Securing Disk and Storage Systems

Storage systems in high-end computing environments face a variety of challenges. Each environment has unique security requirements, different data types may call for different protection mechanisms, and applications may have performance requirements that force tradeoffs. Security and performance are not orthogonal concerns: security mechanisms are typically inserted directly into the I/O path (e.g., cryptographic operations on every block), so they affect throughput and latency.

Disks are gaining computing power, and with the advent of devices such as hybrid hard drives that contain NVRAM for ancillary storage, a platform is now available for enforcing a tightly constrained security perimeter around sensitive data. In effect, modern disks can provide a smaller and more stable trusted computing base than the host operating system.

Rootkits are prevalent and difficult to defend against. They become even more dangerous when they persist across reboots; that is, when they are loaded as part of the boot process and can prevent patching or system repair. We have developed rootkit-resistant disks that use ancillary metadata to label critical blocks on the drive, such as system binaries and configuration files, as immutable. Labeled blocks may only be modified while a security token is physically attached to the disk controller. Because the immutability is enforced at the drive level, a compromised operating system cannot write a rootkit into these blocks, and so cannot install a rootkit that survives a reboot; removing the rootkit becomes a matter of rebooting the system. Note that unlabeled blocks (user data) remain writable, so the protection covers persistence, not every write a compromised host may make.
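The following toy model illustrates the write-path policy described above. It is an added example, not code from the rootkit-resistant disk project: the block numbers, the token label, and the labeling rule (a block written while a token is attached inherits that token's label) are assumptions made for illustration. The point it shows is that the check lives in the drive, so the outcome does not depend on how privileged the host OS issuing the request is.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Token:
    """Physical security token plugged directly into the disk controller."""
    label: str


@dataclass
class RRDisk:
    """Block store whose write path enforces immutability labels (assumed model)."""
    blocks: Dict[int, bytes] = field(default_factory=dict)  # block number -> contents
    labels: Dict[int, str] = field(default_factory=dict)    # block number -> label
    token: Optional[Token] = None                           # None: no token attached

    def attach_token(self, token: Token) -> None:
        self.token = token

    def detach_token(self) -> None:
        self.token = None

    def write(self, blk: int, data: bytes) -> bool:
        """Return True if the write was committed, False if the drive refused it.

        A labeled block is writable only while the token carrying the same
        label is attached. The check runs inside the drive, so it holds even
        when the host OS issuing the request is fully compromised.
        """
        label = self.labels.get(blk)
        if label is not None and (self.token is None or self.token.label != label):
            return False  # labeled block, matching token absent: immutable
        self.blocks[blk] = data
        if self.token is not None:
            self.labels[blk] = self.token.label  # assumed labeling rule
        return True

    def read(self, blk: int) -> Optional[bytes]:
        return self.blocks.get(blk)


def demo() -> dict:
    """Walk through install, compromise, and legitimate patching on one disk."""
    disk = RRDisk()
    admin = Token("install")                    # held by the administrator
    init_blk, conf_blk, user_blk = 10, 11, 500  # constructed block numbers

    # Initial install: token attached, so system binaries and configs get labeled.
    disk.attach_token(admin)
    disk.write(init_blk, b"clean /sbin/init")
    disk.write(conf_blk, b"clean /etc/rc.conf")
    disk.detach_token()

    # Normal operation: unlabeled user data remains writable without a token.
    user_ok = disk.write(user_blk, b"user document")

    # OS compromised: rootkit tries to replace init and persist across reboot.
    rootkit_init = disk.write(init_blk, b"rootkit-patched init")
    rootkit_conf = disk.write(conf_blk, b"load rootkit.ko")

    # A token with a different label (e.g. from another machine) does not unlock them.
    disk.attach_token(Token("other-host"))
    wrong_token = disk.write(init_blk, b"rootkit-patched init")
    disk.detach_token()

    # Legitimate patch: administrator attaches the matching token.
    disk.attach_token(admin)
    patch_ok = disk.write(init_blk, b"patched /sbin/init")
    disk.detach_token()

    return {
        "user_write": user_ok,
        "rootkit_init": rootkit_init,
        "rootkit_conf": rootkit_conf,
        "wrong_token": wrong_token,
        "patch": patch_ok,
        "init_after_reboot": disk.read(init_blk),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

In this model the rootkit's writes to the labeled blocks are refused while the user-data write succeeds; after the reboot the drive still serves the administrator's version of `/sbin/init`, which is what makes the reboot sufficient to evict the rootkit.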

In addition, we are investigating new policy architectures that meet security requirements, and evaluating performance optimizations in storage systems through architecture enhancements, security policies, protocol improvements, and cryptographic constructions. Our QDSL queueing model optimizes performance and Goodness of Service (e.g., response time, degree of offered security) subject to baseline security and power requirements.

For centralized storage solutions such as SAN or NAS, the iSCSI protocol is commonly used to access these remote storage services, and IPsec is relied upon to provide transport security. However, IPsec degrades network throughput substantially: in our measurements on the Linux 2.6 kernel with 8 KB packets, by 58% for AH and 74% for ESP. To reduce this degradation, we introduce lazy mechanisms that move cryptographic work off the storage server. With lazy decryption, data is stored encrypted on the server and only clients decrypt it, so the server never handles plaintext or performs decryption on the I/O path. With lazy authentication, verification of a block's integrity is deferred until the block is actually accessed and processed by the client, so blocks that are fetched (e.g., by readahead) but never used are never verified. The client must not act on a block's contents before that deferred check completes.
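The following example models the lazy authentication exchange described above. It is an added example, not the project's code: the key, block contents and block size are constructed for illustration, HMAC-SHA256 stands in for whatever MAC the real system uses, and the in-memory `StorageServer` replaces the iSCSI target. The server stores (data, tag) pairs verbatim and does no cryptographic work; the client checks the tag only on first access, and binds the tag to the logical block address so a valid block cannot be replayed at a different address.

```python
import hashlib
import hmac


class StorageServer:
    """Remote target that stores (data, tag) pairs verbatim.

    It performs no cryptographic work on the I/O path; io_ops only counts
    the raw block operations it served.
    """

    def __init__(self) -> None:
        self.blocks = {}
        self.io_ops = 0

    def store(self, lba: int, data: bytes, tag: bytes) -> None:
        self.io_ops += 1
        self.blocks[lba] = (data, tag)

    def fetch(self, lba: int):
        self.io_ops += 1
        return self.blocks[lba]


class LazyBlock:
    """Block handed back by a read; the MAC is checked on first access only."""

    def __init__(self, client, lba: int, data: bytes, tag: bytes) -> None:
        self._client, self.lba, self._data, self._tag = client, lba, data, tag
        self.verified = False

    def access(self) -> bytes:
        if not self.verified:
            self._client.verifications += 1
            expected = self._client.tag(self.lba, self._data)
            if not hmac.compare_digest(expected, self._tag):
                raise ValueError(f"block {self.lba}: authentication failed")
            self.verified = True
        return self._data


class LazyClient:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.verifications = 0  # deferred checks actually performed

    def tag(self, lba: int, data: bytes) -> bytes:
        # Bind the tag to the address so a block cannot be replayed at another LBA.
        return hmac.new(self.key, lba.to_bytes(8, "big") + data, hashlib.sha256).digest()

    def write(self, server: StorageServer, lba: int, data: bytes) -> None:
        server.store(lba, data, self.tag(lba, data))

    def read(self, server: StorageServer, lba: int) -> LazyBlock:
        data, tag = server.fetch(lba)
        return LazyBlock(self, lba, data, tag)


def demo() -> dict:
    key = b"constructed-example-key-not-for-real-use"  # constructed for the example
    server, client = StorageServer(), LazyClient(key)
    for lba in range(8):
        client.write(server, lba, f"block {lba} payload".encode())

    # Readahead fetches all 8 blocks, but the application only touches two,
    # so only two MAC verifications happen on the client and none on the server.
    fetched = [client.read(server, lba) for lba in range(8)]
    touched = [fetched[1].access(), fetched[6].access()]
    lazy_checks = client.verifications

    # Tampering on the server (or in transit) is caught when the block is used.
    data, tag = server.blocks[3]
    server.blocks[3] = (data[:-1] + b"!", tag)
    try:
        client.read(server, 3).access()
        tampered_detected = False
    except ValueError:
        tampered_detected = True

    # Replaying block 2's (data, tag) at LBA 4 fails because the tag binds the address.
    server.blocks[4] = server.blocks[2]
    try:
        client.read(server, 4).access()
        swap_detected = False
    except ValueError:
        swap_detected = True

    return {
        "lazy_checks": lazy_checks,
        "touched": touched,
        "tampered_detected": tampered_detected,
        "swap_detected": swap_detected,
        "server_io_ops": server.io_ops,
    }


if __name__ == "__main__":
    print(demo())
```

The deferred check is what saves work, but it also means a fetched-and-unverified block is untrusted until `access()` returns; any caching layer on the client should keep that distinction rather than treating the fetched bytes as validated.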

We are continuing to investigate policy and optimization alternatives, and performing detailed simulations and experiments to better understand the tradeoffs and challenges associated with storage system performance and security.

Related Publications

Kevin Butler, Stephen McLaughlin, and Patrick McDaniel. Kells: A Protection Framework for Portable Data. 26th Annual Computer Security Applications Conference (ACSAC), Austin, TX, USA. December 2010.

Kevin Butler, Stephen McLaughlin, and Patrick McDaniel. Rootkit-Resistant Disks. 15th ACM Conference on Computer and Communications Security (CCS'08), Alexandria, VA, October 2008. [Full Paper: pdf]

Shiva Chaitanya, Bhuvan Urgaonkar, and Anand Sivasubramaniam, QDSL: a queuing model for systems with differential service levels. SIGMETRICS Perform. Eval. Rev. 36, 1 (Jun. 2008), 289-300. [Full Paper: pdf]

Kevin Butler, Stephen McLaughlin, and Patrick McDaniel, Non-Volatile Memory and Disks: Avenues for Policy Architectures. First Computer Security Architecture Workshop (CSAW 2007), Alexandria, VA, November 2007. [Full Paper: pdf]

Shiva Chaitanya, Kevin Butler, Anand Sivasubramaniam, Patrick McDaniel, and Murali Vilayannur. Design, Implementation, and Evaluation of Security in iSCSI-Based Network Storage Systems. Second International Workshop on Storage Security and Survivability (StorageSS 2006), Alexandria, VA, October 2006. [Full Paper: pdf]