PPD: Platform for Private Data
Mohit Tiwari, with Krste Asanović, Dawn Song, Petros Maniatis*, Prashanth Mohan, Charalampos Papamanthou, Elaine Shi, Emil Stefanov, Nguyen Tran
UC Berkeley; *Intel
Ideal: Privacy Preserving Cloud
[Diagram: End User, Developer and Cloud provider; labels: privacy policy, privacy evidence, API, App]
Ideal: Platform for Private Data
• Data protection as a service
• Users
  – control access to their data
  – access third-party applications
• Developers
  – save resources, need not be security experts
  – access personal data hitherto unavailable
PPD: Platform for Private Data
[Diagram: End User, Developer and PPD Cloud provider; labels: intuitive privacy policy, privacy evidence, API, App; App + Guest OS, private data vault, sealed container]
Outline of this talk
• PPD: Platform for Private Data
• PPD Architecture
• PPD Prototype and Evaluation
PPD Applications
Cloud Storage
Personal Documents
Real-time applications
E-commerce
Social applications
Miscellaneous: Browsing, peer-to-peer
User-initiated sharing
PPD Architecture: Users
[Diagram: End-User on Hardware with TPM; Protected Channel to the PPD Cloud Provider's Trusted User Interface; Untrusted Storage; ACLs]
ACL table (id, owner, readers, writers):
id     o  r  w
A.tax  A  A  A
PPD Architecture: Applications
[Diagram: End-User and Developer; Hardware with TPM; PPD Cloud Provider with PPD Controller and ACL Manager; Application Container holding the Untrusted Application (App) with cleartext data; Untrusted Storage; Trusted User Interface]
PPD Architecture: Storage
[Diagram: End-Users and Developers; Hardware with TPM; PPD Cloud Provider with PPD Controller and ACL Manager; PPD Storage Proxy (Dedup, Caching, Replication, ...) with Storage Container and Integrity check; channel labels: uni-directional; per-capsule: RW; per-user: R all, W flagged; Untrusted Storage; Trusted User Interface]
PPD Timeline #1: User attests Client
[Sequence diagram: User (Alice), Client, Cloud Server (Trusted PPD Server)]
TPM.send(hw id)
Attest(code)
Response (result): separation kernel on client checked; sitekey
Client attested; sitekey
PPD Timeline #2: User launches App
[Sequence diagram: User (Alice), Client, Cloud Server; client stack: Trusted PPD Kernel running PPD UI, Control, and App + Guest OS]
Launch trusted UI
Authentication
Launch application
App communication
User and Developer Interface
• User creates data capsules
  – personal by default; the user decides whom to share them with
  – does not specify a lattice of security labels
• PPD System provides trusted UI to user
  – User conveys change of ACLs to PPD
• Developers can request
  – Application Containers: per-user, per-data-capsule
  – Storage Containers: per-application, per-system
Outline of this talk
• PPD: Platform for Private Data
• PPD Architecture
• PPD Prototype and Evaluation
PPD Building Blocks
• Data capsules
  – E.g. “tax documents”, “thanksgiving”
  – System assigns ACL as private by default
• Protected Containers
  – Linux containers (LXC), Copy-on-write FS (UnionFS)
  – Stops all explicit communication, except channels
  – Hardware side channels, timing leaks out of scope
PPD Building Blocks
• Protected Channels
  – iptables firewall rules for LXC containers
  – Encryption, integrity-checking (TLS/SSL for network)
  – Trusted Channel from User to PPD to change ACLs
• Storage Proxies
  – Key-value proxy: put, get, and setACL interface
  – File-system proxy: FUSE-based layer on the key-value proxy
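The key-value proxy is the one component that decides, for every access from an untrusted application container, whether the capsule's ACL permits it. The following is an added example (not the PPD project's code) of such a proxy with the put, get and setACL interface the slides name, a private-by-default ACL per capsule, and owner-only ACL changes. The class names, the `Acl` row layout and the `acl_table()` helper are assumptions; the `A.tax` row mirrors the ACL table on the architecture slide.

```python
# Added example, not PPD project code: an ACL-enforcing key-value storage proxy.
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised for any read, write or ACL change the capsule's ACL does not permit."""


@dataclass
class Acl:
    """One row of the ACL table: capsule owner plus extra readers and writers (assumed layout)."""
    owner: str
    readers: set = field(default_factory=set)
    writers: set = field(default_factory=set)

    def can_read(self, user: str) -> bool:
        return user == self.owner or user in self.readers

    def can_write(self, user: str) -> bool:
        return user == self.owner or user in self.writers


class KeyValueProxy:
    """Mediates every access from an untrusted application container to storage."""

    def __init__(self) -> None:
        self._store: dict[str, bytes] = {}  # stands in for the untrusted storage backend
        self._acls: dict[str, Acl] = {}     # the ACL store; only this proxy may change it

    def put(self, user: str, capsule_id: str, data: bytes) -> None:
        acl = self._acls.get(capsule_id)
        if acl is None:
            # First write creates the capsule, private to its creator by default:
            # no caller has to remember to lock it down.
            self._acls[capsule_id] = Acl(owner=user)
        elif not acl.can_write(user):
            raise AccessDenied(f"{user} may not write {capsule_id}")
        self._store[capsule_id] = bytes(data)

    def get(self, user: str, capsule_id: str) -> bytes:
        acl = self._acls.get(capsule_id)
        # Same error for "no such capsule" and "not permitted", so an
        # unauthorised app cannot probe which capsule ids exist.
        if acl is None or not acl.can_read(user):
            raise AccessDenied(f"{user} may not read {capsule_id}")
        return self._store[capsule_id]

    def set_acl(self, user: str, capsule_id: str, grantee: str,
                read: bool = False, write: bool = False) -> None:
        """Only the owner changes an ACL (PPD routes this through the trusted UI)."""
        acl = self._acls.get(capsule_id)
        if acl is None or user != acl.owner:
            raise AccessDenied(f"{user} is not the owner of {capsule_id}")
        (acl.readers.add if read else acl.readers.discard)(grantee)
        (acl.writers.add if write else acl.writers.discard)(grantee)

    def acl_table(self) -> list[tuple[str, str, str, str]]:
        """Rows in the slide's 'id o r w' layout, e.g. ('A.tax', 'A', 'A', 'A')."""
        rows = []
        for cid, acl in self._acls.items():
            r = ",".join(sorted({acl.owner} | acl.readers))
            w = ",".join(sorted({acl.owner} | acl.writers))
            rows.append((cid, acl.owner, r, w))
        return rows


def demo_acl() -> dict:
    """Alice (A) creates A.tax, shares it read-only with Bob (B), then revokes."""
    kv = KeyValueProxy()
    kv.put("A", "A.tax", b"2011 return")            # constructed sample capsule
    initial_row = kv.acl_table()[0]                 # ('A.tax', 'A', 'A', 'A')

    def attempt(fn) -> bool:                        # True if the access was allowed
        try:
            fn()
            return True
        except AccessDenied:
            return False

    bob_reads_before = attempt(lambda: kv.get("B", "A.tax"))
    kv.set_acl("A", "A.tax", "B", read=True)        # owner grants read to Bob
    shared_row = kv.acl_table()[0]                  # ('A.tax', 'A', 'A,B', 'A')
    bob_reads_after = attempt(lambda: kv.get("B", "A.tax"))
    bob_writes = attempt(lambda: kv.put("B", "A.tax", b"tampered"))
    bob_grants = attempt(lambda: kv.set_acl("B", "A.tax", "C", read=True))
    kv.set_acl("A", "A.tax", "B")                   # owner revokes Bob
    bob_reads_revoked = attempt(lambda: kv.get("B", "A.tax"))
    return {"initial_row": initial_row, "shared_row": shared_row,
            "bob_reads_before": bob_reads_before, "bob_reads_after": bob_reads_after,
            "bob_writes": bob_writes, "bob_grants": bob_grants,
            "bob_reads_revoked": bob_reads_revoked, "data": kv.get("A", "A.tax")}


if __name__ == "__main__":
    for k, v in demo_acl().items():
        print(f"{k}: {v!r}")
```

The proxy, not the application, is the only code that touches the ACL store, which is what lets PPD run unmodified, untrusted applications: an app that ignores the ACL simply gets `AccessDenied`.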
PPD Building Blocks
• PPD Controller
  – manages containers and channels
  – dynamically creates containers based on user or application requests
  – assigns iptables rules for all containers
• Remote Attestation
  – Intel TXT, TPM v1.2
  – attest correct PPD code on untrusted machines
PPD Applications
• Friendshare: online storage with de-duplication (like Dropbox)
• Git: repository version control server
• Etherpad: online, collaborative editing (like Google Docs)
PPD Prototype
[Diagram: End Users; TLS Proxy (two instances); Application Layer: EtherPad, FriendShare; Controller with ACL Store, receiving ACL changes; Storage Layer: K/V Proxy, FS Proxy, DeDup, Secure Block Device, Storage; LXC Containers; Linux Kernel with IPTables; TPM Chip (Remote Attestation)]
Eval: Porting Apps for PPD
• Scripts to install and configure apps in containers
• Application v. Storage containers
  – Friendshare
    • Application: Scan directories, chunk files, change ACL
    • Storage: De-duplication
  – Git, Etherpad
    • Application: entire functionality
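The Friendshare split above puts chunking in the per-user application container and de-duplication in the storage container, which sits in front of untrusted storage behind the integrity check shown on the storage architecture slide. The following added example (not Friendshare's or PPD's code) shows that split: a chunker on the application side, and a storage proxy that de-duplicates chunks by SHA-256 content address and verifies every chunk it reads back. The class names, the 4-byte chunk size and the sample file contents are constructed for the example.

```python
# Added example, not Friendshare or PPD code: content-addressed de-duplication with
# an integrity check on every chunk read back from untrusted storage.
import hashlib


class IntegrityError(Exception):
    """A chunk fetched from untrusted storage does not match its content hash."""


class UntrustedStore:
    """Stand-in for the cloud's untrusted storage: it may return anything for a key."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}

    def has(self, key: str) -> bool:
        return key in self.blobs

    def put(self, key: str, blob: bytes) -> None:
        self.blobs[key] = blob

    def get(self, key: str) -> bytes:
        return self.blobs[key]


def chunk_file(data: bytes, size: int) -> list[bytes]:
    """Application-container side: split a file into fixed-size chunks."""
    return [data[i:i + size] for i in range(0, len(data), size)]


class DedupStorageProxy:
    """Storage-container side: content-addressed, de-duplicated, integrity-checked."""

    def __init__(self, store: UntrustedStore) -> None:
        self.store = store
        self.manifests: dict[str, list[str]] = {}  # file id -> ordered chunk hashes
        self.logical_bytes = 0   # bytes applications wrote
        self.stored_bytes = 0    # bytes actually sent to storage

    def write(self, file_id: str, chunks: list[bytes]) -> None:
        hashes = []
        for piece in chunks:
            h = hashlib.sha256(piece).hexdigest()
            self.logical_bytes += len(piece)
            if not self.store.has(h):          # identical chunk already stored: reuse it
                self.store.put(h, piece)
                self.stored_bytes += len(piece)
            hashes.append(h)
        # The manifest stays on the trusted side; if it lived in untrusted
        # storage it would need its own integrity protection.
        self.manifests[file_id] = hashes

    def read(self, file_id: str) -> bytes:
        out = bytearray()
        for h in self.manifests[file_id]:
            piece = self.store.get(h)
            # The key is the hash of the expected content, so a modified or
            # substituted blob cannot pass this check.
            if hashlib.sha256(piece).hexdigest() != h:
                raise IntegrityError(f"chunk {h[:12]} was modified in storage")
            out += piece
        return bytes(out)


def demo_dedup() -> dict:
    """Two users upload overlapping files; storage then corrupts a chunk they share."""
    chunk_size = 4                       # tiny so the constructed samples overlap
    store = UntrustedStore()
    proxy = DedupStorageProxy(store)
    alice = b"HEADER-photo-0001"         # constructed sample data, 17 bytes each
    bob = b"HEADER-photo-0002"
    proxy.write("alice/photo.jpg", chunk_file(alice, chunk_size))
    proxy.write("bob/photo.jpg", chunk_file(bob, chunk_size))
    roundtrip_ok = (proxy.read("alice/photo.jpg") == alice
                    and proxy.read("bob/photo.jpg") == bob)
    # Untrusted storage overwrites the first chunk, which both files share.
    shared = proxy.manifests["alice/photo.jpg"][0]
    store.put(shared, b"XXXX")
    try:
        proxy.read("bob/photo.jpg")
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True
    return {"roundtrip_ok": roundtrip_ok, "logical": proxy.logical_bytes,
            "stored": proxy.stored_bytes, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo_dedup())
```

With the constructed inputs the two 17-byte files share their first four chunks, so 34 logical bytes cost 18 stored bytes, and the corrupted shared chunk is caught on the next read of either file. Because the proxy holds the hashes, this cross-user optimisation lives in the storage container rather than in any one user's application container.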
Eval: PPD Application Performance
• Minimal effect on Friendshare throughput
[Chart: Friendshare throughput; Small Requests: 10 filenames; Big Requests: 10KB images]
Summary
• PPD: New Data-Centric Cloud Platform
  – user controlled sharing
  – rich, mostly legacy applications
• PPD Architecture
  – untrusted application and storage components
• PPD Prototype and Evaluation
  – small performance and porting cost
Current and Future Work
• Applications
  – medical applications, business data analytics
• Client-side PPD on Android
  – light-weight containers and channels on Nexus S
• Application initiated sharing
  – differential privacy
Related Approaches
• DIFC
  – PPD does not do fine-grained information flow tracking
  – Constrained containers + Dev API = simple system
• Capabilities
  – Can be used to implement containers and channels
  – Re-write legacy applications
• Android Security
  – Static, coarse-grained permissions
  – User does not own data
PPD Insights
• Co-design UI and System software
  – User decisions are intuitive (“share doc with Bob”)
  – System manages untrusted apps and private data
• Developer API
  – Per-user functionality v. Cross-user Optimizations
• Privacy: Data owners’ access control policy
  – Apps ‘see’ data only in sealed containers
PPD: Platform for Private Data
• PPD is a data-centric cloud platform
  – rich, untrusted applications
  – strong privacy guarantees for end user
• PPD will spark innovation
  – through apps from small developers
  – making more private data available