Security of a High Performance Commodity Storage Subsystem

Abstract

How do we incorporate security into a high performance commodity storage sub-system? Technology trends and the increasing importance of I/O bound workloads are driving the development of commodity network attached storage devices which deliver both increased functionality and increased performance to end users. In the network attached world, storage devices co-exist on the network with their clients, application file managers, and malicious adversaries who seek to bypass system security policies. As storage devices move from behind the protection of a server and become first class network entities in their own right, they must become actively involved in protecting themselves from network attacks. They must do this while cooperating with higher level applications, such as distributed file systems or database systems, to enforce the application's security policies over storage resources. In this dissertation, I address this problem by proposing a cryptographic capability system which enables application file managers to asynchronously make policy decisions while the commodity storage devices synchronously enforce these decisions. This dissertation analyzes a variety of access control schemata that exist in current distributed storage systems. Motivated by the analysis, I propose a basic cryptographic capability system that is flexible enough to efficiently meet the requirements of many distributed storage systems. Next, I explore how a variety of different mechanisms for describing a set of NASD objects can be used to improve the basic capability system. The result is a new design based on remote execution techniques. The new design places more access control processing at the drive in order to deliver increased performance and functional advantages. Based on the performance limitations of software cryptography demonstrated in a prototype implementation of a network attached storage device, I propose/evaluate an alternative to standard message authentication codec

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Jul 01, 1999
Accession Number
ADA370102

Entities

People

  • Howard Gobioff

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • C4I
  • Cyber
  • Energy and Power Technologies
  • Ground and Sea Platforms
  • Human Systems

DTIC Thesaurus Topics

  • Application Protocols
  • Asymetric Encryption
  • Communication Channels
  • Computer Networks
  • Computer Programming
  • Computer Programs
  • Computer Science
  • Computers
  • Cryptography
  • Cybersecurity
  • Denial Of Service Attack
  • Local Area Networks
  • Network Protocols
  • Network Science
  • Operating Systems
  • Security Protocols
  • Software Development

Fields of Study

  • Computer science

Readers

  • Computer Science/Computer Engineering/Data Science/Digital Signal Processing.
  • Cybersecurity.
  • Parallel and Distributed Computing.

Technology Areas

  • Cyber