FUSE Poster ISW5


Intelligent Storage Consortium
Exposing rich user services through file system interfaces
Sunil K.T. Subramanya, Vishal Kher, Sojeong Hong, David H.C. Du, Yongdae Kim
{subram, vkher, shong, du, kyd}@cs.umn.edu

Motivation
Fuse + OSD
– Existing applications still use the file system interface, e.g. backup, archive and indexing applications. So use Fuse to talk with the OSD Target?
– Alternative to having a mapping layer from files to objects in the kernel (e.g. osdfs)
Build a simple networked file system: CoreFS
– With core functionalities
– Simple to extend
Encrypting file system (SecFS)
– Extension to CoreFS

What is FUSE
FUSE is a framework which allows implementing file systems in user space. It consists of 2 components:
– A user space library (dynamically linkable) which is used by file system implementers.
– A kernel module which binds to the VFS and redirects calls to the fuse library.
Example file systems using Fuse: encfs, cvsfs, sshfs, GmailFS, zfs, …

How FUSE works
http://fuse.sourceforge.net

Why use FUSE?
Advantages:
– Flexibility: easier to code in user space than in kernel space.
– File system implementation not tied to any particular OS.
– Doesn’t require a kernel recompile.
– Non-privileged mounts possible.
Disadvantage:
– Performance: redundant data copy, many user space/kernel space switches

FUSE on Open Solaris
Project objective: provide Fuse functionality for Solaris.
Phase 1:
– Port the existing Fuse implementation from FreeBSD to Open Solaris.
– Current status: works for a read-only filesystem; a few vnode operations are yet to be implemented.
– Other work to be done includes porting the fuse library and implementing the necessary locks and kernel handling for more than one FS mount on Solaris.

FUSE on Open Solaris Project: Phase 2
New features not in the current Fuse implementation (fuse 2.5.3):
– Implementation of mmap functionality
– Provide record locking, ACL support
– Address performance issues related to the FUSE message passing mechanism.
– Provide inode persistence in the kernel. Current fuse doesn’t do any persistence, so any FS application crash means all information is lost.

CoreFS: Goals
A simple networked file system
– Rapid prototyping
– Educational purposes
Give file system developers some form of a basic distributed file system
– Implement only the “core” functionalities
File system that is easy to extend
– Implementers can extend this file system as per their requirements
Good potential starting point for our projects
– SGFS, accountFS, encFS, …

The CoreFS Architecture
[Diagram labels: client process (/bin/ls); SGFS, ACFS and SecFS on the CoreFS Client and on the CoreFS Server; FUSE Library; FUSE; VFS; OS Kernel; local file system]
CoreFS is available at http://www.cs.umn.edu/research/sclab/coreFS.html

Performance
[Figure: two plots, write performance and read performance; throughput (KB/s) against record length (KB)]
Performed between 3GHz Pentium IV machines with 1GB of RAM with Linux 2.6.13 and 100Mbps
To avoid the 4KB limit, CoreFS was run in direct IO mode
Currently the CoreFS client does not perform any caching

Encrypting File System (SecFS): Motivation
Growth in sensitive data
Demand for a secure file system
– A company includes a large number of different projects, different types of groups, etc.
– A large amount of data is shared
– Requires efficient key management
Storage outsourcing
– (+) Reduced maintenance cost
– (-) Untrusted third-party storage

SecFS: High-level Goals
Implement a basic framework for secure file sharing and key management
Use this to design new key management schemes
Use this framework to evaluate existing key management mechanisms based on various factors
– For example, number of revocations, group size, etc.

SecFS Features
Provides end-to-end encryption
– Writer encrypts and reader decrypts.
Makes cryptographic operations transparent to users
Enables secure file sharing by distributing a group key
Employs a trusted key server while using untrusted storage
Reduces the cost required for group key distribution, computation, and storage using an efficient group key management scheme
– Currently implemented: SD, OFT key management schemes
D. Naor et al. Revocation and Tracing Schemes for Stateless Receivers. Crypto 2001.
D.A. McGrew et al. Key Establishment in Large Dynamic Groups Using One-way Function Trees.

System Components
[Diagram labels: Key Server Machine (Key Server; OFT, SD; Group Man. Library; suseradd id.., suserdel id..); Client Machine (vi topsecret.txt; secFS client; OFT, SD; Group Man. Library; CoreFS client; FUSE Library; FUSE kernel; VFS); Storage Server (secFS server; OFT, SD; Group Man. Library; CoreFS fileserver; VFS)]

System Overview
[Diagram labels: GROUP OWNER; KEY SERVER; MEMBERS; UNTRUSTED STORAGE; GROUP CREATE, MEMBER ADD, DELETE; SECRET KEY SEND; INITIALIZATION; REKEYING INFO; ENCRYPTED DATA READ/WRITE; DATA ENCRYPT/DECRYPT; legend: secure channel, insecure channel]

Future Work
CoreFS
– Make the client multi-threaded to allow asynchronous calls
– Support all system calls
– Implement caching
SecFS
– Support key update during data update if the group key version changes
– Optimizations: maintain the key tree on disk (database or filesystem) to support multiple groups
– Make a secure channel (authentication, link encryption)
– Performance evaluation
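An added example, not part of the original poster or the SecFS code: a sketch of the one-way function tree (OFT) idea behind the group key management named on the SecFS Features slide, showing that evicting one member of a group of n costs log2(n) rekey values rather than a fresh key per member. The SHA-256 blinding function, XOR mixing, heap-indexed power-of-two tree and every class and function name are assumptions of this sketch, and encryption of the rekey values in transit is omitted.

```python
import hashlib

def g(key):
    """One-way blinding function (assumption: domain-tagged SHA-256)."""
    return hashlib.sha256(b"oft-blind|" + key).digest()

def mix(a, b):
    """Mixing function: XOR of the two children's blinded keys."""
    return bytes(x ^ y for x, y in zip(a, b))

def sibling_nodes(n, member):
    """Heap indices of the siblings on the path from a member's leaf to the root."""
    i, out = n + member, []
    while i > 1:
        out.append(i ^ 1)
        i //= 2
    return out

class KeyServer:
    """Trusted key server: holds the full tree (root = 1, leaves = n..2n-1)."""
    def __init__(self, leaf_keys):
        n = len(leaf_keys)
        if n < 2 or n & (n - 1):
            raise ValueError("this sketch needs a power-of-two group size")
        self.n, self.key = n, [b""] * n + list(leaf_keys)
        for i in range(n - 1, 0, -1):
            self._recompute(i)

    def _recompute(self, i):
        self.key[i] = mix(g(self.key[2 * i]), g(self.key[2 * i + 1]))

    def group_key(self):
        return self.key[1]

    def initial_state(self, member):
        """Sent at join over the secure channel: blinded keys of path siblings."""
        return {s: g(self.key[s]) for s in sibling_nodes(self.n, member)}

    def evict(self, member, fresh_leaf_key):
        """Re-key the evicted slot and return {node: new blinded key}."""
        # Each entry must reach only the sibling subtree of its node, encrypted.
        i, updates = self.n + member, {}
        self.key[i] = fresh_leaf_key
        while i > 1:
            updates[i] = g(self.key[i])
            i //= 2
            self._recompute(i)
        return updates

class Member:
    """A group member: knows its own leaf key and sibling blinded keys only."""
    def __init__(self, n, index, leaf_key, blinded):
        self.path = sibling_nodes(n, index)
        self.leaf_key, self.blinded = leaf_key, dict(blinded)

    def apply(self, updates):
        self.blinded.update((k, v) for k, v in updates.items() if k in self.blinded)

    def group_key(self):
        k = self.leaf_key
        for s in self.path:
            k = mix(g(k), self.blinded[s])
        return k

def demo(n=8, evicted=3):
    # Constructed leaf keys so the run is reproducible; real keys are random.
    leaves = [hashlib.sha256(b"constructed-leaf-%d" % i).digest() for i in range(n)]
    server = KeyServer(leaves)
    members = [Member(n, i, leaves[i], server.initial_state(i)) for i in range(n)]
    old = server.group_key()
    agreed = all(m.group_key() == old for m in members)
    updates = server.evict(evicted, hashlib.sha256(b"constructed-fresh").digest())
    stay = [m for i, m in enumerate(members) if i != evicted]
    for m in stay:
        m.apply(updates)
    new = server.group_key()
    return {"agreed_before": agreed, "rekey_messages": len(updates),
            "remaining_agree": all(m.group_key() == new for m in stay),
            "evicted_locked_out": members[evicted].group_key() != new}
```

The evicted member is locked out only if the rekey values stay confidential to the sibling subtrees, which is why the poster's key server talks to members over a secure channel.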