PASIS: Perpetually Available and Secure Information Systems - PowerPoint PPT Presentation

About This Presentation
Title:

PASIS: Perpetually Available and Secure Information Systems

Description:

Greg Ganger, Pradeep Khosla, Chenxi Wang, Mehmet Bakkaloglu, Michael ... Reinstall OS. Wipe system. Save user data. Self-securing storage. Conventional systems ... – PowerPoint PPT presentation

Slides: 25
Provided by: gregg98

Transcript and Presenter's Notes

Title: PASIS: Perpetually Available and Secure Information Systems


1
PASIS: Perpetually Available and Secure Information Systems
http://www.ices.cmu.edu/pasis/
Greg Ganger, Pradeep Khosla, Chenxi Wang, Mehmet Bakkaloglu, Michael Bigrigg, Garth Goodson, Semih Oguz, Vijay Pandurangan, Craig Soules, John Strunk, Ken Tew, Cory Williams, Ted Wong, Jay Wylie
Carnegie Mellon University
2
PASIS Objective
  • Create information storage systems that are:
    • Perpetually Available: information should always be available even when some system components are down or unavailable
    • Perpetually Secure: information integrity and confidentiality should always be enforced even when some system components are compromised
    • Graceful in degradation: information access functionality and performance should degrade gracefully as system components fail
  • Assumptions: some components will fail, some components will be compromised, some components will be inconsistent, BUT
    • the surviving components allow the information storage system to survive

3
Survivable Storage Systems
  • Surviving server-side intrusions
    • decentralization: data distribution schemes provide for availability and security of storage
  • Surviving client-side intrusions
    • server-side data versioning and request auditing enable intrusion diagnosis and recovery
  • Tradeoff management balances availability, security, and performance
    • maximize performance given the other two

4
Self-Securing Storage
  • Storage that protects itself
    • prevents destruction of stored data
    • prevents undetectable modifications
    • looks for suspicious storage activity
  • Effective tool for intrusion survival
    • Detection: watches storage events and triggers alarms
    • Diagnosis: provides info for administrators to analyze
    • Recovery: provides complete history of data versions

5
Step 1: Additional Security Perimeter
(Diagram labels: Application, System Calls, File System, Host Operating System, RPC or Device Driver, Storage Requests, Insecure)
6
Step 2: Internal Versioning & Auditing
(Diagram labels: File 1, File 2, File (n-1), File n)

7
Step 2: Internal Versioning & Auditing
(Diagram labels: File 1, File 2, File (n-1), File n; Detection Window; Expired versions)
8
Step 2: Internal Versioning & Auditing
(Diagram labels: File 1, File 2, File (n-1), File n)
  • Storage device logs all requests
  • Audit log is externally read-only

9
Feasibility Evaluation (OSDI '00)
  • Capacity requirements
    • Question: Are large detection windows feasible?
    • Conclusion: Weeks or months are possible
  • Performance overheads
    • Question: Are performance costs too high?
    • Conclusion: Performance overhead is small
      • < 15% cost for versioning and auditing

10
Benefits of Self-Securing Storage
  • Storage-based intrusion detection
    • A new opportunity (and viewpoint) to observe
  • Informed analysis of security compromises
    • Log tampering is visible and recoverable
    • Capture exploit tools stored on the target
  • Faster, better recovery
    • Earlier states still in history pool
    • Legitimate changes still present in history pool
    • also, recovery from accidental deletion

11
Storage-based Intrusion Detection
  • Standard goal: Detect suspicious activity
  • New opportunities to observe
    • Changes to static files
      • sshd, /bin/login, shell programs, config files, etc.
    • Unexpected patterns of changes
      • non-append changes to audit log, etc.
    • Corruption of well-understood files
      • /etc/passwd, /var/log/wtmp, etc.
    • Suspicious content
      • known viruses, hidden files or directories, etc.
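
The four observation categories on this slide, written as rules a storage device could evaluate over the requests it receives. This is an added illustration, not code from the PASIS project or the talk; the request format, the watch lists, the hidden-name list and the content signature are all constructed for the example. The point it makes concrete is that every rule is expressed purely in terms of what the device sees (path, operation, offset, bytes) and of state the device itself keeps, so a compromised client OS cannot switch the checks off or feed them a doctored view.

```python
"""Storage-based intrusion detection rules evaluated inside the storage
device. Added example (not PASIS code); watch lists, hidden-name list and
the content signature are constructed for the illustration."""
from dataclasses import dataclass, field

# Files the slide calls static: nothing legitimate rewrites them between upgrades.
STATIC_FILES = {"/usr/sbin/sshd", "/bin/login", "/bin/sh", "/etc/ssh/sshd_config"}
# Logs that are only ever appended to.
APPEND_ONLY = {"/var/log/wtmp", "/var/log/auth.log"}
# Directory names chosen to be overlooked in a casual listing (constructed list).
HIDDEN_NAMES = {"...", ".. ", ". "}
# Stand-in for a known-malware signature (constructed).
CONTENT_SIGNATURES = [b"EXAMPLE_BAD_CONTENT_SIGNATURE"]


@dataclass
class Request:
    op: str            # "write", "truncate" or "mkdir"
    path: str
    offset: int = 0    # byte offset for write; new length for truncate
    data: bytes = b""


@dataclass
class StorageIDS:
    # The device's own record of file sizes. Unlike a host-side checker's
    # database, the client OS has no way to alter this state.
    sizes: dict = field(default_factory=dict)

    def check(self, req: Request) -> list[str]:
        alerts = []
        name = req.path.rsplit("/", 1)[-1]
        cur = self.sizes.get(req.path, 0)

        # 1. Changes to static files
        if req.path in STATIC_FILES and req.op in ("write", "truncate"):
            alerts.append(f"static file changed: {req.path}")

        # 2. Unexpected pattern of change: a log modified anywhere but its end
        if req.path in APPEND_ONLY and (
            req.op == "truncate" or (req.op == "write" and req.offset < cur)
        ):
            alerts.append(
                f"non-append change to {req.path} at offset {req.offset} (size {cur})"
            )

        # 3. Corruption of a well-understood file: every passwd line has 7 fields
        if req.path == "/etc/passwd" and req.op == "write":
            for line in req.data.decode("ascii", errors="replace").splitlines():
                if line and line.count(":") != 6:
                    alerts.append(f"malformed /etc/passwd entry: {line!r}")

        # 4. Suspicious content: hidden names and known signatures
        if name in HIDDEN_NAMES:
            alerts.append(f"hidden entry: {req.path!r}")
        if any(sig in req.data for sig in CONTENT_SIGNATURES):
            alerts.append(f"known-bad content written to {req.path}")

        # Update the device's view of the file after the checks ran against the old state.
        if req.op == "write":
            self.sizes[req.path] = max(cur, req.offset + len(req.data))
        elif req.op == "truncate":
            self.sizes[req.path] = req.offset
        return alerts


def run_example() -> list[str]:
    """Constructed request stream: benign activity first, then one request
    per rule that should be flagged."""
    ids = StorageIDS()
    stream = [
        Request("write", "/var/log/wtmp", 0, b"boot\n"),             # new file: ok
        Request("write", "/var/log/wtmp", 5, b"alice login\n"),      # append: ok
        Request("write", "/home/alice/notes.txt", 0, b"meeting"),    # ordinary work: ok
        Request("write", "/var/log/wtmp", 0, b"boot\n"),             # log rewritten in place
        Request("write", "/bin/login", 0, b"\x7fELF..."),             # static binary replaced
        Request("write", "/etc/passwd", 0,
                b"root:x:0:0:root:/root:/bin/sh\nbogus:x:0:0\n"),    # malformed entry
        Request("mkdir", "/dev/..."),                                  # hidden directory
        Request("write", "/tmp/.x", 0, b"EXAMPLE_BAD_CONTENT_SIGNATURE"),
    ]
    return [alert for req in stream for alert in ids.check(req)]


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The size table is what makes rule 2 work without a reference database: the device knows how long the log was before the request, so a write below that offset is suspicious on its own, which is the slide's "non-append changes to audit log" check.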

12
For comparison...
  • Stronger than current storage-related IDSs
    • e.g., Tripwire or virus scanners
    • These periodically run on the host and compare filesystem state to a reference database or to known viruses
  • Stronger because
    • detection checks can be in real time
    • they can't be turned off in a compromised host system
    • they can't be spoofed or filtered by an intermediary
    • they do not rely on a reference database

13
Post-Intrusion Diagnosis
  • Goal: Determine what/when it happened
  • Self-securing storage informs key questions
    • When did the intrusion happen?
      • needed for recovery
    • How did they get in?
      • including capture of exploit tools for analysis
    • What files were read, written, and seen tainted?
      • damage estimation

14
For comparison: Conventional Diagnosis
15
Hardcore Conventional Diagnosis
  • BIG forensics effort required before analysis
    • discovering deleted evidence from
      • deleted inodes
      • unallocated blocks
      • slack space in the final block of files
    • problems that this causes
      • incomplete info is difficult to analyze
      • most evidence is completely gone
  • Self-securing storage puts focus on analysis
    • all storage actions and states are preserved

16
Post-Intrusion Recovery
17
Post-Intrusion Recovery
18
Restore pre-intrusion versions rapidly
Restoring pre-intrusion state
19
Copy-forward users' work carefully
Restoring users' work
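
An added example tying together slides 6 through 8 (versions kept for a detection window, audit log of every request, externally read-only) and the two recovery steps just shown. It is not PASIS or PDL code: the device API, the client identities the device attaches to requests and the integer timestamps are assumptions made for the simulation. Recovery is done as ordinary writes, so rolling back never erases the evidence of the intrusion, and the copy-forward step returns the list of user versions it replayed for an administrator to review, which is where the "carefully" on the slide comes in.

```python
"""Simulated self-securing storage device: versioning within a detection
window, an append-only audit log, and two-step post-intrusion recovery.
Added example (not PASIS code); API, client names and timestamps assumed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Version:
    seq: int               # sequence number of the request that created it
    time: int              # device clock at arrival (assumed: integer seconds)
    client: str            # requester identity as seen by the device (assumed)
    path: str
    data: Optional[bytes]  # None records a deletion


class SelfSecuringDevice:
    def __init__(self, detection_window: int):
        self.window = detection_window
        self.history: dict[str, list[Version]] = {}  # path -> versions, oldest first
        self._audit: list[tuple] = []                 # append-only request log
        self.seq = 0

    def _record(self, now, client, op, path, data):
        self.seq += 1
        self._audit.append((self.seq, now, client, op, path))
        self.history.setdefault(path, []).append(Version(self.seq, now, client, path, data))
        self._expire(now)

    def write(self, path, data: bytes, client, now):
        self._record(now, client, "write", path, data)

    def delete(self, path, client, now):
        self._record(now, client, "delete", path, None)

    def audit(self) -> tuple:
        # Externally read-only: callers get a copy, and no device operation
        # rewrites or truncates the log.
        return tuple(self._audit)

    def _expire(self, now):
        # Versions older than the window are reclaimed; the current version
        # of every file is always kept.
        for versions in self.history.values():
            while len(versions) > 1 and versions[0].time < now - self.window:
                versions.pop(0)

    def version_at(self, path, t) -> Optional[Version]:
        # Version current at time t; None if the file did not exist then or
        # the history no longer reaches back that far.
        vs = [v for v in self.history.get(path, []) if v.time <= t]
        return vs[-1] if vs else None

    def read(self, path) -> Optional[bytes]:
        vs = self.history.get(path)
        return vs[-1].data if vs else None

    def recover(self, intrusion_time, suspect, now) -> list:
        """Step 1 restores pre-intrusion versions, step 2 copies forward the
        post-intrusion work of everyone except the suspect. Returns the
        replayed versions so an administrator can review them."""
        affected = [p for p, vs in self.history.items()
                    if any(v.time >= intrusion_time for v in vs)]
        for path in affected:                       # Step 1
            pre = self.version_at(path, intrusion_time - 1)
            if pre is None or pre.data is None:
                self.delete(path, "recovery", now)  # did not exist before the intrusion
            else:
                self.write(path, pre.data, "recovery", now)
        replay = sorted((v for p in affected for v in self.history[p]  # Step 2
                         if v.time >= intrusion_time
                         and v.client not in (suspect, "recovery")),
                        key=lambda v: v.seq)
        for v in replay:                            # arrival order
            if v.data is None:
                self.delete(v.path, "recovery", now)
            else:
                self.write(v.path, v.data, "recovery", now)
        return replay


def scenario():
    # Constructed timeline: install, user work, intrusion at t=100, more user
    # work the user is unaware is tainted, recovery at t=200.
    dev = SelfSecuringDevice(detection_window=1000)
    dev.write("/bin/login", b"login v1", "installer", now=0)
    dev.write("/home/alice/report.txt", b"draft 1", "alice", now=10)
    dev.write("/bin/login", b"modified login", "intruder", now=100)    # static binary replaced
    dev.write("/tmp/tool", b"unknown binary", "intruder", now=101)    # planted file
    dev.write("/home/alice/report.txt", b"draft 2", "alice", now=150)  # legitimate work
    replayed = dev.recover(intrusion_time=100, suspect="intruder", now=200)
    return dev, replayed


def window_demo():
    # A version older than the detection window is gone, but the request that
    # produced it is still in the audit log.
    dev = SelfSecuringDevice(detection_window=50)
    dev.write("/etc/motd", b"old", "admin", now=0)
    dev.write("/etc/motd", b"new", "admin", now=100)  # the t=0 version expires here
    return dev.version_at("/etc/motd", 0), dev.read("/etc/motd"), len(dev.audit())
```

After `scenario()` the login binary is back at its installed version, the planted file is gone, and Alice's draft 2 survives because it was copied forward from the history pool; the intruder's version of `/bin/login` is still readable through `version_at`, which is what makes later diagnosis possible. `window_demo()` shows the other side of the capacity trade-off from slide 9: once a version falls outside the window it cannot be restored, so the window length bounds how late an intrusion can still be recovered from.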
20
Summary of self-securing storage
  • Protect stored data and audit storage accesses
    • even if client OS is compromised
  • Can save and observe anything inside device
    • retain all versions of all data
    • collect audit log of all requests
    • watch storage events and trigger alarms
  • Self-securing storage enables
    • storage-based intrusion detection
    • informed analysis of security compromises
    • faster, better recovery

21
PASIS Agent Architecture
(Diagram labels: System Characteristics, User Preferences, Tradeoff Management, Client Applications, PASIS Storage Nodes, Multi-read/write Communication, Encode/Decode)
22
Trade-off space
Scheme Selection Surface
23
PASIS Summary
  • Decentralization: data distribution schemes provide for availability and security of storage
  • Tradeoff management balances availability, security, and performance
    • and it is good engineering practice!
  • Data versioning to survive malicious users
    • enables intrusion diagnosis and recovery

24
For more information: http://www.pdl.cmu.edu/
  • Greg.Ganger_at_cmu.edu
  • Director, Parallel Data Lab