PPD: Platform for Private Data
Mohit Tiwari, with Krste Asanović, Dawn Song,
Petros Maniatis*, Prashanth Mohan, Charalampos Papamanthou, Elaine Shi, Emil Stefanov, Nguyen Tran
UC Berkeley; *Intel
The Age of Big Data
Plentiful, and Private
[Figure: application richness rising over time (axes: Time, Richness), annotated with the threats that grow alongside it: vulnerable software, (un)intentional misuse, insider attacks]
Need Data Protection as a Service
Ideal: Privacy Preserving Cloud
[Diagram: End User and Developer on either side of the Cloud provider. The user sets a privacy policy and receives privacy evidence; the developer writes an App against the provider's API]
Ideal: Platform for Private Data
• Data protection as a service
• Users – control access to their data – access third-party applications
• Developers – save resources, need not be security experts – access personal data hitherto unavailable
Challenge #1: Untrusted applications own users’ data.
[Diagram: End User and Developer with the Cloud provider; only the developer's API appears, with no privacy policy or privacy evidence on the user's side]
Challenge #2: Novice Users
PPD: Platform for Private Data
[Diagram: End User and Developer with the PPD Cloud provider. The user sets an intuitive privacy policy and receives privacy evidence; the developer's App runs against the PPD API inside a sealed container (App + Guest OS), next to the private data vault]
Outline of this talk
• PPD: Platform for Private Data
• PPD Architecture
• PPD Prototype and Evaluation
PPD Applications
Cloud Storage
Personal Documents
Real-time applications
E-commerce
Social applications
Miscellaneous: browsing, peer-to-peer
User-initiated sharing
PPD Architecture: Users
[Diagram: the End-User, on hardware with a TPM, reaches the PPD Cloud Provider over a Protected Channel from a Trusted User Interface; storage is Untrusted Storage. ACLs are kept per capsule, for example:]
id     o  r  w
A.tax  A  A  A
PPD Architecture: Applications
[Diagram: the Untrusted Application runs inside an Application Container on the PPD Cloud Provider, under the PPD Controller and ACL Manager; it sees cleartext data only inside that container. The End-User (hardware with TPM, Trusted User Interface) and the Developer connect from outside; storage is Untrusted Storage]
PPD Architecture: Storage
[Diagram: Untrusted Applications in Application Containers, with uni-directional channels into the PPD Storage Proxy; channel labels: per-capsule: RW; per-user: R all, W flagged. Behind the proxy, Storage Containers run cross-user optimizations (Dedup, Caching, Replication, …) with an integrity check on everything read back from Untrusted Storage. End-Users (hardware with TPM, Trusted User Interface) and Developers connect from outside; the PPD Controller and ACL Manager oversee the PPD Cloud Provider side]
PPD Timeline #1: User attests Client
Participants: User (Alice), Client, Cloud Server (Trusted PPD Server)
1. TPM.send(hw id)
2. Attest(code)
3. Response (result): separation kernel on client checked
4. sitekey delivered; Client attested
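The exchange above, as an added simulation that is not PPD's code. Everything here is a stand-in: a TPM 1.2-style PCR (SHA-1, extend = SHA1(old || SHA1(measurement))), a quote "signed" with an HMAC keyed by a per-device secret the server enrolled out of band (a real TPM signs with an RSA Attestation Identity Key), a golden measurement of a constructed separation kernel plus PPD client image, and a 32-byte site key released only to a fresh, correctly signed quote that matches the golden PCR. The image bytes, hardware id "hw-0001" and the name "PPD-QUOTE" are constructed for the example.

```python
"""Simulated remote attestation for PPD Timeline #1 (constructed example, not PPD code)."""
import hashlib
import hmac
import secrets

PCR_LEN = 20  # TPM 1.2 PCRs are SHA-1 digests


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


class SimTPM:
    """Minimal TPM stand-in: one PCR, extend, and a nonce-bound quote."""

    def __init__(self, hw_id: str, aik_secret: bytes):
        self.hw_id = hw_id
        self._aik = aik_secret        # stand-in for the AIK private key (assumption)
        self.pcr = bytes(PCR_LEN)     # PCRs start at all zeros after reset

    def extend(self, blob: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, blob)

    def quote(self, nonce: bytes) -> dict:
        msg = b"PPD-QUOTE" + self.hw_id.encode() + self.pcr + nonce
        return {"hw_id": self.hw_id, "pcr": self.pcr, "nonce": nonce,
                "sig": hmac.new(self._aik, msg, hashlib.sha256).digest()}


class TrustedPPDServer:
    def __init__(self, golden_pcr: bytes, aik_registry: dict):
        self.golden_pcr = golden_pcr
        self.aik_registry = aik_registry   # hw_id -> AIK secret, enrolled out of band
        self.outstanding = set()           # nonces we issued and have not yet consumed
        self.site_key = secrets.token_bytes(32)

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(20)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, q: dict):
        """Return the site key only for a fresh, correctly signed, golden quote."""
        if q["nonce"] not in self.outstanding:
            return None                             # replayed or unsolicited quote
        self.outstanding.discard(q["nonce"])        # a nonce is single use
        aik = self.aik_registry.get(q["hw_id"])
        if aik is None:
            return None                             # unknown hardware id
        msg = b"PPD-QUOTE" + q["hw_id"].encode() + q["pcr"] + q["nonce"]
        expected = hmac.new(aik, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, q["sig"]):
            return None                             # forged quote
        if not hmac.compare_digest(q["pcr"], self.golden_pcr):
            return None                             # wrong separation kernel or PPD client code
        return self.site_key                        # a real deployment would seal this to the TPM


def attest_client(tpm: SimTPM, images: list, server: TrustedPPDServer):
    """Client side: measure the boot chain into the PCR, then quote it to the server."""
    for img in images:
        tpm.extend(img)
    nonce = server.challenge()
    return server.verify(tpm.quote(nonce))   # carries hw id (TPM.send) and code measurement (Attest)


def demo() -> dict:
    kernel, ppd_client = b"separation-kernel-v1", b"ppd-client-v1"   # constructed images
    aik = secrets.token_bytes(32)
    golden = pcr_extend(pcr_extend(bytes(PCR_LEN), kernel), ppd_client)
    server = TrustedPPDServer(golden, {"hw-0001": aik})

    good = attest_client(SimTPM("hw-0001", aik), [kernel, ppd_client], server)
    tampered = attest_client(SimTPM("hw-0001", aik), [b"backdoored-kernel", ppd_client], server)

    # Replay: a captured good quote presented a second time with its old nonce.
    tpm = SimTPM("hw-0001", aik)
    for img in (kernel, ppd_client):
        tpm.extend(img)
    q = tpm.quote(server.challenge())
    first = server.verify(q)
    replayed = server.verify(q)
    return {"good": good, "tampered": tampered, "first": first, "replayed": replayed}


if __name__ == "__main__":
    print({k: (v is not None) for k, v in demo().items()})
```

The two checks that matter most in practice are the ones the timeline does not spell out: the nonce, which stops a recorded quote from an honest boot being replayed after the kernel is swapped, and comparing the whole PCR rather than any single image hash, since the extend chain only matches if every measured stage, in order, is the expected one.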
PPD Timeline #2: User launches App
Participants: User (Alice), Client (Trusted PPD Kernel running PPD UI and Control; App + Guest OS), Cloud Server
1. Launch trusted UI
2. Authentication
3. Launch application (App + Guest OS on the client)
4. App communication with the cloud server
User and Developer Interface
• User creates data capsules – personal by default, and decides who to share them with – does not specify a lattice of security labels
• PPD System provides trusted UI to user – User conveys changes of ACLs to PPD
• Developers can request – Application Containers: per-user, per-data-capsule – Storage Containers: per-application, per-system
Outline of this talk
• PPD: Platform for Private Data
• PPD Architecture
• PPD Prototype and Evaluation
PPD Building Blocks
• Data capsules – e.g. “tax documents”, “thanksgiving” – System assigns ACL as private by default
• Protected Containers – Linux containers (LXC), copy-on-write FS (UnionFS) – Stops all explicit communication, except channels – Hardware side channels, timing leaks out of scope
PPD Building Blocks
• Protected Channels – iptables firewall rules for LXC containers – Encryption, integrity-checking (TLS/SSL for network) – Trusted channel from User to PPD to change ACLs
• Storage Proxies – Key-value proxy: put, get, and setACL interface – File-system proxy: FUSE-based layer on the key-value proxy
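A worked version of the key-value proxy interface (put, get, setACL) together with the private-by-default capsule ACL from the User and Developer Interface slide, as an added example in the spirit of PPD rather than its implementation. The backend is treated as untrusted storage: the proxy keeps the ACLs, a MAC key and a per-capsule version counter on its own side, so a backend that modifies, swaps or rolls back a blob is caught before the data reaches an application. The ACL shape, the version counter and the exception names are assumptions for the example; encryption of the blob is left out so the integrity logic stays readable.

```python
"""Key-value storage proxy with default-private ACLs and integrity checking (constructed example)."""
import hashlib
import hmac
import secrets


class AccessDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


class UntrustedStorage:
    """Backend the proxy does not trust: anything in .blobs may be changed behind its back."""

    def __init__(self):
        self.blobs = {}

    def put(self, key: str, blob: bytes) -> None:
        self.blobs[key] = blob

    def get(self, key: str):
        return self.blobs.get(key)


class StorageProxy:
    TAG_LEN = 32  # HMAC-SHA256

    def __init__(self, backend: UntrustedStorage, mac_key: bytes):
        self.backend = backend
        self.mac_key = mac_key
        self.acl = {}       # capsule -> {"owner": user, "r": set(users), "w": set(users)}
        self.version = {}   # capsule -> latest version written through this proxy

    def _tag(self, capsule: str, version: int, data: bytes) -> bytes:
        # Capsule id and version are bound into the MAC, so a blob cannot be served
        # under another capsule's name or replaced by an older copy of itself.
        msg = capsule.encode() + b"\0" + version.to_bytes(8, "big") + b"\0" + data
        return hmac.new(self.mac_key, msg, hashlib.sha256).digest()

    def put(self, user: str, capsule: str, data: bytes) -> None:
        acl = self.acl.get(capsule)
        if acl is None:
            acl = {"owner": user, "r": {user}, "w": {user}}   # first write: private by default
            self.acl[capsule] = acl
        elif user not in acl["w"]:
            raise AccessDenied(f"{user} may not write {capsule}")
        version = self.version.get(capsule, 0) + 1
        self.version[capsule] = version
        self.backend.put(capsule, self._tag(capsule, version, data) + data)

    def get(self, user: str, capsule: str) -> bytes:
        acl = self.acl.get(capsule)
        if acl is None or user not in acl["r"]:
            raise AccessDenied(f"{user} may not read {capsule}")
        blob = self.backend.get(capsule)
        if blob is None or len(blob) < self.TAG_LEN:
            raise IntegrityError(f"{capsule}: blob missing or truncated")
        tag, data = blob[:self.TAG_LEN], blob[self.TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(capsule, self.version[capsule], data)):
            raise IntegrityError(f"{capsule}: MAC mismatch (modified, swapped or rolled back)")
        return data

    def set_acl(self, user: str, capsule: str, read=(), write=()) -> None:
        """Only the owner changes an ACL; in PPD the request arrives over the trusted UI channel."""
        acl = self.acl.get(capsule)
        if acl is None or acl["owner"] != user:
            raise AccessDenied(f"{user} does not own {capsule}")
        acl["r"].update(read)
        acl["w"].update(write)


def _attempt(fn, *args, **kwargs):
    """Run a proxy call and report the exception class name instead of raising."""
    try:
        return fn(*args, **kwargs)
    except (AccessDenied, IntegrityError) as e:
        return type(e).__name__


def demo() -> dict:
    backend = UntrustedStorage()
    proxy = StorageProxy(backend, secrets.token_bytes(32))
    out = {}
    proxy.put("alice", "A.tax", b"2011 return")                  # private to alice by default
    out["bob_before_share"] = _attempt(proxy.get, "bob", "A.tax")
    proxy.set_acl("alice", "A.tax", read=["bob"])                 # "share doc with Bob"
    out["bob_after_share"] = proxy.get("bob", "A.tax")
    out["bob_write"] = _attempt(proxy.put, "bob", "A.tax", b"x")
    out["bob_set_acl"] = _attempt(proxy.set_acl, "bob", "A.tax", read=["eve"])

    old_blob = backend.blobs["A.tax"]
    proxy.put("alice", "A.tax", b"2011 return, amended")
    backend.blobs["A.tax"] = old_blob                              # backend rolls the capsule back
    out["rollback"] = _attempt(proxy.get, "alice", "A.tax")
    proxy.put("alice", "A.tax", b"2011 return, amended")
    backend.blobs["A.tax"] = backend.blobs["A.tax"][:-1] + b"?"    # backend flips a byte
    out["tamper"] = _attempt(proxy.get, "alice", "A.tax")
    return out
```

The version counter is what turns a plain MAC into a rollback check; without it, untrusted storage could serve a correctly tagged but stale copy of a capsule, which is exactly the kind of silent failure a de-duplicating or replicating storage container can produce.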
PPD Building Blocks
• PPD Controller – manages containers and channels – dynamically creates containers based on user or application requests – assigns iptables rules for all containers
• Remote Attestation – Intel TXT, TPM v1.2 – attest correct PPD code on untrusted machines
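The controller's rule-assignment step for the Protected Channels slide and the PPD Controller bullet, as an added example that is not the PPD controller. It assumes the LXC containers share one Linux bridge so their traffic crosses the host's FORWARD chain, that a channel is uni-directional in the sense of the architecture slide (only its source may open connections; conntrack admits the replies), and that anything a container sends or receives outside a declared channel is dropped, which is the "no explicit communication except channels" rule. Container names, addresses, the chain name PPD and the port are constructed; build_rules() returns argv lists and apply() only runs them when dry_run is False, which needs root.

```python
"""Derive host iptables rules for PPD-style LXC containers (constructed example, not PPD code)."""
import ipaddress
import subprocess
from dataclasses import dataclass

CHAIN = "PPD"   # dedicated chain jumped to from FORWARD


@dataclass(frozen=True)
class Container:
    name: str
    ip: str


@dataclass(frozen=True)
class Channel:
    src: str            # container that may initiate connections
    dst: str            # container name, or "host:<ip>" for an endpoint off the bridge
    port: int
    proto: str = "tcp"


def _endpoint_ip(name: str, by_name: dict) -> str:
    if name.startswith("host:"):
        return str(ipaddress.ip_address(name[5:]))
    if name not in by_name:
        raise ValueError(f"unknown container {name!r}")
    return by_name[name].ip


def build_rules(containers, channels):
    by_name = {c.name: c for c in containers}
    for c in containers:
        ipaddress.ip_address(c.ip)       # reject junk before it becomes a rule
    rules = [
        ["iptables", "-N", CHAIN],
        ["iptables", "-F", CHAIN],
        ["iptables", "-D", "FORWARD", "-j", CHAIN],     # remove a stale jump; may fail harmlessly
        ["iptables", "-I", "FORWARD", "1", "-j", CHAIN],
        # replies to connections a channel already permitted
        ["iptables", "-A", CHAIN, "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED",
         "-j", "ACCEPT"],
    ]
    # One ACCEPT per declared channel, NEW connections from src to dst only.
    for ch in channels:
        if ch.proto not in ("tcp", "udp") or not 0 < ch.port < 65536:
            raise ValueError(f"bad channel {ch}")
        rules.append(["iptables", "-A", CHAIN, "-s", _endpoint_ip(ch.src, by_name),
                      "-d", _endpoint_ip(ch.dst, by_name), "-p", ch.proto,
                      "--dport", str(ch.port), "-m", "conntrack", "--ctstate", "NEW",
                      "-j", "ACCEPT"])
    # Default deny for every container in both directions, after the channel rules.
    for c in containers:
        rules.append(["iptables", "-A", CHAIN, "-s", c.ip, "-j", "DROP"])
        rules.append(["iptables", "-A", CHAIN, "-d", c.ip, "-j", "DROP"])
    return rules


def apply(rules, dry_run=True) -> int:
    """Print (dry run) or execute the rules; the -D cleanup is allowed to fail."""
    for argv in rules:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=(argv[1] != "-D"))
    return len(rules)


def demo():
    containers = [Container("etherpad-alice", "10.0.3.10"),
                  Container("storage-proxy", "10.0.3.2"),
                  Container("friendshare-bob", "10.0.3.11")]
    channels = [Channel("etherpad-alice", "storage-proxy", 8080)]   # app -> proxy, one way
    return build_rules(containers, channels)


if __name__ == "__main__":
    apply(demo(), dry_run=True)
```

Order is the whole point: the channel ACCEPTs must precede the per-container DROPs, and the DROPs must match every container so that two containers with no channel between them cannot reach each other or the outside. Matching on source IP assumes the container cannot change its own address; if it holds CAP_NET_ADMIN, match on its veth interface instead, or pin the address with ebtables.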
PPD Applications
• Friendshare: online storage with de-duplication (like Dropbox)
• Git: repository version control server
• Etherpad: online, collaborative editing (like Google Docs)
PPD Prototype
[Diagram of the prototype. Application layer: End Users reach EtherPad and FriendShare, each in an LXC container, through TLS proxies; ACL changes go to the Controller, which holds the ACL Store and programs IPTables in the Linux kernel; a TPM chip provides remote attestation. Storage layer: K/V Proxy and FS Proxy in front of DeDup and a Secure Block Device over Storage]
Eval: Porting Apps for PPD
• Scripts to install and configure apps in containers
• Application v. Storage containers – Friendshare • Application: scan directories, chunk files, change ACL • Storage: de-duplication
– Git, Etherpad • Application: entire functionality
Eval: PPD Application Performance
• Minimal effect on Friendshare throughput
[Figure: throughput; small requests: 10 filenames, big requests: 10 KB images]
PPD Application Performance
• Minimal effect on Friendshare latency
[Figure: latency]
Summary
• PPD: New data-centric cloud platform – user-controlled sharing – rich, mostly legacy applications
• PPD Architecture – untrusted application and storage components
• PPD Prototype and Evaluation – small performance and porting cost
The PPD Team
Current and Future Work
• Applications – medical applications, business data analytics
• Client-side PPD on Android – light-weight containers and channels on Nexus S
• Application-initiated sharing – differential privacy
Related Approaches
• DIFC – PPD does not do fine-grained information flow tracking – Constrained containers + Dev API = simple system
• Capabilities – Can be used to implement containers and channels – Re-write legacy applications
• Android Security – Static, coarse-grained permissions – User does not own data
Conclusion
[Diagram: End User, Developer and PPD Cloud provider as on the opening slide: privacy policy and privacy evidence on the user's side, API and App on the developer's side]
Backup slides
PPD Insights
• Co-design UI and system software – User decisions are intuitive (“share doc with Bob”) – System manages untrusted apps and private data
• Developer API – Per-user functionality v. cross-user optimizations
• Privacy: data owners’ access control policy – Apps ‘see’ data only in sealed containers
Summary
PPD Evaluation: Etherpad
PPD Evaluation: Git
PPD: Platform for Private Data
• PPD is a data-centric cloud platform – rich, untrusted applications – strong privacy guarantees for end user
• PPD will spark innovation – through apps from small developers – making more private data available
PPD Design
• Simplest: User + PPD – Data capsules + ACL (UI)
• Next: User + Application (front-end) + PPD – Per-user, sharing
• Next: + Backend Storage – Rich optimizations, integrity checked