Growing Secure Distributed Systems from a Spore

Post on 23-Feb-2016


Yunus Basagalar, Vassilios Lekakis and Pete Keleher, University of Maryland, College Park

Problem

• Outsourcing data is trendy
  o geographically replicated
  o no downtime

• Inherently insecure
  o implicit trust

Goal

• Remove implicit trust
  o Minimize server functionality
  o Leverage a wider range of resources as storage service
  o Less code, less bugs
  o Use cryptographic techniques

Spore overview

Diagram: Object X, stored together with the symmetric key for Object X and the list of public keys allowed to modify Object X.

Assumptions

• No higher-level functionality on the server side
  o put/get/list interface

• Immutable objects

• No trust assumption
  o except the Spore object

Everything starts with a single spore...

Bob creates the spore object (diagram: Users: Bob; object graph: /.v1; Spore)

Spore Object
  root GUID      5c90ba31
  symmetric key  U0T1BT13io
  servers
    S3    --> addr: spore_bucket
    Azure --> addr: spore_blob
    Local --> addr: /home/user/spore
    SFTP  --> addr: trial.cs.umd.edu user: trial pass: trial
    ...
  trusted keys
    EF6C847F4EAB62F34BAF2438669B4672C5386EEFC465AE4CC645938B8AD9A97E52329486DEF2E9E8CC1A3AC
    ...

Object graph

Diagram: Users: Bob; object graph: /.v1

Bob's operations
1. mkdir /dir
2. create /dir/foo
3. edit /dir/foo
4. create /dir/bar

mkdir /dir

Before the operation, the root object is:
  GUID      5c90ba31
  Filename  /
  Version   1
  Entries   -
  ...

Step 1: create the directory object and put it:
  GUID      7b610f93
  Filename  dir
  Version   1
  Entries   -
  ...
  1. put (7b610f93, dir_obj)

Step 2: create a new version of the root object that points at the directory. Its GUID, 2ca142a9, is computed using a deterministic, fast, collision-resistant function:
  GUID      2ca142a9
  Filename  /
  Version   2
  Entries   dir -> 7b610f93
  ...
  2. put (2ca142a9, root_obj)

Object graph

Bob's operations
1. mkdir /dir
2. create /dir/foo
3. edit /dir/foo
4. create /dir/bar

Graph after each operation (Users: Bob):
  after 1. mkdir /dir       /.v1 /.v2, dir.v1
  after 2. create /dir/foo  /.v1 /.v2, dir.v1 dir.v2, foo.v1
  after 3. edit /dir/foo    /.v1 /.v2, dir.v1 dir.v2, foo.v1 foo.v2
  after 4. create /dir/bar  /.v1 /.v2, dir.v1 dir.v2 dir.v3, foo.v1 foo.v2, bar.v1

implicit edge: between versions of an object
explicit edge: between a parent object and its children (directory entries)

Sharing the Spore

Bob shares the spore with Alice.

Diagram: Users: Bob, Alice; object graph: /.v1 /.v2, dir.v1 dir.v2 dir.v3, foo.v1 foo.v2, bar.v1

Alice's operations
1. read /dir/foo

Traversing the object graph

Alice resolves /dir/foo by traversing the object graph, starting from the root GUID in the spore and following directory entries (slide animation).

Spore overview

Forming trust region by induction

• In trust region
  o data confidentiality
  o authentication of updates
  o self-consistent objects

Diagram: Trust Region

Confidentiality

Diagram: Users: Bob, Alice; object graph: /.v1 /.v2, dir.v1 dir.v2 dir.v3, foo.v1 foo.v2, bar.v1

Alice's operations
1. read /dir/foo

Grant read access to Alice

Diagram: /.v1 /.v2 dir.v1 dir.v2 dir.v3 foo.v1 foo.v2; the symmetric key for foo.v2, encrypted with Alice's public key

• How: Include the key encrypted with Alice's public key

Authentication

Diagram: Users: Bob, Alice; object graph: /.v1 /.v2, dir.v1 dir.v2 dir.v3, foo.v1 foo.v2, bar.v1 bar.v2

Alice's operations
1. edit /dir/bar (produces bar.v2)

Bob's operations
1. read /dir/bar

Bob realizes Alice has no rights to modify bar

Grant write permission to Alice

Diagram: /.v1 /.v2 dir.v1 dir.v2 dir.v3 bar.v1; bar.v2: Alice's public key

• How: Include Alice's public key as a writer for bar

Self-consistent objects

Diagram: Users: Bob, Alice; object graph: /.v1 /.v2, dir.v1 dir.v2 dir.v3, foo.v1 foo.v2, bar.v1 bar.v2.$HASH

$HASH = H(bar.v2), where H is a collision-resistant hash function
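As an added example (not the authors' code), the following Python models the object graph from the mkdir /dir slides together with the checks behind the authentication and self-consistency slides: content-addressed GUIDs from a collision-resistant hash, an untrusted put/get/list store, a hash check on every read, and a reader-side check that a new version's author is a listed writer. It assumes key identifiers in place of public keys and signatures, and SHA-256 truncated to 8 hex digits as the GUID function.

```python
import hashlib
import json

# Constructed model of a Spore-style object graph (added example, not the
# authors' code). Objects are immutable and content-addressed, so a blob the
# server altered fails its hash check on read. Key ids stand in for public keys.

def guid_of(obj):
    """Deterministic, collision-resistant GUID: SHA-256 over canonical JSON."""
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()[:8]  # 8 hex digits, as on the slides

class Store:
    """Untrusted server: only put/get/list, no knowledge of keys or rights."""
    def __init__(self):
        self.blobs = {}
    def put(self, guid, obj):
        self.blobs[guid] = obj
    def get(self, guid):
        return self.blobs[guid]
    def list(self):
        return sorted(self.blobs)

def make_obj(name, version, author, writers, entries=None, data=""):
    return {"name": name, "version": version, "author": author,
            "writers": list(writers), "entries": entries or {}, "data": data}

def mkdir(store, root, dirname, author):
    """mkdir /dirname: put the directory object, then a new root version whose
    entries map dirname -> the directory's GUID (two puts, as on the slides)."""
    d = make_obj(dirname, 1, author, root["writers"])
    d_guid = guid_of(d)
    store.put(d_guid, d)                          # 1. put(dir GUID, dir_obj)
    entries = dict(root["entries"], **{dirname: d_guid})
    new_root = make_obj(root["name"], root["version"] + 1, author,
                        root["writers"], entries)
    r_guid = guid_of(new_root)
    store.put(r_guid, new_root)                   # 2. put(new root GUID, root_obj)
    return r_guid, d_guid

def fetch_checked(store, guid):
    """Self-consistency: recompute the hash of whatever the server returned."""
    obj = store.get(guid)
    if guid_of(obj) != guid:
        raise ValueError(f"object {guid} failed its hash check")
    return obj

def accept_update(prev, new):
    """Authentication on read: the new version's author must be a writer of prev."""
    return new["version"] == prev["version"] + 1 and new["author"] in prev["writers"]
```

With these checks the server never needs to know keys or permissions: a reader rejects both an altered blob and a version written by a non-writer, which is what Bob does with Alice's bar.v2 before granting her write permission.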


Conclusion

• Growing a secure distributed system from a Spore
  o authenticated writes
  o confidentiality
  o self-consistent objects
  o minimal server-side functionality