Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jed Liu Xin Qi Michael D. George Lucas Waye K. Vikram Andrew C. Myers Department of Computer Science Cornell University 22 nd ACM SIGOPS Symposium on Operating.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Jed Liu Xin Qi Michael D. George Lucas Waye K. Vikram Andrew C. Myers Department of Computer Science Cornell University 22 nd ACM SIGOPS Symposium on Operating."— Presentation transcript:

1 Jed Liu Xin Qi Michael D. George Lucas Waye K. Vikram Andrew C. Myers Department of Computer Science Cornell University 22 nd ACM SIGOPS Symposium on Operating Systems Principles 14 October 2009

2 The Web is Not Enough The Web: decentralized information- sharing Limitations for integrating information –Medicine, finance, government, military, … –Need security and consistency Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Is there a principled way to build federated applications while guaranteeing security and consistency?

3 Fabric: A System and a Language Decentralized system for securely sharing information and computation All information looks like an ordinary program object Objects refer to each other with references –Any object can be referenced uniformly from anywhere –References can cross nodes and trust domains –All references look like ordinary object pointers Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Compiler and runtime enforce security and consistency despite distrust n.child.value++ node1 child: node2 value: 42 n

4 Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Fabric Enables Federated Sharing General Practitioner (GP) Psychiatrist HIPAA-compliant policy Different HIPAA-compliant policy

5 Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Fabric Enables Federated Sharing General Practitioner (GP) Psychiatrist

6 Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Fabric Enables Federated Sharing General Practitioner (GP) Psychiatrist HIPAA-compliant policy Different HIPAA-compliant policy

7 Example: Filling a Prescription Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Order medication Verify prescriptionGet current medications Pharmacist PsychiatristGeneral Practitioner Check for conflicts

8 Update inventory Example: Filling a Prescription Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Pharmacist Fill order Mark prescription as filled Psychiatrist Must be done by pharmacist Must be done by psychiatrist Security issues Pharmacist shouldn’t see entire record Psychiatrist doesn’t fully trust pharmacist with update –Need secure distributed computation Security issues Pharmacist shouldn’t see entire record Psychiatrist doesn’t fully trust pharmacist with update –Need secure distributed computation Consistency issues Need atomicity Doctors might be accessing medical record concurrently Consistency issues Need atomicity Doctors might be accessing medical record concurrently

9 Pharmacy Example in Fabric Order orderMed(PatRec psyRec, PatRec gpRec, Prescription p) { if (!psyRec.hasPrescription(p)) return Order. INVALID ; if (isDangerous(p, gpRec.getMeds())) return Order. DANGER ; } Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Get prescriptions Get current medications Check for conflicts

10 Pharmacy Example in Fabric Order orderMed(PatRec psyRec, PatRec gpRec, Prescription p) { atomic { if (!psyRec.hasPrescription(p)) return Order. INVALID ; if (isDangerous(p, gpRec.getMeds())) return Order. DANGER ; Worker psy = psyRec.getWorker(); psyRec.markFilled@psy(p); updateInventory(p); return Order.fill(p); } } Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Mark prescription as filled Update inventory Fill order

11 A High-Level Language Order orderMed(PatRec psyRec, PatRec gpRec, Prescription p) { atomic { if (!psyRec.hasPrescription(p)) return Order. INVALID ; if (isDangerous(p, gpRec.getMeds())) return Order. DANGER ; Worker psy = psyRec.getWorker(); psyRec.markFilled@psy(p); updateInventory(p); return Order.fill(p); } Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Java with: Remote calls Nested transactions (atomic blocks) Label annotations for security (elided) Java with: Remote calls Nested transactions (atomic blocks) Label annotations for security (elided)

12 Order orderMed(PatRec psyRec, PatRec gpRec, Prescription p) { atomic { if (!psyRec.hasPrescription(p)) return Order. INVALID ; if (isDangerous(p, gpRec.getMeds())) return Order. DANGER ; Worker psy = psyRec.getWorker(); psyRec.markFilled@psy(p); updateInventory(p); return Order.fill(p); } A High-Level Language Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage All objects accessed uniformly regardless of location Objects fetched as needed Remote calls are explicit All objects accessed uniformly regardless of location Objects fetched as needed Remote calls are explicit Run-time system requirement: Secure transparent data shipping Run-time system requirement: Secure transparent data shipping

13 Order orderMed(PatRec psyRec, PatRec gpRec, Prescription p) { atomic { if (!psyRec.hasPrescription(p)) return Order. INVALID ; if (isDangerous(p, gpRec.getMeds())) return Order. DANGER ; Worker psy = psyRec.getWorker(); psyRec.markFilled@psy(p); updateInventory(p); return Order.fill(p); } Remote Calls Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Remote call — pharmacist runs method at psychiatrist’s node Run-time system requirements: Secure transparent data shipping Secure remote calls Run-time system requirements: Secure transparent data shipping Secure remote calls

14 Order orderMed(PatRec psyRec, PatRec gpRec, Prescription p) { atomic { if (!psyRec.hasPrescription(p)) return Order. INVALID ; if (isDangerous(p, gpRec.getMeds())) return Order. DANGER ; Worker psy = psyRec.getWorker(); psyRec.markFilled@psy(p); updateInventory(p); return Order.fill(p); } Federated Transactions Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Remote call — pharmacist runs method at psychiatrist’s node Federated transaction — spans multiple nodes & trust domains Run-time system requirements: Secure transparent data shipping Secure remote calls Secure federated transactions Run-time system requirements: Secure transparent data shipping Secure remote calls Secure federated transactions

15 Fabric Security Model Decentralized system – anyone can join What security guarantees can we provide? Decentralized security principle: Need notion of “you” and “trust” in system and language –Principals and acts-for Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage You can’t be hurt by what you don’t trust

16 Principals and Trust in Fabric Principals represent users, nodes, groups, roles Trust delegated via acts-for –“Alice acts-for Bob” means “Bob trusts Alice” –Like “speaks-for” [LABW91] –Generates a principal hierarchy Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage A pharm acts for A doc acts for

17 Trust Management Fabric principals are objects Explicit trust delegation via method calls –Compiler and run-time ensure that caller has proper authority Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage // Adds “Alice acts-for Bob” to principal hierarchy bob.addDelegatesTo(alice) class Principal { boolean delegatesTo(principal p); void addDelegatesTo(principal p) where caller (this); … } Determines whether p acts for this principal Determines whether p acts for this principal Caller must have authority of this principal

18 Security Labels in Fabric Based on Jif programming language [M99] Decentralized label model [ML98] –Labels specify security policies to be enforced Compiler and run-time system ensure that policies are satisfied Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage class Prescription { Drug{Psy A pharm ; Psy Psy} drug; Dosage{Psy A pharm ; Psy Psy} dosage; … } Confidentialit y: Alice Bob Alice permits Bob to read Integrity:Alice Bob Alice permits Bob to write

19 Security Labels in Fabric Based on Jif programming language [M99] Decentralized label model [ML98] –Labels specify security policies to be enforced Compiler and run-time system ensure that policies are satisfied Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage class Prescription { Drug{Psy A pharm ; Psy Psy} drug; Dosage{Psy A pharm ; Psy Psy} dosage; … } Run-time system requirements: Secure transparent data shipping Secure remote calls Secure federated transactions Enforcement of security labels Run-time system requirements: Secure transparent data shipping Secure remote calls Secure federated transactions Enforcement of security labels Confidentialit y: Alice Bob Alice permits Bob to read Integrity:Alice Bob Alice permits Bob to write

20 Contributions Language combining: –Remote calls –Nested transactions –Security annotations System with: –Secure transparent data shipping –Secure remote calls –Secure federated transactions –Enforcement of security labels Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Challenge: How to provide all these in the same system?

21 Fabric Run-Time System Decentralized platform for secure, consistent sharing of information and computation –Nodes join freely –No central control over security Nodes are principals –Root of trust –Authentication: X.509 certificates bind hostnames to principal objects Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage

22 Fabric Architecture Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Worker nodes (Workers) Dissemination nodes Storage nodes (Stores) transaction remote call

23 Fabric Architecture Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Worker nodes (Workers) Dissemination nodes Storage nodes securely store persistent objects Each object specifies its own security policy, enforced by store transaction remote call

24 Fabric Architecture Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Worker nodes (Workers) Dissemination nodes cache signed, encrypted objects in peer-to-peer distribution network for high availability Storage nodes securely store persistent objects Each object specifies its own security policy, enforced by store disseminate transaction remote call

25 Fabric Architecture Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage transaction Worker nodes compute on cached objects Computation may be distributed across workers in federated transactions remote call write read disseminate Dissemination nodes cache signed, encrypted objects in peer-to-peer distribution network for high availability Storage nodes securely store persistent objects Each object specifies its own security policy, enforced by store

26 Illusion of access to arbitrarily large object graph –Workers cache objects –Objects fetched as pointers are followed out of cache Stores enforce security policies on objects –Worker can read (write) object only if it’s trusted to enforce confidentiality (integrity) Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Secure Transparent Data Shipping Worker node: y = x.f object cache x proxy Fabric object graph (distributed) x y

27 Illusion of access to arbitrarily large object graph –Workers cache objects –Objects fetched as pointers are followed out of cache Stores enforce security policies on objects –Worker can read (write) object only if it’s trusted to enforce confidentiality (integrity) Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Secure Transparent Data Shipping Worker node: y = x.f object cache x proxy Fabric object graph (distributed) x y Run-time system requirements: Secure transparent data shipping Secure remote calls Secure federated transactions Enforcement of security labels Run-time system requirements: Secure transparent data shipping Secure remote calls Secure federated transactions Enforcement of security labels

28 Secure Remote Calls Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Is callee trusted to see call? Call itself might reveal private information Method arguments might be private Is callee trusted to see call? Call itself might reveal private information Method arguments might be private Is caller trusted to make call? Caller might not have sufficient authority to make call Method arguments might have been tampered with by caller Is caller trusted to make call? Caller might not have sufficient authority to make call Method arguments might have been tampered with by caller Is callee trusted to execute call? Call result might have been tampered with by callee Is callee trusted to execute call? Call result might have been tampered with by callee Is caller trusted to see result? Call result might reveal private information Is caller trusted to see result? Call result might reveal private information Static checksDynamic checks Confidentiality Integrity Confidentiality calleecaller

29 Secure Federated Transactions Transactions can span multiple workers, cross trust domains –No single node trusted for entire log: distributed log structure Object updates propagated transparently and securely in multi-worker transactions Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Mark prescription as filled Pharmacist Psychiatrist Pharmacist not trusted to log update

30 Also in the Paper... Dissemination of encrypted object groups –Key management to support this Writer maps for secure propagation of updates Hierarchical two-phase commit for federated transactions Interactions of transaction abort and information flow control Automatic ‘push’ of updated objects to dissemination layer In-memory caching of object groups at store Caching acts-for relationships at workers Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage

31 Implementation Fabric prototype implemented in Java and Fabric –Total: 35 kLOC –Compiler translates Fabric into Java 15 k-line extension to Jif compiler Polyglot [NCM03] compiler extension –Dissemination layer: 1.5k-line extension to FreePastry Popularity-based replication (à la Beehive [RS04] ) –Store uses BDB as backing store Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage

32 Overheads in Fabric Extra overhead on object accesses at worker –Run-time label checking –Logging reads and writes –Cache management (introduces indirection) –Transaction commit Overhead at store for reads and commits Ported non-trivial web app to evaluate performance Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage

33 Used at Cornell since 2004 –Over 2000 students in over 40 courses Two prior implementations: –J2EE/EJB2.0 54k-line web app with hand-written SQL Oracle database –Hilda [YGG+07] High-level language for data-driven web apps Fabric implementation Cornell CMS Experiment Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage app server DB server app server (worker) CMS store

34 Performance Results Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage

35 Scalability Results Language integration: easy to replicate app servers Reasonable speed-up with strong consistency –Work offloaded from store onto workers Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage app server (worker) CMS store 3 workers 5 workers Course overview 2.18 x2.49 x Student info2.45 x2.94 x

36 Related Work CategoryExamplesWhat Fabric Adds Federated object store OceanStore/Pond Transactions Security policies Secure distributed storage systems Boxwood, CFS, Past Fine-grained security High-level programming Distributed object systems Gemstone, Mneme, ObjectStore, Sinfonia, Thor Security enforcement Multi-worker transactions with distrust Distributed computation/RPC Argus, Avalon, CORBA, Emerald, Live Objects, Network Objects Single-system view of persistent data Strong security enforcement Distributed information flow systems DStar, Jif/Split, Swift Transactions on persistent data Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage Fabric is the first to combine information-flow security, remote calls, and transactions in a decentralized system.

37 Summary Fabric is a platform for secure and consistent federated sharing Prototype implementation Contributions: –High-level language integrating information flow, transactions, distributed computation –Transparent data shipping and remote calls while enforcing secure information flow –New techniques for secure federated transactions: hierarchical commits, writer maps Jed Liu – Fabric: A Platform for Secure Distributed Computation and Storage

38 Jed Liu Xin Qi Michael D. George Lucas Waye K. Vikram Andrew C. Myers Department of Computer Science Cornell University 22 nd ACM SIGOPS Symposium on Operating Systems Principles 14 October 2009

Download ppt "Jed Liu Xin Qi Michael D. George Lucas Waye K. Vikram Andrew C. Myers Department of Computer Science Cornell University 22 nd ACM SIGOPS Symposium on Operating."

Similar presentations

Chapter 10: Designing Databases

Chapter 10: Designing Databases
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Decentralized User Authentication in a Global File System Max Meisterhans - Seminar in Distributed Computing WS 05/06.

Decentralized User Authentication in a Global File System Max Meisterhans - Seminar in Distributed Computing WS 05/06.
C6 Databases.

C6 Databases.
Using Multi-Encryption to Provide Secure and Controlled Access to XML Documents Tomasz Müldner, Jodrey School of Computer Science, Acadia University, Wolfville,

Using Multi-Encryption to Provide Secure and Controlled Access to XML Documents Tomasz Müldner, Jodrey School of Computer Science, Acadia University, Wolfville,
The State of the Art in Distributed Query Processing by Donald Kossmann Presented by Chris Gianfrancesco.

The State of the Art in Distributed Query Processing by Donald Kossmann Presented by Chris Gianfrancesco.
CS-550: Distributed File Systems [SiS]1 Resource Management in Distributed Systems: Distributed File Systems.

CS-550: Distributed File Systems [SiS]1 Resource Management in Distributed Systems: Distributed File Systems.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.
Approaches to EJB Replication. Overview J2EE architecture –EJB, components, services Replication –Clustering, container, application Conclusions –Advantages.

Approaches to EJB Replication. Overview J2EE architecture –EJB, components, services Replication –Clustering, container, application Conclusions –Advantages.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Other File Systems: AFS, Napster. 2 Recap NFS: –Server exposes one or more directories Client accesses them by mounting the directories –Stateless server.

Other File Systems: AFS, Napster. 2 Recap NFS: –Server exposes one or more directories Client accesses them by mounting the directories –Stateless server.
Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.

Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.
Overview Distributed vs. decentralized Why distributed databases

Overview Distributed vs. decentralized Why distributed databases
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.

Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.
PAWN: A Novel Ingestion Workflow Technology for Digital Preservation Mike Smorul, Joseph JaJa, Yang Wang, and Fritz McCall.

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation Mike Smorul, Joseph JaJa, Yang Wang, and Fritz McCall.
.NET Mobile Application Development Introduction to Mobile and Distributed Applications.

.NET Mobile Application Development Introduction to Mobile and Distributed Applications.
A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.

A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.
● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

Similar presentations

Ads by Google