Sponsor: Ling Liu / Mudhakar Srivatsa
Area: Systems and Security
Problem
Several wide-area network file systems, such as CFS [2] and Farsite [1], have been proposed recently. A distinctive feature of these file systems is that they are serverless: they store files on a large collection of untrusted nodes that form an overlay network. A serverless file storage service must harness the collective resources of loosely coupled, insecure, and unreliable machines to provide a secure and reliable storage service. To complicate matters further, some of the nodes in the overlay network may be malicious, so a wide-area file storage service must be able to tolerate malicious behavior by a small fraction of the nodes in the system. CFS employs cryptographic techniques to maintain the confidentiality and integrity of file data. Farsite supports file write and update operations through a Byzantine fault-tolerant group of meta-data servers (a directory service). Both CFS and Farsite use replication to provide higher fault tolerance and availability.
However, a major drawback of serverless file systems like CFS and Farsite is that they are vulnerable to targeted attacks on files. In a targeted attack, an adversary is interested in compromising a small set of files (the target files). The fundamental problem with these systems arises from two facts:
1. The number of replicas maintained by the system is usually much smaller than the number of malicious nodes.
2. The nodes (IP addresses) that host the replicas of any target file are publicly known.
Hence, malicious nodes can easily attack the set of replica holders of a target file. The attack could be a denial-of-service attack, a distributed denial-of-service attack mounted from malicious nodes in the system, or a host compromise attack. A denial-of-service (DoS) attack renders the target file unavailable; a host compromise attack can corrupt all the replicas of a file, effectively wiping the target file out of the file system.
One way to mitigate targeted file attacks is to hide the location of a file's replicas from the adversary. If the location of a file were perfectly hidden, an adversary could not isolate any small subset of good nodes such that attacking them would guarantee that the target file is under attack. We have proposed location keys as a technique for hiding files on an overlay network in [4]. Analogous to traditional cryptographic keys, which hide the contents of a file, location keys hide the location of a file on the overlay network. The provable hardness of breaking location keys makes them a highly attractive choice for implementing access control on files stored in an overlay network. A location-key-based data placement scheme guards a target file from DoS and host compromise attacks, simplifies key management and key distribution, and adds minimal performance overhead to the system, in addition to providing traditional guarantees such as data confidentiality and integrity.
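As an added illustration of the placement idea (this is not code from the page or from the SWAN-FS prototype): a CFS-style scheme places replica i of file f at the Chord successor of a public hash of (f, i), so anyone who knows the file name can compute the holders; the keyed variant below assumes the location key is used as an HMAC key in the same derivation, so the holders cannot be computed without it. The ring of node ids, the file name and the key are all constructed for the demo.

```python
from __future__ import annotations
import hashlib
import hmac
from bisect import bisect_left

RING_BITS = 160  # Chord identifier space is SHA-1 sized (160 bits)


def successor(ring_id: int, node_ids: list[int]) -> int:
    """Chord successor: the first node id at or after ring_id going clockwise,
    wrapping around to the smallest id at the top of the ring."""
    nodes = sorted(node_ids)
    pos = bisect_left(nodes, ring_id % (1 << RING_BITS))
    return nodes[pos] if pos < len(nodes) else nodes[0]


def public_replica_ids(file_name: str, replicas: int) -> list[int]:
    """CFS-style placement: replica i of file f lives at the successor of
    SHA-1(f || i). Anyone who knows the file name can compute these ids,
    so the replica holders are publicly known (reason 2 in the text)."""
    return [int.from_bytes(hashlib.sha1(f"{file_name}\x00{i}".encode()).digest(), "big")
            for i in range(replicas)]


def keyed_replica_ids(file_name: str, location_key: bytes, replicas: int) -> list[int]:
    """Location-key placement (assumed construction, not taken from the page):
    replica i lives at the successor of HMAC-SHA1(location_key, f || i).
    Without the key the ids are unpredictable, so an adversary cannot single
    out the few nodes that hold a target file."""
    return [int.from_bytes(hmac.new(location_key, f"{file_name}\x00{i}".encode(),
                                    hashlib.sha1).digest(), "big")
            for i in range(replicas)]


def replica_holders(ids: list[int], node_ids: list[int]) -> list[int]:
    """Map replica ids to the node ids that host them."""
    return [successor(i, node_ids) for i in ids]


if __name__ == "__main__":
    # Constructed ring: 16 node ids derived Chord-style from made-up addresses.
    ring = [int.from_bytes(hashlib.sha1(f"10.0.0.{k}".encode()).digest(), "big")
            for k in range(1, 17)]
    key = hashlib.sha256(b"constructed location key for the demo").digest()
    # Public scheme: the holders follow from the file name alone.
    print("public holders:", replica_holders(public_replica_ids("payroll.db", 3), ring))
    # Location-key scheme: the same file name gives unrelated holders without the key.
    print("keyed holders: ", replica_holders(keyed_replica_ids("payroll.db", key, 3), ring))
```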
This mini-project focuses on implementing a prototype of SWAN-FS (Secure Wide Area Network File System) based on location keys. SWAN-FS is implemented on top of the Chord [3] routing protocol. The mini-project has three important phases.
1. The first stage is to implement a simple flat file system (without directory structures) based on location keys. You also need to benchmark the timings of standard file system operations such as file open, read, write and close. You can use our existing Java-based implementation of the Chord protocol.
2. The second stage is to implement DoS and host compromise attacks on SWAN-FS, and to evaluate the ability of SWAN-FS to defend itself against these attacks.
3. The third stage is to implement SWAN-FS's solutions for mitigating inference attacks, and to evaluate the ability of SWAN-FS to defend itself against inference attacks. You could also identify new inference attacks and study them.
Deliverables
Each of the three stages described above constitutes one mini-project. The deliverables for your mini-project include
1. A report describing your findings and measurements.
2. A tar-ball of your code.
Evaluation
You will be graded on the quality of your implementation
and your report.
Bibliography
[1] A. Adya, W. Bolosky, M. Castro, G. Cermak, R. Chaiken, J. R. Douceur, J. Howell, J. R. Lorch, M. Theimer and R. P. Wattenhofer. "FARSITE: Federated, Available and Reliable Storage for an Incompletely Trusted Environment", in Proceedings of the 5th Symposium on OSDI, 2002.
[2] F. Dabek, M. F. Kaashoek, D. Karger, R. Morris and
[3]
[4] M. Srivatsa and L. Liu. "Location Keys for Secure Wide-Area Network File Systems", draft report, 2004.