Authenticated Storage Using Small Trusted Hardware Hsin-Jung Yang, Victor Costan, Nickolai Zeldovich, and Srini Devadas

Similar documents
PageVault: Securing Off-Chip Memory Using Page-Based Authen?ca?on. Blaise-Pascal Tine Sudhakar Yalamanchili

6.857 L17. Secure Processors. Srini Devadas

Efficient Memory Integrity Verification and Encryption for Secure Processors

Securing the Frisbee Multicast Disk Loader

Security Challenges and Opportunities in Adaptive and Reconfigurable Hardware

Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds

An NVMe-based FPGA Storage Workload Accelerator

Ming Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay

AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing

Initial Evaluation of a User-Level Device Driver Framework

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

VIAF: Verification-based Integrity Assurance Framework for MapReduce. YongzhiWang, JinpengWei

The Google File System

CloudSky: A Controllable Data Self-Destruction System for Untrusted Cloud Storage Networks

Remote Data Checking for Network Codingbased. Distributed Storage Systems

9 GENERATION INTEL CORE DESKTOP PROCESSORS

CODESSEAL: Compiler/FPGA Approach to Secure Applications

CA485 Ray Walshe Google File System

Moneta: A High-performance Storage Array Architecture for Nextgeneration, Micro 2010

Name: 1. CS372H: Spring 2009 Final Exam

ASN Configuration Best Practices

A Design for Networked Flash

Refresher: Applied Cryptography

Industry Collaboration and Innovation

McAfee Network Security Platform 9.1

Outline 1 Motivation 2 Theory of a non-blocking benchmark 3 The benchmark and results 4 Future work

EyeCheck Smart Cameras

HPE ProLiant Gen10. Franz Weberberger Presales Consultant Server

FADE: A Secure Overlay Cloud Storage System with Access Control and Assured Deletion. Patrick P. C. Lee

2016 inn In ovatint SYSTEM novatint version 3 REQUIREMENTS System Requirements D ate :

An NVMe-based Offload Engine for Storage Acceleration Sean Gibb, Eideticom Stephen Bates, Raithlin

Trojan-tolerant Hardware & Supply Chain Security in Practice

EPYC VIDEO CUG 2018 MAY 2018

The Google File System

Accelerating Pointer Chasing in 3D-Stacked Memory: Challenges, Mechanisms, Evaluation Kevin Hsieh

RAMCloud and the Low- Latency Datacenter. John Ousterhout Stanford University

CS3600 SYSTEMS AND NETWORKS

The Google File System

SSH Bulk Transfer Performance. Allan Jude --

RAMCloud: Scalable High-Performance Storage Entirely in DRAM John Ousterhout Stanford University

DASH COPY GUIDE. Published On: 11/19/2013 V10 Service Pack 4A Page 1 of 31

Two hours - online. The exam will be taken on line. This paper version is made available as a backup

A Comparison Study of Intel SGX and AMD Memory Encryption Technology

PCIe Storage Beyond SSDs

CCR1009 CCR1009. Cloud Core Router. The CCR1009 is a powerful Ethernet router based on the cutting edge TILERA 9 core CPU.

Performance COE 403. Computer Architecture Prof. Muhamed Mudawar. Computer Engineering Department King Fahd University of Petroleum and Minerals

CSAIL. Computer Science and Artificial Intelligence Laboratory. Massachusetts Institute of Technology

Topics. " Start using a write-ahead log on disk " Log all updates Commit

Comparison of SSL/TLS libraries based on Algorithms/languages supported, Platform, Protocols and Performance. By Akshay Thorat

Asynchronous Logging and Fast Recovery for a Large-Scale Distributed In-Memory Storage

The Google File System

RAPIDIO USAGE IN A BIG DATA ENVIRONMENT

Google File System. Sanjay Ghemawat, Howard Gobioff, and Shun-Tak Leung Google fall DIP Heerak lim, Donghun Koo

Firmware Updates for Internet of Things Devices

Session key establishment protocols

COS 318: Operating Systems. Journaling, NFS and WAFL

Zettabyte Reliability with Flexible End-to-end Data Integrity

jvpfs: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components

Session key establishment protocols

Recovering Disk Storage Metrics from low level Trace events

TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing

Android Bootloader and Verified Boot

McAfee Network Security Platform

SFS: Random Write Considered Harmful in Solid State Drives

RAMCloud: A Low-Latency Datacenter Storage System Ankita Kejriwal Stanford University

NEC Express5800 A2040b 22TB Data Warehouse Fast Track. Reference Architecture with SW mirrored HGST FlashMAX III

No More Waiting Around

Join Processing for Flash SSDs: Remembering Past Lessons

FAST SQL SERVER BACKUP AND RESTORE

Distributed Systems Final Exam

Compute Node Design for DAQ and Trigger Subsystem in Giessen. Justus Liebig University in Giessen

Programmable Logic Design Grzegorz Budzyń Lecture. 15: Advanced hardware in FPGA structures

SMB Direct Update. Tom Talpey and Greg Kramer Microsoft Storage Developer Conference. Microsoft Corporation. All Rights Reserved.

AEGIS Secure Processor

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor

COS 318: Operating Systems. NSF, Snapshot, Dedup and Review

Vess A2000 Series NVR Storage Appliance

VMware VMmark V1.1 Results

Tolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich

McAfee Network Security Platform 8.3

Zynq-7000 All Programmable SoC Product Overview

Fast packet processing in the cloud. Dániel Géhberger Ericsson Research

Intel Software Guard Extensions (Intel SGX) Memory Encryption Engine (MEE) Shay Gueron

Design and Implementation of the Ascend Secure Processor. Ling Ren, Christopher W. Fletcher, Albert Kwon, Marten van Dijk, Srinivas Devadas

McAfee Network Security Platform

Simplify System Complexity

Side Load Feature Nasuni Corporation Boston, MA

McAfee Network Security Platform 9.1

Building blocks for custom HyperTransport solutions

Maximizing heterogeneous system performance with ARM interconnect and CCIX

Inexpensive Coordination in Hardware

Cascade Mapping: Optimizing Memory Efficiency for Flash-based Key-value Caching

SATA-IP Introduction. Agenda

Silent Shredder: Zero-Cost Shredding For Secure Non-Volatile Main Memory Controllers

Deduplication Storage System

SMORE: A Cold Data Object Store for SMR Drives

Developing deterministic networking technology for railway applications using TTEthernet software-based end systems

Extended Specification. P ProDesk 400 G2.5 Core i GHz 4 GB 500 GB. Personal computer small form factor

CSAIL. Computer Science and Artificial Intelligence Laboratory. Massachusetts Institute of Technology

Transcription:

Authenticated Storage Using Small Trusted Hardware Hsin-Jung Yang, Victor Costan, Nickolai Zeldovich, and Srini Devadas Massachusetts Institute of Technology November 8th, CCSW 2013

Cloud Storage Model

Privacy Cloud Storage Requirements Sol: encryption at the client side Availability Sol: appropriate data replication Integrity Sol: digital signatures & message authentication codes Freshness Hard to guarantee due to replay attacks

Cloud Storage: Replay Attack User A Cloud Server User B

Cloud Storage: Replay Attack User A Cloud Server User B

Cloud Storage: Replay Attack User A Cloud Server User B

Cloud Storage: Replay Attack User A Cloud Server User B

Cloud Storage: Replay Attack User A Cloud Server User B

Cloud Storage: Replay Attack User A Cloud Server User B

Cloud Storage: Replay Attack User A Cloud Server User B

Cloud Storage: Replay Attack User A Cloud Server User B

Cloud Storage: Replay Attack User A Cloud Server User B

Cloud Storage: Replay Attack User A Cloud Server User B

Cloud Storage: Replay Attack Software solution: Two users contact with each other directly User A Cloud Server User B

Solution: Adding Trusted Hardware

Solution: Adding Trusted Hardware

Solution: Adding Trusted Hardware single chip

Solution: Adding Trusted Hardware single chip Secure NVRAM

Solution: Adding Trusted Hardware single chip Secure NVRAM Computational Engines

Solution: Adding Trusted Hardware single chip Secure NVRAM Computational Engines Slow under NVRAM process!

Solution: Adding Trusted Hardware state chip (S chip) Secure NVRAM Computational Engines processing chip (P chip)

Solution: Adding Trusted Hardware Smart Card state chip (S chip) Secure NVRAM Computational Engines processing chip (P chip) Fast! FPGA / ASIC

Solution: Adding Trusted Hardware Smart Card state chip (S chip) Secure NVRAM Computational Engines securely paired processing chip (P chip) Fast! FPGA / ASIC

Outline Motivation: Cloud Storage and Security Challenges System Design Threat Model & System Overview Security Protocols Crash Recovery Mechanism Implementation Evaluation Conclusion

Threat Model

Threat Model Untrusted connections Disk attacks and hardware failures Untrusted server that may (1) send wrong response (2) pretend to be a client (3) maliciously crash (4) disrupt P chip s power Clients may try to modify other s data

Threat Model Untrusted connections Disk attacks and hardware failures Untrusted server that may (1) send wrong response (2) pretend to be a client (3) maliciously crash (4) disrupt P chip s power Clients may try to modify other s data

Threat Model Untrusted connections Disk attacks and hardware failures Untrusted server that may (1) send wrong response (2) pretend to be a client (3) maliciously crash (4) disrupt P chip s power Clients may try to modify other s data

Threat Model Untrusted connections Disk attacks and hardware failures Untrusted server that may (1) send wrong response (2) pretend to be a client (3) maliciously crash (4) disrupt P chip s power Clients may try to modify other s data

System Overview Client <-> S-P chip: HMAC key S-P chip: integrity/freshness checks, system state storage & updates sign responses Server: communication, scheduling, disk IO

Security Protocols Message Authentication Memory Authentication Write Access Control System State Protection against Power Loss

Design: Message Authentication Untrusted network between client and server Sol: HMAC Technique Session-based protocol (HMAC key) PubEK, Ecert (PubEK, PrivEK) {HMAC key} PubEK {HMAC key} PubEK decrypt the key Client Server S-P Chip pair HMAC key {HMAC key} PubEK HMAC key (encrypted HMAC key)

Security Protocols Message Authentication Memory Authentication Write Access Control System State Protection against Power Loss

Design: Memory Authentication Data protection against untrusted disk Block-based cloud storage API Fixed block size (1MB) Write (block number, block) Read (block number) block Easy to reason about the security Disk B 1 B 2 B 3 B 4

Design: Memory Authentication Solution: Merkle tree h 1..8 h 1..4 h 5..8 h 12 =H(h 1 h 2 ) h 12 h 34 h 56 h 78 h 1 =H(B 1 ) h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 B 1 B 2 B 3 B 4 B 5 B 6 B 7 B 8 Disk is divided into many blocks

Design: Memory Authentication Solution: Merkle tree h 1..8 Root Hash (securely stored) h 1..4 h 5..8 h 12 =H(h 1 h 2 ) h 12 h 34 h 56 h 78 h 1 =H(B 1 ) h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 B 1 B 2 B 3 B 4 B 5 B 6 B 7 B 8 Disk is divided into many blocks

Design: Memory Authentication Solution: Merkle tree h 1..8 Root Hash (securely stored) h 1..4 h 5..8 h 12 =H(h 1 h 2 ) h 12 h 34 h 56 h 78 verify h 1 =H(B 1 ) h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 B 1 B 2 B 3 B 4 B 5 B 6 B 7 B 8 Disk is divided into many blocks

Design: Memory Authentication Solution: Merkle tree h 1..8 Root Hash (securely stored) h 1..4 h 5..8 h 12 =H(h 1 h 2 ) h 12 h 34 h 56 h 78 verify h 1 =H(B 1 ) h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 B 1 B 2 B 3 B 4 B 5 B 6 B 7 B 8 Disk is divided into many blocks

Merkle Tree Caching Caching policy is controlled by the server Cache management commands: LOAD, VERIFY, UPDATE P chip Node # Hash Verified Left child Right child 1 fabe3c05d8ba995af93e Y Y N 2 e6fc9bc13d624ace2394 Y Y Y 4 53a81fc2dcc53e4da819 Y N N 5 b2ce548dfa2f91d83ec6 Y N N

Security Protocols Message Authentication Memory Authentication Write Access Control System State Protection against Power Loss

Design: Write Access Control Goal: to ensure all writes are authorized and fresh Coherence model assumption: Clients should be aware of the latest update Unique write access key (Wkey) Share between authorized writers and the S-P chip Wkey B 1 B 2 B 3 B 4 S-P Chip pair Revision number (V id ) Increase during each write operation

Design: Write Access Control Protect Wkey and V id Add another layer at the bottom of Merkle tree h 78 h 78 h' 8 Root Hash (securely stored) h 1..8 h 8 =H(B 8 ) h 8 h 8 =H(B 8 ) h 8 h 1..4 h 5..8 B 8 B 8 H(Wkey) V id h 12 h 34 h 56 h 78 h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 B 1 B 2 B 3 B 4 B 5 B 6 B 7 B 8

Security Protocols Message Authentication Memory Authentication Write Access Control System State Protection against Power Loss

Design: System State Protection Goal: to avoid losing the latest system state Server may interrupt the P chip s supply power Solution: root hash storage protocol Client Server P chip S chip request hold response release response store state

Design: Crash Recovery Mechanism Goal: to recover the system from crashes Even if the server crashes, the disk can be recovered to be consistent with the root hash stored on the S chip Solution:

Implementation ABS (authenticated block storage) server architecture

ABS client model Implementation

Performance Evaluation Experiment configuration Disk size: 1TB Block size: 1MB Server: Intel Core i7-980x 3.33GHz 6-core processor with 12GB of DDR3-1333 RAM FPGA: Xilinx Virtex-5 XC5VLX110T Client: Intel Core i7-920x 2.67GHz 4-core processor FPGA-server connection: Gigabit Ethernet Client-server connection: Gigabit Ethernet

Fast network: File System Benchmarks (Mathmatica) Latency: 0.2ms Bandwidth: 1Gbit/s pure writes reads + writes pure reads

Slow network: File System Benchmarks (Mathmatica) Latency: 30.2ms Bandwidth: 100Mbit/s pure writes reads + writes pure reads

File System Benchmarks (Modified Andrew Benchmark) Slow network: Latency: 30.2ms Bandwidth: 100Mbit/s

Customized Solutions Hardware requirements Demand Focused Performance Budget Connection PCIe x16 (P) / USB (S) USB Hash Engine 8 + 1 (Merkle) 0 + 1 (Merkle) Tree Cache large none Response Buffer 2 KB 300 B Estimated performance Demand Focused Performance Budget Randomly Write Randomly Read Throughput 2.4 GB/s 377 MB/s Latency 12.3 ms + 32 ms 2.7 ms + 32 ms Throughput Latency 2.4 GB/s 0.4 ms # HDDs supported 24 4

Customized Solutions Hardware requirements Demand Focused Performance Budget Connection PCIe x16 (P) / USB (S) USB Hash Engine 8 + 1 (Merkle) 0 + 1 (Merkle) Tree Cache large none Response Buffer 2 KB 300 B Estimated performance Demand Focused Performance Budget Randomly Write Randomly Read Throughput 2.4 GB/s 377 MB/s Latency 12.3 ms + 32 ms 2.7 ms + 32 ms Throughput Latency 2.4 GB/s 0.4 ms # HDDs supported 24 4 Single chip!

Conclusion We build an authenticated storage system Efficiently ensure data integrity and freshness Prevent unauthorized/replayed writes Can be recovered from accidentally/malicious crashes The system has 10% performance overhead on the network with 30 ms latency and 100 Mbit/s bandwidth We provide customized solutions With limited resources: single-chip solution With more hardware resources: two-chip solution

Thank You!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback