel. Non-Volatile Memory and Disks: Avenues for Policy Architectures. 1st Computer Security Architecture Workshop (CSAW 2007), Alexandria, VA, USA, November 2007.

[Hasan’09] Ragib Hasan, Radu Sion, and Marianne Winslett. Preventing History Forgery with Secure Provenance. ACM Transactions on Storage, December 2009.