Published by Bethanie Osborne. Modified over 9 years ago.
Slide 1: Agile Survivable Store
PIs: Mustaque Ahamad, Douglas M. Blough, Wenke Lee and H. Venkateswaran
PhD Students: Prahlad Fogla, Lei Kong, Subbu Lakshmanan, Arun Subbiah
Slide 2: Motivation
- Secure and highly available storage of confidential and critical information
- Agility
  – The "everyone is good" assumption gives better performance but is highly vulnerable to compromise by malicious entities
  – Being paranoid at all times can severely limit performance or availability
- Support for various types of security (e.g., confidentiality, availability and integrity)
- Security levels can be changed dynamically based on application needs or the perceived level of threat
Slide 3: Agile Store Architecture (figure: clients, distributed store, security manager, client intrusion detection, server fault detection)
Slide 4: Availability through Replication
- Objects are replicated on multiple servers
- Quorum techniques are used to improve performance over full replication
  – objects are written to a subset of servers (write quorum)
  – objects are read from a different subset of servers (read quorum)
  – all write quorums intersect all read quorums, so the most up-to-date copy is always among the replies to a read
  – background dissemination updates servers that are not part of a write quorum, providing the same availability as full replication
- Adaptive quorum protocols are being developed to allow system and quorum sizes to be changed dynamically
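The quorum scheme on this slide, as an added worked example that is not code from the Agile Store project: a versioned object store over n simulated servers in which a write goes to a random write quorum of size w, a read collects replies from a random read quorum of size r, and the intersection condition w + r > n guarantees that the highest version seen by the read is the latest write. Background dissemination and a simple form of adaptive resizing (adding a server and enlarging the write quorum to keep the intersection) are included; the class and method names, the version-number scheme and the deterministic random seed are assumptions for the example.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Server:
    """One storage server holding object name -> (version, value). Constructed for this example."""
    sid: int
    store: dict = field(default_factory=dict)


def quorums_intersect(n: int, w: int, r: int) -> bool:
    """Every write quorum of size w meets every read quorum of size r iff w + r > n."""
    return 0 < w <= n and 0 < r <= n and w + r > n


class QuorumStore:
    """Replicates objects over n servers; each copy carries a version number so a
    read quorum can pick the most recent copy among the replies it receives."""

    def __init__(self, n: int, w: int, r: int, seed: int = 0):
        self.servers = [Server(i) for i in range(n)]
        self.rng = random.Random(seed)       # deterministic quorum choice for the demo
        self.version: dict = {}              # client side: last version written per object
        self.set_quorum_sizes(w, r)

    @property
    def n(self) -> int:
        return len(self.servers)

    def set_quorum_sizes(self, w: int, r: int) -> None:
        """Adaptive quorums: sizes may change at run time, but the intersection
        property must hold for the current system size."""
        if not quorums_intersect(self.n, w, r):
            raise ValueError(f"w={w}, r={r} do not intersect for n={self.n}")
        self.w, self.r = w, r

    def add_server(self) -> int:
        """Grow the system by one server; if the old quorum sizes no longer intersect,
        enlarge the write quorum by one (simplest repair, assumed for the example)."""
        self.servers.append(Server(self.n))
        if not quorums_intersect(self.n, self.w, self.r):
            self.set_quorum_sizes(self.w + 1, self.r)
        return self.n

    def _quorum(self, size: int) -> list:
        return self.rng.sample(range(self.n), size)

    def write(self, name: str, value) -> list:
        """Write (version, value) to a random write quorum; returns the quorum used."""
        ver = self.version.get(name, 0) + 1
        self.version[name] = ver
        wq = self._quorum(self.w)
        for sid in wq:
            self.servers[sid].store[name] = (ver, value)
        return wq

    def read_with_freshness(self, name: str):
        """Read from a random read quorum. Returns (latest value, number of replies
        that already held the latest version). The highest version among the replies
        is the last write because some member of the read quorum was in its write quorum."""
        rq = self._quorum(self.r)
        replies = [self.servers[sid].store.get(name, (0, None)) for sid in rq]
        best = max(replies, key=lambda vv: vv[0])
        fresh = sum(1 for vv in replies if vv[0] == best[0])
        return best[1], fresh

    def read(self, name: str):
        return self.read_with_freshness(name)[0]

    def disseminate(self, name: str) -> None:
        """Background dissemination: push the latest copy to the servers outside the
        last write quorum so availability matches full replication."""
        copies = [s.store[name] for s in self.servers if name in s.store]
        if not copies:
            return
        latest = max(copies, key=lambda vv: vv[0])
        for s in self.servers:
            s.store[name] = latest
```

With n = 5, w = 3, r = 3 every read returns the most recent write no matter which quorums the random choice picks; with w = 2, r = 3 the constructor refuses the configuration, because two disjoint quorums could exist and a read could miss the latest write entirely.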
Slide 5: Confidentiality through Fragmentation (figure: a grid whose columns are the fragments f1, f2, f3; write along a row, read along a row, disseminate along a column, periodic share renewal)
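The figure on this slide shows fragments written and read along a row and replicated down each fragment's column, with periodic share renewal. The slide does not say which fragmentation scheme is used; the following added example (not code from the Agile Store project) assumes Shamir threshold secret sharing over a prime field, which is the usual way to get confidentiality from fragmentation: a row write produces n fragments of which any t reconstruct the object and any t-1 reveal nothing, and renewal adds shares of a fresh zero-constant polynomial so that old and new fragments cannot be combined. The field prime, the function names and the integer encoding of the object are assumptions of the example.

```python
import secrets

# Field for the arithmetic; secrets must be < P (chunk larger objects). Assumed for the example.
P = (1 << 127) - 1


def _eval(coeffs: list, x: int) -> int:
    """Horner evaluation of a polynomial with coefficients [c0, c1, ...] at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret: int, n: int, t: int, rng=secrets.randbelow) -> dict:
    """Write along a row: n fragments f1..fn (x = 1..n) of a degree t-1 polynomial
    whose constant term is the secret. Each fragment is then replicated down its column."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    coeffs = [secret] + [rng(P) for _ in range(t - 1)]
    return {x: _eval(coeffs, x) for x in range(1, n + 1)}


def reconstruct(shares: dict) -> int:
    """Read along a row: Lagrange interpolation at x = 0 from any t fragments.
    Fewer than t fragments give a field element unrelated to the secret."""
    xs = list(shares)
    total = 0
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + shares[i] * num * pow(den, P - 2, P)) % P
    return total


def renew(shares: dict, t: int, rng=secrets.randbelow) -> dict:
    """Periodic share renewal: add to every fragment the value of a fresh random
    polynomial with zero constant term. The secret is unchanged, every fragment
    changes, and fragments from different periods no longer interpolate to the secret,
    so an attacker who collected t-1 old fragments has to start over."""
    zero_poly = [0] + [rng(P) for _ in range(t - 1)]
    return {x: (s + _eval(zero_poly, x)) % P for x, s in shares.items()}
```

Renewal is what makes the scheme proactive: compromising t-1 servers in one period and one more in the next does not recover the object, because the fragments from the two periods belong to different polynomials.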
Slide 6: Agility through Intrusion and Fault Detection
- Client profiling to detect suspicious client behavior
- Monitoring of quorum protocols to detect faulty or compromised servers
  – to interfere with the store, a server must deviate from the quorum protocols
  – deviation from the protocols causes the server to be detected as faulty
  – this forces compromised servers to behave correctly in order to escape detection
Slide 7: Architecture for Server Fault Detection (figure: clients, distributed store, server fault detection; servers marked P, presumably the proxy servers described on slide 11)
Slide 8: Distribution of Up-To-Date Responses from a Correct Server (figure; parameters: write quorum size = 34, n = 50, random quorum selection)
Slide 9: Detection Probability (figure)
Slide 10: Proposed Work: Prototype Filesystem Implementation (figure: the application makes FS calls through an NFS client to a client agent; the client agent sends metadata operations to the BFT metadata service and data operations to the data servers, which together form the Agile Store service)
Slide 11: Proposed Work: Prototype Details
- Application interface
  – Standard POSIX file system calls
  – Extended API for applications that need flexible control
- Metadata service implemented as a Byzantine fault-tolerant state machine with a strong consistency model
- Data servers execute data operations and monitor the behavior of other data servers by acting as proxies
- MACs are used to prevent a faulty proxy server from tampering with data communication
Slide 12: Proposed Work: Prototype Details (cont.)
- Data access requests are authenticated and authorized individually by each server
- Access control is managed at the metadata servers and enforced by the data servers
- All traffic goes through secure channels
  – A simple public key infrastructure is used for key management
  – Symmetric keys are negotiated when necessary or periodically
- Data is fragmented and/or replicated (user-selectable)
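Slides 11 and 12 describe data servers that relay requests for one another as proxies, MACs that stop a faulty proxy from tampering with the relayed data, and per-server authentication and authorization of each request. The added example below (not the project's code) puts those pieces together: the client MACs each request under a symmetric key it shares with the target server, a proxy relays the request without holding that key, and the target server verifies the MAC, rejects replays using a per-client sequence number, and then enforces an access-control table that the metadata service is assumed to have handed down. The key negotiation over the PKI-protected channel is stood in for by a random key, and the message format, function names and ACL structure are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets


def negotiate_key() -> bytes:
    """Stand-in for the symmetric key a client and a data server agree on over the
    PKI-protected channel (assumed; the negotiation itself is not shown)."""
    return secrets.token_bytes(32)


def canonical(msg: dict) -> bytes:
    # Sorted keys, no whitespace: client and server must MAC identical bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def compute_mac(key: bytes, msg: dict) -> str:
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()


def client_request(key: bytes, client: str, seq: int, op: str, name: str, payload: bytes) -> dict:
    """Client builds a request and MACs it under the key shared with the target server.
    The sequence number is covered by the MAC so it cannot be adjusted by a proxy."""
    msg = {"client": client, "seq": seq, "op": op, "name": name, "payload": payload.hex()}
    return {"msg": msg, "tag": compute_mac(key, msg)}


def proxy_forward(envelope: dict, tamper: bool = False) -> dict:
    """A data server acting as proxy relays the request (and can observe it for
    monitoring). A faulty proxy might alter the payload in transit; it holds no key,
    so it cannot produce a matching tag for the altered message."""
    fwd = json.loads(json.dumps(envelope))          # deep copy, as if re-sent over the wire
    if tamper:
        fwd["msg"]["payload"] = b"corrupted".hex()
    return fwd


class DataServer:
    """Target data server. keys: client id -> shared key (one per negotiated channel).
    acl: object name -> {client id: set of permitted ops}, assumed to come from the
    metadata service, which manages access control that data servers enforce."""

    def __init__(self, keys: dict, acl: dict):
        self.keys, self.acl = keys, acl
        self.last_seq: dict = {}       # per-client replay window
        self.store: dict = {}

    def handle(self, envelope: dict) -> str:
        msg, tag = envelope["msg"], envelope["tag"]
        key = self.keys.get(msg["client"])
        if key is None:
            return "reject:unknown_client"
        # Authenticate: constant-time compare against a freshly computed tag.
        if not hmac.compare_digest(tag, compute_mac(key, msg)):
            return "reject:bad_mac"
        # Replay protection: sequence numbers must strictly increase per client.
        if msg["seq"] <= self.last_seq.get(msg["client"], 0):
            return "reject:replay"
        self.last_seq[msg["client"]] = msg["seq"]
        # Authorize: the server enforces the ACL entry for this object and client.
        if msg["op"] not in self.acl.get(msg["name"], {}).get(msg["client"], set()):
            return "reject:unauthorized"
        if msg["op"] == "write":
            self.store[msg["name"]] = bytes.fromhex(msg["payload"])
            return "ok"
        return "ok:" + self.store.get(msg["name"], b"").hex()
```

The MAC gives integrity and origin authentication through an untrusted relay but not confidentiality: the proxy can still read the payload, which is why the slides put all traffic on secure channels as well. A request forged with another client's identity fails at the MAC check, because the server recomputes the tag under the key it negotiated with the claimed client.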
Slide 13: Deliverables and Milestones
- Initial agile filesystem prototype (crypto infrastructure, replication, fragmentation, basic read/write protocols): Summer 2003
- Full prototype (initial prototype + intrusion/fault detection and reconfiguration): December 2003