Security considerations when designing a distributed file system using object storage devices

We present the design goals that led us to develop a distributed object-based secure file system, Brave. Brave uses mutually authenticated object storage devices, SCARED, to store file system data. Rather than require a new authentication infrastructure, we show how we use a simple authentication protocol that is bridged into existing security infrastructures, even if there is more than one authentication protocol or domain present. We position our work in the context of some of the current work in distributed secure file systems and present our implementation of the file system. We also present some security weaknesses that are shared with other distributed file systems and that may not be apparent when designing these systems.
