曾梦岐,谷大武,侯方勇,宋宁楠

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.03.046

2010-01-01

Abstract:This paper puts forward a self-securing disk model system, which self-securing storage technique and cryptographic technique are combined to protect disk data. The self-securing technique includes safe boundary, and access control. The cryptographic technique mainly refers to encryption/decryption. The self-securing disk is more intelligent when expansion adds to common disk architecture.

Fangyong Hou,Dawu Gu,Nong Xiao,Yuhua Tang

DOI: https://doi.org/10.1109/cit.2008.4594711

2008-01-01

Abstract:To protect data privacy and integrity, it encrypts each protected disk sector and creates hash tree upon all the protected sectors to resist against any possible attacks. To make it an appropriate way for disk protection, it designs the required solutions of disk layout, performance optimizing and consistency maintaining. Disk layout uses a fixed disk region to preserve hash tree nodes; performance optimizing utilizes system memory to buffer those frequently used hash tree nodes to offload the big working cost; and consistency maintaining logs disk modifications to recovery the valid result after unexpected failures. The implementation cost is low and running performance is satisfiable. Analysis and experimental simulations show that it is a practical and available way to build secure disk.

Fangyong Hou,Dawu Gu,Nong Xiao,Zhiping Cai

DOI: https://doi.org/10.1109/iscc.2008.4625600

2008-01-01

Abstract:Approach that integrates encryption and verification is proposed to protect hard disk data. For each data sector, MAC is calculated and the (data sector, MAC) pair is encrypted through the encryption key deduced from the secret root key and a unique nonce. By assuring the nonce to be trusted or untampered through hash tree, data can then be properly decrypted and authenticated. To achieve satisfiable performance, it applies stream cipher to offload the encryption cost, and adopts special structure hash tree with hot-access-windows to fulfill nonce checking efficiently. Ultimately, it can provide data protection with characteristics like solid resistance against any attacks, online working mode, low-level protecting, and high performance. Related model, approaches and system realization are elaborated, as well as testing results. Theoretical analysis and experimental simulations show that it is a practical and available way to build secure disk.

Wu Dianshuang,Liu Hang,He Dequan

DOI: https://doi.org/10.16526/j.cnki.11-4762/tp.2009.05.031

2009-01-01

Abstract:To transparently encrypt the data stored in solid state disk (SSD) and enhance the integration of the whole secure storage system, a method to integrate hardware encryption function into SSD was proposed after analyzing the architecture of SSD. The scheme of encrypted SSD was also given. Then, the hardware encryption module (HEM) to be embedded into the SSD was designed and implemented based on FPGA. Finally, the encrypted SSD was implemented with the HEM, common ATA flash disk controller and NAND flash chips. The testing and experimental results show that the encrypted SSD can encrypt all the data stored in it and the integration of the encryption function doesn't lead to decrease of performance due to hardware implementation, high speed and no use of system resources of HEM.

MAO Weifeng,PING Lingdi,JIANG Li,CHEN Xiaoping

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.12.068

2006-01-01

Abstract:SECOS is a secure operating system with independent intellectual property right,which accords with the requirements of level 4 secure operation system technology.This paper illustrates some key issues of the system,including design method for enchancement of security,improved model from the Bell-La Padula MAC(mandatory access control) implementation,the realization of the model,formal method during the system development,conversiion channel analysis and its prevention,and secure deletion.The performance evaluation shows the design and implementation of SECOS is effective.

YANG Bo,ZHANG Ji-zheng,JIA Hui-bo

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.04.028

2006-01-01

Abstract:Self-securing mechanism means the shift of storage security functionality into the storage device's firmware,which guarantees the availability and integrity of data storage in the case of host systems or client systems are compromised.With the popularization of the embedded processor,erecting security perimeter on storage device will direct the development of storage system.

Mais Nijim,Xiao Qin,Tao Xie

DOI: https://doi.org/10.1145/1210596.1210598

2006-01-01

ACM Transactions on Storage

Abstract:Since security is of critical importance for modern storage systems, it is imperative to protect stored data from being tampered with or disclosed. Although an increasing number of secure storage systems have been developed, there is no way to dynamically choose security services to meet disk requests' flexible security requirements. Furthermore, existing security techniques for disk systems are not suitable to guarantee desired response times of disk requests. We remedy this situation by proposing an adaptive strategy (referred to as AWARDS) that can judiciously select the most appropriate security service for each write request, while endeavoring to guarantee the desired response times of all disk requests. To prove the efficiency of the proposed approach, we build an analytical model to measure the probability that a disk request is completed before its desired response time. The model also can be used to derive the expected value of disk requests' security levels. Empirical results based on synthetic workloads as well as real I/O-intensive applications show that AWARDS significantly improves overall performance over an existing scheme by up to 358.9% (with an average of 213.4%).

Weiping Zhang,Wenyuan Chen,Jian Tang,Peng Xu,Yibin Li,Shengyong Li

DOI: https://doi.org/10.3390/s91109300

IF: 3.9

2009-01-01

Sensors

Abstract:In this paper, a novel portable hard-disk encryption/decryption system with a MEMS coded lock is presented, which can authenticate the user and provide the key for the AES encryption/decryption module. The portable hard-disk encryption/decryption system is composed of the authentication module, the USB portable hard-disk interface card, the ATA protocol command decoder module, the data encryption/decryption module, the cipher key management module, the MEMS coded lock controlling circuit module, the MEMS coded lock and the hard disk. The ATA protocol circuit, the MEMS control circuit and AES encryption/decryption circuit are designed and realized by FPGA(Field Programmable Gate Array). The MEMS coded lock with two couplers and two groups of counter-meshing-gears (CMGs) are fabricated by a LIGA-like process and precision engineering method. The whole prototype was fabricated and tested. The test results show that the user’s password could be correctly discriminated by the MEMS coded lock, and the AES encryption module could get the key from the MEMS coded lock. Moreover, the data in the hard-disk could be encrypted or decrypted, and the read-write speed of the dataflow could reach 17 MB/s in Ultra DMA mode.

Weiping Zhang,Wenyuan Chen,Jian Tang,Peng Xu,Yibin Li,Shengyong Li

DOI: https://doi.org/10.3390/s91109300

IF: 3.9

2009-01-01

Sensors

Abstract:In this paper, a novel portable hard-disk encryption/decryption system with a MEMS coded lock is presented, which can authenticate the user and provide the key for the AES encryption/decryption module. The portable hard-disk encryption/decryption system is composed of the authentication module, the USB portable hard-disk interface card, the ATA protocol command decoder module, the data encryption/decryption module, the cipher key management module, the MEMS coded lock controlling circuit module, the MEMS coded lock and the hard disk. The ATA protocol circuit, the MEMS control circuit and AES encryption/decryption circuit are designed and realized by FPGA(Field Programmable Gate Array). The MEMS coded lock with two couplers and two groups of counter-meshing-gears (CMGs) are fabricated by a LIGA-like process and precision engineering method. The whole prototype was fabricated and tested. The test results show that the user's password could be correctly discriminated by the MEMS coded lock, and the AES encryption module could get the key from the MEMS coded lock. Moreover, the data in the hard-disk could be encrypted or decrypted, and the read-write speed of the dataflow could reach 17 MB/s in Ultra DMA mode.

Jie Lin,Yunliang Zhang,Zhiyong Tan,Yiqi Dai

2009-01-01

Abstract:The paper proposes a novel secure distributed disk system. By dynamically exploiting file-system semantics of on-disk data blocks and sensing activities of the local file system, the disk system can be integrated with the current file systems seamlessly without changing the standard block interface between them and can efficiently manage accesses to the files from multiple hosts. And the disk system adopts a new data distribution scheme to ensure confidentiality, reliability and availability of data, and a credibility evaluation strategy to prevent some attacks from malicious clients and data servers.

Mengqi Zeng,Fangyong Hou,Dawu Gu,Yuanyuan Zhang,NingNan Song

DOI: https://doi.org/10.1109/HPCC.2008.129

2008-01-01

Abstract:Hybrid hard drives (HHD) are coming up with potential high viability in mobile computing. It's quite necessary to put forward an efficient secure scheme for hybrid hard drives. NAND Flash of HHD is made full use as a container and a buffer for metadata. We propose an efficient combined scheme based on Galois/Counter Mode (GCM) to protect hard disk data by authenticated encryption, and build a secure architecture for HHD. Our results show that we not only protect the disk data by authenticated encryption, but also gain high performance. According to the simulation results, for the best of our methods, the performance overhead is less than 18%, which is efficient and acceptable practically.

Minal Moharir,A. V. Suresh

DOI: https://doi.org/10.48550/arXiv.1109.4565

2011-08-26

Abstract:The main objective of the paper is to study and develop an efficient method for Hard Disk Drive(HDD) Security using Full Disk Encryption (FDE) with Advanced Encryption Standards(AES) for data security specifically for Personal Computers(PCS) and Laptops . The focus of this work is to authenticate and protect the content of HDD from illegal use. The paper proposes an adaptive methods for protecting a HDD based on FDE. The proposed method is labeled as DiskTrust. FDE encrypts entire content or a single volume on your disk. DiskTrust implements Symmetric key cryptography with, Advanced Encryption Standards. Finally, the applicability of these methodologies for HDD security will be evaluated on a set of data files with different key sizes.

Cryptography and Security

Hong-Liang TIAN,Yong ZHANG,Xin-Hui XU,Chao LI,Chun-Xiao XING

DOI: https://doi.org/10.11897/SP.J.1016.2016.00154

2016-01-01

Chinese Journal of Computers

Abstract:Big data,known for its characteristics of high volume,high value and centralized storage, is an attractive target for attackers.Thus,big data security is an important issue.However,the two most common data security measures used in big data platforms (e.g.Hadoop)are not satisfactory:(1 )Access control mechanisms are prone to bugs and vulnerabilities;(2)Data encryption is provably secure but incurs considerable overheads during data processing.In this paper,we present TrustedSSD,a secure Solid State Drive (SSD)that efficiently guarantees the security of data-at-rest by enforcing a fine-grained access control.We first analysis the security of TrustedSSD,and then describe the design and implementation of the system,highlighting the challenges involved. We built a prototype of TrustedSSD on a commercially successful SSD controller.Experimental results on both synthetic and real-world workloads show that TrustedSSD incurs less than 3%overhead.Therefore,we believe TrustedSSD is a promising approach to big data security.

GAO Wei,GU Da-wu,HOU Fang-yong,SONG Ning-nan

DOI: https://doi.org/10.3969/j.issn.1000-3428.2009.02.050

2009-01-01

Abstract:A fast disk encryption algorithm targeted at the specific application scenario of disk encryption is devised.The new algorithm is a tweakable cipher,and experimental results show that its performance is about 20% better than the algorithm adopted by Windows Vista Bitlocker Driver Encryption in software environment.The algorithm can provide the pseudo integrity protection ability.

ZHANG Jing,CHEN Wen-yuan,ZHANG Wei-ping

DOI: https://doi.org/10.3969/j.issn.1008-0570.2008.26.064

2008-01-01

Abstract:With the explosion of information,information security increasingly becomes evident. A complete data encryption system must consists of a reliable authentication mechanism and an advanced encryption algorithm. In this paper,we will introduce a new fast encryption system based on MEMS stronglink,USB controller and FPGA and its crypto algorithm is AES. A common IDE harddisk attached on this system becomes a very safe USB mobile encrypted harddisk,and the data throughput rate of it achieves 10MB/s,closed to any common USB flash disk in the market.

Yuxia Cheng,Qing Wu,Bei Wang,Wenzhi Chen

DOI: https://doi.org/10.1007/978-3-319-69471-9_4

2017-01-01

Abstract:Protecting data security and privacy is one of the top concerns in the public cloud. As the cloud infrastructure is complex, and it is difficult for cloud users to gain trust. Particularly, how to guarantee the confidentiality and integrity of in-memory user private data in untrusted cloud faces big challenges. The in-memory data is typically used for online processing that requires high performance and plaintext access in CPU, therefore simple data encryption is infeasible for in-memory data security protection. In this paper, we propose a secure in-memory data cache scheme based on the memcached key-value store system and leverage the new trusted Intel SGX processors to protect sensitive operations. Firstly, we build a secure enclave and design a trusted channel protocol using remote attestation mechanism. Secondly, we propose a cache server partitioning method that decouples the sensitive key-value operations with enclave protection. Thirdly, we implement a secure client library to maintain the original cache semantics for application compatibility. The experimental result showed that the proposed solutions achieves comparable performance with the traditional key-value store systems, while improves the level of data security in untrusted cloud.

Jinwoo Ahn,Seungjin Lee,Jinhoon Lee,Youngwoo Ko,Junghee Lee,Youngjae Kim

DOI: https://doi.org/10.48550/arXiv.2108.06459

2021-08-14

Cryptography and Security

Abstract:Privileged malware neutralizes software-based versioning systems and destroys data. To counter this threat, a versioning solid-state drive (SSD) that performs versioning inside the SSD has been studied. An SSD is a suitable candidate for data versioning because it can preserve previous versions without additional copying, and provide high security with a very small trusted computing base (TCB). However, the versioning SSDs studied so far commonly use a full disk versioning method that preserves all file versions in a batch. This paper demonstrates that SSDs, which provide full disk versioning, can be exposed to data tampering attacks when the retention time of data is less than the malware's dwell time. To deal with this threat, we propose SGX-SSD, a policy-based per-file versioning SSD to keep a deeper history for only the important files of users. However, since the SSD isn't aware of a file semantic, and the versioning policy information should be securely received from the untrusted host computer, implementing the per-file versioning in SSD is a huge challenge. To solve this problem, SGX-SSD utilizes the Intel SGX and has a secure host interface to securely receive policy information (configuration values) from the user. Also, to solve the file semantic unawareness problem of the SSD, a piggyback module is designed to give a file hint at the host layer, and an algorithm for selective versioning based on the policy is implemented in the SSD. To prove our system, we prototyped SGX-SSD the Jasmine OpenSSD platform in Linux environment. In the experimental evaluation, we proved that SGX-SSD provides strong security with little additional overhead for selective per-file versioning.

LIN Hao-xiang,DONG Yuan,ZHANG Wei,ZHANG Su-qin,HU Chang-jun

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.01.026

2007-01-01

Abstract:Recently it has been a focus to protect personal sensitive information. Using cryptographic technique is a promising way. This paper describes the design and implementation of Waycryptic, a versatile cryptographic file system for Linux. By integrating cryptographic technique into file system level, users obtain transparent, dynamic, efficient and secure encryption function without modifying their applications. Encrypted files could be saved on any physical file system which supports extended attributes (XATTR). Waycryptic also permits encrypted files to be shared among multi users and to be easily recovered by designating an account in advance. The results of Iozone and Bonnie benchmarks show that Waycryptic is comparatively efficient and is suitable for personal or multi-user systems which require enhanced security.

Jinwoo Ahn,Donggyu Park,Chang-Gyu Lee,Donghyun Min,Junghee Lee,Sungyong Park,Qian Chen,Youngjae Kim

DOI: https://doi.org/10.48550/arxiv.1904.05012

2019-01-01

Abstract:Traditional techniques to prevent damage from ransomware attacks are to detect and block attacks by monitoring the known behaviors such as frequent name changes, recurring access to cryptographic libraries and exchange keys with remote servers. Unfortunately, intelligent ransomware can easily bypass these techniques. Another prevention technique is to recover from the backup copy when a file is infected with ransomware. However, the data backup technique requires extra storage space and can be removed with ransomware. In this paper, we propose to implement an access control mechanism on a disk drive, called a KEY-SSD disk drive. KEY-SSD is the data store and the last barrier to data protection. Unauthorized applications will not be able to read file data even if they bypass the file system defense, thus denying the block request without knowing the disk's registered block key and completely eliminating the possibility of the file becoming hostage to ransomware. We have prototyped KEY-SSD and validated the usefulness of KEY-SSD by demonstrating 1) selective block access control, 2) unauthorized data access blocking and 3) negligible performance overhead. Our comprehensive evaluation of KEY-SSD for various workloads show the KEY-SSD performance is hardly degraded due to OS lightweight key transmission and access control drive optimization. We also confirmed that KEY-SSD successfully protects the files in the actual ransomware sample.

Zijian Deng,Xuejia Lai

DOI: https://doi.org/10.1109/sitis.2007.38

2008-01-01

Abstract:How to protect the sensitive information from unauthorized disclosure is one of the problems in computer security. In this paper we present a new method for preventing the sensitive file from unauthorized disclosure, Security File Management (SFM). SFM relies on Dual-Core technology, Extensible Firmware Interface and Trusted computing to provide a much high level of security than current solutions. All operations of sensitive files are run in Trusted Boundary. In this paper, we present the architecture of SFM, the initial designer and the security analysis.