Working Set- -Based Access Control for Based Access Control for - - PowerPoint PPT Presentation

working set based access control for based access control
SMART_READER_LITE
LIVE PREVIEW

Working Set- -Based Access Control for Based Access Control for - - PowerPoint PPT Presentation

Oct 04, 2022 430 likes •667 views

Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University

slide-1
SLIDE 1

Working Set Working Set-

  • Based Access Control for

Based Access Control for Network File Systems Network File Systems

Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode

DiscoLab - Department of Computer Science Rutgers, The State University of New Jersey { smaldone, vinodg, iftode }@cs.rutgers.edu

slide-2
SLIDE 2

5/19/2007 Rutgers WINLAB IAB Meeting 2

Mobile Access to Network File Systems Increasing Mobile Access to Network File Systems Increasing

Alice @Trusted Network File Servers Alice @Untrusted Personal Device Corporate Intranet

VPN Server Firewall Internet VPN

File Accesses

slide-3
SLIDE 3

5/19/2007 Rutgers WINLAB IAB Meeting 3

WSBAC: Working Set WSBAC: Working Set-

  • Based Access Control

Based Access Control

Alice’s File Set Alice’s Active File Set Process Virtual Memory Process Working Set

slide-4
SLIDE 4

5/19/2007 Rutgers WINLAB IAB Meeting 4

Outline Outline

  • Introduction
  • WSBAC Design

– POLEX and POLEN Design

  • WSBAC Implementation

– Background: FileWall – POLEX and POLEN Implementations – Policy View Namespace (PVN)

  • Related Work
  • Conclusions and Future Work
slide-5
SLIDE 5

5/19/2007 Rutgers WINLAB IAB Meeting 5

WSBAC Overview WSBAC Overview

POLEX POLEN File Server

1 2 1 1 2 3 3

Untrusted Devices Working Sets Trusted Network Domain (Corporate Intranet) POLEN Vault Area Trusted Devices

slide-6
SLIDE 6

5/19/2007 Rutgers WINLAB IAB Meeting 6

Working Sets Switch

POLEX: POLEX: POL POLicy icy EX EXtraction traction for Network File Systems for Network File Systems

File Server Policy View Namespace (PVN) POLEX Administrator

Trusted Devices

slide-7
SLIDE 7

5/19/2007 Rutgers WINLAB IAB Meeting 7

Policy View Namespace (PVN) Policy View Namespace (PVN)

PVN Root PVN1 Control Shadow

Mirrored FS Namespace

FILE METADATA EFFECTIVE AC

Shadow File Contents

  • Start / Stop Collection
  • Modify Collection Parameters
  • Modify View Parameters
slide-8
SLIDE 8

5/19/2007 Rutgers WINLAB IAB Meeting 8

POLEN: POLEN: POL POLicy icy EN ENforcement forcement for Network File for Network File Systems Systems

Working Sets File Server POLEN

Untrusted Devices

Reliable Secondary Authentication Mechanism WSBAC Virtual Namespace

slide-9
SLIDE 9

5/19/2007 Rutgers WINLAB IAB Meeting 9

Background: Background: FileWall FileWall

FileWall: A Firewall for Network File System, S. Smaldone, A. Bohra, and L. Iftode. In the Proceedings of the 3rd IEEE International Symposium

  • n Dependable, Autonomic and Secure Computing (DASC'07).

Scheduler

Forwarder Access Context FileWall Policy Request Handler

File Server

FS Client

Response Handler

slide-10
SLIDE 10

5/19/2007 Rutgers WINLAB IAB Meeting 10

The POLEX Implementation The POLEX Implementation

Forwarder Access Context

Policy Definition

Extraction Handler

Scheduler Network File System Stream Administrator

View Handlers Working Set Summaries (Bloom Filters)

slide-11
SLIDE 11

5/19/2007 Rutgers WINLAB IAB Meeting 11

Outline Outline

  • Introduction
  • WSBAC Design
  • WSBAC Implementation
  • Evaluation and Results
  • Related Work
  • Conclusions
slide-12
SLIDE 12

5/19/2007 Rutgers WINLAB IAB Meeting 12

Evaluation Evaluation

  • Goals

– Measure accuracy of a working set extraction: w.r.t. errors and

  • ver-estimations

– Measure overheads imposed network file system access – See paper for full evaluation and results

  • Setup

– Systems: Dell systems, Dual 2.4 GHz CPUs, 3 GB RAM, running Linux 2.6 – Perform offline analysis using Harvard File System Traces [Ellard’03] – OpenSSH compilation as application performance benchmark

slide-13
SLIDE 13

5/19/2007 Rutgers WINLAB IAB Meeting 13

Evaluation: POLEX Accuracy Evaluation: POLEX Accuracy

Average Error Rate Over-Estimation Rate Run 1 1.08% 31.6% Run 2 0.76% 41.2% Run 3 1.02% 42.5% Run 4 0.79% 36.5% Run 5 0.97% 42.9% Average 0.92% 38.9%

slide-14
SLIDE 14

5/19/2007 Rutgers WINLAB IAB Meeting 14

Evaluation: POLEN Application Benchmark Evaluation: POLEN Application Benchmark

10 20 30 40 50 60 70 untar configure compile install remove

Benchmark Phase Time (sec) NFS POLEN

slide-15
SLIDE 15

5/19/2007 Rutgers WINLAB IAB Meeting 15

Related Work Related Work

  • Policy Extraction and Inference

– RBAC Role Mining [Kuhlmann’03, Schlegelmilch’05] – XACML AC Property Inference [Anderson’04, Martin’06] – Firewall Policy Inference [Golnabi’06, Tongaonkar’07] – Gray-Box Systems [Arpaci-Dusseau’01]

  • Context-Aware Access Control

– Secure Collaborations in Mobile Computing [Toninelli’06] – Ubiquitous Services [Corradi’04, Yokotama’06] – Ad-Hoc Networks [Saidane’07] – Web Services [Bhatti’05, Kapsalis’06]

slide-16
SLIDE 16

5/19/2007 Rutgers WINLAB IAB Meeting 16

Conclusions Conclusions

  • WSBAC: Working Set-Based Access Control for Network File

Systems

– Access control technique that estimates per-user working sets to formulate access control policy for accesses from untrusted devices – Prototype design and implementation of POLEX and POLEN – Empirical evaluation suggests that WSBAC is highly effective, exhibiting low error rates

  • Conference Paper

– Working Set-Based Access Control for Network File Systems,

  • S. Smaldone, V. Ganapathy, and L. Iftode

To appear in the Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (SACMAT 2009), June 2009.

slide-17
SLIDE 17

Thank You! Thank You!

http://discolab.rutgers.edu

slide-18
SLIDE 18

5/19/2007 Rutgers WINLAB IAB Meeting 18

Evaluation: POLEX Time and Storage Requirements Evaluation: POLEX Time and Storage Requirements

Size of Trace Time to Analyze State Size 1 Day (~3.3 GB - 6,308,023 Req/Res Pairs) 52 min 154MB 1 Hour (~140 MB - 262,834 Req/Res Pairs) 2.49 min 154MB

slide-19
SLIDE 19

5/19/2007 Rutgers WINLAB IAB Meeting 19

Evaluation: POLEX Sensitivity Evaluation: POLEX Sensitivity

Day 1 Day 2 Day 3 Day 4 Day 5 User 1 0.26% 0.03% 0.02% 0.01% 0.01% User 2 0.31% 4.4% 0.0% 3.3% 0.27% User 3 0.37% 0.36% 0.82% 2.5% 0.61% User 4 0.48% 1.8% 0.55% 0.66% 0.11% User 5 0.18% 0.28% 0.18% 0.34% 0.27% Average 0.32% 1.4% 0.31% 1.4% 0.27%

slide-20
SLIDE 20

5/19/2007 Rutgers WINLAB IAB Meeting 20

Evaluation: Speculation Rates Evaluation: Speculation Rates

Average Min Max 1.4% 2.4% 0.028% Average Min Max 7 speculative rqst/day 12 speculative rqst/day >1 speculative rqst/day

  • For Heavy Users (~500 rqst/day):
slide-21
SLIDE 21

5/19/2007 Rutgers WINLAB IAB Meeting 21

Evaluation: POLEN Performance Evaluation: POLEN Performance Microbenchmark Microbenchmark

100 200 300 400 500 600 700 getattr lookup access read write create

NFS Operation Response Latency (usec)

NFS-minimal POLEN-minimal NFS-LAN POLEN-LAN

slide-22
SLIDE 22

5/19/2007 Rutgers WINLAB IAB Meeting 22

Contributions Contributions

Add after slide 4

slide-23
SLIDE 23

5/19/2007 Rutgers WINLAB IAB Meeting 23

The POLEN Implementation The POLEN Implementation

Add after slide 11