Presentation is loading. Please wait.

Presentation is loading. Please wait.

Working Set-Based Access Control for Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science.

Published byIsabelle Lemmons Modified over 10 years ago

Similar presentations

Presentation on theme: "Working Set-Based Access Control for Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science."— Presentation transcript:

1 Working Set-Based Access Control for Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University of New Jersey { smaldone, vinodg, iftode }@cs.rutgers.edu

2 June 5, 2009SACMAT 20092 Mobile Access to Network File Systems Increasing Alice @Trusted Network File Servers Alice @Untrusted Personal Device Corporate Intranet VPN Server Firewall Internet VPN File Accesses

3 June 5, 2009SACMAT 20093 The Working Set Concept The working set of a process is the collection of information referenced by the process during a time interval. [Denning 1968] –Temporal locality of a process memory accesses –Memory pages to keep resident in memory to optimize performance now and in the near future –Informs memory page replacement algorithms to avoid thrashing

4 June 5, 2009SACMAT 20094 WSBAC: Working Set-Based Access Control Setting –Trusted Devices vs. Untrusted Devices Applies the working set principle to network file system security (access control) –Learn working set during trusted accesses –Enforce working set during untrusted accesses

5 June 5, 2009SACMAT 20095Contributions Working Set-Based Access Control (WSBAC) –Novel access control technique that estimates per-user file access working sets and enforces during access from untrusted devices Prototype Implementation of WSBAC for Network File Systems –POLEX: Working set policy extraction –POLEN: Working set policy enforcement Evaluation using Real-World Network File System Traces –Experimental evaluation of WSBAC using real-world NFS traces, which suggests that WSBAC is feasible and highly-effective

6 June 5, 2009SACMAT 20096Outline Introduction WSBAC Architecture FileWall WSBAC Design and Implementation Evaluation and Results Related Work Conclusions and Future Work

7 June 5, 2009SACMAT 20097 WSBAC Architecture Overview POLEX POLEN File Server 1 2 1 1 2 3 3 Untrusted Devices Working Sets Trusted Network Domain (Corporate Intranet) POLEN Vault Area Trusted Devices

8 June 5, 2009SACMAT 20098 Working Sets Switch POLEX: POLicy EXtraction for Network File Systems File Server Policy View Namespace (PVN) POLEX Administrator Trusted Devices

9 June 5, 2009SACMAT 20099 POLEN: POLicy ENforcement for Network File Systems Working Sets File Server POLEN Untrusted Devices Reliable Secondary Authentication Mechanism WSBAC Virtual Namespace POLEN Vault Area

10 June 5, 2009SACMAT 200910 Implementation using FileWall Network File Server FileWall Network File System Client Network File System Accesses Network File System Protocols –Composed of client/server messages –Requests sent by client –Responses sent by server FileWall: An NFS Middlebox –Interposed on client/server path –External to client/server path

11 June 5, 2009SACMAT 200911 FileWall Architecture FileWall: A Firewall for Network File System, S. Smaldone, A. Bohra, and L. Iftode. In the Proceedings of the 3rd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'07). Scheduler Forwarder Access Context FileWall Policy Request Handler File Server … FS Client Response Handler

12 June 5, 2009SACMAT 200912 The POLEX Implementation The POLEX Implementation Forwarder Access Context POLEX Extraction Handler Scheduler Network File System Stream Administrator View Handlers Working Set Summaries (Bloom Filters)

13 June 5, 2009SACMAT 200913 The POLEN Implementation Forwarder Access Context POLEN Enforcement Handler Scheduler Network File System Stream Speculation Handler File Server Client or Vault Area Working Set Summaries (Bloom Filters)

14 June 5, 2009SACMAT 200914Outline Introduction WSBAC Architecture FileWall WSBAC Design and Implementation Evaluation and Results Related Work Conclusions

15 June 5, 2009SACMAT 200915Evaluation Goals –What are the working set estimation costs (space and time)? –How accurate is working set estimation? –How time sensitive are working set estimates? –How much does speculation reconciliation impact users? –What are the network file system performance overheads? Setup –Systems: Dual 2.4 GHz CPUs, 3 GB RAM, Linux 2.6 –Perform offline analysis using Harvard File System Traces [Ellard03] –Custom NFS fine-grained file access generation utility –OpenSSH compilation as application performance benchmark

16 June 5, 2009SACMAT 200916 POLEX Time and Storage Requirements Size of TraceTime to AnalyzeState Size 1 Day (~3.3 GB - 6,308,023 Req/Res Pairs)52 min154MB 1 Hour (~140 MB - 262,834 Req/Res Pairs)2.49 min154MB

17 June 5, 2009SACMAT 200917 POLEX Accuracy Average Error RateOver-Estimation Rate Run 11.08%31.6% Run 20.76%41.2% Run 31.02%42.5% Run 40.79%36.5% Run 50.97%42.9% Average0.92%38.9%

18 June 5, 2009SACMAT 200918 POLEX Sensitivity Day 1Day 2Day 3Day 4Day 5 User 10.26%0.03%0.02%0.01% User 20.31%4.4%0.0%3.3%0.27% User 30.37%0.36%0.82%2.5%0.61% User 40.48%1.8%0.55%0.66%0.11% User 50.18%0.28%0.18%0.34%0.27% Average0.32%1.4%0.31%1.4%0.27%

19 June 5, 2009SACMAT 200919 Speculation Rates AverageMaxMin 1.4%2.4%0.028% AverageMaxMin 7 speculative rqst/day12 speculative rqst/day>1 speculative rqst/day For Heavy Users (~500 rqst/day):

20 June 5, 2009SACMAT 200920 POLEN Operating Costs

21 June 5, 2009SACMAT 200921 POLEN Application Performance

22 June 5, 2009SACMAT 200922 Related Work Policy Extraction and Inference –RBAC Role Mining [Kuhlmann03, Schlegelmilch05] –XACML AC Property Inference [Anderson04, Martin06] –Firewall Policy Inference [Golnabi06, Tongaonkar07] –Gray-Box Systems [Arpaci-Dusseau01] Context-Aware Access Control –Secure Collaborations in Mobile Computing [Toninelli06] –Ubiquitous Services [Corradi04, Yokotama06] –Ad-Hoc Networks [Saidane07] –Web Services [Bhatti05, Kapsalis06]

23 June 5, 2009SACMAT 200923 Conclusions and Future Work WSBAC: Working Set-Based Access Control for Network File Systems –Access control technique that estimates per-user working sets to formulate access control policy for accesses from untrusted devices –Prototype design and implementation of POLEX and POLEN –Experimental evaluation suggests that WSBAC is highly effective, exhibiting low error rates Future Work: Real-World Deployment and User Study –Study qualitative impact on users (usability) –Produce better network file system traces for future access control studies

24 Thank You! http://discolab.rutgers.edu

25 June 5, 2009SACMAT 200925 What is a Network File System? Network File Server Network File System Client Network File System Accesses Network File System Protocols –Composed of client/server messages –Requests sent by client –Responses sent by server NFS (UNIX), CIFS/Samba (Windows), etc.

26 June 5, 2009SACMAT 200926 Policy View Namespace (PVN) PVN Root PVN1 Control Shadow Mirrored FS Namespace FILE METADATA EFFECTIVE AC Shadow File Contents Start / Stop Collection Modify Collection Parameters Modify View Parameters

27 June 5, 2009SACMAT 200927 Alices Working Set Accuracy: Errors and Over-Estimations What does over-estimation mean? Alices Working Set What does an error mean? X X X O O O

Download ppt "Working Set-Based Access Control for Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science."

Similar presentations

Symantec 2010 Windows 7 Migration EMEA Results. Methodology Applied Research performed survey 1,360 enterprises worldwide SMBs and enterprises Cross-industry.

Symantec 2010 Windows 7 Migration EMEA Results. Methodology Applied Research performed survey 1,360 enterprises worldwide SMBs and enterprises Cross-industry.
Symantec 2010 Windows 7 Migration Global Results.

Symantec 2010 Windows 7 Migration Global Results.
AGVISE Laboratories %Zone or Grid Samples – Northwood laboratory

AGVISE Laboratories %Zone or Grid Samples – Northwood laboratory
Design and Evaluation of an Autonomic Workflow Engine Thomas Heinis, Cesare Pautasso, Gustavo Alsonso Dept. of Computer Science Swiss Federal Institute.

Design and Evaluation of an Autonomic Workflow Engine Thomas Heinis, Cesare Pautasso, Gustavo Alsonso Dept. of Computer Science Swiss Federal Institute.
COMP 110: Introduction to Programming Tyler Johnson Feb 18, 2009 MWF 11:00AM-12:15PM Sitterson 014.

COMP 110: Introduction to Programming Tyler Johnson Feb 18, 2009 MWF 11:00AM-12:15PM Sitterson 014.
COMP 110: Introduction to Programming Tyler Johnson Feb 25, 2009 MWF 11:00AM-12:15PM Sitterson 014.

COMP 110: Introduction to Programming Tyler Johnson Feb 25, 2009 MWF 11:00AM-12:15PM Sitterson 014.
COMP 110: Introduction to Programming Tyler Johnson Mar 16, 2009 MWF 11:00AM-12:15PM Sitterson 014.

COMP 110: Introduction to Programming Tyler Johnson Mar 16, 2009 MWF 11:00AM-12:15PM Sitterson 014.
COMP 110: Introduction to Programming Tyler Johnson Apr 20, 2009 MWF 11:00AM-12:15PM Sitterson 014.

COMP 110: Introduction to Programming Tyler Johnson Apr 20, 2009 MWF 11:00AM-12:15PM Sitterson 014.
COMP 110: Introduction to Programming Tyler Johnson Apr 13, 2009 MWF 11:00AM-12:15PM Sitterson 014.

COMP 110: Introduction to Programming Tyler Johnson Apr 13, 2009 MWF 11:00AM-12:15PM Sitterson 014.
COMP 110: Introduction to Programming Tyler Johnson January 12, 2009 MWF 11:00AM-12:15PM Sitterson 014.

COMP 110: Introduction to Programming Tyler Johnson January 12, 2009 MWF 11:00AM-12:15PM Sitterson 014.
COMP 110: Introduction to Programming Tyler Johnson Mar 25, 2009 MWF 11:00AM-12:15PM Sitterson 014.

COMP 110: Introduction to Programming Tyler Johnson Mar 25, 2009 MWF 11:00AM-12:15PM Sitterson 014.
COMP 110: Introduction to Programming Tyler Johnson Apr 27, 2009 MWF 11:00AM-12:15PM Sitterson 014.

COMP 110: Introduction to Programming Tyler Johnson Apr 27, 2009 MWF 11:00AM-12:15PM Sitterson 014.
Covert Barcodes handle on-the-spot Brand and Document Authentication Information Management Institute Conference on Security Printing 11/18/2009 Read what.

Covert Barcodes handle on-the-spot Brand and Document Authentication Information Management Institute Conference on Security Printing 11/18/2009 Read what.
2010 Tax Class1 Day 3 Class Participation Class Exercise – Paul Austin Publ. 4491-W Exercise page 98 Advanced Section.

2010 Tax Class1 Day 3 Class Participation Class Exercise – Paul Austin Publ W Exercise page 98 Advanced Section.
Tax Year 20091 TYPES OF PAYMENTS 1040 PG 2 Line 61- 63 & 68 Federal income tax withheld from W-2s, 1099s Estimated payments & $ applied from prior year.

Tax Year TYPES OF PAYMENTS 1040 PG 2 Line & 68 Federal income tax withheld from W-2s, 1099s Estimated payments & $ applied from prior year.
Process Description and Control

Process Description and Control
1

1
Processes and Operating Systems

Processes and Operating Systems
Large Scale Integration of Senses for the Semantic Web Jorge Gracia, Mathieu dAquin, Eduardo Mena Computer Science and Systems Engineering Department (DIIS)

Large Scale Integration of Senses for the Semantic Web Jorge Gracia, Mathieu dAquin, Eduardo Mena Computer Science and Systems Engineering Department (DIIS)
Towards Automating the Configuration of a Distributed Storage System Lauro B. Costa Matei Ripeanu {lauroc, NetSysLab University of British.

Towards Automating the Configuration of a Distributed Storage System Lauro B. Costa Matei Ripeanu {lauroc, NetSysLab University of British.

Similar presentations

Ads by Google