PPD: Platform for Private Data
Transcript of PPD: Platform for Private Data
Page 1
PPD: Platform for Private Data
Mohit Tiwari, with Krste Asanović, Dawn Song, Petros Maniatis*, Prashanth Mohan, Charalampos Papamanthou, Elaine Shi, Emil Stefanov, Nguyen Tran
UC Berkeley, Intel*
Page 2
The Age of Big Data
Plentiful, and Private
Page 3
Rich Applications
(chart: application richness over time; axes: Time, Richness)
Page 4
Vulnerable software
(Un)intentional Misuse
Insider Attacks
Need Data Protection as a Service
Page 5
Ideal: Privacy Preserving Cloud
(diagram: End User, Developer, Cloud provider; labels: privacy evidence, privacy policy, API, App)
Page 6
Ideal: Platform for Private Data
• Data protection as a service
• Users
  – control access to their data
  – access third-party applications
• Developers
  – save resources, need not be security experts
  – access personal data hitherto unavailable
Page 7
Challenge #1: Untrusted applications own users’ data.
(diagram: End User, Developer, Cloud provider; label: API)
Page 8
Challenge #2: Novice Users
Page 9
PPD: Platform for Private Data
(diagram: End User, Developer, PPD, Cloud provider; labels: privacy evidence, intuitive privacy policy, API, App; App + Guest OS; private data vault; sealed container)
Page 10
Outline of this talk
• PPD: Platform for Private Data
• PPD Architecture
• PPD Prototype and Evaluation
Page 11
PPD Applications
Cloud Storage
Personal Documents
Real-time applications
E-commerce
Social applications
Miscellaneous: Browsing, peer-to-peer
(label: user-initiated sharing)
Page 12
PPD Architecture: Users
(diagram: End-User, Hardware with TPM, PPD Cloud Provider, Untrusted Storage, Trusted User Interface, Protected Channel)
ACLs (id, o = owner, r = read, w = write): A.tax, A, A, A
Page 13
PPD Architecture: Applications
(diagram: Application Container holding an App, i.e. an Untrusted Application; End-User, Developer; Hardware with TPM; PPD Cloud Provider with PPD Controller and ACL Manager; Cleartext data; Untrusted Storage; Trusted User Interface)
Channel: uni-directional
Container access: per-capsule: RW; per-user: R all, W flagged
Page 14
PPD Architecture: Storage
(diagram: App, Untrusted Application; End-Users, Developers; Hardware with TPM; PPD Cloud Provider with PPD Controller and ACL Manager; PPD Storage Proxy; Storage Container for Dedup, Caching, Replication, …; Integrity check; Untrusted Storage; Trusted User Interface)
Page 15
PPD Timeline #1: User attests Client
Participants: User (Alice), Client, Cloud Server (Trusted PPD Server)
Steps: TPM.send(hw id); Attest(code); Response (result), separation kernel on client checked; sitekey, client attested
Page 16
PPD Timeline #2: User launches App
Participants: User (Alice), Client, Cloud Server
Steps: Launch trusted UI; Authentication; Launch application; App communication
Components on client and server: Trusted PPD Kernel; PPD UI, Control; App + Guest OS
Page 17
User and Developer Interface
• User creates data capsules
  – personal by default and decides who to share it with
  – does not specify a lattice of security labels
• PPD System provides trusted UI to user
  – User conveys change of ACLs to PPD
• Developers can request
  – Application Containers: per-user, per-data-capsule
  – Storage Containers: per-application, per-system
Page 18
Outline of this talk
• PPD: Platform for Private Data
• PPD Architecture
• PPD Prototype and Evaluation
Page 19
PPD Building Blocks
• Data capsules
  – E.g. “tax documents”, “thanksgiving”
  – System assigns ACL as private by default
• Protected Containers
  – Linux containers (LXC), Copy-on-write FS (UnionFS).
  – Stops all explicit communication, except channels.
  – Hardware side channels, timing leaks out of scope
Page 20
PPD Building Blocks
• Protected Channels
  – iptables firewall rules for LXC containers
  – Encryption, integrity-checking (TLS/SSL for network)
  – Trusted Channel from User to PPD to change ACLs
• Storage Proxies
  – Key-value proxy: put, get, and setACL interface
  – File-system proxy: fuse-based layer on key-val proxy
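The key-value proxy interface and the private-by-default ACLs from the building-block slides, modelled as an added example (not the PPD prototype's code): capsules start owned and readable only by their creator, only the owner changes an ACL (the slides route that through the trusted UI channel), and each blob stored in untrusted storage carries a MAC so the proxy's integrity check catches tampering. Class and method names, the MAC construction and the sample capsule `A.tax` are assumptions.

```python
"""Toy model of the PPD key-value storage proxy (put/get/setACL) over an
untrusted store: capsules are private by default, only the owner can change
an ACL, and each blob carries a MAC so tampering in storage is detected.
Added illustration, not the PPD prototype's code; all names are assumptions."""
import hashlib
import hmac


class AccessDenied(Exception): ...


class IntegrityError(Exception): ...


class KVProxy:
    def __init__(self, mac_key: bytes):
        self.key = mac_key    # held by the trusted proxy, never by the store
        self.store = {}       # untrusted storage: capsule id -> (blob, tag)
        self.acls = {}        # ACL store: capsule id -> {"o", "r", "w"}

    def _tag(self, cid: str, blob: bytes) -> bytes:
        # bind the tag to the capsule id so blobs cannot be swapped between ids
        return hmac.new(self.key, cid.encode() + b"\0" + blob, hashlib.sha256).digest()

    def put(self, user: str, cid: str, blob: bytes) -> None:
        acl = self.acls.get(cid)
        if acl is None:
            # new capsule: private by default, creator is owner, reader and writer
            self.acls[cid] = {"o": user, "r": {user}, "w": {user}}
        elif user not in acl["w"]:
            raise AccessDenied(f"{user} may not write {cid}")
        self.store[cid] = (blob, self._tag(cid, blob))

    def get(self, user: str, cid: str) -> bytes:
        acl = self.acls.get(cid)
        if acl is None or user not in acl["r"]:
            raise AccessDenied(f"{user} may not read {cid}")
        blob, tag = self.store[cid]
        if not hmac.compare_digest(tag, self._tag(cid, blob)):
            raise IntegrityError(f"{cid} was modified in untrusted storage")
        return blob

    def set_acl(self, user: str, cid: str, readers=(), writers=()) -> dict:
        # only the owner, speaking over the trusted UI channel, changes an ACL
        acl = self.acls.get(cid)
        if acl is None or acl["o"] != user:
            raise AccessDenied(f"{user} does not own {cid}")
        acl["r"] = {acl["o"], *readers}
        acl["w"] = {acl["o"], *writers}
        return acl
```

Sharing "A.tax" with B then gives B read access only, and a blob altered behind the proxy's back is rejected on the next `get` rather than handed to an application.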
Page 21
PPD Building Blocks
• PPD Controller
  – manages containers and channels
  – dynamically creates containers based on user or application requests
  – assigns iptables rules for all containers
• Remote Attestation
  – Intel TXT, TPM v1.2
  – attest correct PPD code on untrusted machines
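How a controller can turn "stops all explicit communication, except channels" into iptables rules for one LXC container, as an added example (not the PPD controller's code): every declared channel is uni-directional in the sense that only one side may open connections, enforced with conntrack states, and everything else to or from the container is logged and dropped. The `Channel` type, the function name and the IP addresses are assumptions.

```python
"""Model of how a PPD controller could turn a container's allowed channels into
iptables FORWARD rules: default-deny for the container, then open only the
declared channels, each initiated from one side only.
Added illustration, not the PPD controller's code; names and IPs are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    peer_ip: str        # the only endpoint this container may talk to
    port: int           # TCP port on the initiator's target
    initiated_by: str   # "container" or "peer": who may open connections


def container_rules(container_ip: str, channels: list) -> list:
    """Return iptables rules for one LXC container, ACCEPTs before DROPs."""
    rules = []
    for ch in channels:
        if ch.initiated_by == "container":
            src, dst = container_ip, ch.peer_ip
        elif ch.initiated_by == "peer":
            src, dst = ch.peer_ip, container_ip
        else:
            raise ValueError(f"unknown initiator {ch.initiated_by!r}")
        # the initiator may open new connections only to the declared port
        rules.append(f"-A FORWARD -s {src} -d {dst} -p tcp --dport {ch.port}"
                     f" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
        # the other side may only answer on that established connection
        rules.append(f"-A FORWARD -s {dst} -d {src} -p tcp --sport {ch.port}"
                     f" -m conntrack --ctstate ESTABLISHED -j ACCEPT")
    # everything else to or from the container is logged, then dropped
    rules.append(f"-A FORWARD -s {container_ip} -j LOG --log-prefix 'ppd-drop: '")
    rules.append(f"-A FORWARD -s {container_ip} -j DROP")
    rules.append(f"-A FORWARD -d {container_ip} -j DROP")
    return rules


if __name__ == "__main__":
    # constructed sample: an application container allowed only to reach the storage proxy
    for rule in container_rules("10.0.3.10", [Channel("10.0.3.2", 443, "container")]):
        print("iptables", rule)
```

The LOG line is what a defender would watch: any hit means an application inside a container tried to talk outside its declared channels.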
Page 22
PPD Applications
• Friendshare: online storage with de-duplication (like Dropbox)
• Git: repository version control server
• Etherpad: online, collaborative editing (like Google Docs)
Page 23
PPD Prototype
(diagram: End Users; Application Layer: TLS Proxy, TLS Proxy, EtherPad, FriendShare, Controller, ACL Store, ACL changes; Storage Layer: K/V Proxy, FS Proxy, DeDup, Secure Block Device, Storage; LXC Containers on Linux Kernel with IPTables; TPM Chip (Remote Attestation))
Page 24
Eval: Porting Apps for PPD
• Scripts to install and configure apps in containers
• Application v. Storage containers
  – Friendshare
    • Application: Scan directories, chunk files, change ACL
    • Storage: De-duplication
  – Git, Etherpad
    • Application: entire functionality
Page 25
Eval: PPD Application Performance
• Minimal effect on Friendshare throughput
(charts: Small Requests: 10 filenames; Big Requests: 10KB images)
Page 26
PPD Application Performance
• Minimal effect on Friendshare latency
Page 27
Summary
• PPD: New Data-Centric Cloud Platform
  – user controlled sharing
  – rich, mostly legacy applications
• PPD Architecture
  – untrusted application and storage components
• PPD Prototype and Evaluation
  – small performance and porting cost
Page 28
The PPD Team
Page 29
Current and Future Work
• Applications
  – medical applications, business data analytics
• Client-side PPD on Android
  – light-weight containers and channels on Nexus S
• Application initiated sharing
  – differential privacy
Page 30
Related Approaches
• DIFC
  – PPD does not do fine-grained information flow tracking
  – Constrained containers + Dev API = simple system
• Capabilities
  – Can be used to implement containers and channels
  – Re-write legacy applications
• Android Security
  – Static, Coarse-grained permissions
  – User does not own data
Page 31
Conclusion
(diagram: End User, Developer, PPD, Cloud provider; labels: privacy evidence, privacy policy, API, App)
Page 32
Backups
Page 33
PPD Insights
• Co-design UI and System software
  – User decisions are intuitive (“share doc with Bob”)
  – System manages untrusted apps and private data
• Developer API
  – Per-user functionality v. Cross-user Optimizations
• Privacy: Data owners’ access control policy
  – Apps ‘see’ data only in sealed containers
Page 34
Summary
Page 35
PPD Evaluation: Etherpad
Page 36
PPD Evaluation: Git
Page 37
PPD: Platform for Private Data
• PPD is a data-centric cloud platform
  – rich, untrusted applications
  – strong privacy guarantees for end user
• PPD will spark innovation
  – through apps from small developers
  – making more private data available
Page 38
PPD Design
• Simplest: User + PPD
  – Data capsules + ACL: (UI)
• Next: User + Application (front-end) + PPD
  – Per-user, Sharing
• Next: + Backend Storage
  – Rich optimizations, integrity checked