Institute for Complex Engineered Systems
PASIS: Perpetually Available and Secure Information Systems
http://www.ices.cmu.edu/pasis/
Greg Ganger, Pradeep Khosla, Chenxi Wang,
Mehmet Bakkaloglu, Michael Bigrigg, Garth Goodson, Semih Oguz,
Vijay Pandurangan, John Strunk, Ken Tew, Ted Wong, Jay Wylie
Carnegie Mellon University
Newest personnel
PASIS Objective
Create information storage systems that are
• Perpetually Available
  – Information should always be available even when some system components are down or unavailable
• Perpetually Secure
  – Information integrity and confidentiality should always be enforced even when some system components are compromised
• Graceful in degradation
  – Information access functionality and performance should degrade gracefully as system components fail
Assumptions: some components will fail, some components will be compromised, some components will be inconsistent, BUT the surviving components allow the information storage system to survive
Survivable Storage Systems
• Surviving “server-side” intrusions
  – decentralization + data distribution schemes provide for availability and security of storage
• Tradeoff management
  – balances availability, security, and performance; maximize performance given the other two
• Surviving “client-side” intrusions
  – server-side data versioning and request auditing enable intrusion diagnosis and recovery
Step #1: Decentralized storage systems
[Architecture figure: client systems (Apps, IPC, PASIS Agent) connected over the network to multiple storage nodes, each with Storage and a Repair Agent]
Step #2: Data distribution schemes
• Scheme = Algorithm + <Parameters>
  – E.g., 3-fold replication = replication + <n = 3>
• 1000s of possible choices
  – Many different algorithms
    • Cryptographic
    • Threshold (n shares, any t to reconstruct)
    • Hybrids and combinations
  – Many reasonable parameters
PASIS Agent Architecture
[Figure: client applications talk to the local PASIS agent, which comprises Tradeoff Management (fed by system characteristics and user preferences), Encode & Decode, and Multi-read/write Communication to the PASIS storage nodes]
Features of PASIS Architecture
• Security
  – confidentiality: no single storage node can expose data
  – integrity: no single storage node can modify data
• Availability
  – any M-of-N storage nodes can collectively provide data
• Flexibility
  – range of options in the space of trade-offs among availability, security, and performance
Recent PASIS Demo: PASIS-enhanced NFS
• NFS agent running on client machine
  – PASIS I/O libraries linked into NFS agent
• Files are encoded and distributed across the four machines
  – 2-of-4 scheme with integrity checking, by default
  – no central authority or point of failure
• Implementation runs on Linux, using NFSv3 servers to store the shares
  – PASIS functionality is transparent to applications
Technology Transfer
• Transfer path via CMU Consortia (e.g., PDL)
  – 10-15 storage and networking companies
    • EMC, HP, IBM, Intel, Veritas, Sun, Seagate, Hitachi, Panasas, Network Appliance, Microsoft, Sony
  – 10-15 embedded system & infrastructure companies
    • Raytheon, Boeing, United Technologies, Hughes, Bosch, AT&T, Adtranz, Emerson Electric, Ford, HP, Intel, Motorola, NIIIP Consortium
• Joint Battlespace Infosphere (JBI)
  – working with AFRL researchers to understand how PASIS technologies might fit into JBI infrastructures
Major continuing threads
• Reasoning about trade-offs
  – towards engineering of survivable storage
• Device-embedded security functionality
  – surviving insiders & intrusions into client systems
• Self-repair over time
  – proactive and reactive; fully decentralized
Trade-off management challenges
• Reasoning about security and availability
  – specifically, need to translate settings into configuration rules and limitations
    • e.g., T > 0.7*N, (N-T) > 2, T shares cannot be on same OS
• Finding best performing configuration
  – within the limitations imposed by first step and given the expected workload and system components
  – configuration includes choices of data distribution scheme, values for T and N and P, degree of over-requesting, server selection algorithm, etc.
  – 2-step approach: predict performance of any possible configuration and then search for optimal choice
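An added example (not code from the PASIS project) of the first step as the slide describes it: the three example rules turned into a filter that leaves only the (N, T) pairs and share placements a performance search is allowed to consider. The node pool and its OS labels are constructed, and the OS rule is read here as "no single OS may host T or more shares", so that one OS-wide flaw cannot yield enough shares to reconstruct the data.

```python
from collections import Counter
from itertools import combinations

# Constructed node pool for this example: node name -> OS it runs.
# The skew (8 Linux hosts) is deliberate so that the OS rule actually bites.
NODES = {f"lin{i}": "linux" for i in range(1, 9)}
NODES.update({"bsd1": "freebsd", "bsd2": "freebsd",
              "sol1": "solaris", "sol2": "solaris"})


def threshold_rules_ok(n: int, t: int) -> bool:
    """The two numeric rules quoted on the slide: T > 0.7*N and (N - T) > 2."""
    return 0 < t <= n and t > 0.7 * n and (n - t) > 2


def os_rule_ok(placement: dict, t: int) -> bool:
    """'T shares cannot be on the same OS' (assumed reading): no one OS may
    host t or more of the shares. placement maps share-holding node -> OS."""
    return max(Counter(placement.values()).values()) < t


def candidate_thresholds(max_n: int) -> list:
    """All (N, T) pairs up to max_n that satisfy the numeric rules."""
    return [(n, t) for n in range(1, max_n + 1)
            for t in range(1, n + 1) if threshold_rules_ok(n, t)]


def feasible_placements(nodes: dict, n: int, t: int) -> list:
    """Choices of n share-holding nodes that also satisfy the OS rule."""
    out = []
    for chosen in combinations(sorted(nodes), n):
        if os_rule_ok({node: nodes[node] for node in chosen}, t):
            out.append(chosen)
    return out


def search_space(nodes: dict) -> dict:
    """Step-one output: every rule-compliant (N, T) with its feasible
    placements. Performance prediction (step two) would rank only these."""
    space = {}
    for n, t in candidate_thresholds(len(nodes)):
        places = feasible_placements(nodes, n, t)
        if places:
            space[(n, t)] = places
    return space


if __name__ == "__main__":
    for (n, t), places in search_space(NODES).items():
        print(f"N={n} T={t}: {len(places)} OS-compliant placements")
```

With this pool the numeric rules alone admit only N=11/T=8 and N=12/T=9, and the OS rule then rejects every 11-node placement that keeps all eight Linux hosts.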
Trade-off space: Scheme selection surface
[Figure: scheme selection surface over the performance, availability and security axes]
Quantifying the axes
• Performance (MB/s)
  – based on (relatively) simple performance model
  – computed with standard performance eval. techniques
• Availability (“nines”)
  – standard fault tolerance math and new correlation model
  – relative values are useful even if not independent
• Security (effort to defeat)
  – estimate effort involved with possible attack paths
  – overall effort is minimum of possible efforts
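An added example (not the slides' own model) of quantifying two of the axes for the demo's 2-of-4 scheme next to a 3-of-4 variant: read availability from the standard binomial fault-tolerance math, converted to "nines", and security as the minimum over a set of attack-path effort estimates. Node failures are assumed independent (the slide's correlation model is not reproduced), the per-node availability of 0.99 and the per-path effort figures are constructed inputs.

```python
from math import comb, log10


def read_availability(n: int, t: int, p: float) -> float:
    """Probability that at least t of n nodes are up, i.e. a t-of-n read
    succeeds. Binomial sum, assuming independent node failures."""
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(t, n + 1))


def nines(availability: float) -> float:
    """Express availability as 'nines' (0.999 -> 3.0)."""
    if availability >= 1.0:
        return float("inf")
    return -log10(1.0 - availability)


def security_effort(attack_paths: dict) -> tuple:
    """Overall effort to defeat is the minimum over the estimated paths;
    returns (weakest path name, its effort)."""
    path = min(attack_paths, key=attack_paths.get)
    return path, attack_paths[path]


# Constructed scheme descriptions with made-up effort units per attack path.
SCHEMES = {
    "2-of-4": {"n": 4, "t": 2, "attack_paths": {
        "compromise 2 storage nodes": 2.0, "steal client key": 5.0,
        "break cipher": 50.0}},
    "3-of-4": {"n": 4, "t": 3, "attack_paths": {
        "compromise 3 storage nodes": 3.0, "steal client key": 5.0,
        "break cipher": 50.0}},
}


def quantify(scheme: dict, p: float) -> dict:
    """Availability and security coordinates of one scheme in the trade-off space."""
    avail = read_availability(scheme["n"], scheme["t"], p)
    path, effort = security_effort(scheme["attack_paths"])
    return {"availability": avail, "nines": nines(avail),
            "weakest_path": path, "effort": effort}


if __name__ == "__main__":
    for name, scheme in SCHEMES.items():
        q = quantify(scheme, 0.99)
        print(f"{name}: {q['nines']:.2f} nines, effort {q['effort']} "
              f"via '{q['weakest_path']}'")
```

Raising the threshold from 2 to 3 moves the scheme along both axes at once: the weakest attack path gets dearer while read availability drops from about 5.4 nines to about 3.2, which is exactly the tension the selection surface is built to resolve.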
Generation of scheme selection surface
• Quantify performance, security, and availability of each algorithm+parameters
• Select best performing scheme for each region
[Figure: scheme selection surfaces with regions labelled Replication, Replication + Encryption, Information Dispersal, Secret Sharing, Short Secret Sharing, Ramp, Splitting]
Trade-off space: Scheme selection surface
[Figure: scheme selection surface over the performance, availability and security axes]
Selection surface sensitivity
• Scheme selections are largely insensitive to small perturbations of configuration parameters
• Scheme selection surface is different for truly different configurations
Extreme read workload
[Figure: scheme selection surfaces for a 50% read workload and a 99% read workload]
Self-Securing Storage Nodes
• Goal: survive authorized but malicious users
  – both client-side intruders and insider attacks
• How: assume all clients might be compromised
  – keep all versions of all data
  – audit all requests
  – watch storage requests and trigger alarms
• Benefits
  – storage-based intrusion detection
  – informed analysis of security compromises
  – faster, better recovery
Motivation
[Figure: Better Defensive Structure]
PASIS: Summary
• Decentralization + data distribution schemes provide for availability and security of storage
• Tradeoff management balances availability, security, and performance … and it is good engineering practice!
• Data versioning to survive malicious users enables intrusion diagnosis and recovery