论文信息 - Design and Implementation of Views: Isolated Perspectives of a File System

Design and Implementation of Views: Isolated Perspectives of a File System

We present Views, a file system architecture that provides isolation between system components for the purposes of access control, regulatory compliance, and sandboxing. Views allows for discrete I/O entities, such as users, groups, or processes, to have a logically complete yet fully isolated perspective (view) of the file system. This ensures that each entity’s file system activities only modify that entity’s view of the file system, but in a transparent fashion that does not limit or restrict the entity’s functionality. Views can therefore be used to monitor system activity based on user accounts for access control (as required by federal regulations such as HIPAA), provide a reliable sandbox for arbitrary applications without inducing any noticeable loss in performance, and enable traditional snapshotting functionality by manipulating and transplanting views as snapshots in time. Views’ architecture is designed to be file system independent, extremely easy to use and manage, and flexible in defining isolation and sharing polices. Our implementation of Views is built on ext3cow, which additionally provides versioning capabilities to all entities. Benchmarking results show that the performance of Views is nearly identical to other traditional file systems such as ext3.

Zachary N. J. Peterson | Matthew W. Pagano | M. Pagano

[1] Andreas Gr. POSIX Access Control Lists on Linux , 2003 .

[2] Stephen Smalley,et al. Integrating Flexible Support for Security Policies into the Linux Operating System , 2001, USENIX Annual Technical Conference, FREENIX Track.

[3] Craig A. N. Soules,et al. Metadata Efficiency in Versioning File Systems , 2003, FAST.

[4] Randal C. Burns,et al. Ext3cow: a time-shifting file system for regulatory compliance , 2005, TOS.

[5] 许娜. 基于VMware ESX Server的实验教学平台建设 , 2011 .

[6] Tal Garfinkel,et al. Virtualization Aware File Systems: Getting Beyond the Limitations of Virtual Disks , 2006, NSDI.

[7] Zhenkai Liang,et al. One-Way Isolation: An Effective Approach for Realizing Safe Execution Environments , 2005, NDSS.

[8] Andreas Grünbacher,et al. POSIX Access Control Lists on Linux , 2003, USENIX Annual Technical Conference, FREENIX Track.

[9] Erez Zadok,et al. A Versatile and User-Oriented Versioning File System , 2004, FAST.

[10] Kevin M. Stine,et al. Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule [revision 1] , 2005 .

[11] Norman C. Hutchinson,et al. Deciding when to forget in the Elephant file system , 1999, SOSP.

[12] A. Meyer. The Health Insurance Portability and Accountability Act. , 1997, Tennessee medicine : journal of the Tennessee Medical Association.