Security for a high performance commodity storage subsystem

How do we incorporate security into a high performance commodity storage subsystem? Technology trends and the increasing importance of I/O bound workloads are driving the development of commodity network attached storage devices which deliver both increased functionality and increased performance to end-users. In the network attached world, storage devices co-exist on the network with their clients, application filemanagers, and malicious adversaries who seek to bypass system security policies. As storage devices move from behind the protection of a server and become first-class network entities in their own right, they must become actively involved in protecting themselves from network attacks. They must do this while cooperating with higher level applications, such as distributed file systems or database systems, to enforce the application's security policies over storage resources. In this dissertation, I address this problem by proposing a cryptographic capability system which enables application filemanagers to asynchronously make policy decisions while the commodity storage devices synchronously enforce these decisions. This dissertation analyzes a variety of access control schemata that exist in current distributed storage systems. Motivated by the analysis, I propose a basic cryptographic capability system that is flexible enough to efficiently meet the requirements of many distributed storage systems. Next, I explore how a variety of different mechanisms for describing a set of NASD objects can be used to improve the basic capability system. The result is a new design based on remote execution techniques. The new design places more access control processing at the drive in order to deliver increased performance and functional advantages. Based on the performance limitations of software cryptography demonstrated in a prototype implementation of a network attached storage device, I propose and evaluate an alternative to standard message authentication codes. This allows storage devices to pre-compute some security information and reduces the amount of request-time computation required to protect the integrity of read operations. Finally, I discuss the availability of cryptographic hardware, how much is required for a network attached storage device, and the implications of adding tamper-resistant hardware to a storage device.
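
The split the abstract describes, with the filemanager deciding policy ahead of time and the drive enforcing it on every request, can be sketched as follows. This is an added example, not code or a message format from the dissertation. The field names, the JSON encoding, the nonce-based replay check and the use of HMAC-SHA256 are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

def _mac(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 is this example's choice of MAC, not one the abstract names.
    return hmac.new(key, msg, hashlib.sha256).digest()

def _encode_request(op, object_id, nonce) -> bytes:
    return json.dumps([op, object_id, nonce]).encode()

def issue_capability(drive_key, object_id, rights, expires):
    """File manager: make the policy decision once, ahead of any I/O."""
    public = json.dumps({"obj": object_id, "rights": sorted(rights),
                         "exp": expires}, sort_keys=True).encode()
    private = _mac(drive_key, public)  # given to the client over a private channel
    return public, private

def sign_request(private, op, object_id, nonce):
    """Client: prove possession of the capability key without sending it."""
    return _mac(private, _encode_request(op, object_id, nonce))

class Drive:
    """Drive: enforce on every request using only its own key."""
    def __init__(self, drive_key):
        self.key = drive_key
        self.seen_nonces = set()

    def check(self, public, op, object_id, nonce, tag, now):
        private = _mac(self.key, public)  # recomputed, never stored per client
        expected = _mac(private, _encode_request(op, object_id, nonce))
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"      # forged tag or altered public fields
        cap = json.loads(public)  # parsed only after authentication
        if cap["obj"] != object_id:
            return "wrong-object"
        if op not in cap["rights"]:
            return "no-right"
        if now >= cap["exp"]:
            return "expired"
        if nonce in self.seen_nonces:
            return "replay"
        self.seen_nonces.add(nonce)
        return "ok"
```

The drive never contacts the filemanager at request time. A client that edits the public fields to widen its rights changes the key the drive derives, so the request fails the MAC check.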
