SWAN-FS: Secure Wide-Area Network File System


Ling Liu / Mudhakar Srivatsa
{lingliu, mudhakar}@cc.gatech.edu
CCB 216 / CCB 226


Systems and Security


Several wide area network file systems like CFS [1] and Farsite [2] have been proposed recently. A unique feature of these file systems is that they are serverless. They store files on a large collection of untrusted nodes that form an overlay network. Serverless file storage services are faced with the challenge of having to harness the collective resources of loosely coupled, insecure, and unreliable machines to provide a secure, and reliable file-storage service. To complicate matters further, some of the nodes in the overlay network could be malicious. Hence, wide-area file storage services must be capable of handling malicious behavior by a small fraction of nodes in the system. CFS employs cryptographic techniques to maintain file data confidentiality and integrity. Farsite permits file write and update operations by using a Byzantine fault-tolerant group of meta-data servers (directory service). Both CFS and Farsite use replication as a technique to provide higher fault-tolerance and availability.


However, a major drawback with serverless file systems like CFS and Farsite is that they are vulnerable to targeted attacks on files. In a targeted attack, an adversary is interested in compromising a small set of files (target files). The fundamental problem with these systems arises from the following two reasons:

1.      The number of replicas maintained by the system is usually much smaller than the number of malicious nodes.

2.      The nodes (IP-address) that host the replicas of any target file are publicly known.

Hence, malicious nodes can easily attack the set of replica holders of a target file. The attack could be a denial-of-service attack, a distributed denial-of-service attack using malicious nodes in the system or a host compromise attack. A denial-of-service (DoS) attack would render the target file unavailable; a host compromise attack could corrupt all the replicas of a file thereby effectively wiping out the target file from the file system.


One way to mitigate target file attacks is to hide the location of the replicas of a file from an adversary. If the location of a file were perfectly hidden then an adversary would not be able to isolate any small subset of good nodes, attacking who guarantees that the target file is under attack. We have proposed location keys as a technique to hide files on an overlay network in [4]. Analogous to traditional cryptographic keys that hide the contents of a file, location keys hide the location of a file on the overlay network. The provable hardness of breaking location keys makes them a highly attractive choice for implementing access control on files stored in an overlay network. Location key based data placement scheme guards the target file from DoS and host compromise attacks, simplifies key management and key distribution and adds minimal performance overhead to the system in addition to providing traditional guarantees like data confidentiality and integrity.


This mini-project focuses on implementing a prototype for SWAN-FS (Secure Wide Area Network File System) based on location keys. SWAN-FS is implemented on the Chord [3] routing protocol. There are three important phases in this mini-project.

1.      The first stage is to implement a simple flat file system (devoid of directory structures) based on location keys. You also need to benchmark the timings of standard file system operations like file open, read, write and close. You can use our existing Java based implementation of the Chord protocol.

2.      The second stage is to implement DoS and host compromise attacks on SWAN-FS. You need to evaluate the ability of SWAN-FS in defending itself against these attacks.

3.      The third stage is to implement SWAN-FS’s solutions to mitigate inference attacks. You need to evaluate the ability of SWAN-FS in defending itself against inference attacks. You could also identify new inference attacks and study them.


Each of the three stages described above constitutes one mini-project. The deliverables for your mini-project includes

1. A report describing your findings and measurements.

2. A tar-ball of your code.

You will be graded on the quality of your implementation and your report.


[1] A. Adya and W. Bolosky and M. Castro and G. Cermak and R. Chaiken and J. R. Douceur and J. Howell and J. R. Lorch and M. Theimer and R. P. Wattenhofer. "FARSITE: Federated, Available and Reliable Storage for an Incompletely Trusted Environment", in the Proceedings of the 5th Symposium on OSDI, 2002.

[2] F. Dabek and M. F. Kaashoek and D. Karger and R. Morris and I. Stoica. "Wide-area Cooperative Storage with CFS", in the Proceedings of the 18th SOSP, 2001.

[3] I. Stoica and R. Morris and D. Karger and M.F. Kaashoek and H. Balakrishnan. "Chord: A scalable peer-to-peer lookup service for Internet applications", in the Proceedings of SIGCOMM Annual Conference on Data Communication, 2001.

[4] M. Srivatsa and L. Liu. “Location Keys for Secure Wide-Area Network File Systems”, draft report, 2004.