Don't trust your file server

All too often, decisions about whom to trust in computer systems are driven by the needs of system management rather than data security. In particular, data storage is often entrusted to people who have no role in creating or using the data, through outsourcing of data management, hiring of outside consultants to administer servers, or even colocating servers in physically insecure machine rooms to gain better network connectivity. This paper outlines the design of SUNDR, a network file system designed to run on untrusted servers. SUNDR servers can safely be managed by people who have no permission to read or write data stored in the file system. Thus, people can base their trust decisions on who needs to use data and their administrative decisions on how best to manage the data. Moreover, with SUNDR, attackers will no longer be able to wreak havoc by compromising servers and tampering with data. They will need to compromise clients while legitimate users are logged on. Since clients do not need to accept incoming network connections, they can more easily be firewalled and protected from compromise than servers.
