FileWall: Implementing File Access Policies Using Dynamic Access Context
Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode
DiscoLab
Department of Computer Science
Rutgers University
Workshop on Spontaneous Networking
May 12, 2006
File System Management
Organization: Too many files, directories, servers…
Protection: Left to the discretion of the owner
Dynamism: Cannot be incorporated without file system extension
Administrator has little control over file access policies
Observations
File names are powerful: they can be used to implement access policies
All file system accesses are performed through messages: message transformations can be used to enforce policies, and file system state can be constructed from the information contained in messages
Access policies can therefore be implemented by interposition and message transformation
FireWall
Interposes on the client-server path
Stores network flow history
Evaluates each message against the firewall policies
Passes-through, drops, or transforms network packets
FileWall
Interposes on the client-server path
Stores file access history
Evaluates each message against FileWall policies
Transforms file system messages
FileWall constructs virtual namespaces from file system namespaces and access policies through message transformation
Applications of FileWall Model
Access control
Quality of Service (QoS)
File system organization
Intrusion detection
Information Lifecycle Management (ILM)
Data transformations
…
Outline
Motivation
Design: Access Context, FileWall Policies
Implementation
Evaluation
Related Work
Conclusions
Access Context
Access history: access statistics and the sequence of accesses; describes user behavior
Environment: time, available disk space, CPU load, etc.
Maintaining Access Context
Requirements:
Compact representation
Contains semantic information which describes user behavior
Easy to understand and specify
Soft state
![Page 13: FileWall : Implementing File Access Policies Using Dynamic Access Context Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode DiscoLab Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062407/56649d415503460f94a1bb40/html5/thumbnails/13.jpg)
Workshop on Spontaneous Networking
Access Tree
Node = file "run": a group of accesses performed by the same application, from open to close, or approximated using clustered accesses
Attributes: file name, type of run (READ, WRITE, etc.), operation count
Edge: the child run started after and ended before its parent
Depth-first traversal defines the sequence of runs in an access tree
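As an added illustration (not the authors' code), the C program below builds an access tree from a constructed open/read/write/close trace: each open starts a run nested under the innermost open run, reads and writes are counted against that run, and a depth-first traversal yields the run sequence. The event types, the trace and its file names are assumptions for this example.

```c
#include <string.h>
/* Constructed illustration of the access tree above, not the authors' code.
 * A run groups one application's accesses to a file from open to close; a run
 * that starts after and ends before another run becomes its child. */
#define MAX_RUNS 32
#define MAX_NAME 32
enum op { OPEN, READ, WRITE, CLOSE };
struct event { enum op op; const char *file; };          /* one trace message */
struct run { char file[MAX_NAME]; unsigned reads, writes; int first_child, next_sibling; };
struct tree { struct run runs[MAX_RUNS]; int n; };       /* runs[0] is Root; -1 = no link */

static int add_run(struct tree *t, int parent, const char *file) {
    int id = t->n++, *slot = &t->runs[parent].first_child;
    t->runs[id] = (struct run){ "", 0, 0, -1, -1 };
    strncpy(t->runs[id].file, file, MAX_NAME - 1);
    while (*slot != -1) slot = &t->runs[*slot].next_sibling;  /* append: keep start order */
    return *slot = id;
}
/* Position in the open-run stack of the most recent run on file, or -1. */
static int find_open(const struct tree *t, const int *st, int depth, const char *file) {
    for (int k = depth - 1; k >= 0; k--)
        if (strcmp(t->runs[st[k]].file, file) == 0) return k;
    return -1;
}
/* Build the tree from a trace; returns the node count (Root included), or -1
 * when a read, write or close names a file that has no open run. */
int build_tree(struct tree *t, const struct event *ev, int n) {
    int st[MAX_RUNS], depth = 0;                         /* open runs, innermost last */
    t->runs[0] = (struct run){ "Root", 0, 0, -1, -1 };
    t->n = 1;
    for (int i = 0; i < n; i++) {
        int k = find_open(t, st, depth, ev[i].file);
        if (ev[i].op == OPEN) {
            int parent = depth ? st[depth - 1] : 0;      /* nest under innermost open run */
            if (t->n >= MAX_RUNS) return -1;
            st[depth++] = add_run(t, parent, ev[i].file);
        } else if (k < 0) {
            return -1;
        } else if (ev[i].op == CLOSE) {                  /* drop from stack; overlap tolerated */
            for (; k < depth - 1; k++) st[k] = st[k + 1];
            depth--;
        } else if (ev[i].op == READ) t->runs[st[k]].reads++;  /* reads/writes give run type */
        else t->runs[st[k]].writes++;
    }
    return t->n;
}
static int dfs(const struct tree *t, int id, int *out, int k) {
    out[k++] = id;
    for (int c = t->runs[id].first_child; c != -1; c = t->runs[c].next_sibling)
        k = dfs(t, c, out, k);
    return k;
}
/* Depth-first traversal from Root: fills out[] with run ids, returns count. */
int run_sequence(const struct tree *t, int *out) { return dfs(t, 0, out, 0); }

/* Constructed trace: a compiler reads a.c and writes a.o while a.c is still
 * open (nested run), then a separate tool appends to build.log. */
static const struct event TRACE[] = {
    {OPEN, "a.c"}, {READ, "a.c"}, {READ, "a.c"}, {OPEN, "a.o"}, {WRITE, "a.o"},
    {CLOSE, "a.o"}, {CLOSE, "a.c"}, {OPEN, "build.log"}, {WRITE, "build.log"},
    {CLOSE, "build.log"} };
int DEMO_SEQ[MAX_RUNS], DEMO_LEN;
/* Builds the tree for TRACE and stores its run sequence in DEMO_SEQ/DEMO_LEN. */
const struct tree *demo_tree(void) {
    static struct tree t;
    if (build_tree(&t, TRACE, (int)(sizeof TRACE / sizeof TRACE[0])) < 0) return NULL;
    DEMO_LEN = run_sequence(&t, DEMO_SEQ);
    return &t;
}
```

For the trace above the sequence is Root, a.c (READ run), a.o (WRITE run nested under a.c), build.log (WRITE run).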
Access Tree Example
Sequence of runs: Read 1, Create/Delete 2, Read/Write 3, Write 1 (figure: access tree with Root at the top and run nodes labelled 1, 2, 3 and 1 beneath it)
FileWall Policies
Transform messages (requests and replies)
Sequence of rules: INPUT and OUTPUT
Use: access context; file attributes contained in messages
FileWall Policy Example
Policy: "Show files accessed today"
For each client-visible file: Access Time = TODAY
Transform the directory listing messages READDIR and READDIRPLUS
FileWall Policy Example (figure: animated message flow; the client's READDIR request enters FileWall, which consults AccessContext and Policies, forwards it to the server as READDIRPLUS, and transforms the READDIRPLUS reply back into the READDIR reply the client expects)
Policy Descriptors
INPUT rule:
```c
int fwin(rpc_msg request) {
    if (request.proc == READDIR) {
        request.proc = READDIRPLUS;   /* ask the server for attributes too */
        return FORWARD;
    }
    return FORWARD;   /* other requests pass through unchanged (left implicit on the slide) */
}
```
OUTPUT rule:
```c
int fwout(rpc_msg reply) {
    if (reply.proc == READDIRPLUS) {
        FOREACH (entp in reply) {
            if (entp.atime == TODAY)
                copy_entry(res_entp, entp);   /* keep only entries accessed today */
        }
        reply.entries = res_entp;
        reply.proc = READDIR;   /* hand the client the READDIR reply it asked for */
        return FORWARD;
    }
    return FORWARD;
}
```
Specified as C programs and compiled as loadable shared modules
Implementation
FileWall: Click Modular Router; NFS over UDP
FileWall Client: SFS toolkit; session establishment; bootstrapping (identify the list of available file systems)
Interposition Overhead: Emacs Compilation
Case Study: Flash Crowd Mitigation
General-purpose server: email, user homes, web server; files mounted over NFS
Web servers are prone to flash crowds
Current policies: rate limit the number of requests; disable the web server
Mitigating Flash Crowds with FileWall
Access context: rate of sequential file reads, directory listings, etc.
Policy: hide files whose rate is greater than a threshold; show them again when the rate falls below the threshold
Only the source of the flash crowd disappears from the namespace
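An added example, not the FileWall implementation, sketching this policy in C: an INPUT rule records READ requests per file as the access context, and an OUTPUT rule drops READDIR entries whose read rate over the last 10 seconds exceeds 5 reads/second, so that only the hammered file disappears and reappears once the rate drops. The window, threshold, message structures and the constructed flash-crowd trace are assumptions.

```c
#include <string.h>
/* Constructed sketch of the flash-crowd policy above, not the FileWall code.
 * Access context = per-file timestamps of recent READ requests (soft state);
 * the OUTPUT rule hides directory entries whose read rate exceeds a threshold. */
#define MAX_FILES 16
#define MAX_NAME 32
#define RING 128            /* timestamps remembered per file */
#define WINDOW 10L          /* seconds over which the rate is measured (assumed) */
#define THRESHOLD 5.0       /* reads/second above which a file is hidden (assumed) */
enum verdict { FORWARD, DROP };
struct file_ctx { char name[MAX_NAME]; long ts[RING]; int head, count; };
struct access_context { struct file_ctx f[MAX_FILES]; int n; };
struct readdir_reply { const char *entries[MAX_FILES]; int n; };
static struct file_ctx *find(struct access_context *ctx, const char *name) {
    for (int i = 0; i < ctx->n; i++)
        if (strcmp(ctx->f[i].name, name) == 0) return &ctx->f[i];
    return NULL;
}
/* INPUT rule for READ requests: record the access in the context, forward it. */
enum verdict fwin_read(struct access_context *ctx, const char *name, long now) {
    struct file_ctx *fc = find(ctx, name);
    if (!fc) {
        if (ctx->n >= MAX_FILES) return FORWARD;        /* context full: untracked */
        fc = &ctx->f[ctx->n++];
        memset(fc, 0, sizeof *fc);
        strncpy(fc->name, name, MAX_NAME - 1);
    }
    fc->ts[fc->head] = now;                             /* ring buffer, oldest overwritten */
    fc->head = (fc->head + 1) % RING;
    if (fc->count < RING) fc->count++;
    return FORWARD;
}
/* Reads per second observed for a file over the last WINDOW seconds. */
double read_rate(struct access_context *ctx, const char *name, long now) {
    struct file_ctx *fc = find(ctx, name);
    int recent = 0;
    if (!fc) return 0.0;
    for (int i = 0; i < fc->count; i++)
        if (now - fc->ts[i] < WINDOW) recent++;
    return (double)recent / WINDOW;
}
/* OUTPUT rule for READDIR replies: drop only the entries being hammered. */
enum verdict fwout_readdir(struct access_context *ctx, struct readdir_reply *r, long now) {
    int kept = 0;
    for (int i = 0; i < r->n; i++)
        if (read_rate(ctx, r->entries[i], now) <= THRESHOLD)
            r->entries[kept++] = r->entries[i];
    r->n = kept;
    return FORWARD;
}
/* Constructed scenario: 80 reads of index.html (a flash crowd) and 2 reads of
 * notes.txt, all between t=0 and t=9. */
static void flash_crowd(struct access_context *ctx) {
    ctx->n = 0;
    for (long t = 0; t < 10; t++) {
        for (int i = 0; i < 8; i++) fwin_read(ctx, "index.html", t);
        if (t < 2) fwin_read(ctx, "notes.txt", t);
    }
}
double scenario_rate(const char *name, long now) {
    struct access_context ctx; flash_crowd(&ctx);
    return read_rate(&ctx, name, now);
}
/* Entries a client sees in a listing of the directory answered at time now. */
int visible_entries(long now) {
    struct access_context ctx; flash_crowd(&ctx);
    struct readdir_reply reply = { { "index.html", "notes.txt", "report.pdf" }, 3 };
    fwout_readdir(&ctx, &reply, now);
    return reply.n;
}
```

At t=9 the listing shows only notes.txt and report.pdf; by t=15 index.html's rate has dropped to 3.2 reads/second and it is visible again.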
Results
Related Work
Infokernel [Arpaci-Dusseau '03], firewall/NAT
Access context: desktop search [Soules '03]; file system prefetching [Amer '02, Lei '97]; enforcing enterprise-wide policies [He '05]
Semantic file systems [Sheldon '91, Pike '93, Neuman '92, Rao '93]
Extensible file systems [Zadok '00, Tewari '05]
Future Work
User study; real deployment; behavior models
Policy language: constraints; debugging and logging
Data transformations: censorship; protocol translations (NFS -> CIFS, recipe-based file system (CASPER), IP -> RDMA); video encoding; content adaptation
Conclusions
Per-file access policies can be enforced using virtual namespaces: no client or server modification required; soft state maintenance required
Provides administrators the ability to define a wide variety of access policies: protect file systems; provide quality of service
Thank You
Questions?
Evaluation
Dell PowerEdge 2600 systems: dual 2.4 GHz Intel Xeon processors, 1 GB RAM, 36 GB 15000 RPM SCSI disk
Linux; Gigabit Ethernet switch
QoS Policy
Policy Enforcement Requirements
Expressive
Deployable
Scalable
Available