Date posted: 21-Dec-2015
Context slide: research areas
• Transformation
• Hardware system architectures
• SVA
• Binary translation and emulation
• Formal methods
• Hardware support for isolation
• Dealing with malicious hardware
• Cryptographic secure computation
• Data-centric security
• Secure browser appliance
• Secure servers
• Web-based architectures
Examples: enforce properties on a malicious OS; prevent data exfiltration; enable complex distributed systems, with resilience to hostile OSes.
Mohit Tiwari, UC Berkeley
with Krste Asanović, Dawn Song, Petros Maniatis, Prashanth Mohan, Christoforos Papamanthou,
Elaine Shi, Emil Stefanov, Nguyen Tran
Platform for Private Data
Ideal: Privacy Preserving Cloud (diagram: End User, Developer and Cloud provider; privacy evidence, privacy policy, API, App)
PPD: Platform for Private Data (diagram: End User, Developer and PPD Cloud provider; privacy evidence, privacy policy, API, App; private data vault, sealed container)
Outline of this talk
• PPD: Platform for Private Data
• PPD Architecture
• PPD Prototype and Evaluation
PPD Insights
• Co-design UI and system software
  – User decisions are intuitive (“share doc with Bob”)
  – System manages untrusted apps and private data
• Developer API
  – Per-user functionality vs. cross-user optimizations
• Privacy: data owners’ access control policy
  – Apps ‘see’ data only in sealed containers
PPD Applications
• Cloud storage
• Personal documents
• Real-time applications
• E-commerce
• Social applications
• Miscellaneous: browsing, peer-to-peer
PPD Architecture: Users (diagram: End-User on hardware with TPM; PPD Cloud Provider with untrusted storage; trusted user interface; protected channel; user-initiated sharing)
ACL table: id | o | r | w
A.tax | A | A | A
PPD Architecture: Applications (diagram: untrusted application running inside an application container; End-User and Developer; hardware with TPM; PPD Cloud Provider with PPD Controller and ACL Manager; cleartext data only inside the container; untrusted storage; trusted user interface)
PPD Architecture: Storage (diagram: untrusted applications in application containers; End-Users and Developers; hardware with TPM; PPD Cloud Provider with PPD Controller and ACL Manager; PPD Storage Proxy providing dedup, caching, replication, …; storage container with integrity check; untrusted storage; trusted user interface)
PPD Timeline #1: User attests Client (sequence diagram between User (Alice), Client and Cloud Server)
1. Client TPM sends its hardware id: TPM.send(hw id)
2. Trusted PPD Server requests attestation of the client code: Attest(code)
3. Client returns Response(result); the separation kernel on the client is checked
4. Site key exchanged; client attested
PPD Timeline #2: User launches App (sequence diagram between User (Alice), Client and Cloud Server)
1. Alice launches the trusted UI on the client (trusted PPD kernel: PPD UI, control)
2. Authentication with the cloud server (trusted kernel: PPD UI, control)
3. Launch application: an app container is created on the client and on the server
4. App communication between the two containers
User and Developer Interface
• User creates data
  – Personal by default; the user decides who to share it with
• PPD system provides a trusted UI to the user
  – User conveys changes of ACLs to PPD
• Developers can request
  – Application containers: per-user, per-data-capsule
  – Storage containers: per-application, per-system
Outline of this talk
• PPD: Platform for Private Data
• PPD Architecture
• PPD Prototype and Evaluation
PPD Building Blocks
• Data capsules
  – Capsule inferred based on user actions
  – E.g. “tax documents”, “thanksgiving album”
  – System assigns ACL as private by default
• Protected containers
  – Linux containers (LXC), copy-on-write FS (UnionFS)
  – Stops all explicit communication, except channels
  – Hardware side channels, timing leaks out of scope
PPD Building Blocks
• Protected channels
  – iptables firewall rules for LXC containers
  – Encryption, integrity checking (TLS/SSL for network)
  – Trusted channel from user to PPD to change ACLs
• Storage proxies
  – Key-value proxy: put, get, and setACL interface
  – File-system proxy: FUSE-based layer on the key-value proxy
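The key-value proxy is the point where the ACL from the users slide (id A.tax, owner A, read A, write A) is actually enforced, and where the storage-container integrity check happens because the store itself is untrusted. The following is an added illustration, not PPD's own code: a minimal proxy with the put/get/setACL interface, private-by-default capsules, owner-only ACL changes, and an HMAC tag (an assumed mechanism) over each stored value.

```python
# Added illustration (not PPD's own code): key-value storage proxy that
# mediates between application containers and untrusted storage.
# ACL rows follow the slides' id/o/r/w form: owner, readers, writers.
import hashlib
import hmac


class PPDStorageProxy:
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key   # held by the proxy, never by an app container
        self._store = {}            # stands in for the untrusted storage backend
        self._acls = {}             # id -> {"o": owner, "r": readers, "w": writers}

    def _tag(self, key: str, value: bytes) -> bytes:
        # Integrity tag binds the value to its id so a swapped blob is detected.
        return hmac.new(self._key, key.encode() + b"\0" + value, hashlib.sha256).digest()

    def _acl(self, key: str) -> dict:
        acl = self._acls.get(key)
        if acl is None:
            raise KeyError(f"no capsule {key}")
        return acl

    def put(self, principal: str, key: str, value: bytes) -> None:
        if key not in self._acls:
            # First write creates the capsule: private by default, owned by the writer.
            self._acls[key] = {"o": principal, "r": {principal}, "w": {principal}}
        elif principal not in self._acls[key]["w"]:
            raise PermissionError(f"{principal} may not write {key}")
        self._store[key] = (value, self._tag(key, value))

    def get(self, principal: str, key: str) -> bytes:
        if principal not in self._acl(key)["r"]:
            raise PermissionError(f"{principal} may not read {key}")
        value, tag = self._store[key]
        # Storage is untrusted: verify the tag before handing data to the container.
        if not hmac.compare_digest(tag, self._tag(key, value)):
            raise ValueError(f"integrity check failed for {key}")
        return value

    def setACL(self, principal: str, key: str, readers, writers) -> None:
        # Only the data owner changes sharing ("share doc with Bob" via the trusted UI).
        acl = self._acl(key)
        if principal != acl["o"]:
            raise PermissionError(f"{principal} does not own {key}")
        acl["r"] = {acl["o"], *readers}
        acl["w"] = {acl["o"], *writers}

    def acl_row(self, key: str):
        acl = self._acl(key)
        return acl["o"], sorted(acl["r"]), sorted(acl["w"])
```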
PPD Building Blocks
• PPD Controller
  – Manages containers and channels
  – Dynamically creates containers based on user or application requests
  – Assigns iptables rules for all containers
• Remote attestation
  – Intel TXT, TPM v1.2
  – Attests correct PPD code on untrusted machines
PPD Applications
• Friendshare: online storage with de-duplication (like Dropbox)
• Git: repository version control server
• Etherpad: online, collaborative editing (like Google Docs)
PPD Prototype (diagram)
• End users connect through TLS proxies
• Application layer: LXC containers running EtherPad and FriendShare; PPD Controller with ACL store receives ACL changes
• Storage layer: K/V proxy and FS proxy, dedup, secure block device, storage
• Linux kernel with iptables; TPM chip (remote attestation)
Writing & Porting Apps for PPD
• Scripts to install and configure apps in containers
• Application vs. storage containers
  – Friendshare
    • Application: scan directories, chunk files, change ACL
    • Storage: de-duplication
  – Git, Etherpad
    • Application: entire functionality
PPD Application Performance
• Minimal effect on Friendshare throughput
(chart: Friendshare throughput for small requests, 10 filenames, and big requests, 10KB images)
Current and Future Work
• Applications
  – Medical applications, business data analytics
• Client-side PPD on Android
  – Light-weight containers and channels on Nexus S
• Application-initiated sharing
  – Differential privacy
Related Approaches
• PPD vs. DIFC
  – PPD does not do fine-grained sharing
  – Constrained containers: simple, yet most benefits of fine-grained information flow tracking
  – Developer API: reduce run-time exceptions
• PPD vs. capabilities
  – Can be used to implement containers and channels
  – Re-write legacy applications
• PPD vs. Android security
  – Static, coarse-grained permissions
  – User does not own data
Summary
• PPD: new data-centric cloud platform
  – User-controlled sharing
  – Rich, mostly legacy applications
• PPD architecture
  – Untrusted application and storage components
• PPD prototype and evaluation
  – Small performance and porting cost