Horus: fine-grained encryption-based security for large-scale storage

With the growing use of large-scale distributed systems, the likelihood that at least one node is compromised is increasing. Large-scale systems that process sensitive data such as geographic data with defense implications, drug modeling, nuclear explosion modeling, and private genomic data would benefit greatly from strong security for their storage. Nevertheless, many high performance computing (HPC), cloud, or secure content delivery network (SCDN) systems that handle such data still store them unencrypted or use simple encryption schemes, relying heavily on physical isolation to ensure confidentiality, providing little protection against compromised computers or malicious insiders. Moreover, current encryption solutions cannot efficiently provide fine-grained encryption for large datasets. Our approach, Horus, encrypts large datasets using keyed hash trees (KHTs) to generate different keys for each region of the dataset, providing fine-grained security: the key for one region cannot be used to access another region. Horus also reduces key management and distribution overhead while providing end-to-end data encryption and reducing the need to trust system operators or cloud service providers. Horus requires little modification to existing systems and user applications. Performance evaluation shows that our prototype's key distribution is highly scalable and robust: a single key server can provide 140,000 keys per second, theoretically enough to sustain more than 100 GB/s I/O throughput, and multiple key servers can efficiently operate in parallel to support load balancing and reliability.
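An added illustration of the keyed-hash-tree idea described above, not the Horus prototype's code: each region key is a keyed hash of its parent's key, so the holder of one region key can derive every key beneath it but none beside or above it. HMAC-SHA256 as the keyed hash, the per-level region sizes, the message encoding, and the function names are all assumptions made for this example.

```python
import hashlib
import hmac

# Assumed layout: blocks covered by one region at each tree level, root first.
# Level 0 is the whole dataset (4096 blocks); the last level is a single block.
REGION_BLOCKS = [4096, 256, 16, 1]
LEAF = len(REGION_BLOCKS) - 1

def child_key(parent_key: bytes, level: int, index: int) -> bytes:
    """Key of region `index` at `level`, computed from its parent's key."""
    msg = level.to_bytes(4, "big") + index.to_bytes(8, "big")
    return hmac.new(parent_key, msg, hashlib.sha256).digest()

def derive(key: bytes, level: int, index: int, target_level: int, block: int) -> bytes:
    """Walk down from a held key (level, index) to the key covering `block`."""
    if target_level < level:
        raise ValueError("a key cannot derive keys above its own level")
    lo = index * REGION_BLOCKS[level]
    if not lo <= block < lo + REGION_BLOCKS[level]:
        # Local sanity check only. The real barrier is cryptographic: a sibling
        # region's key needs the parent key, which the keyed hash does not reveal.
        raise PermissionError("block lies outside the region this key covers")
    for lvl in range(level + 1, target_level + 1):
        key = child_key(key, lvl, block // REGION_BLOCKS[lvl])
    return key

def demo():
    # Constructed root key; a real deployment would use a random secret.
    root = hashlib.sha256(b"constructed root key for the example").digest()
    # Key server hands a client the level-1 key covering blocks 256..511.
    client_key = derive(root, 0, 0, 1, 300)
    # The client derives the block key itself; it matches the root holder's.
    same = derive(client_key, 1, 1, LEAF, 300) == derive(root, 0, 0, LEAF, 300)
    # The neighbouring region (blocks 512..767) has an unrelated key.
    sibling_differs = derive(root, 0, 0, 1, 600) != client_key
    try:
        derive(client_key, 1, 1, LEAF, 600)
        reached_outside = True
    except PermissionError:
        reached_outside = False
    return same, sibling_differs, reached_outside

if __name__ == "__main__":
    print(demo())
```

Handing out a key at a higher level trades granularity for fewer key requests: one level-1 key here replaces 256 separate block-key requests.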
