5/4/2010
Unified Platform for Secure Networked Information Systems
Duke CPS296.1 Spring 10
Xuanran Zong

Background & Motivation
• Underlying network
  – Accountability
  – Efficient packet tracing
  – Flow analysis
• No integration with the networked information system
  – Focus on a specific threat
  – Different environment

Objective
• Unified declarative platform to
  – Specify
  – Implement
  – Analyze
  – Audit
• Large-scale secure information systems

Building blocks
• Logic-based trust management system (Binder)
• Declarative networking (NDlog)
• SeNDlog
• Data analysis via provenance

Binder
• Query language based on Datalog
• Access control in an untrusted network
• Context
• 'Says'
• Example:
    b1 may-access(P,O,read) :- good(P).
    b2 may-access(P,O,read) :- bob says may-access(P,O,read).
• Why do they choose Binder?

Binder vs NDlog

                              Binder            NDlog
  Network assumption          Untrusted         Trusted
  Export of derived tuples    No restriction    Restricted (location specifier)
  Evaluation order            Top-down (Why?)   Bottom-up (Why?)

SeNDlog
• Unification of Binder and NDlog
• Features
  – Rules are bound to a particular node
  – Example
    At N,
    c1, c2, ..., cn
    r1 p :- p1, p2, ..., pn.
    r2 p1 :- p2, p3, ..., pn.

SeNDlog
• Communication
  – Explicit control of imported and exported tuples
  – Import predicate (body): N says p
  – Export predicate (head): N says p@X
  – Why do we need these restrictions?
    Why not simply use the NDlog style?
  – Example
    At N,
    e1 p(X,Y) :- p1(X), p2(Y).
    e2 p(X,Y,W) :- Y says p1(X), Z says p2(W), Z!=N.
    e3 p(Y,Z)@X :- p1(X), Y says p2(Z).
    e4 Z says p(Y)@X :- Z says p(Y), p1(X).

SeNDlog
• Honesty constraint
  – X says p in the head => X says p in the body
  – Why?
• Extensions
  – Security level: efficiency/security tradeoff
  – Is it necessary?

Some SeNDlog Examples
• Authenticated path-vector protocol
    At Z,
    z1 route(Z,X,P) :- neighbor(Z,X), P=f_initPath(Z,X).
    z2 route(Z,Y,P) :- X says advertise(Y,P), acceptRoute(Z,X,Y).
    z3 advertise(Y,P1)@X :- neighbor(Z,X), route(Z,Y,P), carryTraffic(Z,X,Y), P1=f_concat(X,P).
• Can also implement BGP, P2P, CDN

Another Example
• Secure Chord DHT
    At NI,
    ni1 requestCert(NI,K)@CA :- startNetwork(NI), publicKey(NI,K), MyCA(NI,CA).
    ni2 nodeID(NI,N) :- CA says nodeIDCert(NI,N,K).
    ni3 CA says nodeIDCert(NI,N,K)@LI :- CA says nodeIDCert(NI,N,K), landmark(NI,LI).
    At CA,
    ca1 nodeIDCert(NI,N,K)@NI :- NI says requestCert(NI,K), S=secret(CA,NI), N=f_generateID(K,S).
    At LI,
    li1 acceptJoinRequest(NI) :- CA says nodeIDCert(NI,N,K).

One more example
• Secure DHT-based join processing
    At alice,
    a1 storeA(X,Y)@NI :- tableA(X,Y), K=f_sha(X), NI=Chord::K.
    At bob,
    b1 storeB(X,Y)@NI :- tableB(X,Y), K=f_sha(X), NI=Chord::K.
    At NI,
    r1 results(X,Y)@r :- alice says storeA(X,Y), bob says storeB(Y,Z).
• One more layer of authentication

Secure Query Processing
• Pipelined semi-naïve evaluation (PSN)
  – Asynchronous
• Authenticated PSN
  – Two more operators: SigGenerator, SigChecker
  – Example
    z2a ∆route(Z,Y,P) :- X says ∆advertise(Y,P), acceptRoute(Z,X,Y).
    z2b ∆route(Z,Y,P) :- X says advertise(Y,P), ∆acceptRoute(Z,X,Y).

Layering support and security extensions
• Extract payload, discard multiple headers
• LocSpecDemux to support local overlay dataflow
• Security extension
  – Optional attribute to SigGenerator and SigChecker

Network Provenance
• Capture how each predicate is derived
  – Diagnosis, forensics, trust management
• Naturally fits bottom-up evaluation
• Local vs distributed
• Online vs offline

Network Provenance
• Authenticated provenance

Evaluation
• Comparing the performance of authenticated and non-authenticated execution
• Results
  – Authentication introduces latency, especially on PlanetLab
  – Authentication + provenance doubles the completion time
  – Small message transfers tend to have negligible latency overhead (Chord DHT)
  – Bandwidth-intensive queries tend to have more overhead (best path)

Discussion points
• Untrusted node?
• Query optimization?
• Compilation overhead?
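Added example (not code from the paper or the slides): a static audit of SeNDlog rules in the slide's syntax that reports which tuples a rule imports (X says p in the body), where it exports (p@X in the head), and whether it respects the honesty constraint, i.e. a head of the form X says p is only allowed when X says p also appears in the body. The parser covers the notation used on the slides only (rule label, optional "Speaker says", optional "@Location" on the head, comma-separated body literals, assignments such as P=f_initPath(Z,X) and conditions such as Z!=N). The rule texts are the slide's e1-e4 and ni3 plus one constructed violating rule, bad1, in which node N would be emitting an assertion in Z's name.

```python
"""Static audit of SeNDlog rules: imports, export location and the honesty
constraint ('X says p' in the head requires 'X says p' in the body).

Added example; not code from the paper or the slides.  Parser handles the
slide syntax only: label, optional 'Speaker says', optional '@Loc' on the
head, and a comma-separated body of literals and built-in constraints.
"""
import re

# speaker? pred(args) @loc?    e.g. "Z says p(Y)@X" or "may-access(P,O,read)"
LITERAL = re.compile(
    r"^(?:(?P<speaker>\w+)\s+says\s+)?(?P<pred>[\w-]+)\((?P<args>.*)\)(?:@(?P<loc>\w+))?$")


def split_top_level(text):
    """Split on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_literal(text):
    m = LITERAL.match(text.strip())
    if not m:  # P=f_concat(X,P), Z!=N, ...: built-in constraints, not tuples
        return {"kind": "constraint", "text": text.strip()}
    return {"kind": "literal", "speaker": m["speaker"], "pred": m["pred"],
            "args": split_top_level(m["args"]), "loc": m["loc"]}


def parse_rule(text):
    head_text, body_text = text.strip().rstrip(".").split(":-", 1)
    head_text = head_text.strip()
    label = None
    m = re.match(r"^(\w+)\s+(.*)$", head_text)
    if m and LITERAL.match(m.group(2)):  # leading token is a rule label, not a speaker
        label, head_text = m.group(1), m.group(2)
    return {"label": label, "head": parse_literal(head_text),
            "body": [parse_literal(part) for part in split_top_level(body_text)]}


def audit(rule_text):
    """Summarise a rule: who it imports from, where it exports, and honesty."""
    rule = parse_rule(rule_text)
    head = rule["head"]
    imports = sorted({(lit["speaker"], lit["pred"]) for lit in rule["body"]
                      if lit["kind"] == "literal" and lit["speaker"]})
    # Honesty: a node may relay 'X says p' only if it imported 'X says p'.
    honest = head["speaker"] is None or (head["speaker"], head["pred"]) in imports
    return {"label": rule["label"], "imports": imports,
            "export_to": head["loc"], "honest": honest}


RULES = [
    "e1 p(X,Y) :- p1(X), p2(Y).",
    "e2 p(X,Y,W) :- Y says p1(X), Z says p2(W), Z!=N.",
    "e3 p(Y,Z)@X :- p1(X), Y says p2(Z).",
    "e4 Z says p(Y)@X :- Z says p(Y), p1(X).",
    "ni3 CA says nodeIDCert(NI,N,K)@LI :- CA says nodeIDCert(NI,N,K), landmark(NI,LI).",
    # constructed violation: N has no 'Z says p' to relay, so it would be speaking for Z
    "bad1 Z says p(Y)@X :- p(Y), p1(X).",
]


def violations(rules=RULES):
    """Labels of rules that break the honesty constraint."""
    return [audit(r)["label"] for r in rules if not audit(r)["honest"]]


if __name__ == "__main__":
    for r in RULES:
        print(audit(r))
    print("honesty violations:", violations())
```

Running the audit over the slide's rules flags only the constructed bad1: e4 and ni3 forward another principal's statement unchanged, which the constraint allows, while bad1 would let the local node mint a tuple that the receiver would attribute to Z.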
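Added example (not code from the paper or the slides) for the authenticated PSN and network provenance slides: two nodes run the path-vector rules z1-z3, every exported tuple passes through a SigGenerator and every imported "X says" tuple through a SigChecker, and each derived route tuple records the rule and inputs it came from. Assumptions: HMAC-SHA256 under a constructed pre-shared key per node pair stands in for the public-key signatures of the real system (so it only proves origin to the one peer that shares the key), the rules are hand-coded rather than compiled from SeNDlog, f_initPath and f_concat are modelled as tuples of node names, and the node names x, y, z and attacker m are made up.

```python
"""Authenticated tuple exchange in the style of SeNDlog's SigGenerator and
SigChecker operators, with provenance recorded for every derived tuple.

Added example; not code from the paper or the slides.  HMAC-SHA256 with a
constructed pre-shared key per node pair stands in for real signatures; the
path-vector rules z1-z3 are hand-coded; paths are tuples of node names.
"""
import hashlib
import hmac
import json

# Constructed pre-shared keys, indexed by unordered node pair (demo only).
KEYS = {frozenset({"x", "z"}): b"demo-key-x-z", frozenset({"x", "y"}): b"demo-key-x-y"}


def canonical(speaker, dest, pred, args):
    """Deterministic byte encoding so signer and verifier hash the same thing."""
    return json.dumps([speaker, dest, pred, args], separators=(",", ":")).encode()


def sig_generator(speaker, dest, pred, args):
    """SigGenerator: authenticate the exported tuple 'speaker says pred(args)@dest'."""
    key = KEYS[frozenset({speaker, dest})]
    mac = hmac.new(key, canonical(speaker, dest, pred, args), hashlib.sha256).hexdigest()
    return {"speaker": speaker, "dest": dest, "pred": pred, "args": args, "sig": mac}


def sig_checker(receiver, msg):
    """SigChecker: accept only if the claimed speaker produced this tuple for us."""
    key = KEYS.get(frozenset({msg["speaker"], receiver}))
    if key is None or msg["dest"] != receiver:
        return False
    expected = hmac.new(key, canonical(msg["speaker"], receiver, msg["pred"], msg["args"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["sig"])


class Node:
    def __init__(self, name, neighbors, carry_traffic):
        self.name = name
        self.neighbors = set(neighbors)          # neighbor(Z, X) facts
        self.carry_traffic = set(carry_traffic)  # carryTraffic(Z, X, Y) stored as (X, Y)
        self.provenance = {}                     # route(Z, Y, P) -> (rule, input tuples)
        self.rejected = []                       # messages dropped by SigChecker
        # z1 route(Z,X,P) :- neighbor(Z,X), P=f_initPath(Z,X).
        for x in sorted(self.neighbors):
            self.provenance[(x, (self.name, x))] = ("z1", [("neighbor", self.name, x)])

    def routes(self):
        return set(self.provenance)

    def export_advertise(self):
        """z3 advertise(Y,P1)@X :- neighbor(Z,X), route(Z,Y,P), carryTraffic(Z,X,Y), P1=f_concat(X,P)."""
        msgs = []
        for (y, p) in sorted(self.provenance):
            for x in sorted(self.neighbors):
                if (x, y) in self.carry_traffic:
                    msgs.append(sig_generator(self.name, x, "advertise", [y, list((x,) + p)]))
        return msgs

    def import_advertise(self, msg, accept_route):
        """z2 route(Z,Y,P) :- X says advertise(Y,P), acceptRoute(Z,X,Y)."""
        if not sig_checker(self.name, msg):
            self.rejected.append(msg)
            return None
        x, (y, p) = msg["speaker"], msg["args"]
        p = tuple(p)
        if (x, y) not in accept_route:
            return None
        # Provenance keeps the authenticated import as one of the derivation's inputs.
        self.provenance[(y, p)] = ("z2", [("says", x, "advertise", y, p),
                                          ("acceptRoute", self.name, x, y)])
        return (y, p)


def run_demo():
    """x advertises its route to y to neighbour z; then an attacker m forges one."""
    x = Node("x", neighbors={"y", "z"}, carry_traffic={("z", "y")})
    z = Node("z", neighbors={"x"}, carry_traffic=set())
    accept = {("x", "y")}                          # acceptRoute(z, x, y)
    derived = [z.import_advertise(m, accept) for m in x.export_advertise()]
    forged = dict(x.export_advertise()[0])
    forged["args"] = ["y", ["z", "m", "y"]]        # path rewritten, original MAC kept
    z.import_advertise(forged, accept)             # SigChecker rejects it
    return x, z, derived


if __name__ == "__main__":
    x, z, derived = run_demo()
    print("derived at z:", derived)
    print("provenance:", z.provenance)
    print("rejected:", len(z.rejected))
```

The forged advertise is dropped because the MAC no longer matches the rewritten path, and the provenance entry for the accepted route shows that it rests on an authenticated "x says advertise" tuple plus z's own acceptRoute policy, which is the information an auditor needs to trace a bad route back to the node that asserted it.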