Fangyong Hou,Dawu Gu,Nong Xiao,Yuhua Tang

DOI: https://doi.org/10.1109/NAS.2008.48

2008-01-01

Abstract:Storage systems are more distributed and more subject to attacks. Cryptographic file system gives a promising way to mitigate the danger of exposing data by using encryption and integrity protection methods and guarantee end-to-end security to clients. This paper describes SRSAE, a generic approach to cryptographic file system, as well as its realization in a distributed data storage environment. SRSAE applies authenticated encryption to each data block transferred between clients and the remote block devices. It provides strong data confidentiality and integrity protections through trusted IV (Initialization Vector) and MAC (Message Authentication Code) comparison. Performance is optimized by buffering IV and MAC locally. Integration into original file system is presented with specific implementation. Related model, approach and system realization are elaborated, as well as testing results. Theoretical analysis and experimental simulations show that it is a practical and available way to build secure network storage system.

Fangyong Hou,Dawu Gu,Nong Xiao,Zhiping Cai

DOI: https://doi.org/10.1109/iscc.2008.4625600

2008-01-01

Abstract:Approach that integrates encryption and verification is proposed to protect hard disk data. For each data sector, MAC is calculated and the (data sector, MAC) pair is encrypted through the encryption key deduced from the secret root key and a unique nonce. By assuring the nonce to be trusted or untampered through hash tree, data can then be properly decrypted and authenticated. To achieve satisfiable performance, it applies stream cipher to offload the encryption cost, and adopts special structure hash tree with hot-access-windows to fulfill nonce checking efficiently. Ultimately, it can provide data protection with characteristics like solid resistance against any attacks, online working mode, low-level protecting, and high performance. Related model, approaches and system realization are elaborated, as well as testing results. Theoretical analysis and experimental simulations show that it is a practical and available way to build secure disk.

Huiba Li,Yiming Zhang,Dongsheng Li,Zhiming Zhang,Shengyun Liu,Peng Huang,Zheng Qin,Kai Chen,Yongqiang Xiong

DOI: https://doi.org/10.1145/3302424.3303967

2019-01-01

Abstract:This paper presents URSA, a hybrid block store that provides virtual disks for various applications to run efficiently on cloud VMs. Trace analysis shows that the I/O patterns served by block storage have limited locality to exploit. Therefore, instead of using SSDs as a cache layer, URSA proposes an SSD-HDD-hybrid storage structure that directly stores primary replicas on SSDs and replicates backup replicas on HDDs, using journals to bridge the performance gap between SSDs and HDDs. URSA integrates the hybrid structure with designs for high reliability, scalability, and availability. Experiments show that URSA in its hybrid mode achieves almost the same performance as in its SSD-only mode (storing all replicas on SSDs), and outperforms other block stores (Ceph and Sheepdog) even in their SSD-only mode while achieving much higher CPU efficiency (performance per core). We also discuss some practical issues in our deployment.

Di WANG,Jiwu SHU,Wei XUE,Meiming SHEN

DOI: https://doi.org/10.3321/j.issn:1000-0054.2007.01.029

2007-01-01

Abstract:A block-level in-band storage virtualization system was developed for mass storage environments.The system uses continuous regions to organize virtual and physical disks,which effectively reduces the metadata space consumption.The system also implements target-mode virtualization functions to provide good compatibility and can work with multiple nodes to eliminate performance bottlenecks.The tests show that the system latency is within 0.6% than normal network disks,and its processing ability is only limited by the physical devices in the storage network.

Patrick Simmons

DOI: https://doi.org/10.48550/arXiv.1104.4843

2011-04-26

Abstract:Disk encryption has become an important security measure for a multitude of clients, including governments, corporations, activists, security-conscious professionals, and privacy-conscious individuals. Unfortunately, recent research has discovered an effective side channel attack against any disk mounted by a running machine\cite{princetonattack}. This attack, known as the cold boot attack, is effective against any mounted volume using state-of-the-art disk encryption, is relatively simple to perform for an attacker with even rudimentary technical knowledge and training, and is applicable to exactly the scenario against which disk encryption is primarily supposed to defend: an adversary with physical access. To our knowledge, no effective software-based countermeasure to this attack supporting multiple encryption keys has yet been articulated in the literature. Moreover, since no proposed solution has been implemented in publicly available software, all general-purpose machines using disk encryption remain vulnerable. We present Loop-Amnesia, a kernel-based disk encryption mechanism implementing a novel technique to eliminate vulnerability to the cold boot attack. We offer theoretical justification of Loop-Amnesia's invulnerability to the attack, verify that our implementation is not vulnerable in practice, and present measurements showing our impact on I/O accesses to the encrypted disk is limited to a slowdown of approximately 2x. Loop-Amnesia is written for x86-64, but our technique is applicable to other register-based architectures. We base our work on loop-AES, a state-of-the-art open source disk encryption package for Linux.

Cryptography and Security

Qingshu Chen,Liang,Yubin Xia,Haibo Chen,Hyunsoo Kim

2016-01-01

Abstract:Copy-on-write virtual disks (e.g., qcow2 images) provide many useful features like snapshot, de-duplication, and full-disk encryption. However, our study uncovers that they introduce additional metadata for block organization and notably more disk sync operations (e.g., more than 3X for qcow2 and 4X for VMDK images). To mitigate such sync amplification, we propose three optimizations, namely per virtual disk internal journaling, dual-mode journaling, and adaptive-preallocation, which eliminate the extra sync operations while preserving those features in a consistent way. Our evaluation shows that the three optimizations result in up to 110% performance speedup for varmail and 50% for TPCC.

Xiaonan Zhao,Xiao Zhang,Qing Wang,Yanqiu Wang

DOI: https://doi.org/10.1109/ICDIS.2019.00018

2019-06-28

Abstract:Block storage resources are essential in an Infrastructure-as-a-Service(IaaS) cloud computing system. It is used for storing virtual machines’ images. It offers persistent storage service even the virtual machine is off. Distribute storage systems are used to provide block storage services in IaaS, such as Amazon EBS, Cinder, Ceph, Sheepdog. Ceph is widely used as the backend block storage service of OpenStack platform. It converts block devices into objects with the same size and saves them on the local file system. The performance of block devices provided by Ceph is only 30% of hard disks in many cases. One of the key issues that affect the performance of Ceph is the three replicas for fault tolerance. But our research finds that replicas are not the real reason slow down the performance. In this paper, we present a new approach to accelerate the IO operations. The experiment results show that by using our storage engine, Ceph can offer faster IO performance than the hard disk in most cases. Our new storage engine provides more than three times up than the original one.

Engineering,Computer Science

Mengqi Zeng,Dawu Gu,Fangyong Hou,Yuanyuan Zhang,Tao Cheng

DOI: https://doi.org/10.1109/NAS.2009.70

2009-01-01

Abstract:Self-securing storage devices prevents intruders from undetectably tampering with or permanently deleting stored data. To accomplish this, we design an efficient self-securing disk architecture, which is based on traditional self-securing storage prototype S4: 1) On the confidentiality protection side, authenticated encryption mode GCM is adapted to process disk block in parallel ,and authentication latency is overlapped with disk access latency so that our scheme is more efficient and secure than Windows BitLocker. 2) On the integrity protection side, GHASH proposed in GCM is used to generate MAC which is more efficient than SHA-1, MD5. Moreover, ldquoMinimum Integrity Verification Treerdquo is put forward to decrease performance loss at a maximum. 3) On the access control protection side, we propose a cryptographically featured capability based access control model, which is based on existing OSD access control model. We use hybrid hard drive as an instance to build a self-securing disk prototype which is implemented by simulation. The encryption/authentication overheads are significantly reduced due to buffer techniques and combined GCM/Flash scheme. According to the simulation results, the performance overhead is less than 18%, which is efficient and practical.

Shengmin Xu,Xingshuo Han,Guowen Xu,Jianting Ning,Xinyi Huang,Robert H. Deng

DOI: https://doi.org/10.1109/tsc.2023.3321314

IF: 11.019

2024-01-01

IEEE Transactions on Services Computing

Abstract:Cloud computing is the widespread acceptance of a promising paradigm offering a substantial amount of storage and data services on demand. To preserve data confidentiality, many cryptosystems have been introduced. However, current solutions are incompatible with the resource-constrained end-devices because of a variety of vulnerabilities in terms of practicality and security. In this article, we propose a practical and secure data-sharing system by introducing a new design of attribute-based encryption with verifiable outsourced decryption-attribute-based encryption (VO-ABE for short). Our system offers: (1) data sharing at a fine-grained level; (2) a scalable key issuing protocol without any secure channel; (3) a verifiable outsourced decryption mechanism for resource-constrained end-devices against the malicious cloud service provider; and (4) adaptive security against the real-world attacks. To formalize our solution with cryptographic analysis, we present the formal definition of VO-ABE and its concrete construction with provable security. In particular, our design leverages the techniques of the traditional ABE, verifiable outsourced decryption, and randomness extractor to support fine-grained access control, cost-effective data sharing, and security assurance with high entropy. Moreover, our design is provably secure in the adaptive model under the standard assumption, which offers a stronger security guarantee since the state-of-the-art solution is selectively secure under the non-standard assumption and suffers from a variety of real-world attacks. The implementation and evaluation demonstrate that our solution enjoys superior functionality and better performance than the relevant solutions. More importantly, our solution is compatible with the resource-constrained end-devices since the decryption mechanism takes around 1.1 ms and is 22.7x faster than the state-of-the-art solution.

Fatemeh Khoda Parast,Brett Kelly,Saqib Hakak,Yang Wang,Kenneth B. Kent

DOI: https://doi.org/10.1109/access.2022.3227384

IF: 3.9

2022-12-13

IEEE Access

Abstract:Clustered storage systems are dominant solutions for the era of data-intensive computing. Ceph represents a sustainable clustered storage solution, supporting object, block, and file storage capabilities with no single point of failure. Despite the strong management abilities, security remains a serious concern in the Ceph storage system. To date, authentication and access control are the only supported security protocols in the system. Data confidentiality will be undermined if a malicious insider or outside intruder accesses storage devices. This study proposes a lightweight cryptographic-based interface, CephArmor, for a Ceph storage system to ensure data confidentiality in storage. The proposed method has been integrated into the Ceph stable version, Pacific, and evaluated through 45Drives Storinator servers, a commercial hardware commodity for storage solutions in real-world scenarios. The experimental results denote a nuanced overhead regarding elapsed time, throughput, average operations per second, and latency on a write operation. In contrast, the read operations illustrated near-zero performance overhead for the same metrics.

computer science, information systems,telecommunications,engineering, electrical & electronic

Mais Nijim,Xiao Qin,Tao Xie

DOI: https://doi.org/10.1145/1210596.1210598

2006-01-01

ACM Transactions on Storage

Abstract:Since security is of critical importance for modern storage systems, it is imperative to protect stored data from being tampered with or disclosed. Although an increasing number of secure storage systems have been developed, there is no way to dynamically choose security services to meet disk requests' flexible security requirements. Furthermore, existing security techniques for disk systems are not suitable to guarantee desired response times of disk requests. We remedy this situation by proposing an adaptive strategy (referred to as AWARDS) that can judiciously select the most appropriate security service for each write request, while endeavoring to guarantee the desired response times of all disk requests. To prove the efficiency of the proposed approach, we build an analytical model to measure the probability that a disk request is completed before its desired response time. The model also can be used to derive the expected value of disk requests' security levels. Empirical results based on synthetic workloads as well as real I/O-intensive applications show that AWARDS significantly improves overall performance over an existing scheme by up to 358.9% (with an average of 213.4%).

Minal Moharir,A. V. Suresh

DOI: https://doi.org/10.48550/arXiv.1109.4565

2011-08-26

Abstract:The main objective of the paper is to study and develop an efficient method for Hard Disk Drive(HDD) Security using Full Disk Encryption (FDE) with Advanced Encryption Standards(AES) for data security specifically for Personal Computers(PCS) and Laptops . The focus of this work is to authenticate and protect the content of HDD from illegal use. The paper proposes an adaptive methods for protecting a HDD based on FDE. The proposed method is labeled as DiskTrust. FDE encrypts entire content or a single volume on your disk. DiskTrust implements Symmetric key cryptography with, Advanced Encryption Standards. Finally, the applicability of these methodologies for HDD security will be evaluated on a set of data files with different key sizes.

Cryptography and Security

Fangyong Hou,Dawu Gu,Nong Xiao,Yuhua Tang

DOI: https://doi.org/10.1109/cit.2008.4594711

2008-01-01

Abstract:To protect data privacy and integrity, it encrypts each protected disk sector and creates hash tree upon all the protected sectors to resist against any possible attacks. To make it an appropriate way for disk protection, it designs the required solutions of disk layout, performance optimizing and consistency maintaining. Disk layout uses a fixed disk region to preserve hash tree nodes; performance optimizing utilizes system memory to buffer those frequently used hash tree nodes to offload the big working cost; and consistency maintaining logs disk modifications to recovery the valid result after unexpected failures. The implementation cost is low and running performance is satisfiable. Analysis and experimental simulations show that it is a practical and available way to build secure disk.

Ke Huang,Xiaosong Zhang,Xiaofen Wang,Xiaojiang Du,Ruonan Zhang

DOI: https://doi.org/10.1109/ISPA/IUCC.2017.00196

2017-01-01

Abstract:Ubiquitous devices exchange and store data at all times and places under a pervasive environment. Using cloud storage to manage these data is cost-effective. However, ubiquitous data suffers from efficiency, privacy, and functionality issues. BL-MLE is an ideal tool for encrypting user data while enabling block-level deduplication for storage saving. BL-MLE or any other deduplication system cannot support block dynamics. The major difficulties are three-fold: (1) Integrity breaches; (2) Ownership management and access control; (3) Key updates. To address these, we propose a scheme called Enabling Block Dynamics under Block-Level Message-Locked Encryption (EBD-MLE) to enable full-block dynamics under BL-MLE for ubiquitous data. In general, EBD-MLE is a complete mechanism that allows a single-block to be inserted, modified, or deleted securely and efficiently each time under BL-MLE. In this work, we classify users into three categories for access control concerns. We identify that only those users who own files can perform block operations on the file. Meanwhile, we introduce the concept of shadow sets, trivial tag sets, and metadata completion to solve the above three issues. While security proof validates our proposal, the experimental evidence suggests that EBD-MLE is sufficient for a computation-restrained device.

Da Xiao,Jiwu Shu,Wei Xue,Weimin Zheng

DOI: https://doi.org/10.1007/11428862_55

2005-01-01

Abstract:Storage virtualization is a key technique to exploit the potential of SANs. This paper describes the design and implementation of a storage virtualization system for the SAN environment. This system has asymmetric architecture, and virtualization operations are done by a metadata server allowing management to be accomplished at a single point. The system has better scalability compared to symmetric systems and can support heterogeneous platforms of hosts. Agent software was implemented in the volume management layer of hosts so that any standard HBA card can be used. The metadata server manages storage resources automatically and configuration of storage pools can be changed dynamically. The metadata server is also used for system monitoring, which is the basis of dynamic storage resource management and automatic failure recovery. Test results showed that the overhead introduced by our virtualization layer is negligible, and the performance of storage system was enhanced effectively by the striping strategy in organizing storage pools. The number of seeks per second to a logical volume allocated from a pool of four disks was increased by 55.2% compared to a plain FC disk.

Letian Yi,Jiwu Shu,Ying Zhao,Yingjin Qian,Youyou Lu,Weimin Zheng

DOI: https://doi.org/10.1109/tc.2013.6

IF: 3.183

2014-01-01

IEEE Transactions on Computers

Abstract:Existing block-based parallel file systems, which are deployed in the storage area network (SAN), blend metadata with data in underlying disks. Unfortunately, such symmetric architecture is prone to system-level failures, as metadata on shared disks can be damaged by a malfunctioning client. In this paper, we present an asymmetric block-based parallel file system, Redbud, which isolates the metadata storage in the metadata server (MDS) access domain. Although centralized metadata management can effectively improve the reliability of the system, it faces some challenges in providing high performance and availability. Towards this end, we introduce an embedded directory mechanism to explore the disk bandwidth of the metadata storage; we also introduces adaptive layout operations to deliver high I/O throughput for various file access pattern. Besides, by taking the MDS's load into consideration, we propose an adaptive timeout algorithm to make the MDS failure detection adaptive to the evolving workloads, improving the system availability. Measurements of a wide range of workloads demonstrate the benefit of our design and that Redbud gains good scalability.

Yanbing Jiang,Chentao Wu,Jie Li,Minyi Guo

DOI: https://doi.org/10.1109/iccd.2016.7753263

2016-01-01

Abstract:In large scale data centers, with the increasing amount of user data, Triple Disk Failure Tolerant arrays (3DFTs) gain much popularity due to their high reliability and low monetary cost. With the development of cloud computing, scalability becomes a challenging issue for disk arrays like 3DFTs. Although previous solutions improves the efficiency of RAID scaling, they suffer many problems (high I/O overhead and long migration time) in 3DFTs. It is because that existing approaches have to cost plenty of migration I/Os on balancing the data distribution according to the complex layout of erasure codes. To address this problem, we propose a novel Balanced Data Redistribution scheme (BDR) to accelerate the scaling process, which can be applied on XOR-based 3DFTs. BDR migrates proper data blocks according to a global point of view on a stripe set, which guarantees uniform data distribution and a small number of data movements. To demonstrate the effectiveness of BDR, we conduct several evaluations and simulations. The results show that, compared to typical RAID scaling approaches like Round-Robin (RR), SDM and RS6, BDR reduces the scaling I/Os by up to 77.45%, which speeds up the scaling process of 3DFTs by up to 4.17×, 3.31×, 3.88×, respectively.

Yili Gong,Yanyan Xu,Yingchun Lei,Wenjie Wang

DOI: https://doi.org/10.1109/hpcc-css-icess.2015.54

2015-01-01

Abstract:Cloud-based file systems are widely accepted and adopted for personal and business purposes in recent years. Statistics shows that approximately 25% of file operations from a typical user are random writes. Inherited from traditional disk-based file systems, most distributed file systems are also based on objects or chunks of fixed sizes, which work well for sequential writes but poorly for random writes. This paper investigates the design paradigm of variable-sized objects for a distributed file system. A novel distributed file system named VarFS, is presented to incorporate variable object indexing and support random write operations. VarFS reduces the amount of unnecessary data being read and the number of objects modified in face of updates and consequently alleviates the total amount of data transferred. The implementation is based on Ceph and the performance measurements show that it can achieve 1-2 orders of magnitude less latency than Ceph on random writes. At the same time the overhead for initial writes and re-writes is acceptable.

Jie Lin,Yunliang Zhang,Zhiyong Tan,Yiqi Dai

2009-01-01

Abstract:The paper proposes a novel secure distributed disk system. By dynamically exploiting file-system semantics of on-disk data blocks and sensing activities of the local file system, the disk system can be integrated with the current file systems seamlessly without changing the standard block interface between them and can efficiently manage accesses to the files from multiple hosts. And the disk system adopts a new data distribution scheme to ensure confidentiality, reliability and availability of data, and a credibility evaluation strategy to prevent some attacks from malicious clients and data servers.

Yiming Zhang,Huiba Li,Shengyun Liu,Jiawei Xu,Guangtao Xue

DOI: https://doi.org/10.1145/3365839

2020-01-01

ACM Transactions on Storage

Abstract:Block storage provides virtual disks that can be mounted by virtual machines (VMs). Although erasure coding (EC) has been widely used in many cloud storage systems for its high efficiency and durability, current EC schemes cannot provide high-performance block storage for the cloud. This is because they introduce significant overhead to small write operations (which perform partial write to an entire EC group), whereas cloud-oblivious applications running on VMs are often small-write-intensive. We identify the root cause for the poor performance of partial writes in state-of-the-art EC schemes: for each partial write, they have to perform a time-consuming write-after-read operation that reads the current value of the data and then computes and writes the parity delta, which will be used to “patch” the parity in journal replay. In this article, we present a speculative partial write scheme (called PARIX) that supports fast small writes in erasure-coded storage systems. We transform the original formula of parity calculation to use the data deltas (between the current/original data values), instead of the parity deltas, to calculate the parities in journal replay. For each partial write, this allows PARIX to speculatively log only the new value of the data without reading its original value. For a series of n partial writes to the same data, PARIX performs pure write (instead of write-after-read) for the last n-1 ones while only introducing a small penalty of an extra network round-trip time to the first one. Based on PARIX, we design and implement PARIX Block Storage (PBS), an efficient block storage system that provides high-performance virtual disk service for VMs running cloud-oblivious applications. PBS not only supports fast partial writes but also realizes efficient full writes, background journal replay, and fast failure recovery with strong consistency guarantees. Both microbenchmarks and trace-driven evaluation show that PBS provides efficient block storage and outperforms state-of-the-art EC-based systems by orders of magnitude.