1 FileWall: Implementing File Access Policies Using Dynamic Access Context
Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode
DiscoLab, Department of Computer Science, Rutgers University
Workshop on Spontaneous Networking, May 12, 2006

2-3 File System Management
  - Organization: too many files, directories, servers, ...
  - Protection: left to the discretion of the owner
  - Dynamism: cannot be incorporated without a file system extension
  Administrator has little control over file access policies

4-5 Observations
  - File names are powerful: they can be used to implement access policies
  - All file system accesses are performed through messages
    - Message transformations can be used to enforce policies
    - File system state can be constructed from the information contained in messages
  Access policies can be implemented by interposition and message transformation

6 FireWall
  - Interposes on the client-server path
  - Stores network flow history
  - Evaluates each message against the firewall policies
  - Passes through, drops, or transforms network packets

7-8 FileWall
  - Interposes on the client-server path
  - Stores file access history
  - Evaluates each message against FileWall policies
  - Transforms file system messages
  FileWall constructs virtual namespaces from file system namespaces and access policies through message transformation

9 Applications of the FileWall Model
  - Access control
  - Quality of Service (QoS)
  - File system organization
  - Intrusion detection
  - Information Lifecycle Management (ILM)
  - Data transformations
  - ...

10 Outline
  - Motivation
  - Design
    - Access Context
    - FileWall Policies
  - Implementation
  - Evaluation
  - Related Work
  - Conclusions

11 Access Context
  - Access history
    - Access statistics
    - Sequence of accesses
    - Describes user behavior
  - Environment
    - Time, available disk space, CPU load, etc.

12 Maintaining Access Context
  - Requirements
    - Compact representation
    - Contains semantic information that describes user behavior
    - Easy to understand and specify
    - Soft state

13 Access Tree
  - Node = file "run"
    - A group of accesses performed by the same application
    - Open to close, or approximated by clustering accesses
  - Attributes
    - File name
    - Type of run (READ, WRITE, etc.)
    - Operation count
  - Edge
    - The child run started after and ended before its parent
  - Depth-first traversal defines the sequence of runs in an access tree

14-18 Access Tree Example (figure)
  Runs are added to the tree in order: Read 1; Create/Delete 2; Read/Write 3; Write 1, all descending from Root.
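As an added illustration (this is not code from the FileWall paper or its Click policy modules), the Python sketch below builds an access tree from a set of runs using the edge rule on slide 13 (a child started after and ended before its parent), walks it depth-first to recover the run sequence, and expires old subtrees so the context stays soft state. The Run fields, the sample runs and their timestamps are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple


@dataclass
class Run:
    """One node of the access tree: a group of operations on one file.

    A run approximates an open-to-close session by one application; kind
    names the operation mix (READ, WRITE, CREATE/DELETE, ...) and ops counts
    the operations clustered into it. Field names are assumptions.
    """
    name: str
    kind: str
    start: float
    end: float
    ops: int = 1
    children: List["Run"] = field(default_factory=list)

    def contains(self, other: "Run") -> bool:
        # Edge rule from slide 13: the child started after and ended before
        # its parent (inclusive bounds so equal timestamps still nest).
        return self.start <= other.start and other.end <= self.end


def build_access_tree(runs: List[Run]) -> Run:
    """Nest each run under the innermost run whose interval contains it."""
    root = Run("<root>", "ROOT", float("-inf"), float("inf"), ops=0)
    stack = [root]
    # Enclosing runs must be seen first: earlier start, and for an equal
    # start the longer run first.
    for run in sorted(runs, key=lambda r: (r.start, -r.end)):
        while not stack[-1].contains(run):
            stack.pop()
        stack[-1].children.append(run)
        stack.append(run)
    return root


def dfs(node: Run) -> Iterator[Run]:
    """Depth-first traversal; the slide defines this as the run sequence."""
    for child in node.children:
        yield child
        yield from dfs(child)


def run_sequence(root: Run) -> List[Tuple[str, int]]:
    """(kind, ops) pairs in traversal order, e.g. ('READ', 1), ('CREATE/DELETE', 2)."""
    return [(r.kind, r.ops) for r in dfs(root)]


def expire(node: Run, cutoff: float) -> None:
    """Soft state: forget every subtree whose run ended before cutoff."""
    node.children = [c for c in node.children if c.end >= cutoff]
    for child in node.children:
        expire(child, cutoff)


# Constructed sample: a build reads a source file and, while it is open,
# creates/deletes a temp file and read/writes an object file; a separate
# write of the log follows. Times are arbitrary seconds.
SAMPLE_RUNS = [
    Run("main.c", "READ", 0, 90, ops=1),
    Run("tmp.o", "CREATE/DELETE", 10, 40, ops=2),
    Run("main.o", "READ/WRITE", 50, 80, ops=3),
    Run("build.log", "WRITE", 95, 99, ops=1),
]

if __name__ == "__main__":
    tree = build_access_tree(SAMPLE_RUNS)
    for run in dfs(tree):
        print(run.kind, run.ops, run.name)
```

The traversal of the sample yields the same shape as the slide's figure: a READ run at the top with the CREATE/DELETE and READ/WRITE runs nested beneath it, then the trailing WRITE. Expiring at a cutoff between the nested runs and the enclosing read drops only the finished children, which is the compact, forgetful representation slide 12 asks for.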


20 FileWall Policies
  - Transform messages (requests and replies)
    - Sequence of rules: INPUT and OUTPUT
  - Use:
    - Access context
    - File attributes contained in messages

21 FileWall Policy Example
  - Policy: "Show files accessed today"
  - For each client-visible file: Access Time = TODAY
  - Transform directory listing messages: READDIR and READDIRPLUS

22-30 FileWall Policy Example (figure)
  FileWall sits between client and server holding the access context and the policies. The client's READDIR request M enters FileWall, is evaluated against the policies, and leaves for the server as READDIRPLUS; the server's READDIRPLUS reply is transformed back into a READDIR reply before it reaches the client.

31 Policy Descriptors
  INPUT rule:

      int fwin(rpc_msg request)
      {
          if (request.proc == READDIR) {
              request.proc = READDIRPLUS;
          }
          return FORWARD;
      }

  OUTPUT rule:

      int fwout(rpc_msg reply)
      {
          if (reply.proc == READDIRPLUS) {
              FOREACH (entp in reply) {
                  if (entp.atime == TODAY)
                      copy_entry(res_entp, entp);
              }
              reply.entries = res_entp;
              reply.proc = READDIR;
          }
          return FORWARD;
      }

  Policies are specified as C programs and compiled as loadable shared modules.
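The same "show files accessed today" policy as an added Python example (not FileWall's C policy module), written as an INPUT/OUTPUT rule pair over a constructed RpcMsg stand-in. The INPUT rule upgrades READDIR to READDIRPLUS because in NFSv3 only READDIRPLUS replies carry per-entry attributes such as atime; the OUTPUT rule filters on those attributes and downgrades the reply so the client gets the procedure it asked for. It differs from the slide's sketch in two ways a practitioner would want: it records which xids it upgraded, so a READDIRPLUS that a client sent on its own is neither filtered nor relabelled, and "today" is compared as a calendar date rather than a raw timestamp. The message fields, the fixed clock and the directory entries are assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FORWARD, DROP = "FORWARD", "DROP"
READDIR, READDIRPLUS = "READDIR", "READDIRPLUS"


@dataclass
class RpcMsg:
    """Minimal stand-in for an NFS RPC message as the policy sees it (assumed shape)."""
    xid: int
    proc: str
    # Reply only. READDIRPLUS replies carry attributes (including atime);
    # plain READDIR replies carry only names and cookies.
    entries: List[Dict] = field(default_factory=list)


class ShowTodayPolicy:
    """INPUT rule upgrades READDIR to READDIRPLUS; OUTPUT rule keeps only
    entries whose atime falls on today's date and downgrades the reply."""

    def __init__(self, now: Optional[float] = None):
        # Fixed clock so the example is deterministic; a deployed rule would
        # read the clock at evaluation time.
        self.now = time.time() if now is None else now
        # xids we upgraded: the client still expects a READDIR reply for them.
        self.upgraded = set()

    def is_today(self, ts: float) -> bool:
        return time.gmtime(ts)[:3] == time.gmtime(self.now)[:3]

    def fwin(self, request: RpcMsg) -> str:
        if request.proc == READDIR:
            request.proc = READDIRPLUS
            self.upgraded.add(request.xid)
        return FORWARD

    def fwout(self, reply: RpcMsg) -> str:
        # Only touch replies to requests we rewrote: a client that sent
        # READDIRPLUS itself must get the full, unfiltered reply back.
        if reply.proc == READDIRPLUS and reply.xid in self.upgraded:
            reply.entries = [e for e in reply.entries if self.is_today(e["atime"])]
            reply.proc = READDIR
            self.upgraded.discard(reply.xid)
        return FORWARD


NOW = 1_700_000_000          # 2023-11-14 22:13:20 UTC, chosen for determinism
DAY = 86_400
# Constructed directory entries: two touched today, one three days ago.
SAMPLE_ENTRIES = [
    {"name": "notes.txt", "atime": NOW - 3_600},
    {"name": "old.tar", "atime": NOW - 3 * DAY},
    {"name": "todo.md", "atime": NOW - 60},
]


def visible_listing(policy: ShowTodayPolicy, xid: int, entries: List[Dict]) -> Tuple[str, List[str]]:
    """Drive one request/reply pair through the policy; return what the client sees."""
    request = RpcMsg(xid, READDIR)
    policy.fwin(request)
    # The server answers the (possibly rewritten) procedure; the attribute
    # data is a constructed stand-in for a real READDIRPLUS reply.
    reply = RpcMsg(xid, request.proc, [dict(e) for e in entries])
    policy.fwout(reply)
    return reply.proc, [e["name"] for e in reply.entries]


if __name__ == "__main__":
    print(visible_listing(ShowTodayPolicy(now=NOW), 1, SAMPLE_ENTRIES))
```

Keying the rewrite state on the RPC xid is the minimum bookkeeping an interposer needs to pair a transformed reply with the request that caused it; without it, the OUTPUT rule above would relabel every READDIRPLUS reply on the wire, including ones the client is waiting for under that name.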


33-34 Implementation
  - FileWall
    - Click Modular Router
    - NFS over UDP
  - FileWall Client
    - SFS toolkit
    - Session establishment
    - Bootstrapping: identify the list of available file systems


36 Interposition Overhead: Emacs Compilation (figure)

37 Case Study: Flash Crowd Mitigation
  - General-purpose server
    - Email, user homes, web server
    - Files mounted over NFS
  - Web servers are prone to flash crowds
  - Current policies
    - Rate-limit the number of requests
    - Disable the web server

38 Mitigating Flash Crowds with FileWall
  - Access context
    - Rate of sequential file reads, directory listings, etc.
  - Policy
    - Hide files whose access rate exceeds a threshold
    - Show the files again when the rate falls below the threshold
  - Only the source of the flash crowd disappears from the namespace
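An added Python example (not from the paper) of the flash-crowd policy on slide 38: a sliding-window read rate per file is kept as soft state, a hide threshold sits above a lower show threshold so a file does not flap at the boundary, and the policy is applied to READDIR replies (the file vanishes from listings) and to LOOKUP requests (the name cannot be resolved). The message shapes, the thresholds, the explicit now argument and the choice to drop lookups of hidden names are assumptions; the slides do not say how FileWall answers such lookups.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List

FORWARD, DROP = "FORWARD", "DROP"


@dataclass
class Request:
    proc: str            # READ, LOOKUP, READDIR, ... (assumed shape)
    name: str = ""       # file the request refers to, if any


@dataclass
class Reply:
    proc: str
    entries: List[Dict] = field(default_factory=list)


class FlashCrowdPolicy:
    """Hide a file while its READ rate exceeds hide_above requests per
    window; show it again once the rate drops below show_below."""

    def __init__(self, window: float = 1.0, hide_above: float = 10.0, show_below: float = 2.0):
        assert show_below < hide_above, "hysteresis needs show_below < hide_above"
        self.window = window
        self.hide_above = hide_above
        self.show_below = show_below
        # Access context as soft state: per-file READ timestamps inside the window.
        self.reads: Dict[str, Deque[float]] = defaultdict(deque)
        self.hidden = set()

    def rate(self, name: str, now: float) -> float:
        q = self.reads[name]
        while q and now - q[0] > self.window:
            q.popleft()          # forget reads that fell out of the window
        return len(q) / self.window

    def reevaluate(self, name: str, now: float) -> bool:
        """Update hidden/visible state for name; return True if it is hidden."""
        r = self.rate(name, now)
        if name not in self.hidden and r > self.hide_above:
            self.hidden.add(name)
        elif name in self.hidden and r < self.show_below:
            self.hidden.discard(name)
        return name in self.hidden

    def fwin(self, request: Request, now: float) -> str:
        if request.proc == "READ":
            self.reads[request.name].append(now)
        if request.name and self.reevaluate(request.name, now) and request.proc == "LOOKUP":
            # Assumption for this example: a lookup of a hidden name is dropped,
            # so a client that does not already hold the handle cannot reach it.
            return DROP
        return FORWARD

    def fwout(self, reply: Reply, now: float) -> str:
        if reply.proc == "READDIR":
            reply.entries = [e for e in reply.entries if not self.reevaluate(e["name"], now)]
        return FORWARD


def directory_view(policy: FlashCrowdPolicy, names: List[str], now: float) -> List[str]:
    """Constructed READDIR reply for names, after the policy has filtered it."""
    listing = Reply("READDIR", [{"name": n} for n in names])
    policy.fwout(listing, now)
    return [e["name"] for e in listing.entries]


if __name__ == "__main__":
    policy = FlashCrowdPolicy(window=1.0, hide_above=10, show_below=2)
    for i in range(15):                      # constructed burst: 15 reads in 0.15 s
        policy.fwin(Request("READ", "hot.html"), now=100.0 + i * 0.01)
    print(directory_view(policy, ["hot.html", "cold.html", "index.html"], now=100.2))
    print(directory_view(policy, ["hot.html", "cold.html", "index.html"], now=200.0))
```

Two points worth noting when deploying something like this. The explicit now argument keeps the example deterministic; an interposer would take the arrival time of the message. And hiding a name only affects clients that have to resolve it: an NFS client that already holds a file handle can keep issuing READs against it, so the read-rate context is still updated for hidden files and a hidden file only reappears once those reads also subside.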

39 Results (figure)

40 Related Work
  - Infokernel [Arpaci-Dusseau '03], firewall/NAT
  - Access context
    - Desktop search [Soules '03]
    - File system prefetching [Amer '02, Lei '97]
    - Enforcing enterprise-wide policies [He '05]
  - Semantic file systems [Sheldon '91, Pike '93, Neuman '92, Rao '93]
  - Extensible file systems [Zadok '00, Tewari '05]

41-43 Future Work
  - User study
    - Real deployment
    - Behavior models
  - Policy language
    - Constraints
    - Debugging and logging
  - Data transformations
    - Censorship
    - Protocol translations: NFS -> CIFS, recipe-based file system (CASPER), IP -> RDMA
    - Video encoding
    - Content adaptation

44-45 Conclusions
  - Per-file access policies can be enforced using virtual namespaces
    - No client or server modification required
    - Soft state maintenance required
  - Gives administrators the ability to define a wide variety of access policies
    - Protect file systems
    - Provide quality of service

46 Thank You. Questions?

47 Evaluation
  - Dell PowerEdge 2600 systems
    - Dual 2.4 GHz Intel Xeon processors
    - 1 GB RAM
    - 36 GB 15,000 RPM SCSI disk
  - Linux
  - Gigabit Ethernet switch

48 QoS Policy (figure)

49 Policy Enforcement Requirements
  - Expressive
  - Deployable
  - Scalable
  - Available
