The Pennsylvania State University
The Graduate School

LEVERAGING EMERGING STORAGE FUNCTIONALITY FOR NEW SECURITY SERVICES

A Dissertation in Computer Science and Engineering
by Kevin Raymond Boyce Butler

© 2010 Kevin Raymond Boyce Butler

Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

August 2010

The dissertation of Kevin Raymond Boyce Butler was reviewed and approved* by the following:

Patrick D. McDaniel, Associate Professor of Computer Science and Engineering, Dissertation Advisor, Chair of Committee
Trent R. Jaeger, Associate Professor of Computer Science and Engineering
Bhuvan Urgaonkar, Assistant Professor of Computer Science and Engineering
Stephen G. Simpson, Professor of Mathematics
Matthew A. Blaze, Associate Professor of Computer and Information Science, University of Pennsylvania
Raj Acharya, Professor of Computer Science and Engineering, Head of the Department of Computer Science and Engineering

*Signatures are on file in the Graduate School.

Abstract

The complexity of modern operating systems makes securing them a challenging problem. However, changes in the computing model, such as the rise of cloud computing and smarter peripherals, have presented opportunities to reconsider system architectures, as we move from traditional “stove-pipe” computing to distributed systems. In particular, we can build trustworthy components that act to provide security in complex systems. The focus of this dissertation is on how new disk architectures may be exploited to aid the protection of systems by acting as policy decision and enforcement points. We prototype disks that enforce data immutability at the block level on critical system data, preventing malicious code from inserting itself into system configuration and boot files. We then examine how storage may be used to ensure the integrity state of hosts prior to allowing access to data, and how such a design improves the security of portable storage devices. Through the continual measuring of system state, we show through formal reasoning that such a device enforces guarantees that data is read and written while the host is in a good state. Finally, we discuss future directions and how secure disk architectures can be used as the basis for large-scale and distributed system security.

Table of Contents

List of Figures
List of Tables
Acknowledgments

Chapter 1 Introduction
  1.1 Using Storage to Reduce the TCB
  1.2 Thesis Statement
  1.3 Contributions of Dissertation
  1.4 Trust Model and Limitations
  1.5 Publications

Chapter 2 Foundational Work
  2.1 Database Machines and Augmented Disks
  2.2 Security in Operating Systems
    2.2.1 Process Isolation
    2.2.2 System Threats from Rootkits
    2.2.3 Autonomous Security
  2.3 Secure Autonomous Storage
    2.3.1 Securing Data with the Filesystem
    2.3.2 Augmented Secure Disks
  2.4 Trust Establishment
    2.4.1 Trusting the Boot Process
    2.4.2 Reducing the TCB
    2.4.3 Devices for Trust Establishment
    2.4.4 Trusted Storage
  2.5 Usability Concerns
    2.5.1 Threats from Improper Token Usage
    2.5.2 Insertion vs. Proximity-Based Tokens
    2.5.3 Tokens vs. Secure Cryptographic Channel
    2.5.4 Studies of Token-Based Interfaces

Chapter 3 Designing Disks to Autonomously Enforce Security
  3.1 ASD Design
    3.1.1 Requirements
    3.1.2 ASD Design
  3.2 Applications
    3.2.1 Support for Authenticated Encryption
    3.2.2 Capability-Based Access Control
      3.2.2.1 Capability Representation
      3.2.2.2 OS Constructions
    3.2.3 Preserving Information Flow
  3.3 Emulating an ASD
    3.3.1 Modeling ASDs
    3.3.2 Flash Memory Emulator
    3.3.3 Experimental Setup
  3.4 Evaluation
    3.4.1 Small Random Access Workload
    3.4.2 Large Contiguous Access Workload
    3.4.3 Large Disk Analysis

Chapter 4 Autonomous Disk Enforcement for Rootkit Protection
  4.1 The Problem of Persistent Rootkits
  4.2 Rootkit-Resistant Disks
    4.2.1 Goals for an RRD
    4.2.2 RRD Design
    4.2.3 Tokens and Disk Policy
    4.2.4 RRD Operation
  4.3 Prototype Implementation
    4.3.1 RRD
      4.3.1.1 Label Management
    4.3.2 Host Machine
    4.3.3 Installer
  4.4 Evaluation
    4.4.1 Experimental Setup
    4.4.2 Performance
      4.4.2.1 Postmark
      4.4.2.2 System Install
    4.4.3 Scalability
      4.4.3.1 Measuring Label Creep
      4.4.3.2 Label Space Constraints
    4.4.4 Security
  4.5 Discussion
    4.5.1 System Tokens and atime
    4.5.2 File system Modification
    4.5.3 Maintenance Concerns
      4.5.3.1 Token Duplication
      4.5.3.2 Backup
      4.5.3.3 Revocation
      4.5.3.4 Large-Scale Installations and Upgrades
    4.5.4 Considerations for Windows Systems
  4.6 Summary

Chapter 5 Enforcing Inter-OS Isolation with SwitchBlade
  5.1 Introduction
  5.2 System Goals
    5.2.1 Design Criteria
    5.2.2 Securing On-Disk Storage
    5.2.3 Threat Model
  5.3 Architecture
    5.3.1 SwitchBlade Policy
    5.3.2 SwitchBlade Management
    5.3.3 Boot Process
    5.3.4 System Management with SwitchBlade
  5.4 Prototype Implementation
    5.4.1 SwitchBlade implementation
      5.4.1.1 Audit log
      5.4.1.2 Policy management
      5.4.1.3 Boot sector integrity requirements
    5.4.2 Client System
      5.4.2.1 Multiboot Operation
      5.4.2.2 Virtualized Operation
    5.4.3 Experience
      5.4.3.1 Segment Creation
      5.4.3.2 Regular Operation
    5.4.4 Abnormal Token Removal
  5.5 Evaluation
    5.5.1 Security Analysis
    5.5.2 Performance Evaluation
  5.6 Discussion
    5.6.1 Token Management
    5.6.2 Disk Administration
    5.6.3 SwitchBlade Applications
  5.7 Towards More Complex System Security with Autonomous Storage

Chapter 6 Storage-Enabled Secure Boot with Firma
  6.1 The Need for Commodity Secure Boot
  6.2 Design of Firma
  6.3 Management and Operation
    6.3.1 Installation
    6.3.2 Deployment to the Host
    6.3.3 Regular Operation
    6.3.4 Error Handling
...