Data-Centric Security

Dawn SongUC Berkeley

Collaboration with Lorenzo Martignoni, Stephen McCamant, Pongsin Poosankam, Matei Zaharia, Scott Shenker, Ion Stoica, Vern Paxson, Emil, Elaine Shi, Petros, David Evans

TRANSFORMATION

HARDWARE SYSTEM ARCHITECTURES

SVA

Binary translation and

emulation

Formal methods

Hardware support for isolation

Dealing with malicious hardware

Cryptographic secure computation

Data-centric security

Secure browser appliance

Secure servers

WEB-BASED ARCHITECTURES

e.g., Enforce properties on a malicious OS

e.g., Prevent dataexfiltration

e.g., Enable complex distributed systems, with resilience to hostile OS’s

Outline

• Data-centric security: protecting the data directly instead of network or host-based protection

• Three examples– Cloud-terminal: providing trusted input/output– Platform for private data– Secure web applications: GuardRails

The Cloud Terminal Architecture for End-to-End Secure Applications

Dawn Songwith Lorenzo Martignoni, Stephen McCamant,

Pongsin Poosankam, Matei Zaharia, Scott Shenker, Ion Stoica, Vern Paxson

Motivation

• Sample application: online banking

• Quickly switch your PC to a secure operation mode

• Application provides a normal-looking graphical interface

• But, information security does not depend on your primary OS or any of its software• Application environment is known clean• Secure even if commodity OS is compromised by malware

Strawman Approach: one VM per app

• Possible approach: one VM per secure app • Pro: strong isolation• Cons:

• Heavy weight• Management overhead• Multiple general-pupose VMs on one machine require complex

hardware virtualization (e.g., Xen)• Must be careful to keep secure VMs clean (e.g., roll back virtual

disk after session)• How can the bank know you're using a secure VM?

• Want to achieve similar isolation, but • Much lighter weight on client side• Centralize the application logic and administration• Enable a new security abstraction

Cloud Terminal Architecture

General-purpose

OS

Securethin

terminal

Lightweight hypervisor

Trusted Computing Hardware

Cloud Rendering Engine

Application

Virtual desktop server

VM

Encrypted tunnel

Secure Thin Terminal

• Coexists with a general-purpose commodity OS• But completely stand-alone and isolated: when it runs,

the untrusted OS is suspended• Display output:

• Reads encrypted bitmaps from the network, and decrypts and displays them

• Inputs• Reads keyboard and mouse events, encrypts and sends them

on the network• Lightweight hypervisor enforces isolation• Trusted boot using a TPM allows remote attestation,

proving the STT is running unmodified on the bare hardware

Cloud Rendering Engine

• Move application logic to centralized servers for ease of administration and protection

• Each user session has its own VM with chosen application

• Virtual desktop server (e.g., VNC) plus encrypting proxy

• Performance optimization• VMs can share disk and memory copy-on-write to minimize

resource usage

• Applications• Standalone• Browser applications

Initial Prototype

Results from Initial Prototype

• Secure Thin Terminal: only a few KLOC • VNC client and drivers for input, graphics, and network

• Interactive latency (e.g., keystroke echo) low, even with a cloud server in another state

• Scalability for cloud rendering engine:• A single commodity server can support more than 100

simultaneous rendering VMs

Outline

• Data-centric security: protecting the data directly instead of network or host-based protection

• Three examples– Cloud-terminal: providing trusted input/output– Platform for private data– Secure web applications: GuardRails

Motivating Applications

Protecting users’ data is an intricate issue!

• Apps selling your data

• Inadvertent disclosure– AOL search log scandal– Netflix contest

• Malware and software compromise– RockYou password leakage

• Insider attack– Google incident

Platform for Private Data

• Provide desired services in the cloud while ensuring security and privacy of customers’ data

• Provide privacy & trust evidence– Customer does not just rely on trust on service provider

• Provide trustworthy audit trails– For forensics, provenance, accountability, dispute

• General architecture for broad applicability• Practical performance & usability

Platform for private data and privacy evidence

Platform for Private Data

Application:Financial advisor

Privacy evidence

Application:Drug side effect tracker

API

Architecture• Secure data capsule

– Data encrypted at rest– Security policy attached to data

• Trusted computing hardware provides root of trust• Secure execution environment

– Data capsule only decrypted in secure execution environment– Only authorized code can access and operate on data

• New programming model for privacy-aware applications• Support for legacy applications

– Program analysis and information flow • Advanced engines for database queries and privacy-preserving data

analytics• Secure auditing

Application

TPM &Processor isolation

Platform for Private Data(TCB)

Privacy evidence

Diff. Priv.

Engine

Application

Operations on sensitive data

Info flow tracking

…

Secure data capsules

QueryEngine

PolicyEngine

AuditEngine

Secure Execution Environment

Outline

• Data-centric security: protecting the data directly instead of network or host-based protection

• Three examples– Cloud-terminal: providing trusted input/output– Platform for private data– Secure web applications: guardrails

20

Ruby on Rails CodePolicy Annotations

Secure Web Application

Attach Policies to Data Little developer effort Improved readability

and analyzabilityAutomatically enforce policies throughout application

Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, David Evans. GuardRails: A Data-Centric Web Application Security Framework. To appear in USENIX WebApps 2011.

OWASP AppSec DC

21

Example PoliciesAnnotation Meaning

@delete, :admin, :to login Only administrators can delete this object

@edit, pswrd, self.id == user.id, :to login

Only the user may change that user’s password

@create, User, log_create; true

Whenever a User object is created, write to log

Policies are attached to classes or individual fields. Can perform arbitrary checking and actions based on read, edit, append, create, destroy events.

Conclusion

• Data-centric security: protecting the data directly instead of network or host-based protection

• Three examples– Cloud-terminal: providing trusted input/output– Platform for private data– Secure web applications: GuardRails

Thank you!

dawnsong@cs.berkeley.edu