Real-time Database Storage & Self-Securing in Docsity.com: Security & Partial Policies, Slides of Network security

An in-depth look into the real-time database storage and self-securing storage systems used by docsity.com. It covers topics such as real-time system dependencies, covert channels, partial security policies, and self-contained storage devices. The document also discusses the importance of logical correctness and timeliness in real-time systems and the role of dynamic rules in controlling security violations.

Typology: Slides

2012/2013

Uploaded on 04/22/2013

sathiamoorthy

1

Secure Storage

2

Secure Storage

  • Real-time database storage
  • Partial security policies
  • Self-securing storage
  • FARSITE

4

Real-time Database Storage

  • A covert channel is the means by which a higher security process transfers information to a lower security process
  • Critical transactions must complete by their deadlines
  • Security violations are controlled

5

Real-time Database Storage

  • Percentages are used for defining partial security
  • Known access pattern
  • Acceptable risk level could vary from 0 (low) to 4 (high)
  • Rules can be either static or dynamic
  • Static rules apply to conflicts that are resolved in the same way

7

Real-time Database Storage

  • Maintains a specification tool which is stored in internal data structures

  • Two transactions conflict if:
    • They access the same data item
    • At least one of them writes to the data item
    • One transaction has a higher security and priority level than the other
    • Execution times of the transactions must intersect

8

Partial Security Policies

  • Specify security levels (0 for low and 4 for high)
  • Number of security levels can be arbitrary
  • Split security:
    • Permit covert channels for two highest levels
    • Do not permit covert channels from the two highest levels to the three lowest levels
  • Another partial security policy:
    • Keep highest level completely secure
    • Permit controlled number of violations among lower levels
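The conflict rule on slide 7 and the two partial security policies on slide 8 can be put together into a small scheduler. The following is an added example, not code from the slides: the class and function names, the encoding of a policy as a predicate over (high level, low level), the violation budget and the sample transactions are all assumptions made for this illustration. It shows the trade-off the slides describe: where a covert channel is permitted, the higher-priority transaction runs first and the lower-level one can observe the delay; where it is not, the lower-level transaction runs first and the critical one risks its deadline.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Added example, not from the slides: a toy model of the conflict rule on
# slide 7 and the partial security policies on slide 8. Class and function
# names, the policy encoding and the sample transactions are assumptions.

LOW, HIGH = 0, 4   # security levels run from 0 (low) to 4 (high), as on slide 8


@dataclass(frozen=True)
class Transaction:
    name: str
    data_item: str
    writes: bool      # True for a write access, False for a read
    level: int        # security level, LOW..HIGH
    priority: int     # scheduling priority, higher runs first
    start: float      # execution window [start, end)
    end: float


def conflicts(a: Transaction, b: Transaction) -> bool:
    """All four conditions listed on slide 7 must hold."""
    same_item = a.data_item == b.data_item
    one_writes = a.writes or b.writes
    # read here as: one transaction has both the higher security level and the
    # higher priority (an assumption about the slide's wording)
    dominates = ((a.level > b.level and a.priority > b.priority) or
                 (b.level > a.level and b.priority > a.priority))
    overlap = a.start < b.end and b.start < a.end
    return same_item and one_writes and dominates and overlap


# A policy answers: may a covert channel from level `high` to level `low` be
# tolerated?  This signature is assumed for the example.
Policy = Callable[[int, int], bool]


def split_security(high: int, low: int) -> bool:
    """Slide 8 'split security': channels between the two highest levels are
    permitted; channels from those levels to the three lowest are not."""
    top = {HIGH, HIGH - 1}
    return high in top and low in top


class TopLevelSecure:
    """Slide 8's second policy: level 4 stays completely secure while a
    controlled number of violations (the budget) is tolerated among the
    lower levels."""

    def __init__(self, budget: int):
        self.budget = budget

    def __call__(self, high: int, low: int) -> bool:
        if high == HIGH or self.budget <= 0:
            return False
        self.budget -= 1     # one of the controlled violations is spent
        return True


def resolve(a: Transaction, b: Transaction, policy: Policy) -> Tuple[str, Optional[str]]:
    """Decide which transaction runs first and report whether a covert
    channel is opened in doing so."""
    if not conflicts(a, b):
        return ("no-conflict", None)
    high, low = (a, b) if a.level > b.level else (b, a)
    if policy(high.level, low.level):
        # permitted violation: honour priority; the low-level transaction can
        # observe the resulting delay, which is the covert channel
        first = high if high.priority > low.priority else low
        return ("covert-channel", first.name)
    # not permitted: the low-level transaction goes first so its timing
    # reveals nothing, at the cost of the high-level one risking its deadline
    return ("secure", low.name)


if __name__ == "__main__":
    t1 = Transaction("T1", "balance", True, HIGH, 9, 0.0, 10.0)
    t2 = Transaction("T2", "balance", False, HIGH - 1, 2, 5.0, 15.0)
    print(resolve(t1, t2, split_security))   # ('covert-channel', 'T1')
```

A dynamic rule in the sense of slide 5 is exactly what `TopLevelSecure` is: the same conflict is answered differently as the violation budget is spent, whereas `split_security` is a static rule that always resolves a given pair of levels the same way.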

10

Self-Securing Storage

  • Primary benefit is in intrusion detection
  • IDS succeeds because of modified storage
  • Self-securing storage provides an alternate storage model that is beyond the reach of the intruder
  • Intruder
    • Compromises secrets
    • Creates backdoor entry path
    • Places Trojan horses
    • Taints stored data

11

Self-Securing Storage

  • Data restoration
    • Requires significant amount of time
    • Reduces availability of the original system
    • Misalignment of data between backup and intruder modified data
  • Data storage is usually under OS control
  • Self-securing storage is not under OS control

13

Self-Securing Storage

  • SSS
    • Operates as an independent device
    • Stores and protects data
    • Assists in intrusion recovery
    • Simplifies intrusion detection
  • SSS security perimeter consists of
    • Self-contained software that exports only a simple storage interface to the outside
    • Verifies each command’s integrity before processing

14

Self-Securing Storage

  • SSS is a single-function device, unlike an OS
  • The old versions of objects that SSS keeps form the history pool
  • Every time an object is modified the prior version becomes part of the history pool
  • SSS guarantees a minimum storage time for objects in the history pool before they are reclaimed

16

Self-Securing Storage

  • An SSS variation is to write snapshots instead of versioning
  • Snapshots do not provide the same level of data integrity as versioning
  • SSS ensures
    • Data survival
    • Audit log survival
  • SSS is cost effective given low storage costs
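The history pool, the minimum retention guarantee, the audit log and their use in detection and recovery (slides 13, 14 and 16) can be modelled in a few dozen lines. The following is an added example, not code from the slides or from any self-securing storage product: the class and method names, the retention value, the audit-line format and the sample writes are assumptions made for this illustration. Everything in the class is meant to run inside the device, beyond the reach of the host OS; the host only sees the read, write and history calls.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not from the slides and not any vendor's device code: a toy
# self-securing store that models the history pool, minimum retention and
# audit log from slides 13, 14 and 16. Names, the retention value and the
# sample writes are assumptions made for this illustration.


@dataclass(frozen=True)
class Version:
    data: bytes
    written_at: float                 # time the version was written
    retired_at: float = float("inf")  # time it was superseded; inf = current


class SelfSecuringStore:
    """Runs 'inside the device': the host only sees read/write/history calls."""

    MIN_RETENTION = 100.0   # assumed guaranteed history-pool lifetime (seconds)

    def __init__(self) -> None:
        self._current: Dict[str, Version] = {}
        self._history: Dict[str, List[Version]] = {}
        self._audit: List[str] = []   # append-only; there is no delete command

    def write(self, obj: str, data: bytes, now: float) -> None:
        prior = self._current.get(obj)
        if prior is not None:
            # the prior version enters the history pool instead of being overwritten
            self._history.setdefault(obj, []).append(
                Version(prior.data, prior.written_at, retired_at=now))
        self._current[obj] = Version(data, now)
        self._audit.append(f"{now:.1f} write {obj} {len(data)}B")

    def read(self, obj: str) -> Optional[bytes]:
        v = self._current.get(obj)
        return v.data if v else None

    def read_as_of(self, obj: str, t: float) -> Optional[bytes]:
        """Content obj had at time t, served from the history pool or current."""
        for v in self._history.get(obj, []):
            if v.written_at <= t < v.retired_at:
                return v.data
        cur = self._current.get(obj)
        if cur is not None and cur.written_at <= t:
            return cur.data
        return None

    def modified_between(self, t0: float, t1: float) -> List[str]:
        """Objects written in [t0, t1]: the view an IDS gets from the device."""
        out = []
        for obj, cur in self._current.items():
            times = [cur.written_at] + [v.written_at for v in self._history.get(obj, [])]
            if any(t0 <= t <= t1 for t in times):
                out.append(obj)
        return sorted(out)

    def restore(self, obj: str, t: float, now: float) -> bool:
        """Intrusion recovery: reinstate the version obj had at time t. The
        tainted current version is itself kept in the history pool."""
        old = self.read_as_of(obj, t)
        if old is None:
            return False
        self.write(obj, old, now)
        return True

    def reclaim(self, now: float) -> int:
        """Free history space, never touching a version younger than MIN_RETENTION."""
        freed = 0
        for obj, versions in self._history.items():
            keep = [v for v in versions if now - v.retired_at < self.MIN_RETENTION]
            freed += len(versions) - len(keep)
            self._history[obj] = keep
        return freed

    def audit_log(self) -> List[str]:
        return list(self._audit)


if __name__ == "__main__":
    s = SelfSecuringStore()
    s.write("/bin/login", b"login-v1", now=20.0)
    s.write("/bin/login", b"login-trojan", now=50.0)   # constructed intruder write
    print(s.modified_between(40.0, 60.0))   # ['/bin/login']
    s.restore("/bin/login", 30.0, now=70.0)
    print(s.read("/bin/login"))             # b'login-v1'
```

The difference from a snapshot design is visible in `read_as_of`: with per-write versioning every intermediate version is retained for at least `MIN_RETENTION`, so the state at any instant in that window can be reconstructed, while a snapshot taken at fixed intervals only preserves the states that happened to be current at snapshot time.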

17

FARSITE

  • Stands for Federated, Available, and Reliable Storage for an Incompletely Trusted Environment
  • FARSITE is
    • Secure
    • A scalable file system
    • A logically centralized file server
    • A physically distributed file server
  • Developed in 2002 at Carnegie-Mellon University, with federal grant

19

FARSITE

  • No central administration required
  • The security of any distributed system comes down to managing trust
  • FARSITE manages trust using public-key cryptographic certificates
  • The FARSITE certification model is intentionally distributed
  • This allows for separation of responsibilities between users and computers
  • Example: HR authorizes users and IT manages computers

20

FARSITE

  • Every computer that is part of the system has three roles:
    • Client (interacts with the user)
    • Directory group (collection of computers that collectively manage file information using a Byzantine-fault-tolerant protocol)
    • File host (every group member stores a copy of file information)
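The point of the directory group's Byzantine-fault-tolerant protocol is that a client never has to trust any single machine's answer about a file. The following is an added example, not FARSITE's own code: it models a directory group of 3f+1 members of which up to f may be compromised, and a client that accepts a directory entry only when f+1 members return identical replies. The member names, the `DirectoryEntry` fields and the sample entries are constructed for this illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Added example, not FARSITE's own code: a toy model of the directory group
# on slide 20. A Byzantine-fault-tolerant group of 3f+1 members tolerates f
# faulty members, and a client accepts a directory answer only once f+1
# members give the same reply. Member names and the sample entries are
# constructed for this illustration.


@dataclass(frozen=True)
class DirectoryEntry:
    path: str
    content_hash: str             # identifies the content held by the file hosts
    file_hosts: Tuple[str, ...]   # machines storing replicas of the file


def group_size(f: int) -> int:
    """Smallest directory group able to tolerate f Byzantine members."""
    return 3 * f + 1


def max_faulty(n: int) -> int:
    """How many of n members may misbehave before agreement can break."""
    return (n - 1) // 3


def accept_reply(replies: List[Optional[DirectoryEntry]], f: int) -> Optional[DirectoryEntry]:
    """Return the entry backed by at least f+1 identical replies.

    f+1 matching replies must include one correct member, and correct members
    agree on the committed state. If two different entries each reach f+1,
    more than f members are lying and nothing can be trusted, so None."""
    counts = Counter(r for r in replies if r is not None)
    backed = [e for e, n in counts.items() if n >= f + 1]
    return backed[0] if len(backed) == 1 else None


def query_directory(members: List[str], f: int,
                    ask: Callable[[str], Optional[DirectoryEntry]]) -> Optional[DirectoryEntry]:
    """ask(member) returns that member's reply, or None if it does not answer."""
    if len(members) < group_size(f):
        raise ValueError("group too small to tolerate f faulty members")
    return accept_reply([ask(m) for m in members], f)


if __name__ == "__main__":
    f = 1
    members = [f"dir{i}" for i in range(group_size(f))]   # dir0..dir3
    good = DirectoryEntry("/payroll/q1.xlsx", "h-constructed-1", ("hostA", "hostB"))
    bad = DirectoryEntry("/payroll/q1.xlsx", "h-constructed-2", ("hostZ",))
    # one compromised member (dir3) answers with a forged entry
    print(query_directory(members, f, lambda m: bad if m == "dir3" else good) == good)  # True
```

The f+1 rule is the client-side acceptance rule; inside the group, the protocol's own agreement steps need 2f+1 matching votes, which is why the group must have 3f+1 members rather than 2f+1. Once more than f members are compromised the model gives no guarantee, which `accept_reply` makes visible by returning None when two different entries both reach the threshold.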