Secure Storage - PowerPoint PPT Presentation

About This Presentation

Title: Secure Storage

Description: Covert channel is the means by which higher security process transfers ... Consistency (temporary control loaned to clients via a lease mechanism) ... – PowerPoint PPT presentation

Number of Views: 44
Avg rating: 3.0/5.0
Slides: 27
Provided by: lakshmisr
Tags: loaned | secure | storage


Transcript and Presenter's Notes

Title: Secure Storage


1
Secure Storage
2
Secure Storage
  • Real-time database storage
  • Partial security policies
  • Self-securing storage
  • FARSITE

3
Real-time Database Storage
  • Real-time system depends on
    • Logical correctness of actions
    • Timeliness of actions
  • Examples of real-time databases
    • Stock market
    • Automated factories
  • Poor response time in either of the above two
    examples would result in loss

4
Real-time Database Storage
  • Covert channel is the means by which a higher-
    security process transfers information to a lower-
    security process
  • Critical transactions must complete by the
    deadlines
  • Security violations are controlled

5
Real-time Database Storage
  • Percentages are used for defining partial
    security
  • Known access pattern
  • Acceptable risk level could vary from 0 (low) to
    4 (high)
  • Rules can be either static or dynamic
  • Static rules apply to conflicts that are resolved
    in the same way

6
Real-time Database Storage
  • Dynamic rules can be based on
    • Security violation percentage
    • Deadline miss percentage
    • Number of consecutive missed deadlines
  • Examples of rules
    • If (security_violation_ > 5) violate_timeliness
    • If (missed_transact_ > 10) violate_security

7
Real-time Database Storage
  • Maintains a specification tool which is stored in
    internal data structures
  • Two transactions conflict if
    • They access the same data item
    • At least one of them writes to the data item
    • One transaction has a higher security and
      priority level than the other
    • Execution times of the transactions intersect

8
Partial Security Policies
  • Specify security levels (0 for low and 4 for
    high)
  • Number of security levels can be arbitrary
  • Split security
    • Permit covert channels between the two highest
      levels
    • Do not permit covert channels from the two
      highest levels to the three lowest levels
  • Another partial security policy
    • Keep the highest level completely secure
    • Permit a controlled number of violations among
      the lower levels

9
Partial Security Policies
  • Policy allows information flow through covert
    channels for improving real-time performance
  • Policy does not compromise the security of the
    entire database
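
As an added illustration (not code from the slides), the following Python sketch puts the conflict definition of slide 7 and the two partial security policies of slide 8 together with the dynamic rule of slide 6. The level range 0 to 4, the 5% threshold and the decision names violate_timeliness / violate_security follow the slides; the Transaction fields, how pairs of levels the split policy does not mention are treated, and the idea that a conflict is resolved either by delaying the lower-level transaction (costing timeliness) or by running both (opening a covert channel) are assumptions.

```python
from dataclasses import dataclass, field

# Security levels run from 0 (low) to 4 (high), as on the slides.
TOP_LEVELS = {3, 4}       # the two highest levels
LOW_LEVELS = {0, 1, 2}    # the three lowest levels


@dataclass
class Transaction:
    tid: str
    data_item: str
    is_write: bool
    security_level: int   # 0 (low) .. 4 (high)
    priority: int         # larger value = higher scheduling priority
    start: float          # execution interval [start, end)
    end: float


def conflicts(a, b):
    """All four conditions of the slide's conflict definition must hold."""
    same_item = a.data_item == b.data_item
    one_writes = a.is_write or b.is_write
    # one transaction dominates the other in both security level and priority
    dominance = ((a.security_level > b.security_level and a.priority > b.priority) or
                 (b.security_level > a.security_level and b.priority > a.priority))
    overlap = a.start < b.end and b.start < a.end
    return same_item and one_writes and dominance and overlap


def split_policy_allows(high_level, low_level):
    """Static split-security policy: a covert channel between the two highest
    levels is tolerated; one from the two highest levels to the three lowest
    is not.  Pairs the slides do not mention are refused (assumption)."""
    return high_level in TOP_LEVELS and low_level in TOP_LEVELS


@dataclass
class DynamicResolver:
    """Second policy with the dynamic rule: level 4 is always kept secure;
    among lower levels a covert channel is tolerated until the running
    security-violation percentage exceeds threshold_pct, after which the
    conflict is resolved against timeliness instead."""
    threshold_pct: float = 5.0
    resolved: int = 0
    security_violations: int = 0
    log: list = field(default_factory=list)

    def violation_pct(self):
        return 100.0 * self.security_violations / self.resolved if self.resolved else 0.0

    def resolve(self, a, b):
        if not conflicts(a, b):
            return "no_conflict"
        high, low = (a, b) if a.security_level > b.security_level else (b, a)
        if high.security_level == 4 or self.violation_pct() > self.threshold_pct:
            # delay the lower-level transaction: nothing leaks downward,
            # but it may miss its deadline
            decision = "violate_timeliness"
        else:
            # run both on time: the higher-level transaction's timing is
            # observable by the lower-level one, i.e. a covert channel
            decision = "violate_security"
            self.security_violations += 1
        self.resolved += 1
        self.log.append((high.tid, low.tid, decision))
        return decision


def demo():
    # constructed stock-market style transactions (not from the slides)
    t1 = Transaction("T1", "price:ACME", True, 3, 9, 0.0, 5.0)
    t2 = Transaction("T2", "price:ACME", False, 1, 4, 2.0, 6.0)
    t3 = Transaction("T3", "price:ACME", False, 1, 4, 7.0, 9.0)   # no overlap with T1
    r = DynamicResolver(threshold_pct=5.0)
    return {
        "t1_t2_conflict": conflicts(t1, t2),
        "t1_t3_conflict": conflicts(t1, t3),
        "split_3_to_1": split_policy_allows(3, 1),
        "split_4_to_3": split_policy_allows(4, 3),
        "first": r.resolve(t1, t2),      # 0% violations so far: leak tolerated
        "second": r.resolve(t1, t2),     # now 100% > 5%: delay instead
        "violation_pct": r.violation_pct(),
    }


if __name__ == "__main__":
    print(demo())
```

The resolver counts every resolved conflict, so the 5% threshold acts as a budget: once a covert channel has been tolerated, later conflicts are charged to timeliness until enough of them have been resolved securely to bring the percentage back under the line.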

10
Self-Securing Storage
  • Primary benefit is in intrusion detection
  • Intrusion detection succeeds because intrusions
    modify stored data
  • Self-securing storage provides an alternate
    storage model that is beyond the reach of the
    intruder
  • Intruder
    • Compromises secrets
    • Creates backdoor entry path
    • Places Trojan horses
    • Taints stored data

11
Self-Securing Storage
  • Data restoration
    • Requires significant amount of time
    • Reduces availability of the original system
    • Misalignment of data between backup and intruder
      modified data
  • Data storage is usually under OS control
  • Self-securing storage is not under OS control

12
Self-Securing Storage
  • SSS views both the OS and users as questionable
    entities
  • SSS
    • Self-contained
    • Self-controlled
    • Internally versions all data
    • Audits all requests for data storage or retrieval
    • Ensures information survival
    • Establishes a secure perimeter around the storage
      device

13
Self-Securing Storage
  • SSS
    • Operates as an independent device
    • Stores and protects data
    • Assists in intrusion recovery
    • Simplifies intrusion detection
  • SSS security perimeter consists of
    • Self-contained software that exports only a
      simple storage interface to the outside
    • Verification of each command's integrity before
      processing

14
Self-Securing Storage
  • SSS is a single function device, unlike an OS
  • Old versions of objects that SSS keeps form the
    history pool
  • Every time an object is modified the prior
    version becomes part of the history pool
  • SSS guarantees a minimum storage time for objects
    in history pool before they are reclaimed

15
Self-Securing Storage
  • Deliberate attempts to overflow the history pool
    cannot be prevented
  • History pool contains all information about the
    system's recent activity
  • SSS supports secure administrative access to data
  • Secure administrative access can be granted by
    • Physical access
    • Cryptographic keys

16
Self-Securing Storage
  • SSS variation is to write snapshots instead of
    versioning
  • Snapshots do not provide the same level of data
    integrity as versioning
  • SSS ensures
    • Data survival
    • Audit log survival
  • SSS is cost effective given low storage costs
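
An added Python model of the history pool described on slides 14 to 16, written for this page rather than taken from any self-securing storage implementation: every overwrite retires the previous version into the pool, a retired version is reclaimed only after a guaranteed minimum hold time, and every request is appended to an audit log that an administrator can later read. The capacity, the hold time, the decision to refuse a write when the pool is full of versions still under guarantee, and the /etc/passwd object name and contents are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Version:
    data: bytes
    written_at: float
    retired_at: Optional[float] = None   # None while this version is live


class SelfSecuringStore:
    """Every overwrite retires the prior version into the history pool; a
    retired version is reclaimed only after it has been held for at least
    min_hold time units, and only when the pool is full.  Every request is
    appended to the audit log.  Numbers and policy details are assumed."""

    def __init__(self, min_hold: float, capacity: int):
        self.min_hold = min_hold
        self.capacity = capacity
        self.live: Dict[str, Version] = {}
        self.history: List[Tuple[str, Version]] = []      # oldest retired first
        self.audit: List[Tuple[float, str, str]] = []     # (time, request, key)

    def _reclaim(self, now: float) -> None:
        # Free space only by evicting versions whose minimum hold time has passed.
        while self.history and len(self.history) >= self.capacity:
            _, oldest = self.history[0]
            if now - oldest.retired_at < self.min_hold:
                break      # guarantee: nothing younger than min_hold is reclaimed
            self.history.pop(0)

    def write(self, now: float, key: str, data: bytes) -> bool:
        if key in self.live:
            self._reclaim(now)
            if len(self.history) >= self.capacity:
                # pool is full of versions still under guarantee: refuse rather
                # than silently drop history (assumed policy)
                self.audit.append((now, "write-refused", key))
                return False
            prior = self.live[key]
            prior.retired_at = now
            self.history.append((key, prior))
        self.live[key] = Version(data, now)
        self.audit.append((now, "write", key))
        return True

    def read(self, now: float, key: str) -> Optional[bytes]:
        self.audit.append((now, "read", key))
        v = self.live.get(key)
        return v.data if v else None

    def version_at(self, now: float, key: str, t: float) -> Optional[bytes]:
        """Administrative recovery: the content of key as it was at time t."""
        self.audit.append((now, "recover", key))
        for k, v in self.history:
            if k == key and v.written_at <= t < v.retired_at:
                return v.data
        v = self.live.get(key)
        return v.data if v and v.written_at <= t else None


def demo():
    s = SelfSecuringStore(min_hold=100.0, capacity=2)
    key = "/etc/passwd"                                   # constructed object name
    ok1 = s.write(0.0, key, b"root:x:0:0")                # legitimate content
    ok2 = s.write(10.0, key, b"root:x:0:0\nevil:x:0:0")   # constructed intruder taint
    ok3 = s.write(20.0, key, b"root:x:0:0\nevil:x:0:0\n") # pool now holds 2 versions
    ok4 = s.write(30.0, key, b"")                         # oldest held only 20 units: refused
    before = s.version_at(40.0, key, 5.0)                 # recover pre-intrusion content
    ok5 = s.write(200.0, key, b"root:x:0:0")              # oldest held 190 units: reclaimed
    after = s.version_at(300.0, key, 5.0)                 # beyond the guarantee window
    return {
        "accepted": (ok1, ok2, ok3, ok4, ok5),
        "recovered_before_reclaim": before,
        "recovered_after_reclaim": after,
        "history_len": len(s.history),
        "audit": [kind for _, kind, _ in s.audit],
    }


if __name__ == "__main__":
    print(demo())
```

The demo shows both sides of the guarantee: while the pre-intrusion version is within its hold time it can be recovered even though the intruder has overwritten the object twice, and a flood of writes cannot push it out early; once the hold time has elapsed the version may be reclaimed, which is why the slides stress that the guarantee is a minimum retention window rather than permanent storage.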

17
FARSITE
  • Stands for Federated, Available, and Reliable
    Storage for an Incompletely Trusted Environment
  • FARSITE is
    • Secure
    • Scalable file system
    • Logically centralized file server
    • Physically distributed file server
  • Developed in 2002 at Carnegie-Mellon University,
    with a federal grant

18
FARSITE
  • Primary goal is to harness the collective resources
    of
    • Loosely coupled networks
    • Insecure communication channels
    • Untrusted computers
    for creating a
    • Logically centralized
    • Secure
    • Reliable file-storage device

19
FARSITE
  • No central administration required
  • Securing any distributed system is a matter of
    managing trust
  • FARSITE manages trust using public-key
    cryptographic certificates
  • FARSITE certification model is intentionally
    distributed
    • Allows for separation of responsibilities between
      users and computers
    • Example: HR authorizes users and IT manages
      computers

20
FARSITE
  • Every computer that is part of the system has
    three roles
    • Client (interacts with user)
    • Directory group (collection of computers that
      collectively manage file information using a
      Byzantine-fault-tolerant protocol)
    • File host (every group member stores a copy of
      file information)

21
FARSITE
  • What is a Byzantine-fault-tolerant protocol?
    • Dates back to the 12th century country of
      Byzantium
    • Several armies surrounded Byzantium with the goal
      of capturing it
    • All armies worked together to achieve their goal
    • Each army did not fully trust the other armies
    • Each army exchanged secret messages with the other
      armies to find the appropriate time to attack

22
FARSITE
  • What is a Byzantine-fault-tolerant protocol?
    • When two-thirds of the armies arrived at the same
      conclusion about the attack time, they planned
      the attack
  • Widely used in today's network systems
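
As an added example, not part of FARSITE's own code, the following Python shows the two-thirds rule in the form Byzantine-fault-tolerant protocols use it for the directory group of slide 20: a group of n = 3f + 1 members tolerates f faulty ones and accepts a value only when 2f + 1 members agree, and a client then checks the copy it fetches from a file host against the content hash the group agreed on. The member names, the file content and the use of SHA-256 as the content hash are assumptions.

```python
import hashlib
from collections import Counter


def max_faulty(n: int) -> int:
    """A Byzantine-fault-tolerant group of n members tolerates f = floor((n-1)/3)
    faulty members, i.e. it needs n >= 3f + 1."""
    return (n - 1) // 3


def quorum_size(n: int) -> int:
    """A value is accepted only when more than two-thirds of the group vouch for
    it: 2f + 1 matching replies out of n = 3f + 1."""
    return 2 * max_faulty(n) + 1


def decide(replies: dict, n: int):
    """replies maps member name -> the value it reported (silent members are
    absent).  Returns the agreed value, or None if no value reaches quorum."""
    counts = Counter(replies.values())
    if not counts:
        return None
    value, votes = counts.most_common(1)[0]
    return value if votes >= quorum_size(n) else None


def verify_copy(agreed_hash: str, content: bytes) -> bool:
    """A client accepts a file host's copy only if it matches the content hash
    the directory group agreed on (SHA-256 assumed)."""
    return hashlib.sha256(content).hexdigest() == agreed_hash


def demo():
    content = b"quarterly-report v3"                      # constructed file content
    good = hashlib.sha256(content).hexdigest()
    bad = hashlib.sha256(b"tampered copy").hexdigest()
    n = 4                                                 # f = 1, quorum = 3
    # three honest members agree; member D reports a wrong hash
    agreed = decide({"A": good, "B": good, "C": good, "D": bad}, n)
    return {
        "f": max_faulty(n),
        "quorum": quorum_size(n),
        "agreed_is_good": agreed == good,
        "good_copy_accepted": verify_copy(agreed, content),
        "tampered_copy_accepted": verify_copy(agreed, b"tampered copy"),
        # two honest replies plus one liar (C silent) cannot reach 3 votes
        "insufficient": decide({"A": good, "B": good, "D": bad}, n),
        "seven_member_quorum": quorum_size(7),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the quorum is that a single faulty member, whether it lies or stays silent, cannot change the outcome: either the honest majority still reaches 2f + 1 or the client learns that no decision was reached, and in neither case does it act on the faulty member's value.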

23
FARSITE
  • Used with file systems such as partitions in hard
    drives
  • FARSITE
    • Differs from the NTFS model
    • Places a hard limit on the number of clients that
      can have a file open for concurrent writing
    • Places a soft limit on the number of clients that
      can have a file open for concurrent reading

24
FARSITE
  • NTFS does not allow a directory to be renamed if
    there is an open handle on a file in that
    directory or in any of its descendants
  • FARSITE implements Unix-like semantics of not
    name-locking an open file's path
  • This approach is called lazy propagation

25
FARSITE
  • FARSITE's key features
    • Reliability and availability (achieved through
      replication)
    • Security (uses different mechanisms to enforce
      read and write access control)
    • Durability (updates are committed only on the
      client's local disk)
    • Consistency (temporary control loaned to clients
      via a lease mechanism)
    • Scalability (uses hint-based and delayed
      directory-change notification)
    • Efficiency (uses co-location for replicas of
      identical files)
    • Manageability (because of data replication,
      failure of any one system does not affect
      performance)
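
The lease mechanism of slide 25 together with the hard and soft limits of slide 23, as an added Python sketch that is not FARSITE's code: control over a file is loaned to a client only until its lease expires, write leases beyond the hard limit are refused, and read leases beyond the soft limit are granted but flagged. The limit values, the 30-unit lease duration, the path and client names, and the choice not to model any exclusion between readers and writers are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Lease:
    client: str
    mode: str        # "read" or "write"
    expires: float   # control is loaned only until this time


class LeaseManager:
    """Directory-group side of the lease mechanism: control over a file is loaned
    to a client for a bounded time.  Write leases are subject to a hard limit
    (extra requests are refused); read leases to a soft limit (extra requests are
    granted but flagged).  Limits, durations and the read/write interplay are
    assumed, not taken from the slides."""

    def __init__(self, max_writers: int = 1, soft_max_readers: int = 8):
        self.max_writers = max_writers
        self.soft_max_readers = soft_max_readers
        self.leases: Dict[str, Dict[str, Lease]] = {}   # path -> client -> lease

    def _active(self, path: str, now: float) -> Dict[str, Lease]:
        held = self.leases.setdefault(path, {})
        for client in [c for c, l in held.items() if l.expires <= now]:
            del held[client]                              # expired: control returns
        return held

    def request(self, path: str, client: str, mode: str, now: float,
                duration: float = 30.0) -> Tuple[str, Optional[str]]:
        held = self._active(path, now)
        others = [l for c, l in held.items() if c != client]
        writers = sum(1 for l in others if l.mode == "write")
        readers = sum(1 for l in others if l.mode == "read")
        if mode == "write":
            if writers >= self.max_writers:
                return ("refused", "hard limit on concurrent writers")
            held[client] = Lease(client, "write", now + duration)
            return ("granted", None)
        if mode == "read":
            held[client] = Lease(client, "read", now + duration)
            note = ("soft limit on concurrent readers exceeded"
                    if readers >= self.soft_max_readers else None)
            return ("granted", note)
        raise ValueError(f"unknown lease mode {mode!r}")

    def release(self, path: str, client: str) -> None:
        self.leases.get(path, {}).pop(client, None)


def demo():
    lm = LeaseManager(max_writers=1, soft_max_readers=2)
    path = "/shared/plan.txt"                                  # constructed path
    r1 = lm.request(path, "alice", "write", now=0.0)           # granted
    r2 = lm.request(path, "bob", "write", now=1.0)             # refused: hard limit
    r3 = lm.request(path, "bob", "write", now=31.0)            # alice's lease expired at 30
    readers = [lm.request(path, f"reader{i}", "read", now=32.0) for i in range(3)]
    lm.release(path, "bob")
    r4 = lm.request(path, "carol", "write", now=33.0)          # slot freed by release
    return {"r1": r1, "r2": r2, "r3": r3, "readers": readers, "r4": r4}


if __name__ == "__main__":
    print(demo())
```

Because control is loaned rather than given away, a client that crashes or disappears from the network holding a write lease blocks other writers only until the lease expires, which is what makes the scheme workable among the untrusted, loosely coupled machines the slides describe.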

26
References
  • Byzantium: http://www.fordham.edu/halsall/byzantium/
  • Byzantine Generals Problem: http://research.microsoft.com/users/lamport/pubs/byz.pdf