Secure Untrusted Data Repository (SUNDR)
Secure Untrusted Data Repository (SUNDR) Jinyuan Li, Maxwell Krohn,∗ David Mazieres,` and Dennis Shasha NYU Department of Computer Science Abstract for over 20,000 different software packages. Many of these packages are bundled with various operating sys- SUNDR is a network file system designed to store data tem distributions, often without a meaningful audit. By securely on untrusted servers. SUNDR lets clients de- compromising sourceforge, an attacker can therefore in- tect any attempts at unauthorized file modification by troduce subtle vulnerabilities in software that may even- malicious server operators or users. SUNDR’s protocol tually run on thousands or even millions of machines. achieves a property called fork consistency, which guar- Such concerns are no mere academic exercise. For ex- antees that clients can detect any integrity or consistency ample, the Debian GNU/Linux development cluster was failures as long as they see each other’s file modifications. compromised in 2003 [2]. An unauthorized attacker used An implementation is described that performs compara- a sniffed password and a kernel vulnerability to gain su- bly with NFS (sometimes better and sometimes worse), peruser access to Debian’s primary CVS and Web servers. while offering significantly stronger security. After detecting the break-in, administrators were forced to freeze development for several days, as they employed manual and ad-hoc sanity checks to assess the extent of 1 Introduction the damage. Similar attacks have also succeeded against Apache [1], Gnome [32], and other popular projects. SUNDR is a network file system that addresses a long- Rather than hope for invulnerable servers, we have de- standing tension between data integrity and accessibility.
[Show full text]