Saturday 6th July, 2013
8:00pm to 8:45pm
publish-subscribe feeds + trust relationship network
Within the Honeynet Project we have used a custom publish/subscribe protocol called "hpfeeds" for sharing live data feeds from honeypots within the group. In 2012 we worked on a new backend with a new sharing and authorization model called "hpfriends". This combines the hpfeeds protocol with social trust relations to grant people access to feeds. This talk presents the protocol and system, which in our vision could enable simple and natural data sharing for the whole security community.
In hpfeeds, data is shared on channels. Access to each channel is managed by an ACL which defines who is allowed to subscribe or publish on that channel. Anyone allowed to subscribe sees all data that is sent to the channel.
This access model caused a few problems with visibility: a producer could not easily tell who was actually seeing their data. Some folks were reluctant to share their data with everyone and only wanted it to stay within a small group of people. And how do we handle external parties such as companies and colleagues? Because of these design issues our setup was strictly limited to the Honeynet Project.
So the technical solution to these problems was a new backend system with a different sharing model. "hpfriends" models the trust relationships with our partners, coworkers and other HP members. Sometimes we are willing to share certain information with certain people instead of putting it out to the public. This is now reflected in the data sharing in hpfriends being based on a graph of sharing relationships - basically a social network for data sharing.
The actual protocol that is used by sensors and subscribers - hpfeeds - stays exactly the same as it was in order to not introduce any backwards compatibility problems. We don't need to modify our sensors or sinks at all!
People on the new system can define which channels they share with whom. The target of a sharing relationship can be another user or a group of users. One can also decide whether to share only the data one actually produces or to share all the data one "knows" or "sees" - which makes the sharing relationships transitive. These "share all" relations mean passing on data that others share with me to my peers. Whether that is desirable has to be agreed outside of the system.
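To make the two access models concrete, here is a small added illustration written for this page; it is not hpfeeds or hpfriends code, and the user names, the group "hp-chapter" and the channel "sensor.capture" are constructed. The first class models the channel ACL (publish/subscribe lists per channel); the second models the sharing graph with "own" and transitive "all" relations, and computes for a producer exactly the thing the ACL model could not tell them: who ends up seeing their data.

```python
# Added illustration (not hpfeeds or hpfriends code): the two access models the
# abstract contrasts, with constructed users, groups and channel names.
from collections import defaultdict


class ChannelACL:
    """Original hpfeeds model: per-channel lists of who may publish/subscribe.
    Anyone allowed to subscribe sees every message on that channel."""

    def __init__(self):
        self.publishers = defaultdict(set)
        self.subscribers = defaultdict(set)

    def allow(self, channel, ident, publish=False, subscribe=False):
        if publish:
            self.publishers[channel].add(ident)
        if subscribe:
            self.subscribers[channel].add(ident)

    def can_publish(self, channel, ident):
        return ident in self.publishers[channel]

    def can_subscribe(self, channel, ident):
        return ident in self.subscribers[channel]


class SharingGraph:
    """hpfriends-style model: users share a channel with users or groups.
    mode "own" = pass on only the data the sharer produces itself
    mode "all" = pass on everything the sharer sees (transitive)."""

    def __init__(self):
        self.groups = {}                   # group name -> set of user names
        self.producers = defaultdict(set)  # channel -> users publishing on it
        self.shares = []                   # (sharer, target, channel, mode)

    def add_group(self, name, members):
        self.groups[name] = set(members)

    def publishes(self, user, channel):
        self.producers[channel].add(user)

    def share(self, sharer, target, channel, mode):
        if mode not in ("own", "all"):
            raise ValueError("mode must be 'own' or 'all'")
        self.shares.append((sharer, target, channel, mode))

    def _members(self, target):
        # a target is either a group name or a single user
        return self.groups.get(target, {target})

    def visible(self, channel):
        """Map each user to the set of producers whose data on `channel`
        reaches that user, computed as a fixed point over the share relations."""
        seen = defaultdict(set)
        for p in self.producers[channel]:
            seen[p].add(p)  # producers always see their own data
        changed = True
        while changed:
            changed = False
            for sharer, target, chan, mode in self.shares:
                if chan != channel:
                    continue
                if mode == "own":
                    payload = {sharer} & self.producers[channel]
                else:
                    payload = set(seen[sharer])
                for user in self._members(target):
                    if not payload <= seen[user]:
                        seen[user] |= payload
                        changed = True
        return {u: set(s) for u, s in seen.items()}

    def audience(self, producer, channel):
        """Everyone who ends up seeing `producer`'s data on `channel` - the
        question a producer could not answer under the channel-ACL model."""
        return {u for u, s in self.visible(channel).items() if producer in s}


def build_example():
    """Constructed scenario: alice shares her sensor data only with bob, but
    bob's 'share all' to his chapter and carol's onward 'share all' to an
    external contact carry alice's data further than she agreed to."""
    g = SharingGraph()
    chan = "sensor.capture"  # constructed channel name
    g.publishes("alice", chan)
    g.publishes("bob", chan)
    g.add_group("hp-chapter", ["carol", "dave"])
    g.share("alice", "bob", chan, "own")
    g.share("bob", "hp-chapter", chan, "all")
    g.share("carol", "eve", chan, "all")  # eve is an external party
    return g, chan


if __name__ == "__main__":
    acl = ChannelACL()
    acl.allow("sensor.capture", "alice", publish=True)
    acl.allow("sensor.capture", "bob", subscribe=True)
    print("ACL: bob may subscribe?", acl.can_subscribe("sensor.capture", "bob"))
    g, chan = build_example()
    for user, seen in sorted(g.visible(chan).items()):
        print(f"{user:6} sees data from {sorted(seen)}")
    print("alice's audience:", sorted(g.audience("alice", chan)))
```

Running the script shows the transitivity the abstract warns about: alice only shared with bob, yet carol, dave and the external user eve all end up seeing her data through "all" relations they were never party to. Replacing carol's relation with mode "own" stops the chain, because carol produces nothing on that channel herself; that difference is what has to be agreed between people outside of the system.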
The hpfeeds broker has been adapted (rewritten) to handle messages based on this model. A new frontend has been created to modify the model and create sharing relationships.
I would like to invite the audience to try our current version, which is hosted in our Honeynet Project "honeycloud" as usual (thanks to the Norwegian HP chapter).