Secure file system versioning at the block level

In typical file systems, valuable data is vulnerable to being accidentally or maliciously deleted or overwritten. Versioning file systems protect data from accidents by transparently retaining old versions, but do less well in protecting data from malicious attack. These systems remain vulnerable to attackers who gain unauthorized access to prune old file versions, who bypass the file system to directly manipulate storage, or who exploit bugs in any part of the operating system. This paper presents VDisk, a secure, block-level versioning system that adds file-grain versioning to a standard, unmodified file system. VDisk consists of a set of untrusted user-mode tools and a trusted, secure kernel that is implemented within an isolated Xen virtual machine domain. The secure kernel is designed to be simple and thus trustworthy. This kernel logs file-system updates to a secure log, exports a read-only view of the log to the rest of the system, and securely removes unwanted versions from the log. Secure cleaning is implemented in a two-level manner. An untrusted, user-mode cleaner selects log entries for reclamation and submits cleaning requests to the trusted VDisk kernel along with a proof that the request satisfies the device's version-retention policy. The secure kernel verifies the proof and updates the log.
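As an added illustration, not code from the paper, the two-level cleaning split described above modelled in Python: the untrusted cleaner works from the read-only view and proposes superseded entries, citing a retained newer version of the same block as its proof, while the trusted side only checks that proof against the retention policy and rejects the whole request on any bad entry. The log layout, the proof format and the age-based policy are assumptions for this example, not VDisk's.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class LogEntry:
    eid: int      # position in the append-only log
    file_id: int  # file the written block belongs to
    block: int    # logical block number within that file
    ts: int       # time of the write, in seconds

class TrustedLog:
    """Hypothetical stand-in for the VDisk secure kernel: verifies cleaning proofs, never trusts them."""

    def __init__(self, retain_secs: int):
        self.retain_secs = retain_secs  # assumed policy: every version younger than this is kept
        self.entries: dict[int, LogEntry] = {}
        self.next_eid = 0

    def append(self, file_id: int, block: int, ts: int) -> int:
        eid, self.next_eid = self.next_eid, self.next_eid + 1
        self.entries[eid] = LogEntry(eid, file_id, block, ts)
        return eid

    def read_only_view(self) -> tuple[LogEntry, ...]:
        return tuple(self.entries[e] for e in sorted(self.entries))  # ascending by eid

    def clean(self, request: dict[int, int], now: int) -> bool:
        """request maps victim eid -> witness eid. A victim is reclaimable only if it is outside the
        retention window and its witness is a retained, newer version of the same (file, block)."""
        for victim, witness in request.items():
            v, w = self.entries.get(victim), self.entries.get(witness)
            if v is None or w is None or witness in request:   # witness must survive this request
                return False
            if now - v.ts < self.retain_secs:                  # still inside the retention window
                return False
            if (w.file_id, w.block) != (v.file_id, v.block) or w.eid <= v.eid:
                return False
        for victim in request:                                 # all checks passed: apply atomically
            del self.entries[victim]
        return True

def untrusted_cleaner(view: tuple[LogEntry, ...], now: int, retain_secs: int) -> dict[int, int]:
    """User-mode cleaner: propose every superseded, out-of-window version, newest version as witness."""
    newest: dict[tuple[int, int], LogEntry] = {}
    for e in view:                        # view is sorted by eid, so the last write per block wins
        newest[(e.file_id, e.block)] = e
    return {e.eid: newest[(e.file_id, e.block)].eid for e in view
            if e.eid != newest[(e.file_id, e.block)].eid and now - e.ts >= retain_secs}
```

The newest version of each block can never be cited as a victim with a valid witness, so the policy holds even if the cleaner is compromised.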
