Secure Network Provenance

Secure Network Provenance Wenchao Zhou *, Qiong Fei*, Arjun Narayan*, Andreas Haeberlen*, Boon Thau Loo*, Micah Sherr + * University of Pennsylvania + Georgetown University http://snp.cis.upenn.edu/

Motivation Why did my route to foo.com change?! D Route r 2 E Innocent Reason? Malicious Attack? Alice Route r 1 A foo.com An example scenario: network routing System administrator observes strange behavior Example: the route to foo.com has suddenly changed What exactly happened (innocent reason or malicious attack)? B C 2

We Need Secure Forensics For network routing Example: incident in March 2010 Traffic from Capitol Hill got redirected but also for other application scenarios Distributed hash table: Eclipse attack Cloud computing: misbehaving machines Online multi player gaming: cheating Goal: secure forensics in adversarial scenarios 3

Ideal Solution Q: Explain why the route to foo.com changed to r2. D Route r 2 E Alice A B C foo.com The Network Not realistic: adversary can tell lies A: Because someone accessed Router D and changed the configuration from X to Y. 4

Challenge: Adversaries Can Lie Everything is fine. Router E advertised a new route. Q: Explain why the route to foo.com changed to r2. D Route r 2 E Alice A B C foo.com The Network Problem: adversary can... fabricate plausible (yet incorrect) response point accusation towards innocent nodes 5

Existing Solutions Existing systems assume trusted components Trusted OS kernel, monitor, or hardware E.g. Backtracker [OSDI 06], PASS [USENIX ATC 06], ReVirt [OSDI 02], A2M [SOSP 07] These components may have bugs or be compromised Are there alternatives that do not require such trust? Our solution: We assume no trusted components; Adversary has full control over an arbitrary subset of the network (Byzantine faults). 6

Ideal Guarantees Ideally: explanation is always complete and accurate Fundamental limitations E.g. Faulty nodes secretly exchange messages E.g. Faulty nodes communicate outside the system What guarantees can we provide? Fundamentally impossible 7

Realistic Guarantees Q: Why did my route to foo.com change to r2? D Route r 2 E Alice A B The Network C foo.com Aha, at least I know which node is compromised. A: Because someone accessed Router D and changed its router configuration from X to Y. No faults: Explanation is complete and accurate Byzantine fault: Explanation identifies at least one faulty node Formal definitions and proofs in the paper 8

Outline Goal: A secure forensics system that works in an adversarial environment Explains unexpected behavior No faults: explanation is complete and accurate Byzantine fault: exposes at least one faulty node with evidence Model: Secure Network Provenance Tamper-evident Maintenance and Processing Evaluation Conclusion 9

Provenance as Explanations Alice A D route(a, foo.com) link(a, B) B route(d, foo.com) link(d, E) Origin: data provenance in databases foo.com route(c, foo.com) link(c, foo.com) Explains the derivation of tuples (ExSPAN [SIGMOD 10]) Captures the dependencies between tuples as a graph Explanation of a tuple is a tree rooted at the tuple E route(b, foo.com) link(b, C) C route(e, foo.com) link(e, B) 10

Provenance as Explanations route(d, foo.com) link(d, E) route(e, foo.com) link(e, B) route(a, foo.com) link(a, B) route(b, foo.com) route(c, foo.com) link(b, C) Origin: data provenance in databases link(c, foo.com) Explains the derivation of tuples (ExSPAN [SIGMOD 10]) Captures the dependencies between tuples as a graph Explanation of a tuple is a tree rooted at the tuple 11

Secure Network Provenance route(a, foo.com) link(a, B) route(b, foo.com) route(c, foo.com) link(b, C) link(c, foo.com) Challenge #1. Handle past and transient behavior Traditional data provenance targets current, stable state What if the system never converges? What if the state no longer exists? 12

Secure Network Provenance Time = t1 Time = t2 Time = t3 route(a, foo.com) route(c, foo.com) route(b, foo.com) route(c, foo.com) link(a, B) route(b, foo.com) route(c, foo.com) link(c, foo.com) link(b, C) link(c, foo.com) link(b, C) link(c, foo.com) Challenge #1. Handle past and transient behavior Timeline Traditional data provenance targets current, stable state What if the system never converges? What if the state no longer exists? Solution: Add a temporal dimension 13

Secure Network Provenance Time = t1 Time = t2 Time = t3 route(c, foo.com) route(b, foo.com) route(c, foo.com) +route(a, foo.com) +route(b, foo.com) link(a, B) +route(c, foo.com) link(c, foo.com) link(b, C) link(c, foo.com) link(b, C) +link(c, foo.com) Challenge #2. Explain changes, not just state Traditional data provenance targets system state Often more useful to ask why a tuple (dis)appeared Solution: Include deltas in provenance Timeline 14

Secure Network Provenance route(d, foo.com) link(d, E) route(e, foo.com) link(e, B) route(a, foo.com) link(a, B) route(b, foo.com) route(c, foo.com) link(b, C) link(c, foo.com) Challenge #3. Partition and secure provenance A trusted node would be ideal, but we don t have one Need to partition the graph among the nodes themselves Prevent nodes from altering the graph 15

Partitioning the Provenance Graph Step 1: Each node keeps vertices about local actions Split cross node communications 16

Partitioning the Provenance Graph RECV SEND Step 1: Each node keeps vertices about local actions Split cross node communications Step 2: Make the graph tamper evident 17

Securing Cross Node Edges Signed commitment from B RECEIVE SEND Signed ACK from A RECV SEND Router A Router B Step 1: Each node keeps vertices about local actions Split cross node communications Step 2: Make the graph tamper evident Secure cross node edges (evidence of omissions) 18

Outline Goal: A secure forensics system that works in an adversarial environment Explains unexpected behavior No faults: explanation is complete and accurate Byzantine fault: exposes at least one faulty node with evidence Model: Secure Network Provenance Tamper-evident Maintenance and Processing Evaluation Conclusion 19

System Overview Users Primary system Application Provenance system Query engine Maintenance engine Operator Extract provenance Maintain provenance Query provenance Network Stand alone provenance system On demand provenance reconstruction Provenance graph can be huge (with temporal dimension) Rebuild only the parts needed to answer a query 20

Extracting Dependencies Option 1: Inferred provenance Declarative specifications explicitly capture provenance E.g. Declarative networking, SQL queries, etc. Option 2: Reported provenance Modified source code reports provenance Option 3: External specification Defined on observed I/Os of a black box system 21

Secure Provenance Maintenance Maintain sufficient information for reconstruction I/O and non deterministic events are sufficient Logs are maintained using tamper evident logging Based on ideas from PeerReview [SOSP 07] D E Alice A RECV ACK B C SEND RCV ACK foo.com 22

Secure Provenance Querying Recursively construct the provenance graph Retrieve secure logs from remote nodes Check for tampering, omission, and equivocation Replay the log to regenerate the provenance graph D E Alice A route(a, foo.com) RECV (from B) link(a, B) foo.com Explain the route from A to foo.com. B C 23

Secure Provenance Querying Recursively construct the provenance graph Retrieve secure logs from remote nodes Check for tampering, omission, and equivocation Replay the log to regenerate the provenance graph D E Alice A route(a, foo.com) link(a, B) route(b, foo.com) RECV (from C) foo.com B link(b, C) C 24

Secure Provenance Querying Recursively construct the provenance graph Retrieve secure logs from remote nodes Check for tampering, omission, and equivocation Replay the log to regenerate the provenance graph D E Alice A OK. Now I know how the route was derived. route(a, foo.com) link(a, B) B route(b, foo.com) C link(b, C) foo.com route(c, foo.com) link(c, foo.com) 25

Outline Goal: A secure forensics system that works in an adversarial environment Explains unexpected behavior No faults: explanation is complete and accurate Byzantine fault: exposes at least one faulty node with evidence Model: Secure Network Provenance Tamper-evident Maintenance and Processing Evaluation Conclusion 26

Evaluation Results Prototype implementation (SNooPy) How useful is SNP? Is it applicable to different systems? How expensive is SNP at runtime? Traffic overhead, storage cost, additional CPU overhead? Does SNP affect scalability? What is the querying performance? Per query traffic overhead? Turnaround time for each query? 27

Usability: Applications We evaluated SNooPy with Quagga BGP: RouteView (external specification) Explains oscillation caused by router misconfiguration Hadoop MapReduce: (reported provenance) Detects a tampered Mapper that returns inaccurate results Declarative Chord DHT: (inferred provenance) Detects an Eclipse attacker that always returns its own ID SNooPy solves problems reported in existing work 28

Runtime Overhead: Storage Over 50% of the overhead was due to signatures and acks. Batching messages would help. Manageable storage overhead One week of data: E.g. Quagga 7.3GB; Chord 665MB 29

Query Latency largely due to replaying logs Verification Replay Download dominated by verifying logs and snapshots Query latency varies from application to application Reasonable overhead 30

Summary Secure network provenance in untrusted environments Requires no trusted components Strong guarantees even in the presence of Byzantine faults Formal proof in a technical report Significantly extends traditional provenance model Past and transient state, provenance of change, Efficient storage: reconstructs provenance graph on demand Application independent (Quagga, Hadoop, and Chord) Questions? Project website: http://snp.cis.upenn.edu/ 31