Cloud Integrity Monitoring

Mike Smorul, ADAPT Group, University of Maryland, College Par


Cloud Computing

• A new paradigm for offering a wide variety of cost-effective services – storage, compute, software, application, infrastructure – over the internet.

• A major issue – confidentiality and integrity of data stored in a cloud.

• This presentation: a new lightweight scheme for clients to monitor the integrity of their holdings in the cloud.

Monitoring Concerns

• Transfer to validate incurs a fee.

• Last mile may be too slow.
  – Remote monitoring not feasible

• How can third parties validate their data?

Background: ACE Integrity Token

• Small proof that resides alongside a file.
  – Proof links digest of file to external number (CSI)

• May be transferred over insecure channels and still validated
  – Does not rely on secret data (private key, etc)

• Linked to a single (nightly) published witness.
  – Witness is tiny (32 bytes)
  – Widely published
  – Witness provides 24h time window for token
  – Independent of size or type of data

Token Construction

• Construction Steps
  – Aggregate all digests for a round (seconds)
  – Create small summary value for the round
  – At the end of each day, publish witness = aggregate data for all intermediate values

• Value
  – Small amount of data after each aggregation
  – Alteration of the content of any object will cause the value of the witness to be different
  – Two levels allow for quick client response and tiny daily data

Token Construction

[Figure: two hash-aggregation diagrams drawn along a time axis. First diagram, "Aggregation Time Frame for AHV1": labels are Summary Information (CSI0, CSI1, CSI2), Aggregated Hash Value (AHV0, AHV1, AHV3), h(), Intermediate Hash Value (IHV) and the hash values of IT Req5 through IT Req8. Caption: Shaded values are proof to AHV1 for the integrity token issued for IT Req5. Second diagram, "Aggregation Time Frame for WV1": labels are Witness Value (WV0), Intermediate Hash Value (IHV) and SI3. Caption: Striped values are proof to WV0 for SI0.]

ACE Token

Types of Audit

Audit Local Files: Periodically scans files and compares stored digests with computed digests. Assumes valid hashes in local storage.

Audit Local Digests: Recomputes the round summary for each digest using that digest and its token. This is compared to the value stored on the IMS. Assumes the IMS returns valid summary information; does not trust hashes stored locally.

External IMS Audit: Round summaries are used to compute witness values. These are compared with offsite witness values. Does not trust the IMS; forces the IMS to prove its CSIs link to a witness.

Storing token in a cloud

• Two possibilities
  – Whole token may be stored as separate file.
  – Validation components of token may be stored in attribute/value pairs

• Tokens are small (1-2k)

• Validation information is even smaller (<1k)

Validation by 3rd party

• 3rd party downloads object and token.

• Runs validation processes using external information

• No interaction with original depositor required.

• Validation information may be supplied as http headers from cloud service.
  – Validation information adds at most 10 digests to the header.
  – Uses metadata stored in cloud (no extra objects)

Data Flow

[Figure: data flow between Depositor, IMS, Cloud Storage and Consumer. Labelled flows: 1. Token Request/Response; 2. Token + data; 3. Token + data; 4. CSI Request/Response.]

How 3rd party validation works

1. Acquire token and original file
  – Use http headers, or separate token request
2. Compute digest for file
3. Compute CSI value using token + digest
4. Compare computed CSI to remote CSI on IMS
  – IMS is public, generally not tied to depositor.
5. (Optionally) Challenge IMS to prove CSI
6. Compare challenge result to external Witness
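Steps 2 to 6 above as an added Python example (not ACE code and not from the original slides). It assumes a simplified token layout, a list of (side, sibling) SHA-256 pairs in a binary hash tree, because the slides do not give the real ACE token format; `fold`, `validate` and `build_sample` are hypothetical names and all sample data is constructed.

```python
import hashlib

def h(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(left + right).digest()

def fold(start: bytes, proof) -> bytes:
    """Walk a sibling path from a leaf up to the root it commits to."""
    node = start
    for side, sibling in proof:          # side: where the sibling sits
        node = h(sibling, node) if side == "L" else h(node, sibling)
    return node

def validate(data, token_proof, ims_csi, ims_proof=None, witness=None):
    digest = hashlib.sha256(data).digest()       # step 2
    csi = fold(digest, token_proof)              # step 3
    if csi != ims_csi:                           # step 4
        return "csi-mismatch"
    if ims_proof is None:
        return "ok-csi-only"                     # IMS trusted, steps 5-6 skipped
    if fold(csi, ims_proof) != witness:          # steps 5-6
        return "witness-mismatch"
    return "ok"

def build_sample():
    """Constructed data: one round of four objects, one day of two rounds."""
    objs = [b"object-5", b"object-6", b"object-7", b"object-8"]
    d = [hashlib.sha256(o).digest() for o in objs]
    n01, n23 = h(d[0], d[1]), h(d[2], d[3])
    csi = h(n01, n23)                            # round summary (assumed layout)
    token = [("R", d[1]), ("R", n23)]            # proof for objs[0]
    other_csi = hashlib.sha256(b"earlier round").digest()
    witness = h(other_csi, csi)                  # published daily value
    return objs[0], token, csi, [("L", other_csi)], witness

if __name__ == "__main__":
    data, token, csi, ims_proof, witness = build_sample()
    print(validate(data, token, csi, ims_proof, witness))
    print(validate(b"altered", token, csi, ims_proof, witness))
    # An IMS that returns a CSI matching altered data fails the witness check.
    forged = fold(hashlib.sha256(b"altered").digest(), token)
    print(validate(b"altered", token, forged, ims_proof, witness))
```

The third call is the case the optional steps 5 and 6 exist for: a CSI that agrees with altered data passes step 4 but cannot be linked to the externally published witness.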

Validation during processing

• Upload validation routines along with application

• Application computes digest during access
  – Most languages allow you to chain or wrap data reads.

• After read finished, validate digest using token

• Inexpensive
  – Most computation likely to be service
  – External data required (CSI, Witness) is very small

Ex: Image Conversion Service

• Request file from cloud storage
  – Compute digest during read
  – Perform transformation

• When read finishes
  – Validate integrity using digest + token
  – Roll back transformation, log error if validation fails

• No extra reads required for validation

• Transformation likely to be more expensive than digest calculation
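The wrapped-read pattern from the two slides above, as an added Python example that is not part of the original presentation or of ACE. `DigestingReader`, `convert_with_validation` and the `digest_ok` callback (standing in for the token check) are hypothetical names; the transformation is any chunk-wise function.

```python
import hashlib
import logging
import os

class DigestingReader:
    """Wraps a binary stream and hashes every byte the consumer reads."""
    def __init__(self, src):
        self._src = src
        self._hash = hashlib.sha256()

    def read(self, size=-1):
        chunk = self._src.read(size)
        self._hash.update(chunk)
        return chunk

    def digest(self):
        return self._hash.digest()

def convert_with_validation(src, out_path, transform, digest_ok):
    """Transform while reading; commit the output only if the digest validates."""
    reader = DigestingReader(src)
    partial = out_path + ".partial"
    with open(partial, "wb") as out:
        while chunk := reader.read(65536):   # single pass, no extra read
            out.write(transform(chunk))
    if not digest_ok(reader.digest()):       # validate after the read finishes
        os.remove(partial)                   # roll back the transformation
        logging.error("integrity validation failed for %s", out_path)
        return False
    os.replace(partial, out_path)            # atomic commit of the result
    return True
```

Writing to a `.partial` file and renaming only after validation means a consumer never sees output derived from data that failed the check.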

Remote Validation

• Most clouds do not charge for intra-cloud transfer.

• Create an EC2 instance or other service that reads all data and validates

• May be expensive depending on CPU fees

• Sampling may be adequate

• Requires you to trust EC2 to run your service and not return false results
  – False/forged results unlikely.
  – You are supplying image/software

Additional Information

• Cloud extensions still in development

• ACE Audit Manager is available for download
  – http://adapt.umiacs.umd.edu/ace
  – Now BSD licensed!