PASIS: Perpetually Available and Secure Information Systems - PowerPoint PPT Presentation

Slides: 36
Provided by: kilic3
1
PASIS: Perpetually Available and Secure Information Systems
Pradeep K. Khosla (pkk_at_cs.cmu.edu), Han Kiliccote (kiliccote_at_cmu.edu)
Institute for Complex Engineered Systems, College of Engineering/School of
Computer Science, Carnegie Mellon University, Pittsburgh, PA 15213
2
Objectives
  • Create a Distributed Information system that is
    • Perpetually Available
      • Access to Information and Services should always
        be available even when some system components are
        attacked, down, or unavailable
    • Secure
      • Information should be secure even when some
        system components are compromised
      • Computation must be Secure
    • Easy to Deploy
      • Provide toolkits and languages to easily develop
        or convert legacy systems to intruder resistant
        systems

3
Existing Practice
  • Client-Server Architectures with Replicas
    • Reliability and Robustness
      • if the servers are attacked, the whole system is down
      • servers are subject to denial of service attacks
    • Security
      • all data and reasoning are in the servers
      • each server is a single point of failure
    • Scalability and Performance
      • servers are the bottleneck

4
Approach - Overview
  • Virtual Server
    • Data and reasoning capabilities are not located
      in a single physical agent
    • No single point of failure
    • Applications perceive other PASIS-agents as part
      of a monolithic server
    • Data and meta-data are decimated and dispersed

5
Pasis - Technologies
  • Decimate Information
    • Divide the information into small chunks
      (puzzle-pieces)
    • Distribute the chunks to a large number of
      PASIS-enabled computers
    • Resilient against denial of service attacks

6
Information Dispersal
  • Disperse information
    • Distribute the data to n computers so that any m of
      them can reconstruct the data but p of them cannot
      (p < m ≤ n)

Simplified Blakley Algorithm
7
Information Dispersal
8
Preliminary Results
  • Comparison of Pasis with current information
    systems
    • 1000 Computers
    • 10^9 info items
    • 15 out of 60 scheme
    • 100 read operations per second
    • Each info item is 1K bytes

9
Preliminary Results
  • Information Dispersal
    • Comparison between receiving a message from a
      single machine versus multiple machines on the
      Internet

10
Preliminary Results
  • There is no need to guarantee reliable
    communication between the agents
  • Performance comparison of UDP versus TCP/IP

11
Information Dispersal
  • Issues
    • Automatic selection of dispersal scheme
    • Share renewal
    • Share revocation
    • Share addition
    • Uneven share sizes
    • Limited Cheater/Intruder detection

12
Pasis - Technologies
  • Fully distributed directory services - a new model
    for managing a Distributed Network of Information
    agents
    • The classical replicated server model is not robust,
      e.g., the whole Internet can be severely disabled by
      eliminating only the 11 root domain servers
    • Solution: small-world virtual network

13
Small World Virtual Network
  • Fully distributed Directory Services for use with
    Internet or Wireless Ad-hoc networks
    • Based on Cayley graphs
    • Excellent degree/diameter/size
    • Optimally fault-tolerant

14
Preliminary results
  • Cayley Graphs
    • Based on Faber-Moore graphs
    • Each agent knows about 1000 other agents
      (neighbors)
    • In 1 hop 10^6 agents can be reached
    • In 2 hops 10^9 agents can be reached
    • Excellent resiliency against attacks
      • 1000 agents have to be attacked to partition
        another agent
      • >99% of the agents have to be attacked to
        partition 0.1% of the agents
    • Packets can be denied at the hardware level to
      drop communication from non-neighbors
    • Directed graphs (direct communication not
      allowed)

15
Pasis - Infrastructure
  • Class libraries and extensions for converting
    existing programs to Pasis programs
    • Common Corba services will be ported to PASIS
      (e.g. persistence, directory service, locking, ...)
    • Extensions for C++ for distributed and parallel
      STL (Standard Template Library)
    • C++ based on ODMG standard
    • Java based API for interfacing with PASIS

Before:  class Person { int age; }
After:   class Person : DispObj { dint age; }
16
Pasis - C extension
  • Class libraries for C++ and Extended STL
    (Standard Template Library)
  • A syntactic procedure to convert existing
    applications
    • use dint, dchar, dfloat rather than int,
      char and float
    • use P<Agt> a = foo() rather than P a = foo()
    • derive all the classes from DispObject

17
Access Control
  • Multiversioning, dependency based concurrency and
    access control protocol
    • locking based algorithms are not appropriate for
      a large number of servers
    • intruder detection
    • recovery from attacks

18
Preliminary Results
  • Dependency Based Concurrency Control (Very early
    Simulation)

[Figure: simulation with 100 elements, 50 transactions, 10 elements per transaction]
19
Secure Computation
  • Secure computation
    • Execute an algorithm in a distributed manner such
      that the System knows the inputs and outputs
      but no single physical agent does
    • Constant round computation is possible
    • Create a secure processor

20
Demonstrations
  • Secure and reliable ftp server
    • Guarantees security and perpetual availability of
      regular files
    • No more "file server unreachable or down"
      errors
    • Works with popular applications

[Figure: on the local machine, a Pasis Ftp proxy talks to a Pasis Agent; the
Pasis Agent communicates over the network with several other Pasis Agents]
21
Demonstrations (cont.)
  • Secure and Reliable Ftp Server
    • Regular applications (such as Microsoft Word) use
      the ftp protocol to contact the ftp proxy (a
      Pasis application)
    • The Ftp proxy divides the information into smaller
      chunks and sends them to the Pasis Agent through
      interprocess communication
    • The Pasis Agent disperses the information using an n/m
      threshold scheme to other agents using the Pasis
      Network Protocol (TCP/IP with probabilistic
      extensions)
    • The multiversioning database in each Pasis Agent
      stores the information while guaranteeing
      concurrency

22
Demonstrations
  • The Pasis File System
    • A File System based on commercial systems (NT,
      Unix, etc) that guarantees security and perpetual
      availability of information
    • Files are decimated and dispersed to all PASIS
      enabled computers
    • No central authority
    • No single point of failure
    • Implementation on NT, Unix and other OS

23
Metrics
  • Information dispersal
    • Model and compare performance against existing
      distributed file systems and databases
    • Model and simulate the performance against random
      attacks in large systems (10 - 1 million machines)
    • Test the performance against random attacks in a
      small system (10-100 machines)
  • Access Control
    • Model and compare the performance under attacks
      with existing protocols
  • Pasis Infrastructure
    • How well Pasis adheres to existing standards
    • How many man-months are required to convert
      existing legacy systems to Pasis

24
Expected Accomplishments
  • Embedded Distributed Security and Replication
    Mechanisms
    • perpetual availability and security of
      information systems
    • secure computation to eliminate malicious users
  • Distributed Multiversioning Dependency-based
    Access Control
    • Automatic recovery when intruders are detected
  • An infrastructure to create intruder tolerant
    systems
    • Extensions to existing languages to automatically
      create new or convert existing applications to
      intruder resilient systems
  • Demonstration of an Intrusion Tolerant System

25
Task Schedule
  • Embedded distributed security and replication
    mechanisms
    • Pasis Architecture (Month 18)
    • Automatic selection of threshold schemes (Month
      22)
  • PASIS infrastructure
    • Extensions to C++ (Month 12)
    • Extensions to Java (Month 18)
  • Access Control
    • Distributed multiversioning dependency-based
      access control protocol (Month 30)
    • Fraudulent Usage Detection and Recovery
      mechanisms (Month 32)

26
Schedule
27
Pasis Summary
  • A new paradigm in Distributed Agent-based Systems
    that
    • Combines advantages of Centralized and
      Distributed Architectures
    • Provides Scalability through the idea of Virtual
      Server and Virtual Client
    • Provides Novel Security Mechanisms through
      Information Dispersal
    • Provides Reliability through innovative
      Information Replication Mechanisms

28
(No Transcript)
29
Shamir's dispersal scheme
  • Select a polynomial of degree m - 1 with m - 1
    random coefficients
  • The secret s is the free coefficient
    • $c_{m-1} x^{m-1} + \cdots + c_1 x + s$
  • For each agent evaluate the polynomial at the
    unique id $a_i$ of that agent
    • $s_1 = c_{m-1} a_1^{m-1} + \cdots + c_1 a_1 + s$
    • $\vdots$
    • $s_n = c_{m-1} a_n^{m-1} + \cdots + c_1 a_n + s$

Addition of two integers
30
Demonstrations (cont.)
  • Secure calculator
    • Secure addition, subtraction and multiplication
    • Resilient against failures
    • Resilient against malicious users

31
Demonstrations (cont.)
  • Secure reasoning

32
Secure Reasoning
  • Use dispersed integers 1 and 0 to represent
    Boolean true and false
    • $\mathrm{AND}(x, y) = x \cdot y$
    • $\mathrm{OR}(x, y) = x + y - x \cdot y$
    • $\mathrm{NOT}(x) = 1 - x$
  • Using AND, OR, and NOT, create the other
    operations
    • sbit: a dispersed integer
    • sint: an array of sbit[32]
    • sdouble: struct { sint mantissa; sint exponent }
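The three slides above (Information Dispersal, Shamir's dispersal scheme, and Secure Reasoning) describe the same machinery: a secret is the free coefficient of a random degree m-1 polynomial, each agent holds one evaluation, and agents can add, subtract and multiply their shares locally so that the system computes on values no single agent sees. The following Python is an added example written for this transcript; it is not PASIS code. It assumes a prime field (the constant PRIME and agent ids 1..n are constructed choices), and it makes one point the slides leave implicit: a share-wise multiplication doubles the polynomial degree, so the AND and OR results need 2m-1 shares to reconstruct unless a degree-reduction round is added. The example therefore runs with n = 2m-1.

```python
"""Shamir-style dispersal plus share-wise arithmetic (added example, not PASIS code)."""
import secrets

PRIME = 2**61 - 1  # constructed choice: any prime larger than the values handled works


def share(secret, m, n, prime=PRIME):
    """Disperse `secret` to agents 1..n so that any m of them can rebuild it.

    Polynomial c_{m-1} x^{m-1} + ... + c_1 x + s with m-1 random coefficients,
    evaluated at each agent's unique id (here simply 1..n, a constructed choice).
    """
    if not 1 <= m <= n < prime:
        raise ValueError("need 1 <= m <= n < prime")
    coeffs = [secret % prime] + [secrets.randbelow(prime) for _ in range(m - 1)]
    shares = []
    for agent_id in range(1, n + 1):
        value = 0
        for c in reversed(coeffs):          # Horner evaluation, highest degree first
            value = (value * agent_id + c) % prime
        shares.append((agent_id, value))
    return shares


def reconstruct(shares, prime=PRIME):
    """Lagrange-interpolate the polynomial at x = 0 from (agent_id, value) pairs.

    Needs at least degree+1 distinct shares: m for a fresh sharing, 2m-1 after
    one share-wise multiplication (see secure_mul).
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        secret = (secret + yi * num * pow(den, prime - 2, prime)) % prime
    return secret


def as_signed(value, prime=PRIME):
    """Map a field element back to a signed integer (for subtraction results)."""
    return value - prime if value > prime // 2 else value


# Every operation below is performed by each agent on its own share only; no
# agent ever sees the underlying values, which is the point of the secure calculator.

def secure_add(sa, sb, prime=PRIME):
    return [(i, (a + b) % prime) for (i, a), (_, b) in zip(sa, sb)]


def secure_sub(sa, sb, prime=PRIME):
    return [(i, (a - b) % prime) for (i, a), (_, b) in zip(sa, sb)]


def secure_mul(sa, sb, prime=PRIME):
    """Share-wise product. The result lies on a degree 2(m-1) polynomial, so it
    needs 2m-1 shares to reconstruct; with n < 2m-1 a degree-reduction round
    would be required (assumption here: n >= 2m-1)."""
    return [(i, a * b % prime) for (i, a), (_, b) in zip(sa, sb)]


# Boolean reasoning on dispersed 0/1 values, exactly as the slide states it.
def secure_and(sx, sy):
    return secure_mul(sx, sy)


def secure_or(sx, sy, prime=PRIME):
    return secure_sub(secure_add(sx, sy, prime), secure_mul(sx, sy, prime), prime)


def secure_not(sx, prime=PRIME):
    # The constant 1 is shared as 1 at every agent, so 1 - x is a local step.
    return [(i, (1 - x) % prime) for i, x in sx]


def demo(m=3, n=5):
    """Run the calculator and reasoning operations; return the cleartext results."""
    sa, sb = share(20, m, n), share(22, m, n)
    sx, sy = share(1, m, n), share(0, m, n)       # Boolean true / false
    return {
        "sum": reconstruct(secure_add(sa, sb)[:m]),             # any m shares suffice
        "diff": as_signed(reconstruct(secure_sub(sa, sb)[:m])),  # 20 - 22 = -2
        "product": reconstruct(secure_mul(sa, sb)),             # needs all 2m-1 = 5
        "and": reconstruct(secure_and(sx, sy)),
        "or": reconstruct(secure_or(sx, sy)),
        "not_x": reconstruct(secure_not(sx)[:m]),
    }


if __name__ == "__main__":
    print(demo())
```

Reconstruction from any m of the n shares is what gives the "p < m ≤ n" property of the dispersal slide: fewer than m shares constrain a degree m-1 polynomial to a line, plane or higher-dimensional family of candidates, so the free coefficient is not determined. Secure addition and NOT keep the degree at m-1; AND and OR contain a product and are reconstructed here from all n = 2m-1 shares.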

33
Demonstrations (cont.)
  • Agent manager
    • Monitors/manages Pasis as a whole
      • Agents
      • Appliances
      • Programs
      • Users
    • Performs security checks in a distributed manner

34
What's cooking (cont.)
  • Distributed GIS system for navigating in a
    partially known terrain
    • 40000 information agents
    • route selection
    • shortest path algorithms

35
What's cooking (cont.)
  • Information System Development Toolkit
    • Easy development of large communities of software
      agents
    • Automatic management of information and
      computation agents