Trusted data path protecting shared data in virtualized distributed systems

While sharing data across distributed machines is critical for modern IT applications, it also raises issues of maintaining desired data privacy and protecting data from inappropriate disclosure. However, it is difficult to retain controls on the data that is being shared in environments where services can be composed and deployed dynamically across distributed providers. To protect sensitive information against potential risks of inappropriate disclosures, access rights of applications to data should depend not only on their functional characteristics, but also on their own behavior and that of the underlying systems. Stated more explicitly, applications that are suspected of faulty, erroneous, or malicious behaviors, or that run on systems that may be compromised, should not be able to gain access to protected data or be entrusted with the same data access rights as others. There exist many sophisticated prevention-based mechanisms to eliminate risks of inappropriate disclosures. However, there are cases where such risks are associated with the core functionality of the system. This thesis tries to provide a remedy for scenarios where such risks cannot be directly eliminated. The idea is to detect existing risks, then evaluate whether it is tolerable to share certain information under such risks. This thesis proposes a context flow model (CFC) that controls the information flow in a distributed system. Each service application along with its surrounding context in the distributed system is treated as a controllable principal. CFC defines an access control model that controls the information exchange between these principals. The access control model has three main parts. First, an online monitoring framework is used to evaluate the trustworthiness of the context of the service applications and the underlying systems. 
Second, a trust-based access control (TBAC) specification determines the permitted information exchanges considering the active contexts of the service applications. Third, an external communication interception runtime framework enforces the above specification transparently for the entire distributed system. When there are multiple principals participating in the same information flow, the same TBAC specification is applied uniformly on all principals. In this way, we provide the protection guarantee throughout the entire information flow path, thus efficiently converting the path into a trusted data path (TDP). The most important principle guiding the design and implementation of the CFC model is the integrity of the model itself. Since we do not trust the service applications and the underlying systems automatically, we place the risk evaluation and associated monitoring components of the CFC model into isolated domains, which are domains that are not subject to the same attacks or failures targeting applications and general purpose operating systems. We have implemented a prototype of trusted data paths leveraging virtualization technologies. The TDP software deploys online monitoring agents into privileged domains in platforms virtualized with the Xen hypervisor to assure the reliability of monitoring results. The TDP software also transparently intercepts communications between service applications, at the driver level in privileged domains. Using this technique, sensitive information that is not suitable for the current context can be automatically removed, without application involvement. The TDP approach offers system support for protecting data access in environments where systems and services are subject to failures, programming errors, and attacks. It presents a system-level solution for fine-grained protection on data sharing in distributed systems. 
It particularly targets systems (1) that lack the extensibility to include context factors via built-in security mechanisms, such as legacy software; (2) that are subject to attack or are suspected of faulty behaviors themselves; (3) that wish to delegate context-based controls to external partners; and (4) that want to enforce context-based control ubiquitously instead of only at the source or sink. Applications that can benefit from the CFC-TBAC model range from web applications like search and knowledge management or digital content services, to healthcare information systems, to file sharing systems using mail servers or online storage systems.
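The three-part model described above (context monitoring, a TBAC specification, and an interception point that applies the specification uniformly to every principal on the flow) can be illustrated with a small executable model. The code below is an added example written for this page; it is not the thesis's TDP prototype, and the monitoring signal names (`kernel_integrity_ok`, `process_list_consistent`, `network_anomaly`), the four sensitivity labels, the trust scale 0..3 and the sample healthcare record are all constructed assumptions. It shows the defining property of a trusted data path: a suspect intermediary lowers the trust of the whole path, so fields above the path's trust are removed at the interception point without any cooperation from the applications.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TBAC specification (constructed): minimum path trust level required to
# carry data of each sensitivity label. Levels run 0 (untrusted) .. 3 (trusted).
TBAC_SPEC: Dict[str, int] = {
    "public": 0,
    "internal": 1,
    "confidential": 2,
    "restricted": 3,
}


@dataclass(frozen=True)
class Principal:
    """A service application plus the context reported for its host."""
    name: str
    # Context observations a privileged-domain monitoring agent might report
    # (hypothetical signal names; they are not the thesis's own identifiers).
    context: Dict[str, bool]


def assess_context(context: Dict[str, bool]) -> int:
    """Map monitoring observations to a trust level in 0..3.

    A failed kernel-integrity check makes every other observation from that
    host untrustworthy, so it pins the level to 0; each further anomaly
    lowers the level by one.
    """
    if not context.get("kernel_integrity_ok", False):
        return 0
    level = 3
    if not context.get("process_list_consistent", False):
        level -= 1  # e.g. a process visible to the VMM but hidden inside the guest
    if context.get("network_anomaly", False):
        level -= 1
    return max(level, 0)


def path_trust(path: List[Principal]) -> int:
    """Trust of a data path is the trust of its least trusted principal.

    Applying the same TBAC specification to every hop means a weak
    intermediary constrains the whole flow, not just its own link.
    """
    return min(assess_context(p.context) for p in path)


def filter_message(message: Dict[str, Tuple[str, str]], level: int,
                   spec: Dict[str, int] = TBAC_SPEC) -> Tuple[Dict[str, str], List[str]]:
    """Drop fields whose sensitivity label requires more trust than `level`.

    `message` maps field name -> (sensitivity label, value). Returns the
    fields that may be delivered and the names of the fields removed.
    Unknown labels are treated as the most sensitive (fail closed).
    """
    top = max(spec.values())
    delivered: Dict[str, str] = {}
    removed: List[str] = []
    for name, (label, value) in message.items():
        if spec.get(label, top) <= level:
            delivered[name] = value
        else:
            removed.append(name)
    return delivered, removed


def deliver(message: Dict[str, Tuple[str, str]], path: List[Principal],
            spec: Dict[str, int] = TBAC_SPEC) -> Tuple[Dict[str, str], List[str]]:
    """Interception point: evaluate the path, then release only what its trust permits."""
    return filter_message(message, path_trust(path), spec)


# Constructed sample: a healthcare record crossing source -> proxy -> sink.
RECORD = {
    "hospital_name": ("public", "Example General"),
    "department": ("internal", "Cardiology"),
    "diagnosis": ("confidential", "arrhythmia"),
    "patient_id": ("restricted", "P-0001"),
}
HEALTHY = {"kernel_integrity_ok": True, "process_list_consistent": True, "network_anomaly": False}
SUSPECT_PROXY = {"kernel_integrity_ok": True, "process_list_consistent": False, "network_anomaly": True}

SOURCE = Principal("records-service", HEALTHY)
PROXY = Principal("transcoding-proxy", SUSPECT_PROXY)
SINK = Principal("clinic-portal", HEALTHY)

if __name__ == "__main__":
    kept, dropped = deliver(RECORD, [SOURCE, PROXY, SINK])
    print("path trust:", path_trust([SOURCE, PROXY, SINK]))
    print("delivered:", kept)
    print("removed:", dropped)
```

With the suspect proxy on the path the path trust falls to 1, so only the `public` and `internal` fields reach the sink; the same record sent directly from source to sink, both healthy, is delivered whole. The filtering decision depends only on the path's context, which is the point of enforcing the specification in an isolated domain rather than inside the applications.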
