Working Set-Based Access Control for Network File Systems

Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode
DiscoLab - Department of Computer Science
Rutgers, The State University of New Jersey
{ smaldone, vinodg, iftode }@cs.rutgers.edu


June 5, 2009 SACMAT 2009

Mobile Access to Network File Systems Increasing

[Figure labels: Alice @Trusted; Alice @Untrusted Personal Device; Network File Servers; Corporate Intranet; VPN Server; Firewall; Internet; VPN; File Accesses]

The Working Set Concept

• The working set of a process is the collection of information referenced by the process during a time interval. [Denning 1968]
  – Temporal locality of a process’ memory accesses
  – Memory pages to keep resident in memory to optimize performance now and in the near future
  – Informs memory page replacement algorithms to avoid thrashing

WSBAC: Working Set-Based Access Control

• Setting
  – Trusted Devices vs. Untrusted Devices
• Applies the working set principle to network file system security (access control)
  – Learn working set during trusted accesses
  – Enforce working set during untrusted accesses
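
The learn/enforce split above, sketched as an added example (not the authors' POLEX/POLEN code): per-user working sets are kept as Bloom filters, the summary structure the deck's implementation slides name. The class names, the path strings used as file identifiers, the filter sizing and the "forward"/"out-of-set" decision labels are assumptions made for illustration.

```python
import hashlib

class WorkingSetSummary:
    """Bloom-filter summary of the file identifiers one user touched."""
    def __init__(self, bits=8192, hashes=4):   # sizing is an assumption
        self.bits, self.hashes = bits, hashes
        self.field = bytearray(bits // 8)

    def _positions(self, item):
        # Derive k bit positions from salted SHA-256 digests of the identifier.
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.bits

    def learn(self, item):
        for pos in self._positions(item):
            self.field[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all(self.field[pos // 8] & (1 << (pos % 8))
                   for pos in self._positions(item))

class Enforcer:
    """Learn per-user sets from trusted traffic, check untrusted traffic."""
    def __init__(self):
        self.summaries = {}

    def observe(self, user, path, trusted):
        if trusted:  # trusted device: extend this user's working set
            self.summaries.setdefault(user, WorkingSetSummary()).learn(path)
            return "forward"
        summary = self.summaries.get(user)
        if summary is not None and path in summary:
            return "forward"      # inside the learned working set
        return "out-of-set"       # assumption: left to a separate handler

def false_positive_rate(summary, probes):
    """Fraction of never-learned identifiers the filter still admits."""
    return sum(p in summary for p in probes) / len(probes)

# Constructed sample trace: (user, path, trusted_device)
TRACE = [("alice", "/proj/wsbac/paper.tex", True),
         ("alice", "/proj/wsbac/eval.dat", True),
         ("bob", "/home/bob/notes.txt", True),
         ("alice", "/proj/wsbac/paper.tex", False),
         ("alice", "/home/bob/notes.txt", False),
         ("carol", "/proj/wsbac/paper.tex", False)]

def replay(trace):
    enforcer = Enforcer()
    return [enforcer.observe(*record) for record in trace]
```

A Bloom filter never forgets a learned identifier but can admit one it never saw, so the summary can only err toward allowing more than was observed; `false_positive_rate` measures that for a given fill level.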

Contributions

• Working Set-Based Access Control (WSBAC)
  – Novel access control technique that estimates per-user file access working sets and enforces them during access from untrusted devices
• Prototype Implementation of WSBAC for Network File Systems
  – POLEX: Working set policy extraction
  – POLEN: Working set policy enforcement
• Evaluation using Real-World Network File System Traces
  – Experimental evaluation of WSBAC using real-world NFS traces, which suggests that WSBAC is feasible and highly effective

Outline

• Introduction
• WSBAC Architecture
• FileWall
• WSBAC Design and Implementation
• Evaluation and Results
• Related Work
• Conclusions and Future Work

WSBAC Architecture Overview

[Figure labels: POLEX; POLEN; File Server; Working Sets; Trusted Devices; Untrusted Devices; POLEN Vault Area; Trusted Network Domain (Corporate Intranet); flows numbered 1, 2 and 3]

POLEX: POLicy EXtraction for Network File Systems

[Figure labels: Working Sets; Switch; File Server; Policy View Namespace (PVN); POLEX; Administrator; Trusted Devices]

POLEN: POLicy ENforcement for Network File Systems

[Figure labels: Working Sets; File Server; POLEN; Untrusted Devices; Reliable Secondary Authentication Mechanism; WSBAC Virtual Namespace; POLEN Vault Area]

Implementation using FileWall

[Figure labels: Network File Server; FileWall; Network File System Client; Network File System Accesses]

• Network File System Protocols
  – Composed of client/server messages
  – Requests sent by client
  – Responses sent by server
• FileWall: An NFS Middlebox
  – Interposed on client/server path
  – External to client/server path

FileWall Architecture

FileWall: A Firewall for Network File System, S. Smaldone, A. Bohra, and L. Iftode. In the Proceedings of the 3rd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'07).

[Figure labels: Scheduler; Forwarder; Access Context; FileWall Policy; Request Handler; Response Handler; File Server; … FS Client]

The POLEX Implementation

[Figure labels: Forwarder; Access Context; POLEX; Extraction Handler; Scheduler; Network File System Stream; Administrator; View Handlers; Working Set Summaries (Bloom Filters)]

The POLEN Implementation

[Figure labels: Forwarder; Access Context; POLEN; Enforcement Handler; Scheduler; Network File System Stream; Speculation Handler; File Server; Client or Vault Area; Working Set Summaries (Bloom Filters)]

Outline

• Introduction
• WSBAC Architecture
• FileWall
• WSBAC Design and Implementation
• Evaluation and Results
• Related Work
• Conclusions

Evaluation

• Goals
  – What are the working set estimation costs (space and time)?
  – How accurate is working set estimation?
  – How time sensitive are working set estimates?
  – How much does speculation reconciliation impact users?
  – What are the network file system performance overheads?
• Setup
  – Systems: Dual 2.4 GHz CPUs, 3 GB RAM, Linux 2.6
  – Perform offline analysis using Harvard File System Traces [Ellard’03]
  – Custom NFS fine-grained file access generation utility
  – OpenSSH compilation as application performance benchmark

POLEX Time and Storage Requirements

| Size of Trace | Time to Analyze | State Size |
|---|---|---|
| 1 Day (~3.3 GB - 6,308,023 Req/Res Pairs) | 52 min | 154 MB |
| 1 Hour (~140 MB - 262,834 Req/Res Pairs) | 2.49 min | 154 MB |

POLEX Accuracy

| Run | Average Error Rate | Over-Estimation Rate |
|---|---|---|
| Run 1 | 1.08% | 31.6% |
| Run 2 | 0.76% | 41.2% |
| Run 3 | 1.02% | 42.5% |
| Run 4 | 0.79% | 36.5% |
| Run 5 | 0.97% | 42.9% |
| Average | 0.92% | 38.9% |

POLEX Sensitivity

| User | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
|---|---|---|---|---|---|
| User 1 | 0.26% | 0.03% | 0.02% | 0.01% | 0.01% |
| User 2 | 0.31% | 4.4% | 0.0% | 3.3% | 0.27% |
| User 3 | 0.37% | 0.36% | 0.82% | 2.5% | 0.61% |
| User 4 | 0.48% | 1.8% | 0.55% | 0.66% | 0.11% |
| User 5 | 0.18% | 0.28% | 0.18% | 0.34% | 0.27% |
| Average | 0.32% | 1.4% | 0.31% | 1.4% | 0.27% |

Speculation Rates

| Average | Max | Min |
|---|---|---|
| 1.4% | 2.4% | 0.028% |

• For Heavy Users (~500 rqst/day):

| Average | Max | Min |
|---|---|---|
| 7 speculative rqst/day | 12 speculative rqst/day | >1 speculative rqst/day |

POLEN Operating Costs

[Figure: Response Latency (usec) per NFS Operation (getattr, lookup, access, read, write, create) for NFS-minimal, POLEN-minimal, NFS-LAN and POLEN-LAN]

POLEN Application Performance

[Figure: Time (sec) per Benchmark Phase (untar, configure, compile, install, remove) for NFS and POLEN]

Related Work

• Policy Extraction and Inference
  – RBAC Role Mining [Kuhlmann’03, Schlegelmilch’05]
  – XACML AC Property Inference [Anderson’04, Martin’06]
  – Firewall Policy Inference [Golnabi’06, Tongaonkar’07]
  – Gray-Box Systems [Arpaci-Dusseau’01]
• Context-Aware Access Control
  – Secure Collaborations in Mobile Computing [Toninelli’06]
  – Ubiquitous Services [Corradi’04, Yokotama’06]
  – Ad-Hoc Networks [Saidane’07]
  – Web Services [Bhatti’05, Kapsalis’06]

Conclusions and Future Work

• WSBAC: Working Set-Based Access Control for Network File Systems
  – Access control technique that estimates per-user working sets to formulate access control policy for accesses from untrusted devices
  – Prototype design and implementation of POLEX and POLEN
  – Experimental evaluation suggests that WSBAC is highly effective, exhibiting low error rates
• Future Work: Real-World Deployment and User Study
  – Study qualitative impact on users (usability)
  – Produce better network file system traces for future access control studies

Thank You!

http://discolab.rutgers.edu

What is a Network File System?

[Figure labels: Network File Server; Network File System Client; Network File System Accesses]

• Network File System Protocols
  – Composed of client/server messages
  – Requests sent by client
  – Responses sent by server
• NFS (UNIX), CIFS/Samba (Windows), etc.

Policy View Namespace (PVN)

[Figure labels: PVN Root; PVN1; Control; Shadow; Mirrored FS Namespace; FILE METADATA; EFFECTIVE AC; Shadow File Contents]

• Start / Stop Collection
• Modify Collection Parameters
• Modify View Parameters

Accuracy: Errors and Over-Estimations

[Figure: two diagrams of Alice’s Working Set, one captioned "What does over-estimation mean?" and one captioned "What does an error mean?", with accesses marked X and O]