security and privacy in cloud computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · dataflow...
TRANSCRIPT
![Page 1: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/1.jpg)
Ragib HasanJohns Hopkins Universityen.600.412 Spring 2010
Lecture 603/22/2010
Security and Privacy in Cloud Computing
![Page 2: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/2.jpg)
Verifying Computations in a Cloud
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 2
ScenarioUser sends her data processing job to the cloud.
Clouds provide dataflow operation as a service (e.g., MapReduce, Hadoop etc.)
Problem: Users have no way of evaluating the correctness of results
![Page 3: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/3.jpg)
DataFlow Operations
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3
PropertiesHigh performance, in-memory data processingEach node performs a particular functionNodes are mostly independent of each other
ExamplesMapReduce, Hadoop, System S, Dryad
![Page 4: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/4.jpg)
How do we ensure DataFlow operation results are correct?
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 4
Du et al., RunTest: Assuring Integrity of Dataflow Processing in Cloud Computing Infrastructures, AsiaCCS 2010
Goals•To determine the malicious nodes in a DataFlow system•To determine the nature of their malicious action•To evaluate the quality of output data
![Page 5: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/5.jpg)
Possible Approaches
• Re-do the computation
• Check memory footprint of code execution
• Majority voting
• Hardware-based attestation
• Run-time attestation
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 5
![Page 6: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/6.jpg)
RunTest: Randomized Data Attestation
Idea
– For some data inputs, send it along multiple dataflow paths
– Record and match all intermediate results from the matching nodes in the paths
– Build an attestation graph using node agreement
– Over time, the graph shows which node misbehave (always or time-to-time)
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 6
![Page 7: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/7.jpg)
Attack Model
• Data model:– Input deterministic DataFlow (i.e., same input to a
function will always produce the same output)
– Data processing is stateless (e.g., selection, filtering)
• Attacker:– Malicious or compromised cloud nodes
– Can produce bad results always or some time
– Can collude with other malicious nodes to provide same bad result
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 7
![Page 8: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/8.jpg)
Attack Model (scenarios)
Parameters– b_i = probability of providing bad result
– c_i = probability of providing the same bad result as another malicious node
Attack scenarios– NCAM: b_i = 1, c_i = 0
– NCPM: 0 < b_i <1, c_i = 0
– FTFC: b_i = 1, c_i = 1
– PTFC: 0< b_i < 1, c_i = 0
– PTPC: 0< b_i < 1, 0 < c_i < 1
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 8
![Page 9: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/9.jpg)
Integrity Attestation Graph
Definition:
– Vertices: Nodes in the DataFlow paths
– Edges: Consistency relationships.
– Edge weight: fraction of consistent output of all outputs generated from same data items
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 9
![Page 10: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/10.jpg)
Consistency Clique
Complete subgraph of an attestation graph which has
– 2 or more nodes
– All nodes always agree with each other (i.e., all edge weights are 1)
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 10
1
2
3
45
![Page 11: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/11.jpg)
How to find malicious nodes
Intuitions
– Honest nodes will always agree with each other to produce the same outputs, given the same data
– Number of malicious nodes is less than half of all nodes
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 11
![Page 12: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/12.jpg)
Finding Consistency Cliques: BK Algorithm
Goal: find the maximal clique in the attestation graph
Technique:
Apply Bron-Kerbosch algorithm to find the maximal clique(s) (see better example at Wikipedia)
Any node not in a maximal clique of size k/2 is a malicious node
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 12
Note: BK algorithm is NP-Hard
Authors proposed 2 optimizations to make it run quicker
![Page 13: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/13.jpg)
Identifying attack patterns
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 13
NCAM
PTFCFTFC
PTFC/NCPM
![Page 14: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/14.jpg)
Inferring data quality
Quality = 1 – (c/n)
– where
•n = total number of unique data items
•c = total number of duplicated data with inconsistent results
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 14
![Page 15: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/15.jpg)
Evaluation
• Extended IBM System S
• Experiments:
– Detection rate
– Sensitivity to parameters
– Comparison with majority voting
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 15
![Page 16: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/16.jpg)
Evaluation
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 16
NCPM (b=0.2, c=0)
Different misbehavior probabilities
![Page 17: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/17.jpg)
Discussion
• Threat model
• High cost of Bron-Kerbosch algorithm (O(3n/3))
• Results are for building attestation graphs per function
• Scalability
• Experimental evaluation
3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 17
![Page 18: Security and Privacy in Cloud Computingragib/sp10/cs412/lectures/600.412.lecture06.pdf · DataFlow Operations 3/22/2010 en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan 3 Properties](https://reader034.vdocuments.site/reader034/viewer/2022050406/5f83515c4936a5751962e8d7/html5/thumbnails/18.jpg)
3/22/2010 18en.600.412 Spring 2010 Lecture 6 | JHU | Ragib Hasan
Further Reading
TPM Reset Attack http://www.cs.dartmouth.edu/~pkilab/sparks/
Halderman et al., Lest We Remember: Cold Boot Attacks on Encryption Keys, USENIX Security 08, http://citp.princeton.edu/memory/