Design and Implementation of Views: Isolated Perspectives of a File System Matthew W. Pagano Zachary N. J. Peterson The Johns Hopkins University Baltimore, Maryland, USA fmpagano,[email protected] Abstract sensitive data these health records can hold from unau- thorized modifications, HIPAA includes provisions that We present Views, a file system architecture that provides address the way patient medical records are accessed and isolation between system components for the purposes stored. Specifically, HIPAA mandates the use of access of access control, regulatory compliance, and sandbox- control mechanisms designed to monitor the activity of ing. Views allows for discrete I/O entities, such as users, individual system users, thereby protecting the privacy of groups, or processes, to have a logically complete yet patient information [12]. Fulfilling this mandate requires fully isolated perspective (view) of the file system. This the ability to efficiently and reliably isolate and identify ensures that each entity’s file system activities only mod- the actions of each individual user on a multi-purpose, ify that entity’s view of the file system, but in a trans- multi-user workstation or server. parent fashion that does not limit or restrict the entity’s Similarly, the need for isolation between system com- functionality. Views can therefore be used to monitor ponents is paramount when testing applications or pro- system activity based on user accounts for access control cesses. Researchers often need to monitor the behavior (as required by federal regulations such as HIPAA), pro- of applications running on their systems such that: 1) vide a reliable sandbox for arbitrary applications with- they are guaranteed that they can record all of the applica- out inducing any noticeable loss in performance, and en- tion’s behavior; 2) they can prevent any undesirable data able traditional snapshotting functionality by manipulat- modification; and 3) they can completely undo all of the ing and transplanting views as snapshots in time. Views’ application’s actions without the threat of missing some architecture is designed to be file system independent, ex- covert or obscure behavior. This scenario is often found tremely easy to use and manage, and flexible in defin- in research pertaining to malware, virtualization, honey- ing isolation and sharing polices. Our implementation of pots and honeynets, software quality assurance, and sys- Views is built on ext3cow, which additionally provides tem benchmarking and performance testing. In each, the versioning capabilities to all entities. Benchmarking re- researcher requires concrete assurance that she can de- sults show that the performance of Views is nearly iden- pendably monitor all modifications made by a particular tical to other traditional file systems such as ext3. user or application. It is worth noting that each of these examples has its own set of requirements. In fields such 1 Introduction as malware and honeypot research, the threat model de- scribes an adversary who is actively endeavoring to sub- The need to reliably isolate, analyze, and potentially vert the safeguards implemented by the researcher. Any snapshot various file system states exists in many envi- such solution must therefore be robustly and securely im- ronments today. One particularly salient example is that plemented at a low level to thwart such tampering, espe- of medical security, in which there has been a recent im- cially if the testing system is connected to legitimate sys- petus to convert highly sensitive paper medical records tems. In software quality assurance and benchmarking, into electronic format. The Health Insurance Portabil- system speed and performance is a high priority in or- ity and Accountability Act of 1996 (HIPAA) was writ- der to provide a realistic testing environment, so isolation ten to develop standards for the normalization of indi- strategies such as virtualization might not be acceptable. vidual health records and to encourage the use of elec- Once isolation between system components is tronic records pursuant to these goals. To protect the achieved, the researcher may need to save the state of This work was supported in part by Independent Security Evalua- a given component for development, offline analysis, tors, Baltimore, Maryland, USA. future use/restarting from some point in time, or trans- plant to a different environment. This is often the case pre-configured in the file system (as opposed to a revi- in application and process checkpoint and recovery sion control system that requires additional configuration solutions, virtual machine analysis and migrations, and and management), resource efficiency and low overhead database management (especially if databases are to be as only the file system blocks that are modified between operated on and modified in parallel). Each scenario views are copied and rewritten, as well as a high degree requires some means of isolating and snapshotting a of confidence in the isolation since it is performed deter- certain system component in a comprehensive, portable ministically at the file system level (as opposed to using manner. heuristics that may not be 100% accurate). Furthermore, Regardless of the environment and chosen solution, Views supports temporal policies that dictate how long what is needed in each case is a method of reliably mon- a view is valid. For example, an entity that is suspected itoring and controlling file system access, as well as pre- of misbehaving may be analyzed and all modifications it venting and undoing unauthorized data modification. In has made to the file system easily purged. traditional file systems, such as ext3 or NTFS, unau- To minimize performance and storage overheads, thorized modifications to data are commonly prevented Views uses a copy-on-write mechanism to store only the through kernel-enforced permissions or access control blocks that have been modified, although copy-on-write lists. This is usually implemented by storing metadata functionality is not a requirement for our implementation. within inodes that lists the users who may access the data. Because Views is implemented in the kernel, it provides However, even in cases where modifications are autho- throughput performance that compares well to an unmod- rized, unforeseen problems may arise. This is because all ified file system, as we discuss in Section 5. users, groups, and processes share the same namespace; Our overall design is largely file system independent that is, they have the same view of the data. For most in that it relies only upon Linux’s built-in Extended At- file system applications, this is preferential because it en- tribute interface [2]. As this is currently the only require- ables data sharing (e.g. applications and configuration ment of Views, Views can be implemented on a wide va- files) and avoids wasting disk space with many copies of riety of file systems. Views does not modify any ker- the same data. The ease with which data can be shared, nel interfaces, requires no special software, and is com- though, can be detrimental when dealing with sensitive pletely transparent to the user. Since Views is imple- information, (e.g. accidentally copying a health record to mented in the kernel, it obtains an additional protection the /tmp directory may make it accessible to all users). mechanism when compared to a user space implementa- Another obvious drawback to this architecture is that any tion. Our design is indiscriminate of backup and restore changes to application data, be they benign or malevo- techniques and allows for easy integration into informa- lent, are seen by all users. For example, a trojan horse tion life-cycle management systems. unintentionally installed by a single user could affect all We have implemented Views in the ext3cow file sys- who use that system. tem [7]. Ext3cow is a freely-available, open-source ver- www.ext3cow.com We present the design and implementation of Views, sioning file system (available at: ) a system for providing isolated yet logically complete that is designed to meet other regulatory compliance re- perspectives of a file system. These isolated perspec- quirements, such as fine-grained data authenticity and en- tives can be used to achieve the needs of the scenarios cryption. described thus far in a reliable, efficient manner. The pri- mary design goal of Views is to provide every entity in 2 Related Work the system with its own isolated view of the file system. We define an entity to be anything that can perform I/O Views is designed to incorporate three prevailing tech- within the file system. An entity can be a user, group, niques in current operating systems research: kernel process, family of processes, etc. A view is a logically modification to improve security, isolation between I/O complete perspective of the file system; every entity sees entities via distinct namespaces, and versioning of files the entire file system hierarchy. Any data modifications to achieve regulatory compliance. There has been sig- made by an entity are, by default, only viewable by that nificant research in each of these three areas. Security- entity. In one extreme example, a user can perform an Enhanced Linux (SELinux) [4] is a system created by the rm -rf / operation without affecting any other user. National Security Agency to introduce a flexible manda- Views features a robust policy management mechanism, tory access control (MAC) architecture to Linux. As with allowing namespaces to be customized for every entity. Views, SELinux modifies the Linux kernel by imple- Providing data isolation at the file system level within menting the native extended attribute structure to assign the kernel allows for increased security (as opposed to labels to the entities of a file system. Using these labels, implementing the isolation in user space), ease of use for SELinux can determine what are permissible interactions the administrator and system users as all of the logic is between entities based on customizable security policies.