![Page 1: Towards a Data-centric Approach to Attribution in the Cloudcsis.gmu.edu/albanese/events/march-2013-cloud-security-meeting/0… · Towards a Data-centric Approach to Attribution in](https://reader033.vdocuments.site/reader033/viewer/2022042305/5ed0b27e146b1a6dad4b9cb7/html5/thumbnails/1.jpg)
Towards a Data-centric Approach to Attribution in the Cloud
Wenchao Zhou, Georgetown University
In collaboration with Boon Thau Loo, Andreas Haeberlen, Zachary Ives (Penn), and Micah Sherr (Georgetown)
Introduction
Success of the Cloud
Economics of outsourcing data, computing and management
Virtualization of resources (storage, computing, networking)
Continued migration of applications to the cloud: Amazon EC2, Salesforce, Office 365, iCloud, etc.
Middleware and firewalls in enterprise networks [SIGCOMM 12]
Interdomain routing [HotNets 12]
Increasing interaction between applications/clients
Motivation
Call for Attribution
Needed in tasks with collective efforts
Who is responsible for unexpected symptoms? Attacks, bugs, client-side misbehavior
Evidence for accountability
A Simple Example
A simple task that requires collective effort: routing
System administrator observes strange behavior
Example: the route to foo.com has suddenly changed
[Figure: Alice asks "Why did my route to foo.com change?!"; her traffic to foo.com crosses routers A, B, C, D, E; Route r1 has been replaced by Route r2; possible causes: Malicious Attack? Software Bugs?]
An Ideal Solution
What does attribution look like?
[Figure: Alice asks the Cloud "Why did my route to foo.com change?!"; routers A, B, C, D, E; Route r1 replaced by Route r2]
Q: Explain why the route to foo.com changed to r2.
A: Because Route r1 disappeared as B considers the channel between B and C is down.
A Data-centric Perspective
We assume a general distributed system
A network consisting of nodes (e.g., VMs)
The state of a node is a set of tuples (routes, config, ...)
Idea: Attribution as reasoning of state dependencies
Base tuples: boundary of the reasoning, considered as facts
[Figure: routers A, B, C, D, E between Alice and foo.com, annotated with their state tuples: route(A, foo.com), link(A, B), route(A, B), route(A, D), link(A, D), route(B, foo.com), link(B, C), route(C, foo.com), link(C, foo.com), ...]
Provenance for Attribution
Provenance for encoding state dependencies
Explains the derivation of tuples
Captures the dependencies between tuples as a graph
Attribution of a tuple is a tree rooted at the tuple
Route r1 disappeared as B removes the link between B and C
[Figure: provenance tree rooted at route(A, foo.com), over the tuples link(A, B), route(B, foo.com), link(B, C), route(C, foo.com), link(C, foo.com), and the alternative branch route(D, foo.com), link(D, E), route(E, foo.com), link(E, B)]
Challenges
Historical information about distributed state
Correct and complete provenance in transient state
Distributed maintenance – performance tradeoffs
Security guarantee in an untrusted environment
[Figure: Alice's route to foo.com changes from Route r1 to Route r2]
Related Work
Provenance for distributed settings
Cloud systems: PA-S3fs [MMS 10], RAMP [IPW 11]
Collaborative data sharing systems: Orchestra [GIK+ 07]
Provenance for historical system state
PASS [MHB+ 06], workflow systems (Kepler [ABJ 06], VisTrails [CFS+ 06], etc.)
Provenance security
Sprov [HSW 09], Pedigree [RBT+ 08]
Challenges
Provenance model (distribution + time)
Storage and maintenance at large scale
Distributed provenance querying
Security guarantees in adversarial environment
[Figure: architecture: the primary system (Application, Network, Users, Operator) feeds an Extractor; the provenance system consists of Provenance Maintenance, a Store, and Provenance Querying]
Outline
Introduction
Motivation: Explain general system anomalies
Approach: Secure Time-aware Provenance
Provenance Model [SIGMOD 10, VLDB 13]
Provenance Maintenance and Querying
Securing Network Provenance
Conclusion
State Transition Systems – State
Node's state captured as tuples
Message captured as a triplet (src, dest, +/-tuple)
System state S = (H, M), where H is a set of per-node state, and M is the channel state
Example tables at a node:
link:     Src  Dest  Cost
          A    B     3
          A    C     5
pathCost: Src  Dest  Cost
          A    B     3
          A    C     5
          ...  ...   ...
Transition Logic as Derivation Rules
State transition in general distributed systems
E.g. state machine or event-driven model
Idea: New state as derivation result of old states
Derivation rules: abstract dependency logic
Example: $\tau@n \;\text{:-}\; \tau_1@n_1 \wedge \tau_2@n_2 \wedge \dots \wedge \tau_m@n_m$ (rule head $\tau@n$, rule body $\tau_1@n_1 \wedge \dots \wedge \tau_m@n_m$)
Rule head is derived, if all the predicates in rule body hold
Written as Network Datalog (NDlog) rules [LCG+ 06]
Extracting Dependency Logic
Option 1: Inferred provenance
Declarative specifications explicitly capture provenance
E.g. Declarative networking, SQL queries, etc.
Option 2: Disclosed provenance
Modified source code reports provenance
Option 3: Observed provenance
Defined on observed I/Os of a black-box system
[Figure: example systems: Declarative Chord DHT, Hadoop MapReduce, Quagga Software Router]
Example: Pairwise Minimal Cost
sp1: pathCost(@S,D,C) :- link(@S,D,C).
sp2: pathCost(@Z,D,C1+C2) :- link(@S,Z,C1), minCost(@S,D,C2).
sp3: minCost(@S,D,MIN<C>) :- pathCost(@S,D,C).
link(@Src,Dst,C) – “a direct link from node Src to Dst with cost C”
pathCost(@Src,Dst,C) – “a path from node Src to Dst with cost C”
minCost(@Src,Dst,C) – “best path from node Src to Dst with minimal cost C”
sp1: one-hop paths; sp2: multi-hop paths; sp3: aggregation for min cost
Execution Model
Pipelined semi-naïve evaluation [LCG+ 06]
Rewrite into event-condition-action rules
Consume updates, and generate new updates
sp2a: ΔpathCost(@Z,D,C1+C2) :- Δlink(@S,Z,C1), minCost(@S,D,C2).
sp2b: ΔpathCost(@Z,D,C1+C2) :- link(@S,Z,C1), ΔminCost(@S,D,C2).
Execution Traces
Execution trace as an ordered sequence of events
Encodes the execution of a state transition system
sp1: pathCost(@S,D,C) :- link(@S,D,C).
sp2: pathCost(@Z,D,C1+C2) :- link(@S,Z,C1), minCost(@S,D,C2).
sp3: minCost(@S,D,MIN<C>) :- pathCost(@S,D,C).
[Figure: nodes a, b, c at times t0, t1, t2. Trace: at t0@b, +link(b,c,3) triggers sp1 → +pathCost(b,c,3) and sp3 → +minCost(b,c,3); at t2@b, +link(b,a,1) together with minCost(b,c,3) triggers sp2 → +pathCost(a,c,4), sent to a; at t3@a, sp3 → +minCost(a,c,4) and -minCost(a,c,5)]
Provenance Model
INSERT/DELETE: Tuple τ was inserted (deleted) on node n at time t
DERIVE/UNDERIVE: Tuple τ was derived (underived) via rule R on node n at time t
SEND/RECV: Update +/- τ was sent (received) by node n at time t
Provenance graph for the execution trace above (edges labelled as rule triggering, constraints, snapshot, or communication):
…… INSERT(t0, b, minCost(@b,c,3))
INSERT(t2, b, link(@b,a,1))
EXIST(t2, b, minCost(@b,c,3))
DERIVE(t2, b, pathCost(@a,c,4), sp2@b)
SEND(t2, b, pathCost(@a,c,4), a)
RECV(t3, a, pathCost(@a,c,4), b, t2)
INSERT(t3, a, pathCost(@a,c,4))
DERIVE(t3, a, minCost(@a,c,4), sp3@a)
INSERT(t3, a, minCost(@a,c,4))
DELETE(t3, a, minCost(@a,c,5))
[Figure: nodes a, b, c at time t1 and at time t2, when link (b,a,1) appears]
Correctness
Provenance should be “consistent” with the trace
Both are artifacts of a system execution
Idea: Extract a subtrace from the provenance graph
Extracting a subtrace using topological sort: edges in the provenance graph represent dependencies
Question: how do we define “consistency”?
Provenance Properties
Provenance is valid: the extracted subtrace should be a viable trace
Provenance is sound: the extracted subtrace has the same event order as the actual trace
Problem: order of concurrent events (no synchronized clocks)
Idea: per-node perspective (indistinguishable executions)
Provenance is complete: provenance includes a complete explanation of state (changes)
Idea: state (changes) are reproducible based on provenance
Provenance is minimal: provenance is exactly the explanation and nothing more
Outline
Introduction
Motivation: Explain general system anomalies
Approach: Secure Time-aware Provenance
Provenance Model
Maintenance and Querying [VLDB 13]
Securing Provenance
Conclusion
Provenance Maintenance [SIGMOD 10]
Provenance as views of network state [GIK+ 07]
Maintain in relational tables (prov, ruleExec, send, recv)
Incremental view maintenance: Pipelined Semi-Naïve (PSN) evaluation [LCG+ 06]
Automatic rewrite of derivation rules
Additionally maintain provenance data
Does NOT affect the scalability of the base protocol
[Figure: an NDlog rule is automatically rewritten into the NDlog rule plus provenance maintenance rules; execution then populates the prov and ruleExec tables, ...]
Recursive Provenance Querying
Traversal of the provenance graph
Step 1: Retrieve rule execution instances
Step 2: Expand dependent derivations
[Figure: recursive query plan]
provQuery(@N,VID,Time) is joined with prov(@N,VID,Time,RID,RTime,RLoc) on prov.VID = provQuery.VID,
then projected as execQuery(@RLoc,RID,Time) from (prov.RLoc, prov.RID, prov.RTime);
execQuery(@RLoc,RID,Time) is joined with ruleExec(@RLoc,RID,Rule,Time,CList,Trigger) on execQuery.RID = ruleExec.RID,
then projected as provQuery(@N,VID,Time) from (execQuery.RLoc, ruleExec.Trigger/CList, execQuery.Time)
Generic framework for provenance querying
Formulated in declarative networking engine
Allows customization (annotation defined in provenance semiring [GKT 07]) and optimization (caching, etc.)
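The rules sp1 to sp3, the ΔpathCost execution model, the event trace and the recursive provQuery/execQuery traversal, worked through as an added Python example that is not NetTrails/RapidNet code and not from the slides: a minimal pipelined semi-naive evaluator records INSERT/DELETE/DERIVE/SEND/RECV events and per-derivation provenance, then answers the query for minCost(@a,c,4). The node names a, b, c, the logical clock, the in-process channel and the guard that drops paths from a node to itself are assumptions of this example.

```python
from collections import defaultdict

# Constructed example (not NetTrails/RapidNet code): a tiny pipelined semi-naive
# evaluator for the slides' rules sp1-sp3 that records INSERT/DELETE/DERIVE/
# SEND/RECV events plus per-derivation provenance, and answers a recursive
# provenance query. Node names, the logical clock and the in-process "channel"
# are assumptions of this example; link deletions are not handled.

class Engine:
    def __init__(self):
        self.link = defaultdict(list)     # node -> [(dst, cost)]
        self.minCost = defaultdict(dict)  # node -> {dst: cost}
        self.events = []                  # (time, node, kind, tuple)
        self.prov = {}                    # derived tuple -> (rule, node, inputs)
        self.t = 0                        # logical clock

    def log(self, node, kind, tup):
        self.events.append((self.t, node, kind, tup))

    def insert_link(self, s, z, c1):
        """Base tuple insertion +link(@s,z,c1): fires sp1 and sp2a (delta link)."""
        self.t += 1
        lnk = f"link(@{s},{z},{c1})"
        self.link[s].append((z, c1))
        self.log(s, "INSERT", lnk)
        self.path(s, z, c1, "sp1", s, [lnk])
        for d, c2 in list(self.minCost[s].items()):
            self.path(z, d, c1 + c2, "sp2", s, [lnk, f"minCost(@{s},{d},{c2})"])

    def path(self, z, d, c, rule, at, inputs):
        """Derive pathCost(@z,d,c) at node `at`; ship it to z when derived remotely."""
        if z == d:   # assumption: drop paths from a node to itself (not a slide rule)
            return
        tup = f"pathCost(@{z},{d},{c})"
        self.log(at, "DERIVE", f"{tup} via {rule}@{at}")
        self.prov[tup] = (rule, at, inputs)
        if at != z:                       # cross-node edge: SEND at `at`, RECV at z
            self.log(at, "SEND", tup)
            self.t += 1
            self.log(z, "RECV", tup)
        self.log(z, "INSERT", tup)
        self.min_cost(z, d, c, tup)

    def min_cost(self, z, d, c, path_tup):
        """sp3 as an incremental MIN aggregate: only an improving path changes
        minCost and deletes the old value; then sp2b (delta minCost) fires."""
        old = self.minCost[z].get(d)
        if old is not None and old <= c:
            return
        new = f"minCost(@{z},{d},{c})"
        self.log(z, "DERIVE", f"{new} via sp3@{z}")
        self.prov[new] = ("sp3", z, [path_tup])
        self.log(z, "INSERT", new)
        self.minCost[z][d] = c
        if old is not None:
            self.log(z, "DELETE", f"minCost(@{z},{d},{old})")
        for z2, c1 in list(self.link[z]):
            self.path(z2, d, c1 + c, "sp2", z, [f"link(@{z},{z2},{c1})", new])

    def explain(self, tup):
        """Recursive provenance query: the tree rooted at tup, down to base tuples
        (the provQuery -> prov -> execQuery -> ruleExec loop on the slides)."""
        if tup not in self.prov:
            return (tup, "base", [])
        rule, at, inputs = self.prov[tup]
        return (tup, f"{rule}@{at}", [self.explain(i) for i in inputs])

def base_tuples(tree):
    """Leaves of an explanation tree: the boundary of the reasoning."""
    tup, how, kids = tree
    return sorted({tup} if how == "base" else {b for k in kids for b in base_tuples(k)})

def demo():
    """Replays the slides' trace: a already reaches c at cost 5, then b's links appear."""
    e = Engine()
    e.insert_link("a", "c", 5)   # gives minCost(@a,c,5) before b's links exist
    e.insert_link("b", "c", 3)   # +link(b,c,3): sp1 -> pathCost(@b,c,3), sp3 -> minCost(@b,c,3)
    e.insert_link("b", "a", 1)   # +link(b,a,1): sp2@b -> pathCost(@a,c,4), sent to a
    return e
```

Calling `demo().explain("minCost(@a,c,4)")` returns the tree sp3@a ← pathCost(@a,c,4) (sp2@b) ← link(@b,a,1), minCost(@b,c,3) (sp3@b) ← pathCost(@b,c,3) (sp1@b) ← link(@b,c,3), and `demo().events` contains the DELETE of minCost(@a,c,5) at a.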
Performance Tradeoffs
Proactive maintenance
Provenance deltas – deltas between adjacent versions
Incrementally applied in querying
Reactive maintenance
Idea: sufficient data for reconstructing provenance
Input logs – communications and update of base tuples
Reconstruct provenance by deterministic replay
Long-running systems? Periodic snapshots
Analogous to log-structured versioning systems
[Figure: spectrum of maintenance vs. querying performance]
Outline
Introduction
Motivation: Explain general system anomalies
Approach: Secure Network Provenance
Provenance Model
Provenance Maintenance and Querying
Securing Network Provenance [SOSP 11]
Conclusions
Challenge: Adversaries Can Lie
[Figure: Alice asks the Network "Q: Explain why the route to foo.com changed to r2."; routers A, B, C, D, E; Route r2]
Problem: adversary can ...
... fabricate plausible (yet incorrect) response
... point accusation towards innocent nodes
Compromised node's answer: "Everything is fine. Router E advertised a new route." (while thinking: "I should cover up the intrusion.")
Threat Model
Existing work: Trusted kernel, monitor, or hardware
E.g. Backtracker [OSDI 06], ReVirt [OSDI 02], A2M [SOSP 07]
These components may have bugs or be compromised
Alternatives that do not require such trust?
No trusted components
Adversary has full control over an arbitrary subset of the network (Byzantine faults)
E.g. Compromised nodes can tamper, drop, or replay information
Pessimistic threat model gives strong guarantees
Ideal Guarantees
Ideally: explanation is always complete and accurate
Fundamental limitations
E.g. Faulty nodes secretly exchange messages
E.g. Faulty nodes communicate outside the system
What guarantees can we provide?
Realistic Guarantees [SOSP 11]
No faults: Explanation is complete and accurate
Byzantine fault: Explanation identifies at least one faulty node
[Figure: Alice asks the Network "Q: Why did my route to foo.com change to r2?" and receives "A: Because someone accessed Router D and changed its router configuration from X to Y." Alice: "Aha, at least I know which node is compromised."]
Securing Cross-Node Edges
Idea 1: Each node keeps vertices about local actions
The TAP model cleanly partitions the provenance graph
Idea 2: Make the graph tamper-evident
Secure cross-node edges (evidence of omissions)
[Figure: Router A and Router B exchange SEND/RECV; the cross-node edge is backed by a signed commitment from B and a signed ACK from A]
Secure Provenance Maintenance
Tamper-evident logs [HKD 07]
Linear append-only list of events
Recursively-defined hash chain
Include top-level hash in messages
Any tampering breaks the chain!
[Figure: routers exchange SEND/RCV-ACK and RECV/ACK messages; each node's log is a hash chain h14 → h15 → h16 → h17 over entries (SeqNo, SEND), (SeqNo, INS), (SeqNo, ACK), (SeqNo, RECV), ...]
Secure Provenance Querying
Recursively construct the provenance graph
Retrieve secure logs from remote nodes
Check for tampering, omission, and equivocation
Replay the log to regenerate the provenance graph
[Figure: Alice asks "Explain the route from A to foo.com." Step 1: A's log explains route(A, foo.com) by link(A, B) and a RECV (from B); Step 2: B's log explains route(B, foo.com) by link(B, C) and a RECV (from C); Step 3: C's log explains route(C, foo.com) by link(C, foo.com). Alice: "OK. Now I know how the route was derived."]
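The hash-chained log of the maintenance slide and the tampering, omission and equivocation checks of the querying slides, as an added Python example that is not the SNP/NetTrails implementation: node b chains its log entries with SHA-256, and the top-level hash it committed to in a SEND message is later checked against the log b hands to the querier. The entry contents, the GENESIS value and the three failure scenarios are constructed for this example.

```python
import hashlib
import json

# Constructed example (not SNP/NetTrails code): a hash-chained, append-only log
# as on the slide. Each entry hash covers the previous hash, the sequence number
# and the event, so modifying, deleting or reordering any earlier entry changes
# every later hash, including the top-level hash a node embeds in its messages.

GENESIS = "0" * 64   # assumed starting value of the chain

def entry_hash(prev_hash, seqno, event):
    """h_i = H(h_{i-1} || seqno || event); event is a JSON-serialisable record."""
    payload = json.dumps([prev_hash, seqno, event], sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

class TamperEvidentLog:
    def __init__(self):
        self.entries = []          # list of (seqno, event, hash)

    def append(self, event):
        """Append one event and return its hash (the new top-level hash)."""
        seqno = len(self.entries)
        prev = self.entries[-1][2] if self.entries else GENESIS
        h = entry_hash(prev, seqno, event)
        self.entries.append((seqno, event, h))
        return h

def verify_chain(entries):
    """Recompute the chain; return the index of the first bad entry, or -1 if intact."""
    prev = GENESIS
    for i, (seqno, event, h) in enumerate(entries):
        if seqno != i or entry_hash(prev, seqno, event) != h:
            return i
        prev = h
    return -1

def check_commitment(entries, seqno, committed_hash):
    """Querier-side check: the retrieved log must be intact, must reach the seqno
    the node committed to in an earlier message, and must carry that hash there."""
    if verify_chain(entries) != -1:
        return "tampered"
    if seqno >= len(entries):
        return "omitted"        # log is shorter than what the node committed to
    if entries[seqno][2] != committed_hash:
        return "equivocation"   # a different history was shown for the same seqno
    return "ok"

def demo():
    """Node b commits to its log in a SEND; the querier later retrieves b's log in
    four constructed variants: honest, edited in place, rebuilt, truncated."""
    b = TamperEvidentLog()
    b.append({"type": "INSERT", "tuple": "link(@b,c,3)"})
    b.append({"type": "INSERT", "tuple": "minCost(@b,c,3)"})
    seq = 2
    commit = b.append({"type": "SEND", "tuple": "+pathCost(@a,c,4)", "to": "a"})
    b.append({"type": "RCV-ACK", "from": "a"})

    # 1. in-place edit of the SEND entry, stored hashes left as they were
    tampered = list(b.entries)
    tampered[seq] = (seq, {"type": "SEND", "tuple": "+pathCost(@a,c,9)", "to": "a"},
                     b.entries[seq][2])
    # 2. an internally consistent but different log, rebuilt from scratch
    other = TamperEvidentLog()
    for s, ev, _ in b.entries:
        other.append(ev if s != seq else {"type": "INSERT", "tuple": "link(@b,d,1)"})
    # 3. the log cut off before the committed entry
    truncated = b.entries[:seq]

    return (check_commitment(b.entries, seq, commit),
            check_commitment(tampered, seq, commit),
            check_commitment(other.entries, seq, commit),
            check_commitment(truncated, seq, commit))
```

The signed commitment and ACK of the cross-node edge are what bind `commit` to node b and to the receiving node in the real design; this example only shows what the querier can detect once it holds such a hash.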
NetTrails [SIGMOD-demo 11]
Based on the RapidNet declarative networking engine http://netdb.cis.upenn.edu/rapidnet/
System available for download.
Outline
Introduction
Motivation: Explain general system anomalies
Approach: Secure Network Provenance
Provenance Model
Provenance Maintenance and Querying
Securing Network Provenance
Conclusions
Ongoing and Future Directions
Privacy concerns of provenance
Tension between attribution and privacy
Results in interdomain routing [HotNets 11, SIGCOMM 12]
Better use of provenance data
Provenance-based recovery and damage assessment
Feedback for invariant refinement: deduce invariants (desired properties) by mining reported provenance
Answer why-not questions
Project website: http://snp.cis.upenn.edu/