Trusted data path protecting shared data in virtualized distributed systems (2010)

Cited by 23 | Views 12

Abstract
While sharing data across distributed machines is critical for modern IT applications, it also raises the problems of maintaining the desired data privacy and protecting data from inappropriate disclosure. It is difficult to retain control over data that is being shared in environments where services can be composed and deployed dynamically across distributed providers. To protect sensitive information against the risk of inappropriate disclosure, the access rights of applications to data should depend not only on their functional characteristics, but also on their own behavior and on the behavior of the underlying systems. Stated more explicitly, applications that are suspected of faulty, erroneous, or malicious behavior, or that run on systems that may be compromised, should not be able to gain access to protected data, nor be entrusted with the same data access rights as others. Many sophisticated prevention-based mechanisms exist to eliminate the risk of inappropriate disclosure. However, there are cases where such risks are inherent in the core functionality of the system. This thesis provides a remedy for scenarios where such risks cannot be eliminated directly: detect the existing risks, then evaluate whether it is tolerable to share certain information under them.

This thesis proposes a context flow model (CFC) that controls the information flow in a distributed system. Each service application, together with its surrounding context in the distributed system, is treated as a controllable principal. CFC defines an access control model that governs the information exchange between these principals. The access control model has three main parts. First, an online monitoring framework evaluates the trustworthiness of the context of the service applications and the underlying systems. Second, a trust-based access control (TBAC) specification determines the permitted information exchanges given the active contexts of the service applications. Third, an external communication interception runtime framework enforces the above specification transparently for the entire distributed system. When multiple principals participate in the same information flow, the same TBAC specification is applied uniformly to all of them. In this way, the protection guarantee holds throughout the entire information flow path, converting that path into a trusted data path (TDP).

The most important principle guiding the design and implementation of the CFC model is the integrity of the model itself. Since the service applications and the underlying systems are not trusted automatically, the risk evaluation and associated monitoring components of the CFC model are placed in isolated domains: domains that are not subject to the same attacks or failures that target applications and general-purpose operating systems. We have implemented a prototype of trusted data paths using virtualization technologies. The TDP software deploys online monitoring agents into privileged domains on platforms virtualized with the Xen hypervisor to assure the reliability of the monitoring results. The TDP software also transparently intercepts communications between service applications at the driver level in the privileged domains. Using this technique, sensitive information that is not suitable for the current context can be removed automatically, without application involvement.

The TDP approach offers system support for protecting data access in environments where systems and services are subject to failures, programming errors, and attacks. It presents a system-level solution for fine-grained protection of data sharing in distributed systems. It particularly targets systems (1) that lack the extensibility to include context factors via built-in security mechanisms, such as legacy software; (2) that are subject to attack or are themselves suspected of faulty behavior; (3) that wish to delegate context-based controls to external partners; and (4) that want to enforce context-based control ubiquitously instead of only at the source or sink. Applications that can benefit from the CFC-TBAC model range from web applications such as search, knowledge management, and digital content services, to healthcare information systems, to file sharing systems built on mail servers or online storage systems.
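The abstract describes three cooperating parts: monitoring that yields a trust score per principal, a TBAC specification that says which data may flow at which trust level, and an interceptor that applies that specification uniformly along a multi-principal path, stripping fields the path is not trusted to carry. The following Python is an added illustration of that composition, not code from the thesis or its prototype: the monitoring findings, penalty weights, sensitivity labels, and messages are constructed here, and the "weakest principal on the path" rule is one straightforward reading of applying the same specification to every principal in the flow.

```python
"""Toy model of a trust-based access control (TBAC) interceptor for a data path.

Added illustration only. Trust scores, labels, and the sample message are
constructed for the example; the thesis's prototype derives its monitoring
results from agents in a privileged Xen domain and intercepts at driver level,
neither of which is modelled here.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed mapping from a monitoring finding to a trust penalty (assumption).
PENALTY: Dict[str, float] = {
    "integrity_check_failed": 1.0,  # measured code does not match the baseline
    "anomalous_syscalls": 0.5,      # behaviour outside the learned profile
    "unpatched_kernel": 0.3,        # underlying system is known to be exposed
}

# Constructed TBAC specification: the minimum trust a principal needs before a
# field carrying the given sensitivity label may flow to it.
TBAC_SPEC: Dict[str, float] = {
    "public": 0.0,
    "internal": 0.5,
    "sensitive": 0.9,
}


@dataclass
class Principal:
    """A service application together with its monitored context."""
    name: str
    findings: List[str] = field(default_factory=list)

    def trust(self) -> float:
        """Trust score in [0, 1]: start fully trusted, subtract each penalty."""
        score = 1.0 - sum(PENALTY.get(f, 0.0) for f in self.findings)
        return max(0.0, score)


def effective_trust(path: List[Principal]) -> float:
    """Applying one specification to every principal on the path means the
    flow is only as trustworthy as its least trusted principal."""
    return min(p.trust() for p in path)


def may_flow(label: str, path: List[Principal]) -> bool:
    """Decide whether a field with this label is tolerable on this path."""
    return TBAC_SPEC[label] <= effective_trust(path)


def filter_message(message: Dict[str, Dict[str, str]],
                   path: List[Principal]) -> Dict[str, Dict[str, str]]:
    """Return a copy of the message with every field the path is not trusted
    to carry removed. Each field is {"label": <sensitivity>, "value": <data>}.
    The sending application is not involved in the decision."""
    return {name: dict(f) for name, f in message.items()
            if may_flow(f["label"], path)}


if __name__ == "__main__":
    # Constructed sample: a record flowing frontend -> cache -> worker.
    record = {
        "id": {"label": "public", "value": "42"},
        "notes": {"label": "internal", "value": "follow-up scheduled"},
        "ssn": {"label": "sensitive", "value": "000-00-0000"},  # placeholder
    }
    frontend = Principal("frontend")
    cache = Principal("cache", ["anomalous_syscalls"])
    worker = Principal("worker", ["integrity_check_failed"])
    for path in ([frontend], [frontend, cache], [frontend, cache, worker]):
        names = " -> ".join(p.name for p in path)
        print(f"{names}: trust={effective_trust(path):.1f} "
              f"fields={sorted(filter_message(record, path))}")
```

The point the run makes is the one the abstract draws: adding one degraded principal to the path lowers what the whole path may carry, so the "sensitive" field disappears as soon as the cache is suspected, and everything but public data disappears once a principal fails its integrity check.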
Keywords

service application, access control model, data path, CFC model, sensitive information, underlying system, information flow, inappropriate disclosure, data access, information exchange, Trusted data path