Anonymizing Filesystem Metadata for Analysis

Transcription

1 Anonymizing Filesystem Metadata for Analysis Chris Xin Symantec 2006 Symantec Corporation, All Rights Reserved

2 Challenges of Filesystem Analysis Real-time live-system monitoring is difficult. performance degradation security & privacy concerns stability risk Traces difficult to reconstruct I/O dependencies system states security & privacy concerns Benchmarks There are lies, damn lies and then there are benchmarks. Filesystem images snapshot, backups security & privacy concerns

3 Agenda Challenges of filesystem analysis Keeping filesystem images metasave Metadata anonymization secure metasave Measurement space efficiency time efficiency resource consumption Summary

4 Filesystem Images Storing the whole system would be expensive. large storage space long time Keeping metadata is a wise idea. A good resource for understanding some characteristics of a file system Cumulative images can be obtained to track the change trend of a file system file size, age, type information filesystem aging analysis Address some privacy concerns by eliminating user data Some file systems already provide such a utility. Ext2: e2image Linux NTFS: ntfsclone --metadata VxFS: metasave

5 Metasave Utility The utility saves or restores the metadata of VxFS Available in version 1 and later versions. Metadata is kept in a way that the original geometry of a file system is preserved and all the inode information is intact. No user data is retained. Metadata can be saved on top of a snapshot, a backup, or a live system as an image file. The image file can be deflated and metadata can be restored back to a file or a device. What do we do with images? troubleshooting debugging file system analysis

6 Efficient Anonymization But your clients may say no Sensitive information is still in the file and directory names Concerns of performance degradation Solution: Anonymize clients information in metadata Names of files and directories Client information in file system intent logs Requirements Must be difficult to recover original information Keep the geometry of the file system: retain the length of the file/directory names Time efficient Space efficient Minimum performance degradation

7 Secure Metasave Enhanced metasave with encryption options Evolved from metasave, a VxFS utility for saving/restoring metadata of a file system Online image saving Use cryptographic message digest algorithm to obfuscate client information The algorithm can be chosen by a client s requirement Default: SHA-1

8 Message Digest Secure one-way hash function: e=h(m) M: original message H: hash function e: digested message Key properties Given M, easy to compute e=h(m) Given e, hard to compute M such that e=h(m) Given M, hard to find M' (different from M) such that H(M)=H(M') (minimum collision)

9 Implementation OpenSSL library Obfuscate a file/directory name Do it by individual pathname components /a/bc/bcd /x/rd/wyz Retain name length Digest works on a fixed length of characters at a time. 20 characters for SHA-1 If len(name) > len(digest), process it in segments. If len(name) < len(digest) or len(final segment) < len(digest), digest the name string and remove some characters to preserve its original length. Digest can contain characters that are illegal in file/directory names; map them to legal characters.

10 File/Directory Name Manipulation original name string 0 79 digests chop to org. length 0 67 obfuscated filename Parse a name string Message digest Chop it to its original length Random number generator with a changeable seed Character mapping 0 67

11 Obfuscation Options Full-name obfuscation Retain file extension if any Obfuscate extensions as well and make them consistent obfuscation option original name foo1.c foo2.c full-name abcde uwxyz retain file extension jkis.c swdx.c consistent extension jkis.x swdx.x

12 Further Handling Multiple extensions and prefixes for name-only obfuscation option Look at the last extension only foo.c.bak abced.bak retain extension of 4 or less; obfuscate anything bigger Do not obfuscate the name of special administrative files or directories lost+found Rebuild directory indexes and block checksums after name obfuscation Symlinks Point to the same place within the file system.. is kept intact Intent logs Offers an option to not include intent logs in an image file. If intent log is retained, file and directory names are obfuscated.

13 Collision Probability What s a collision? Two files/directories with different names, say A and B, end up with the same name after obfuscation. Do we have to worry about it? Not really Collision only matters within individual directories. Chance of collision is tiny With SHA-1, 1 in possibility for a filesystem with a trillion file/directory names, and 1 in for quadrillion names. The character mapping and name length chopping increase the chance of collisions slightly. An optional name conflict check is followed after obfuscation for a file system with large directories.

14 Measurement Three categories Space consumption Time consumption encryption overhead Resource consumption Six filesystems measured four customer filesystems two filesystems on our production server (fs #2 and #6) Experiment environment Live production system Sun Fire E Sparc CPUs, 32GB memory, shared disks Test machine Sun Fire V240 2 Sparc CPUs, 2GB memory, single-user disks

15 Space Efficiency The image of metadata usually takes about 1-5% of the filesystem size. storage efficiency % of image over fs size % of total cap. % of used cap. filesystem

16 Time Efficiency How long does it take to get an anonymized file system image? use filename-only option on the live production system about 30 minutes to get an encrypted metadata image from fs # secs for fs #2. on the test machine: time efficiency time (sec) filesystem

17 A closer look The factors in play # of inodes total filesystem size filesystem capacity fs # files time (sec) time (sec) msv size/ msv size/ total(gb) used(gb) production test total fs cap. used fs cap % 0.12% ,721 59, ,180 2,259, % 0.04% 0.05% 6.88% 0.60% 0.08% 0.73% 0.56% 11.73% 0.63%

18 Encryption Overhead Space efficiency is the same. time efficiency Little overhead introduced on a live production system I/O bounded shared disk Noticeable computational overhead on the test machine.

19 Encryption Overhead on the Test Machine normalized time no-encryption full-obfuscation filename-only consistent-extension file system

20 Encryption Overhead on the Production System normalized time no-encryption full-obfuscation filename-only consistent-extension file system

21 Resource Consumption Not much performance degradation during image saving 20 MB memory and 1% of CPU were utilized during the image dumping on a live production system.

22 Summary A method of anonymizing filesystem metadata. Obfuscate clients information to relieve privacy concerns Cost 1-5% storage of the original file system size. Fairly quick process and little performance degradation. We encourage saving file metadata images with anonymization. Provide a good resource for file system analysis Benefit both development and research The anonymization scheme can be used in other file system utilities, such as trace collecting.

23 References Bruce Schneier, Applied Cryptography. Second Edition, J. Wiley and Sons, 1996 Mark Ryan, One-way secure hash functions, Computer Security lecture notes, University of Birmingham. Geoff Kuenning and Ethan L. Miller, "Anonymization Techniques for URLs and Filenames," Technical Report UCSC-CRL-03-05, University of California, Santa Cruz, September Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu, Finding Collisions in the Full SHA-1, CRYPTO

24 Acknowledgements Thanks to Oleg Kiselev, John Colgrove, Craig Harmer, Chuck Silvers and George Mathew for discussions. Thanks to Marianne Lent and Paul Massiglia for suggestions. Thanks to Ken Zachmann for helping with experiments.

25 Questions