FileWall : Implementing File Access Policies Using Dynamic Access Context Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode DiscoLab Department of Computer

FileWall : Implementing File Access Policies Using Dynamic Access Context

Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode

DiscoLab

Department of Computer Science

Rutgers University

Workshop on Spontaneous Networking

May 12, 2006


File System Management

Organization: Too many files, directories, servers…

Protection: Left to the discretion of the owner

Dynamism: Cannot be incorporated without file system extension


File System Management

Organization: Too many files, directories, servers…

Protection: Left to the discretion of the owner

Dynamism: Cannot be incorporated without file system extension

Administrator has little control over file access policiesAdministrator has little control over file access policies


Observations

File names are powerful Can be used to implement access policies

All file system access are performed through messages Message transformations can be used to enforce policies File system state can be constructed using information

contained in messages


Observations

File names are powerful Can be used to implement access policies

All file system access are performed through messages Message transformations can be used to enforce policies File system state can be constructed using information

contained in messages

Access policies can be implemented by interposition and message transformation

Access policies can be implemented by interposition and message transformation


FireWall

Interposes on the client-server path

Stores network flow history

Evaluates each message against the firewall policies

Passes-through, drops, or transforms network packets


FileWall

Interposes on client-server path

Stores file access history Evaluates each message

against FileWall policies Transforms file system

messages


FileWall

Interposes on client-server path

Stores file access history Evaluates each message

against FileWall policies Transforms file system

messages

FileWall constructs virtual namespaces using file system namespaces and access policies through

message transformation

FileWall constructs virtual namespaces using file system namespaces and access policies through

message transformation


Applications of FileWall Model

Access control Quality of Service (QoS) File system organization Intrusion detection Information Lifecycle Management (ILM) Data transformations …


Outline

Motivation Design

Access Context FileWall Policies

Implementation Evaluation Related Work Conclusions


Access Context

Access history Access statistics Sequence of accesses

Describes user behavior

Environment Time, available disk space, CPU load, etc.


Maintaining Access Context

Requirements Compact representation Contain semantic information which describes

user behavior Easy to understand and specify Soft state


Access Tree

Node = file “run” Groups of accesses performed by same application Open to close or approximate using clustered accesses

Attributes File name Type of run (READ, WRITE, etc.) Operation count

Edge Run started after and ended before parent

Depth-first traversal defines sequence of runs in an access tree


Access Tree Example

Root


Access Tree Example

Read 1

Root

1


Access Tree Example

Read 1, Create/Delete 2

Root

1

2


Access Tree Example

Read 1, Create/Delete 2, Read/Write 3

Root

1

2

3


Access Tree Example

Read 1, Create/Delete 2, Read/Write 3, Write 1

Root

1

2

3 1


Outline

Motivation Design




FileWall Policies

Transform messages (requests and replies) Sequence of rules INPUT and OUTPUT

Use: Access context File attributes contained in messages


FileWall Policy Example

Policy: “Show files accessed today” For each client-visible file:

Access Time = TODAY

Transform directory listing messages READDIR and READDIRPLUS



AccessContext

Policies

FileWall



AccessContext

Policies

MREADDIR

FileWall



AccessContext

Policies

READDIR

FileWall



AccessContext

Policies

READDIR

FileWall



AccessContext

Policies

READDIR READDIRPLUS

FileWall



AccessContext

Policies

READDIRPLUS

FileWall



AccessContext

Policies

READDIRPLUS

FileWall



AccessContext

Policies

READDIRPLUS

FileWall



AccessContext

Policies

READDIRPLUSREADDIR

FileWall


Policy Descriptors

INPUT Rule:int fwin(rpc_msg request) {

if (request.proc == READDIR) {

request.proc = READDIRPLUS;

return FORWARD;

}

}

OUTPUT Rule:int fwout(rpc_msg reply) { if (reply.proc == READDIRPLUS) { FOREACH entp in reply {

if (entp.atime == TODAY) copy_entry(resp_entp, entp)

} reply.entries = res_entp; reply.proc = READDIR; return FORWARD; }}

Specified as C programs and compiled as loadable shared modules

Specified as C programs and compiled as loadable shared modules


Outline

Motivation Design




Implementation

FileWall: Click Modular Router NFS over UDP


Implementation

FileWall Click Modular Router NFS over UDP

FileWall Client SFS toolkit Session establishment Bootstrapping

Identify list of available file systems


Outline

Motivation Design




Interposition Overhead: Emacs Compilation


Case Study: Flash Crowd Mitigation

General purpose server Email, user homes, web server Files mounted over NFS

Web servers are prone to flash crowds Current policies

Rate limit number of requests Disable web server


Mitigating Flash Crowds with FileWall

Access context Rate of sequential file reads, directory listings,

etc. Policy

Hide files with rate greater than a threshold Show files again when rate falls below threshold

Only the source of the flash crowd disappears from the namespace


Results


Related Work

Infokernel [Arpaci-Dusseau ‘03], firewall/NAT Access Context

Desktop search [Soules ’03] File system prefetching [Amer ’02, Lei ’97] Enforcing enterprise-wide policies [He ’05]

Semantic file systems [Sheldon ’91, Pike ’93, Neuman ’92, Rao ’93]

Extensible file systems [Zadok ’00, Tewari ’05]


Future Work

User study Real deployment Behavior models


Future Work


Policy language Constraints Debugging and logging


Future Work


Policy language Constraints Debugging and logging

Data transformations Censorship Protocol translations

NFS -> CIFS Recipe-based file system (CASPER) IP -> RDMA

Video encoding Content adaptation


Conclusions

Per-file access policies can be enforced using virtual namespaces No client or server modification required Soft state maintenance required


Conclusions

Per-file access policies can be enforced using virtual namespaces No client or server modification required Soft state maintenance required

Provides administrators the ability to define a wide variety of access policies Protect file systems Provide quality of service

Thank You

Questions?


Evaluation

Dell Poweredge 2600 systems Dual 2.4GHz Intel Xeon processors 1GB RAM 36GB 15000 RPM SCSI disk

Linux Gigabit Ethernet switch


QoS Policy


Policy Enforcement Requirements

Expressive Deployable Scalable Available

Documents

FileWall : Implementing File Access Policies Using Dynamic Access Context Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode DiscoLab Department of Computer