
THE MAGAZINE OF USENIX & SAGE
April 2002 • Volume 27 • Number 2

inside: CONFERENCE REPORTS
CONFERENCE ON FILE AND STORAGE TECHNOLOGIES (FAST ‘02)

The Advanced Computing Systems Association & The System Administrators Guild

conference reports

This issue’s reports focus on the Conference on File and Storage Technologies (FAST 2002) held in Monterey, California, January 28-30, 2002.

OUR THANKS TO THE SUMMARIZERS:
Ismail Ari
Scott Banachowski
Zachary Peterson

Conference on File and Storage Technologies
MONTEREY, CALIFORNIA
JANUARY 28-30, 2002

KEYNOTE I

STORAGE: FROM ATOMS TO PEOPLE
Robert Morris, IBM Almaden Research Center
Summarized by Zachary Peterson

Dr. Morris began by defining the importance and motivation of the FAST conference. Storage is getting faster and larger. In fact, it has increased by 14 orders of magnitude. However, these increases are only interesting when they aid computer scientists. Morris asserted that “storage determines the way we use computers” and, therefore, is a technology worthy of investigation, the most important existing technology being the hard disk drive.

Morris enumerated the challenges that face the disk drive and how IBM Research plans to address them. The greatest of these challenges is the hard, physical limit at which the magnetic properties used to store data no longer hold, called the superparamagnetic limit – a limit that has been passed and re-predicted a few times. IBM has pushed this limit out by various means of manipulating the physical organization of the magnetic media. Making the bits more square and smaller, combined with a layering of magnetic substrates, enables current production drives to achieve greater capacities with a higher signal-to-noise ratio. IBM hopes to continue this trend in their future production disks by reducing the size of bits to a single grain and by utilizing electron beam lithography to create very small and accurate components.

IBM also looks beyond the standard disk drive architecture, and the limitations inherent in such a design, for the future of storage. The disk arm is too confining: “We need disk fingers,” said Morris. He went on to introduce microelectromechanical systems, or MEMS-based devices. One MEMS device would contain many read/write heads operating in parallel on a single media surface. IBM has produced a prototype of such a device, called “Millipede,” that uses array-heated heads to make pits in a polymer media surface.

Morris concluded by charging the attending researchers of futuristic storage to consider an ideal case where storage devices will be self-organizing, self-optimizing, and self-protecting. He believes the IBM IceCube is the beginning of such devices. Many IceCubes are placed physically contiguous with each other in three dimensions, reducing the space needed to manage a large storage array. When an IceCube fails, it is simply left in the structure, letting the other devices recover around it. This is the first step IBM Research is making toward self-managing storage, and they hope to continue this trend through an ideology called “autonomic computing.” This concept transcends storage and will affect all levels of context-based computing. In general, researchers need to move toward an environment where systems should be easy to use and easy to maintain for the end user, while still providing the performance and capacity gains seen in the past.

SESSION: SECURE STORAGE
Summarized by Zachary Peterson

STRONG SECURITY FOR NETWORK-ATTACHED STORAGE
Ethan Miller, Darrell Long, University of California, Santa Cruz; William Freeman, TRW; Benjamin Reed, IBM Research

Ethan Miller presented a set of security protocols to provide for an on-disk method of securing data in a network-attached storage system. Even someone who absconds with a disk using strong security cannot gain access to the data. Additionally, the presence of an authentication scheme means that maliciously changed data can be detected.

Miller presented three schemes of security, each offering higher levels of protection with slightly decreased system performance. In scheme 1, each block is secured using public-key encryption and signed using a hash function. Scheme 2 extends this model to include an HMAC for added authentication and security but increases processing time at the client and the server. Scheme 3 avoids using the slow public-key encryption methods used in schemes 1 and 2, and replaces them with a secure keyed-hash approach. Results of these three schemes compared to a baseline system with no security showed that the public-key encryption schemes suffer significantly in sequential I/O operations. However, the last scheme shows only slightly degraded performance, about 1% to 20% degradation, compared to the baseline. This work demonstrates that on-disk security and authentication for network-attached storage can be achieved efficiently using a keyed-hash approach.

A FRAMEWORK FOR EVALUATING STORAGE SYSTEM SECURITY
Erik Riedel, Mahesh Kallahalla, and Ram Swaminathan, HP Labs

Erik Riedel asserted that there is a need for a quantitative evaluation of storage security. This is because storage has unique properties that differentiate it from other security applications, such as networks. Properties such as sharing, distribution, and persistence make applying network security ideas unsatisfactory. He went on to develop a framework of security variables, such as user operations, encryption methods, and attacks, that when permuted, expose the benefits and drawbacks for categories of existing storage security. This framework is especially useful for comparing aspects of security and performance for various methods of security. Riedel then showed some trace-driven simulator results that, when applied to the common framework, illustrate that encrypt-on-disk systems are a preferred method of security over encrypt-on-wire, providing the best security for the least effort. The framework and the analysis can be applied to answer questions beyond this particular result and to different environments.

ENABLING THE ARCHIVAL STORAGE OF SIGNED DOCUMENTS
Petros Maniatis and Mary Baker, Stanford University

Consider a situation where two people agree to a contract, the contract is digitally signed by each person, and archived. Significantly later, one of the signers challenges the contract. What problems arise with the passage of time? Petros Maniatis addressed these issues, providing one possible solution that extends traditional archival storage to support archiving of long-term contracts.

As time passes, issues arise that make it difficult to ensure the long-term validity of signed data, the sensitivity of keys being the most outstanding issue. Keys are lost, names are changed, and digital certificates expire. This issue begs two questions: “Can one trust a 30-year-old signature key?” and “How does one verify such a signature?” Maniatis introduced KASTS, a key archival service that uses time stamping and timed storage of keys as an answer to these questions. KASTS uses two main components, a Time-Stamping Server (TSS) and a Key Archival Service (KAS), to establish a time of signing and an effective method for verifying old signatures. KASTS uses a versioned and balanced tree for the public keys of signatures. Maniatis argued that this structure is a feasible and effective method of storing keys. For more information, refer to http://identiscape.stanford.edu/.

SESSION: PERFORMANCE AND MODELING
Summarized by Scott Banachowski

WOLF – A NOVEL REORDERING WRITE BUFFER TO BOOST THE PERFORMANCE OF LOG-STRUCTURED FILE SYSTEMS
Jun Wang and Yiming Hu, University of Cincinnati

Log-structured file systems make good use of disk bandwidth by combining several writes into a single sequential disk access. However, one shortcoming of log-structured file systems is the overhead incurred from cleaning. Cleaning is the process of reclaiming space in a segment occupied by obsolete blocks; by rewriting the segment’s live blocks to the log, the entire segment is freed.

Jun Wang presented a method (called WOLF) for reducing the cleaning overhead of log-structured file systems. The key idea comes from the observation that file accesses form a bimodal distribution: some files are repeatedly rewritten while others rarely change. If the bimodal distribution of data is classified when written to disk, each type of data can be stored in separate segments. Over time, segments of rewritten data will have almost all their blocks quickly invalidated, and segments of infrequently modified data will accumulate few holes.

WOLF uses an adaptive grouping algorithm to identify active and inactive data, and assigns the data into separate log segments. Using this method, rewritten data may be reordered into a bimodal distribution of segments, leaving little work for the cleaner. The algorithm tracks segment buffer block accesses with reference counters for a time-window of initialized 10 minutes to determine which kind of segment the data belongs to.

Wang described the performance of a WOLF implementation adapted from the Sprite LFS source. The metric used in measurements was overall write cost, a value that incorporates garbage collection overhead by including the expense of reading and rewriting cleaned blocks.

model with a network model. The simulation, configured 16 disk RAIDs, was fed a synthetic workload and a Web server trace. Forney found that their implementation performed similarly to LANDLORD, a performance-comparison algorithm rather than an implementation comparison. The simulation showed that their policy alleviated dra-

responsible for simulating the device on a bus and translating bus signals to simulator requests; the data manager uses a RAM-based cache to hold the data stored on the device; and the timing manager keeps the system state, timing info, and the simulation engine. Obvious limitations of a TASE system is that it must be capable of responding to
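
The keyed-hash approach described in the Secure Storage session summary (the Miller talk), as an added Python example that is not code from the report or from the authors' system: a client tags every block with HMAC-SHA256 so that data changed on the disk is detected on read. The dict standing in for the disk, the object and block numbering, and the choice to bind the block address into the tag are assumptions made for illustration; encryption of the block contents is left out.

```python
import hashlib
import hmac

class IntegrityError(Exception):
    """Raised when a block read back from the disk fails authentication."""

def block_tag(key: bytes, object_id: int, block_no: int, data: bytes) -> bytes:
    # Assumption: the tag covers the block's address as well as its contents,
    # so a valid block moved to another position no longer verifies.
    header = object_id.to_bytes(8, "big") + block_no.to_bytes(8, "big")
    return hmac.new(key, header + data, hashlib.sha256).digest()

class Client:
    """Holds the key. The disk (a plain dict here) stores bytes and never sees the key."""
    def __init__(self, key: bytes, disk: dict):
        self.key, self.disk = key, disk

    def put(self, object_id: int, block_no: int, data: bytes) -> None:
        tag = block_tag(self.key, object_id, block_no, data)
        self.disk[(object_id, block_no)] = (data, tag)

    def get(self, object_id: int, block_no: int) -> bytes:
        data, tag = self.disk[(object_id, block_no)]
        expected = block_tag(self.key, object_id, block_no, data)
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise IntegrityError(f"object {object_id} block {block_no} failed authentication")
        return data

def check(client: Client, object_id: int, block_no: int) -> str:
    try:
        client.get(object_id, block_no)
        return "ok"
    except IntegrityError:
        return "tampered"

def demo() -> dict:
    disk = {}                                              # constructed stand-in for the disk
    client = Client(b"constructed-demo-key-32-bytes!!!", disk)  # constructed key
    client.put(7, 0, b"ledger page 0")
    client.put(7, 1, b"ledger page 1")
    results = {"clean": check(client, 7, 0)}
    data, tag = disk[(7, 0)]
    disk[(7, 0)] = (data.replace(b"0", b"9"), tag)         # contents changed on the disk
    results["modified"] = check(client, 7, 0)
    disk[(7, 0)] = disk[(7, 1)]                            # valid block copied into another slot
    results["relocated"] = check(client, 7, 0)
    results["untouched"] = check(client, 7, 1)
    return results

if __name__ == "__main__":
    print(demo())
```

A per-block tag of this kind does not detect an old version of a block being put back together with its old tag; catching that needs a version counter or similar state held outside the disk.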