Capability Access Control for P2P Data Sharing - PowerPoint PPT Presentation

Slides: 33
Provided by: csWash
Transcript and Presenter's Notes

1
Capability Access Control for P2P Data Sharing
  • Roxana Geambasu
  • Magda Balazinska
  • Steve Gribble
  • Hank Levy

2
Motivation
  • Lots of personal data
  • Data organization
    • Desktop search, virtual folders: Spotlight
  • Sharing
    • P2P: BitTorrent, Kazaa
    • Web services: Flickr, YouTube
  • Integrate these two functions?

3
Motivating Scenario
[Figure: Alice's and Bob's recipe views. Labels: Alice, Bob, Main Dishes, Snacks, Grandpa, European, Asian, Alice's recipes, Recipes. Legend: sharing, view composition, view.]
4
SharedViews
  • Organize data into views
  • Selectively share dynamic collections
  • Integrate other dynamic collections locally
  • Protect shared data
  • Peer-to-peer
    • No global administration, less management
  • Assumption: read-only workloads

5
Agenda
  • Motivation
  • Approach
  • Views and capabilities
  • Integration of capabilities with views
  • The SharedViews system
  • Capability implementation
  • Query processing
  • Prototype
  • Evaluation

6
Approach: Views and Capabilities
  • Integrate DB views with capability protection
  • Views
    • Organize data
    • Share dynamic sets of data
    • Seamlessly compose views
  • Capabilities
    • Control access to views
    • Facilitate sharing: exchanging capabilities
    • Ease management

7
Scenario: SharedViews Solution
[Figure: the motivating scenario with capabilities. Labels: Alice, Bob, Grandpa, Main Dishes, Snacks, European, Asian, Grandpa's recipes, Alice's recipes, Files; capabilities CA0, CA2, CG0, CG1, CX. Legend: capa to a view, view defined on a capa, capa sharing.]
8
Integration of Views and Capabilities
  • Views are named via capabilities
  • Capabilities enable same rights as DB
    • Other rights: CATALOG_LOOKUP
  • Integrate capabilities into SQL
    • Minor modifications

9
Query Language Modifications
  • Use capabilities to name views
  • Queries on top of capabilities
    • SELECT FROM CA1 WHERE CONTAINS(text,ginger)
  • CREATE VIEW returns capa
    • CREATE VIEW AS SELECT FROM CG1 WHERE CONTAINS(text,snack) UNION SELECT FROM CA0 WHERE CONTAINS(text,snack)
    • CA1

[Figure: node A]

10
Query Language Modifications (2)
  • Create restricted capabilities
    • RESTRICT CA1 RIGHTS SELECT CA1
    • Usage: selective sharing/revocation
  • Revoke capabilities
    • REVOKE CA1 USING CA1
    • CA1 requires REVOKE right
  • Other modifications
    • Bootstrapping
    • Catalog information lookup

[Figure: nodes A, B, G]

11
Agenda
  • Motivation
  • Approach
  • Capabilities
  • Integration of capabilities with views
  • The SharedViews system
  • Capability structure
  • Query processing
  • Prototype
  • Evaluation

12
SharedViews Architecture
13
Capability Structure
  • Password capabilities
    • Probabilistic protection against forgery
  • Capability structure
  • Advantages of our model
    • No special privilege required to manage capas
    • Can be easily transferred

14
Query Processing
  • Validate capa at every invocation
  • Two techniques
    • Recursive evaluation
    • Query rewrite

15
Recursive Evaluation
[Figure: nodes A, B, G]

16
Query Rewrite
[Figure: nodes A, B, G]

17
The SharedViews Prototype
  • Query engine: Beagle
  • GUI: Web browser, Web server
    • People fill in Web forms to operate on views
    • Capabilities are exposed as Web links
    • Capabilities are bookmarked
    • Share a view by emailing the Web link (capa)
  • Successful session is similar to search session

18
Agenda
  • Motivation
  • Approach
  • Capabilities
  • Integration of capabilities with views
  • The SharedViews system
  • Capability implementation
  • Query processing
  • Prototype
  • Evaluation

19
Evaluation
  • Dominating components?
  • Scales with query distribution?
  • Opportunities to optimize?

20
Dominating Components: Simple queries
21
Scaling with Query Distribution
  • Query distribution
    • Depth
    • Breadth
  • Fast networks
    • Insignificant overhead for recursive evaluation
  • Slow networks
    • Recursive return of results becomes bottleneck

22
Query Rewrite and Optimization
23
Summary
  • SharedViews
    • Selective and protected sharing
    • No global protection structure
    • Seamlessly integrate remote data collections into local one
  • A web of personal files
    • Use views to organize and share
    • Use capabilities to protect

24
Appendix
25
Motivation
  • Huge collections of personal data
  • Data organization
    • Desktop search, virtual folders: Spotlight
  • Sharing
    • P2P: BitTorrent, Kazaa
    • Web services: Flickr, YouTube
  • Integrate these two functionalities?

26
Capabilities
  • Capability: secure token that
    • identifies an object
    • enables a set of rights
    • provides holder with authority
    • must be unforgeable
  • Facilitate sharing
  • Ease management
    • No user accounts
    • No global/coordinated protection

27
Capabilities: Pros and Cons to ACLs
  • Ease sharing
    • Exchange capabilities
  • Simplify management
    • No user accounts
    • No user authentication
    • No centralized / global protection
  • But ACLs
    • Allow access logging and tracking
    • Allow confinement
  • Overall
    • Capabilities are suited in our unmanaged, p2p, home environment

28
Catalog Tables
  • Two catalog tables
  • CapTable -- stores protection-related info
  • All capabilities handed out by the system are saved
  • Selective capability revocation is easy
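
Added example (not from the slides or from the SharedViews code): a Python sketch of the password capabilities of slide 13 backed by the CapTable of slide 28, with the RESTRICT and REVOKE operations of slide 10 and the per-invocation validation of slide 14. The token layout, the hashing of stored secrets, the class and method names, and the rule that REVOKE removes only the named capability are assumptions.

```python
import hashlib
import secrets

ALL_RIGHTS = frozenset({"SELECT", "REVOKE", "CATALOG_LOOKUP"})  # rights named on the slides


class CapTable:
    """Toy CapTable (assumed layout): one row per capability handed out."""

    def __init__(self):
        self._rows = {}  # sha256(secret) -> (view_id, rights); raw secrets are not kept

    @staticmethod
    def _key(capa):
        return hashlib.sha256(capa.rpartition(".")[2].encode()).hexdigest()

    def _issue(self, view_id, rights):
        secret = secrets.token_urlsafe(16)  # 128 random bits, so forging means guessing
        capa = f"{view_id}.{secret}"
        self._rows[self._key(capa)] = (view_id, frozenset(rights))
        return capa

    def _lookup(self, capa):
        row = self._rows.get(self._key(capa))
        if row is None or row[0] != capa.rpartition(".")[0]:
            raise PermissionError("unknown or revoked capability")
        return row

    def create_view(self, view_id):
        """CREATE VIEW returns a capability; assumed here to carry every right."""
        return self._issue(view_id, ALL_RIGHTS)

    def validate(self, capa, right):
        """Called at every invocation: returns the view id or raises PermissionError."""
        view_id, rights = self._lookup(capa)
        if right not in rights:
            raise PermissionError(f"capability lacks {right}")
        return view_id

    def restrict(self, capa, rights):
        """RESTRICT capa RIGHTS ...: a new capability with a subset of capa's rights."""
        view_id, held = self._lookup(capa)
        if not frozenset(rights) <= held:
            raise PermissionError("restriction cannot add rights")
        return self._issue(view_id, rights)

    def revoke(self, target, using):
        """REVOKE target USING using: `using` needs REVOKE on the same view."""
        if self._lookup(target)[0] != self.validate(using, "REVOKE"):
            raise PermissionError("capabilities name different views")
        del self._rows[self._key(target)]
```

Because each handed-out capability has its own row, the owner can revoke the restricted token given to one peer while every other holder's token keeps working.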

29
The SharedViews Prototype (2)
  • Successful session is similar to search session
    • User submits a view evaluation request
    • System returns Web link-like capas to files
    • User selects link to a file
    • System returns content a.o. attributes
  • Failures are handled, ensuring
    • Faulty view evaluation does not reveal unshared files
    • Best effort

30
Related Work
  • Data organization
    • Views: WinFS, Spotlight, Google Desktop
    • Personal information management: Haystack
  • Data sharing
    • P2P: Kazaa, BitTorrent
  • Access control
    • ACLs
    • Cryptography
    • Capabilities: Hydra, The Capability-based System, Amoeba

31
Future Work
  • Scalability
  • Caching and replication
  • Real workload needed
  • Enable updates
  • Capability organization

32
Scaling with Query Distribution
  • Recursive evaluation overhead
    • Small for fast networks
      • Increased depth 1-5: 3 increase for 5000 results
      • Increase breadth 1-4: 17 increase for 5000 results
    • Large for broadband
      • Increased depth 1-5: 80 increase for 5000 results
  • Query rewrite vs recursive eval over broadband
    • View depth 5, and 5000 results: 24 benefit