TRANSFORMATION

HARDWARE SYSTEM ARCHITECTURES

SVA

Binary translation and

emulation

Formal methods

Hardware support for isolation

Dealing with malicious hardware

Cryptographic secure computation

Data-centric security

Secure browser appliance

Secure servers

WEB-BASED ARCHITECTURES

e.g., Enforce properties on a malicious OS

e.g., Prevent dataexfiltration

e.g., Enable complex distributed systems, with resilience to hostile OS’s

Mohit Tiwari, UC Berkeley

with Krste Asanović, Dawn Song, Petros Maniatis, Prashanth Mohan, Christoforos Papamanthou,

Elaine Shi, Emil Stefanov, Nguyen Tran

Platform for Private Data

The Age of Big Data

Plentiful, and Private

Rich Applications

Privacy breaches

Vulnerable software

(Un) Intentional Misuse

Insider Attacks

Ideal: Privacy Preserving Cloud

End User Developer

privacy evidenceprivacy policy API App

Cloud provider

Challenge #1Untrusted applications own users’ data.

End User Developer

API

Cloud provider

Challenge #2

Novice Users

PPD: Platform for Private DataEnd User Developer

privacy evidenceprivacy policy API App

PPD Cloud provider

App

private data vault sealed container

Outline of this talk

• PPD: Platform for Private Data

• PPD Architecture

• PPD Prototype and Evaluation

PPD Insights

• Co-design UI and System software– User decisions are intuitive (“share doc with Bob”)– System manages untrusted apps and private data

• Developer API – Per-user functionality v. Cross-user Optimizations

• Privacy: Data owners’ access control policy – Apps ‘see’ data only in sealed containers

PPD Applications

Cloud Storage

Personal Documents

Real-time applications

E-commerce

Social applications

Miscellaneous:Browsing, peer-to-peer

userinitiated sharing

End-User

Hardware with TPM

PPD Cloud Provider

Untrusted Storage

Trusted User Interface

Protected Channel

ACLs

id o r w

A.tax A A A

PPD Architecture: Users

Application Container

App

Untrusted Application

End-User Developer

Hardware with TPM

PPD Cloud Provider PPD Controller and ACL Manager

Cleartext data

Untrusted Storage

Trusted User Interface

PPD Architecture: Applications

App

Untrusted Application

End-Users Developers

Hardware with TPM

PPD Cloud Provider PPD Controller and ACL Manager

Dedup, Caching,

Replication,…

PPD Storage Proxy

App

Storage ContainerIntegrity

check

Untrusted Storage

Trusted User Interface

PPD Architecture: Storage

PPD Timeline #1: User attests Client

User Client Cloud Server

TPM.send(hw id)

Attest(code)Trusted PPD Server

Response (result) Separation kernel on client checkedsitekey

sitekeyClient attested

Alice

PPD Timeline #2: User launches App

User Client Cloud ServerAlice Launch trusted UI

Authentication

Trusted PPD Kernel

PPD UI,

Control

AppContainerLaunch application

Trusted Kernel

PPD UI,

Control

AppContainer

App communication

User and Developer Interface

• User creates data – personal by default and decides who to share it with

• PPD System provides trusted UI to user – User conveys change of ACLs to PPD

• Developers can request– Application Containers: per-user, per-data-capsule – Storage Containers: per-application, per-system

Outline of this talk

• PPD: Platform for Private Data

• PPD Architecture

• PPD Prototype and Evaluation

PPD Building Blocks

• Data capsules– Capsule inferred based on user actions– E.g. “tax documents”, “thanksgiving album”– System assigns ACL as private by default

• Protected Containers– Linux containers (LXC), Copy-on-write FS (UnionFS).– Stops all explicit communication, except channels.– Hardware side channels, timing leaks out of scope

PPD Building Blocks

• Protected Channels– iptables firewall rules for LXC containers– Encryption, integrity-checking (TLS/SSL for network)– Trusted Channel from User to PPD to change ACLs

• Storage Proxies– Key-value proxy: put, get, and setACL interface– File-system proxy: fuse-based layer on key-val proxy

PPD Building Blocks

• PPD Controller– manages containers and channels – dynamically creates containers based on user or

application requests– assigns iptable rules for all containers

• Remote Attestation– Intel TXT, TPM v1.2– attest correct PPD code on untrusted machines

PPD Applications

• Friendshare: online storage with de-duplication (like Dropbox)

• Git: repository version control server

• Etherpad: online, collaborative editing (like Google Docs)

PPD Prototype

TLS Proxy TLS Proxy

EtherPad Co

ntro

ller

ACL Store

K/V Proxy FS Proxy

DeDup

Secure Block DeviceStorage

FriendShare

TPM Chip (Remote Attestation)

LXCContainers

ACL changes

Linux Kernel

IPTables

ApplicationLayer

StorageLayer

End Users

Writing & Porting Apps for PPD

• Scripts to install and configure apps in containers

• Application v. Storage containers– Friendshare• Application: Scan directories, chunk files, change ACL• Storage: De-duplication

– Git, Etherpad• Application: entire functionality

PPD Application Performance

• Minimal effect on Friendshare throughput

Small Requests: 10 filenames Big Requests: 10KB images

PPD Application Performance

• Minimal effect on Friendshare latency

Current and Future Work

• Applications– medical applications, business data analytics

• Client-side PPD on Android– light-weight containers and channels on Nexus S

• Application initiated sharing– differential privacy

Related Approaches

• PPD v. DIFC – PPD does not do fine-grained sharing– Constrained containers: simple, yet most benefits of fine-grained

information flow tracking.– Developer API: reduce run-time exceptions

• PPD v. Capabilities– Can be used to implement containers and channels– Re-write legacy applications

• PPD v. Android Security– Static, Coarse-grained permissions– User does not own data

Summary

• PPD: New Data-Centric Cloud Platform– user controlled sharing– rich, mostly legacy applications

• PPD Architecture– untrusted application and storage components

• PPD Prototype and Evaluation– small performance and porting cost

The PPD Team

Conclusion

End User Developer

privacy evidenceprivacy policy API App

PPD Cloud provider

Backups

PPD Evaluation: Etherpad

PPD Evaluation: Git