SUNDR: Secure Untrusted Data Repository

Slides:



Advertisements
Similar presentations
Depot: Cloud Storage with Minimal Trust OSDI 2010 Prince Mahajan, Srinath Setty, Sangmin Lee, Allen Clement, Lorenzo Alvisi, Mike Dahlin, and Michael Walfish.
Advertisements

Peer-to-Peer (P2P) Distributed Storage 1Dennis Kafura – CS5204 – Operating Systems.
Accountable systems or how to catch a liar? Jinyang Li (with slides from authors of SUNDR and PeerReview)
SPORC: Group Collaboration using Untrusted Cloud Resources Ariel J. Feldman, William P. Zeller, Michael J. Freedman, Edward W. Felten Published in OSDI’2010.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
The Zebra Striped Network Filesystem. Approach Increase throughput, reliability by striping file data across multiple servers Data from each client is.
Serverless Network File Systems. Network File Systems Allow sharing among independent file systems in a transparent manner Mounting a remote directory.
CS-550: Distributed File Systems [SiS]1 Resource Management in Distributed Systems: Distributed File Systems.
Ivy: A Read/Write P2P File System Athicha Muthitacharoan, Robert Morris, Thomer Gil and Benjie Chen Presented by Rachel Rubin CS 294-4, Fall 2003.
Other File Systems: LFS and NFS. 2 Log-Structured File Systems The trend: CPUs are faster, RAM & caches are bigger –So, a lot of reads do not require.
Ivy: A Read/Write Peer-to- Peer File System A.Muthitacharoen, R. Morris, T. Gil, and B. Chen Presented by: Matthew Allen.
Distributed File System: Design Comparisons II Pei Cao Cisco Systems, Inc.
Implementing ISA Server Caching. Caching Overview ISA Server supports caching as a way to improve the speed of retrieving information from the Internet.
A Peer-to-Peer File System OSCAR LAB. Overview A short introduction to peer-to-peer (P2P) Systems Ivy: a read/write P2P file system (OSDI’02)
Crash recovery All-or-nothing atomicity & logging.
Wide-area cooperative storage with CFS
Pastiche: Making Backup Cheap and Easy Presented by: Boon Thau Loo CS294-4.
Metadata Issues in a Cryptographic File System David Bindel IRAM/ISTORE/OceanStore Retreat.
Secure File Storage Nathanael Paul CRyptography Applications Bistro March 25, 2004.
MetaSync File Synchronization Across Multiple Untrusted Storage Services Seungyeop Han Haichen Shen, Taesoo Kim*, Arvind Krishnamurthy,
Case Study - GFS.
File Systems (2). Readings r Silbershatz et al: 11.8.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Team CMD Distributed Systems Team Report 2 1/17/07 C:\>members Corey Andalora Mike Adams Darren Stanley.
FileSecure Implementation Training Patch Management Version 1.1.
DESIGN AND IMPLEMENTATION OF THE SUN NETWORK FILESYSTEM R. Sandberg, D. Goldberg S. Kleinman, D. Walsh, R. Lyon Sun Microsystems.
Network File System (NFS) Brad Karp UCL Computer Science CS GZ03 / M030 6 th, 7 th October, 2008.
Network File Systems Victoria Krafft CS /4/05.
Lecture 23 The Andrew File System. NFS Architecture client File Server Local FS RPC.
Sanjay Ghemawat, Howard Gobioff, and Shun-Tak Leung Google∗
Federated, Available, and Reliable Storage for an Incompletely Trusted Environment Atul Adya, Bill Bolosky, Miguel Castro, Gerald Cermak, Ronnie Chaiken,
Distributed File Systems Concepts & Overview. Goals and Criteria Goal: present to a user a coherent, efficient, and manageable system for long-term data.
CSE 486/586, Spring 2012 CSE 486/586 Distributed Systems Distributed File Systems Steve Ko Computer Sciences and Engineering University at Buffalo.
SUNDR: Secure Untrusted Data Repository Jinyuan LiN.Y.U. Maxwell KrohnM.I.T. David MazièresN.Y.U. Dennis ShashaN.Y.U. Slides modified for CS739 OSDI 2004.
Construction of efficient PDP scheme for Distributed Cloud Storage. By Manognya Reddy Kondam.
Networked File System CS Introduction to Operating Systems.
1 JTE HPC/FS Pastis: a peer-to-peer file system for persistant large-scale storage Jean-Michel Busca Fabio Picconi Pierre Sens LIP6, Université Paris 6.
Distributed File Systems Case Studies: Sprite Coda.
Ivy: A Read/Write Peer-to-Peer File System A. Muthitacharoen, R. Morris, T. M. Gil, and B. Chen In Proceedings of OSDI ‘ Presenter : Chul Lee.
Amy Apon, Pawel Wolinski, Dennis Reed Greg Amerson, Prathima Gorjala University of Arkansas Commercial Applications of High Performance Computing Massive.
Module 5: Configuring Internet Explorer and Supporting Applications.
Strong Security for Distributed File Systems Group A3 Ka Hou Wong Jahanzeb Faizan Jonathan Sippel.
1 File Systems: Consistency Issues. 2 File Systems: Consistency Issues File systems maintains many data structures  Free list/bit vector  Directories.
Serverless Network File Systems Overview by Joseph Thompson.
SPECULATIVE EXECUTION IN A DISTRIBUTED FILE SYSTEM E. B. Nightingale P. M. Chen J. Flint University of Michigan.
Fast Crash Recovery in RAMCloud. Motivation The role of DRAM has been increasing – Facebook used 150TB of DRAM For 200TB of disk storage However, there.
Robustness in the Salus scalable block store Yang Wang, Manos Kapritsos, Zuocheng Ren, Prince Mahajan, Jeevitha Kirubanandam, Lorenzo Alvisi, and Mike.
File Systems Security File Systems Implementation.
A Low-bandwidth Network File System Athicha Muthitacharoen et al. Presented by Matt Miller September 12, 2002.
Computer Science Lecture 19, page 1 CS677: Distributed OS Last Class: Fault tolerance Reliable communication –One-one communication –One-many communication.
Speculative Execution in a Distributed File System Ed Nightingale Peter Chen Jason Flinn University of Michigan.
1 JTE HPC/FS Pastis: a peer-to-peer file system for persistant large-scale storage Jean-Michel Busca Fabio Picconi Pierre Sens LIP6, Université Paris 6.
Implementing ISA Server Caching
GLOBAL EDGE SOFTWERE LTD1 R EMOTE F ILE S HARING - Ardhanareesh Aradhyamath.
POND: THE OCEANSTORE PROTOTYPE S. Rea, P. Eaton, D. Geels, H. Weatherspoon, J. Kubiatowicz U. C. Berkeley.
Distributed File Systems Group A5 Amit Sharma Dhaval Sanghvi Ali Abbas.
Lecture 25 The Andrew File System. NFS Architecture client File Server Local FS RPC.
Distributed File Systems Questions answered in this lecture: Why are distributed file systems useful? What is difficult about distributed file systems?
GPFS: A Shared-Disk File System for Large Computing Clusters Frank Schmuck & Roger Haskin IBM Almaden Research Center.
1 JTE HPC/FS Pastis: a peer-to-peer file system for persistant large-scale storage Jean-Michel Busca Fabio Picconi Pierre Sens LIP6, Université Paris 6.
1 Introduction to Shared Folders Shared folders provide network users access to files. Users connect to the shared folder over the network. Users must.
Computer Science Lecture 19, page 1 CS677: Distributed OS Last Class: Fault tolerance Reliable communication –One-one communication –One-many communication.
Ivy: A Read/Write Peer-to- Peer File System Authors: Muthitacharoen Athicha, Robert Morris, Thomer M. Gil, and Benjie Chen Presented by Saurabh Jha 1.
DISTRIBUTED FILE SYSTEM- ENHANCEMENT AND FURTHER DEVELOPMENT BY:- PALLAWI(10BIT0033)
Filesystems 2 Adapted from slides of Hank Levy
A Redundant Global Storage Architecture
DISTRIBUTED SYSTEMS Principles and Paradigms Second Edition ANDREW S
Outline Review of Quiz #1 Distributed File Systems 4/20/2019 COP5611.
THE GOOGLE FILE SYSTEM.
Federated, Available, and Reliable Storage for an Incompletely Trusted Environment Atul Adya, William J. Bolosky, Miguel Castro, Gerald Cermak, Ronnie.
Presentation transcript:

SUNDR: Secure Untrusted Data Repository Jinyuan Li N.Y.U. Maxwell Krohn M.I.T. David Mazières N.Y.U. Dennis Shasha N.Y.U. OSDI 2004

Secure Computer Systems Group Motivation File system integrity is critical sourceforge.net: 90,000+ projects, including kernel projects Say: sourceforget.net is a CVS like server. Clients collaborate with each to update and check file in the file server. Sourceforge.net hosts many projects. NYU Secure Computer Systems Group

Secure Computer Systems Group Goal Prevent undetected tampering with your files! NYU Secure Computer Systems Group

Secure Computer Systems Group Current approaches Trust system administrator to do a good job Keep up with latest security patches Restrict accesses as much as possible … e.g. you might access files on NFS server. Just think about, if you want your files without tampering, you must trust your admin securing the server at all the time. For example (sub-bullet1, sub-butlet2) (Coz any intrusion would result in tampering, and users do not even get the change to detect it) NYU Secure Computer Systems Group

Secure Computer Systems Group Not always reliable Transition: Unfortunately, because you can not always trust your system to be *secure*. Our main design constraint is not to trust servers in the first place. NYU Secure Computer Systems Group

Secure Computer Systems Group SUNDR’s approach SUNDR is a network f/s designed for running on untrusted, or even compromised server Place trust in users authorized to modify particular files, not in server or admins maintaining server SUNDR properties: Unauthorized operations will be immediately detected If server drops operations, can be caught eventually The system we designed is called SUNDR. SUNDR is a network file system……………. XXX High level: making server act as dummy data repository simplifies proof/arguments for its security property. ======================= SUNDR properties NYU Secure Computer Systems Group

Secure Computer Systems Group Talk Outline Motivation Design A strawman file system SUNDR design Implementation Evaluation Okay to get rid of outline NYU Secure Computer Systems Group

Ideal File system semantics File system calls can be mapped to fetch/modify operations Fetch – client downloads new data Modify – client makes new change visible to others “Fetch-modify” consistency: A fetch reflects exactly the modifications that happen before it Impossible without online trusted parties Goal: Get as close to possible to “fetch-modify” consistency without online trusted parties Simple attacks by servers to return user bogus data is easy to fix by users signing their operations, however, there is no way for server to hide user’s operations to show users might Somewhere to mention what kind of attack server can carry out? Some operations in UNIX changes files, but do not use Open/close, therefore close-to-open consistency is not sufficent. NYU Secure Computer Systems Group

Secure Computer Systems Group Strawman File System A: echo “A was here” >> /share/aaa userA A Modify f1 sig1 B Fetch f4 sig2 A Modify f2 sig3 File server A Modify f2 sig3 userB FETCH FETCH FETCH Assumes all operations happen one at a time Server keeps a log as well as Each user keeps a complete log of all fetch/modify operations by all users To perform an operation, a user retrieves the server log first, do some checking and append the new operations and Signing the entire log Checking ensures that its local log is always a prefix of the newly fetched server log B: cat /share/aaa A Modify f1 sig1 B Fetch f4 sig2 Modify f2 sig3 B Fetch f2 sig4 NYU Secure Computer Systems Group

Secure Computer Systems Group An ordering relation A’s latest log: A Modify f1 sig1 B Fetch f4 sig2 Modify f2 sig3 LogA We define ≤ relation: LogA ≤ LogB iff LogA is prefix of LogB B’s latest log: A Modify f1 sig1 B Fetch f4 sig2 Modify f2 sig3 Fetch f2 sig4 LogB NYU Secure Computer Systems Group

Detecting attacks by the server A: echo “A was here” >> /share/aaa A Modify f1 sig1 B Fetch f4 sig2 Modify f2 sig3 File server A Modify f2 sig3 It is a per user log approach. B: cat /share/aaa (stale result!) A Modify f1 sig1 B Fetch f4 sig2 B Fetch f2 sig3 NYU Secure Computer Systems Group

Detecting attacks by the server A’s latest log: A Modify f1 sig1 B Fetch f4 sig2 Modify f2 sig3a LogA sig1 sig2 A’s log and B’s log can no longer be ordered: LogA ≤ LogB, LogB ≤ LogA sig3a B’s latest log: A Modify f1 sig1 B Fetch f4 sig2 B Fetch f2 sig3b LogB NYU Secure Computer Systems Group

Properties of Strawman FS High overhead, no concurrency A bad server can’t make up operations users didn’t perform A bad server can conceal users’ operations from each other, however, it will be detected if users check with each other. Call this property “fork consistency” Strawman is impractical, expensive and no support for concurrent operations Coz there is no way to let each user to “forget” its previous operations in log No support for concurrent operations NYU Secure Computer Systems Group

Fork Consistency: A tale of two worlds File Server A’s view B’s view RE … NYU Secure Computer Systems Group

Implications of fork consistency Closest possible consistency to “fetch-modify” without online trusted parties Can be leveraged with online trusted parties to detect violations of “fetch-modify” consistency users periodically gossip to check violations or deploy a trusted online “timestamp” box NYU Secure Computer Systems Group

Secure Computer Systems Group Talk Outline Motivation Design Strawman FS SUNDR approach Implementation Evaluation NYU Secure Computer Systems Group

Secure Computer Systems Group SUNDR architecture SUNDR server-side SUNDR client userA Untrusted Network block server userB consistency server Strawman is very simple, but impractical: Here we are going to present the design of SUNDR, which achieve the same good properties of strawman without its unrealistic assumptions and its overhead. SUNDR client block server stores blocks retrievable by content-hash consistency server orders all events NYU Secure Computer Systems Group

SUNDR data structures (I) Strawman FS problem: High bandwidth and storage consumption Need to reconstruct the whole file system Each file is writable by one user or group Partition inodes by allowed writer Hash each partition down to a 20-byte digest Basically, why do we care out this complication, MOTIVATE SUNDR’s design. Related back the strawman FS. Write it down. NYU Secure Computer Systems Group

Hash tree (1): File handle Each file is hashed into a 20-byte value using a hash tree Blocks are stored and indexed by their content-hash on the block server data1 i-node data2 Metadata 20-byte File Handle H(data1) data3 H(data2) iblk1 Ellude the existance of block server. Emphasize on each user has its own EXCLUSIVE fs map. Add legend: arrow means SHA1-hash H(data3) H(iblk1) data4 H(data4) NYU Secure Computer Systems Group

Secure Computer Systems Group Hash tree (2): FS digest Hash all files writable by each user/group to a 20-byte digest From this digest, client can retrieve and verify any block of any file (SFSRO, CFS, Pond …) i-node 2 i-table i-num 2 20-byte 3 20-byte 20-byte digest i-node 3 4 20-byte Ellude the existance of block server. Emphasize on each user has its own EXCLUSIVE fs map. i-node 4 NYU Secure Computer Systems Group

Secure Computer Systems Group SUNDR FS /: Dir entry: (share, Superuser, 3) Lookup “/” /share: Dir entry: (aaa, UserA, 4) Lookup “/share” 2 20-byte 3 4 digest Superuser: SUNDR State 2 20-byte 3 4 digest Fetch “/share/aaa” UserA: digest … How to fetch “/share/aaa”? UserB: 2 3 4 digest GroupG: NYU Secure Computer Systems Group

SUNDR data structure (II) Want server to order users’ fetch/modify operations Goal: Expose server’s failure to order operations properly Sign version vector along with digest Version vectors will expose ordering failures NYU Secure Computer Systems Group

Secure Computer Systems Group Version structure A A - 1 B - 1 G - 1 B A - 1 B - 2 G - 2 ≤ VSTA VSTB Digest A Digest B Signature A Signature B Each user has its own version structure (VST) Consistency server keeps latest VSTs of all users Clients fetch all other users’ VSTs from server before each operation and cache them We order VSTA ≤ VSTB iff all the version numbers in VSTA are less than or equal in VSTB Therefore in order to make comparison, we don’t need to ship the whole log to save bandwidth NYU Secure Computer Systems Group

Updating VST: An example Consistency Server A A-0 B-0 A DigA A-0 B-1 DigB B A-1 B-1 DigA A VSTA ≤ VSTB A-1 B-1 DigA A A: echo “A was here” >> /share/aaa B B A-0 B-1 DigB All red blocks signed by A All blue blocks signed by B A-1 B-1 DigA A A-1 B-2 DigB B B: cat /share/aaa A-1 B-2 DigB B NYU Secure Computer Systems Group

Secure Computer Systems Group Detecting attacks A Consistency Server A A-0 B-0 DigA B A-0 B-1 DigA ≤ A A-1 B-1 A: echo “A was here” >> /share/aaa B DigA A A-1 B-1 B A-0 B-1 DigA DigB A-0 B-0 DigA A A-0 B-2 DigB B A’s latest VST and B’s can no longer be ordered: VSTA ≤ VSTB, VSTB ≤ VSTA B: cat /share/aaa (stale!) A-0 B-2 DigB B NYU Secure Computer Systems Group

Supporting concurrent operations Two clients may issue operations concurrently How does second client know what vector to sign? If operations don’t conflict, can just include first user’s forthcoming version number in VST But how do you know if concurrent operations conflict? Solution: Pre-declare operations in signed updates Server returns latest VSTs and all pending updates, thereby ordering them before current operation User computes new VST including pending updates User signs and commits new VST Why this is a problem in SUNDR? In SUNDR, both fetch and modify operations will cause a user to increment its own version number. However if both users increment their numbers concurrently. The resulting VST can no longer ordered, even if the server didn’t do anything wrong, so we need to solve this problem. The second are operations that do cause conflicts NYU Secure Computer Systems Group

Concurrent update of VSTs Consistency Server A A A-0 B-0 B update: A-1 DigA B A-0 B-1 update: B-2 DigB A-1 A-0 B-1 DigB B A-1 B-2 A-0 B-0 DigA A VSTA ≤ VSTB A-1 B-1 DigA A A: echo “A was here” >>/share/aaa A-1 B-1 DigA A H B: cat /share/bbb A-1 B-2 DigB B A-1 B-2 DigB B NYU Secure Computer Systems Group

Secure Computer Systems Group Talk Outline Motivation Design Straw-man FS SUNDR approach Implementation Evaluation At this stage, you might wonder SUNDR is quite expensive, coz for each opeation, there is a lot of cryptographic signing and verifying of data structre, and for each data block, NYU Secure Computer Systems Group

Secure Computer Systems Group SUNDR Implementation SUNDR server-side setup Client Machine Domain SUNDR client daemon FS operations User block server Kernel VFS xfs.ko redirector consistency server NYU Secure Computer Systems Group

Block server implementation bstore Index System Stripe 1 Stripe 2 Stripe 3 SCSI Permanent Log Temporary Log EIDE (cf. Venti) NYU Secure Computer Systems Group

Secure Computer Systems Group Evaluation Running on FreeBSD 4.9 PentiumIV 3G, 3G RAM, LAN Two configurations: SUNDR : write updates to disk synchronously SUNDR/NVRAM : simulates effects of NVRAM Block server benchmark STORE: 18.4MB/s (peak), 11.9MB/s (sustained) FETCH: 1.2MB/s (random), 25.5MB/s (sequential) Esign cryptographic overhead Sign: 155us Verify: 100us One might not expect perf to be very bad. Expection low! NYU Secure Computer Systems Group

LFS small file benchmark Seconds NYU Secure Computer Systems Group

LFS multiple clients CREATE Seconds Number of users NYU Secure Computer Systems Group

Emacs installation performance Seconds NYU Secure Computer Systems Group

Emacs multiple clients untar Seconds Number of users NYU Secure Computer Systems Group

Secure Computer Systems Group Conclusion SUNDR provides file system integrity with untrusted servers Users detect unauthorized operations immediately Users can detect consistency violations eventually Yes, SUNDR is a practical file system performance is close to NFS NYU Secure Computer Systems Group

Secure Computer Systems Group A working example (3) Server /share A-1 B-1 A – 2 (fa, A, 2) A A-1 B-1 B B – 2 (fb, B, 5) A – 2 (fa, A, 2) A-2 B-1 A – 2 (fa, A, 2) B – 2 (fb, B, 5) /share/fa A-2 B-1 A-2 B-2 /share/fa /share/fb A-2 B-2 NYU Secure Computer Systems Group

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.