Secure Storage
Docsity.com

• Real-time database storage
• Partial security policies
• Self-securing storage
• FARSITE

Real-time Database Storage
• Percentages are used for defining partial security
• Known access pattern
• Acceptable risk level could vary from 0 (low) to 4 (high)
• Rules can be either static or dynamic
• Static rules apply to conflicts that are resolved in the same way

Real-time Database Storage
• Dynamic rules can be based on:
  – Security violation percentage
  – Deadline miss percentage
  – Number of consecutive missed deadlines
• Example of rule:
  – If (security_violation_% >= 5) violate_timeliness
  – If (missed_transact_% > 10) violate_security

Real-time Database Storage
• Maintains a specification tool which is stored in internal data structures
• Two transactions conflict if:
  – They access the same data item
  – At least one of them writes to the data item
  – One transaction has a higher security and priority level than the other
  – The execution times of the transactions intersect

Self-Securing Storage
• Primary benefit is in intrusion detection
• IDS succeeds because of modified storage
• Self-securing storage provides an alternate storage model that is beyond the reach of the intruder
• Intruder
  – Compromises secrets
  – Creates backdoor entry path
  – Places Trojan horses
  – Taints stored data

Self-Securing Storage
• Data restoration
  – Requires a significant amount of time
  – Reduces availability of the original system
  – Misalignment of data between backup and intruder-modified data
• Data storage is usually under OS control
• Self-securing storage is not under OS control

Self-Securing Storage
• SSS views both the OS and users as questionable entities
• SSS
  – Self-contained
  – Self-controlled
  – Internally versions all data
  – Audits all requests for data storage or retrieval
  – Ensures information survival
  – Establishes a secure perimeter around the storage device

Self-Securing Storage
• Deliberate attempts to overflow the history pool cannot be prevented
• History pool contains all information about the system's recent activity
• SSS supports secure administrative access to data
• Secure administrative access can be granted by
  – Physical access
  – Cryptographic keys

Self-Securing Storage
• SSS variation is to write snapshots instead of versioning
• Snapshots do not provide the same level of data integrity as versioning
• SSS ensures
  – Data survival
  – Audit log survival
• SSS is cost effective given low storage costs

FARSITE
• Stands for Federated, Available, and Reliable Storage for an Incompletely Trusted Environment
• FARSITE is
  – Secure
  – Scalable file system
  – Logical centralized file server
  – Physical distributed file server
• Developed in 2002 at Carnegie-Mellon University, with a federal grant

FARSITE
• Every computer that is part of the system has three roles:
  – Client (interacts with user)
  – Directory group (collection of computers that collectively manage file information using a Byzantine-fault-tolerant protocol)
  – File host (every group member stores a copy of file information)

FARSITE
• What is a Byzantine-fault-tolerant protocol?
  – Dates back to the 12th century country of Byzantium
  – Several armies surrounded Byzantium with the goal of capturing it
  – All armies worked together to achieve their goal
  – Each army did not fully trust the other armies
  – Each army exchanged secret messages with the other armies to find the appropriate time to attack

FARSITE
• What is a Byzantine-fault-tolerant protocol?
  – When two-thirds of the armies arrived at the same conclusion about the attack time, they planned the attack
• Widely used in today's network systems

FARSITE
• FARSITE's key features:
  – Reliability and availability (achieved through replication)
  – Security (uses different mechanisms to enforce read and write access control)
  – Durability (updates are committed only on the client's local disk)
  – Consistency (temporary control loaned to clients via a lease mechanism)
  – Scalability (uses hint-based and delayed directory-change notification)
  – Efficiency (uses co-location for replicas of identical files)
  – Manageability (because of data replication, failure of any one system does not affect performance)

References
• Byzantine: http://www.fordham.edu/halsall/byzantium/
• Byzantine Generals Problem: http://research.microsoft.com/users/lamport/pubs/byz.pdf
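
The conflict test and the two dynamic rules from the Real-time Database Storage slides, as an added Python example that is not part of the original deck. Assumptions: the `Txn` fields, the reading that one transaction is higher on both security and priority, percentages taken over all transactions seen so far, each decision costing one violation or one missed deadline, and the default of `violate_timeliness` when neither rule fires; the sample schedule is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    item: str        # data item accessed
    writes: bool     # True if the transaction writes the item
    security: int    # security level (higher = more sensitive)
    priority: int    # scheduling priority (higher = more urgent)
    start: float     # execution interval [start, end)
    end: float

def conflicts(a: Txn, b: Txn) -> bool:
    """The slide's four conflict conditions; all must hold."""
    shared_write = a.item == b.item and (a.writes or b.writes)
    # Assumed reading: one transaction is higher on BOTH security and priority.
    ranked = ((a.security > b.security and a.priority > b.priority) or
              (b.security > a.security and b.priority > a.priority))
    overlap = a.start < b.end and b.start < a.end
    return shared_write and ranked and overlap

def decide(sec_viol_pct, missed_pct, default="violate_timeliness"):
    """Dynamic rules in the order the slide lists them; the default is assumed."""
    if sec_viol_pct >= 5:
        return "violate_timeliness"
    if missed_pct > 10:
        return "violate_security"
    return default

def resolve(pairs):
    """Return one decision per pair (None when the pair does not conflict)."""
    seen = violations = missed = 0
    decisions = []
    for a, b in pairs:
        seen += 2
        choice = (decide(100 * violations / seen, 100 * missed / seen)
                  if conflicts(a, b) else None)
        # Assumed bookkeeping: each decision costs one violation or one miss.
        violations += choice == "violate_security"
        missed += choice == "violate_timeliness"
        decisions.append(choice)
    return decisions

SAMPLE = [  # constructed schedule, not data from the slides
    (Txn("x", True, 2, 2, 0, 5),   Txn("x", False, 1, 1, 3, 8)),
    (Txn("y", False, 3, 3, 0, 4),  Txn("y", False, 1, 1, 1, 2)),    # no writer
    (Txn("z", True, 4, 2, 10, 12), Txn("z", True, 0, 1, 11, 15)),
    (Txn("x", True, 2, 3, 20, 25), Txn("x", False, 1, 1, 25, 30)),  # no overlap
    (Txn("w", True, 3, 3, 0, 2),   Txn("w", True, 1, 2, 1, 3)),
]
```

Running `resolve(SAMPLE)` shows the policy switching sides as the counters move: the first conflict falls back to the default, the second sacrifices security because missed deadlines exceed 10%, and the third sacrifices timeliness because security violations have reached 5%.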