Securing Disk and Storage Systems
Storage systems in high-end computing environments face a variety of challenges. Each environment has unique security requirements, data types may require different mechanisms, and applications may have performance requirements that necessitate tradeoffs. However, security and performance are not orthogonal concerns, as security is often introduced across I/O paths (e.g., due to cryptographic operations). We are investigating new policy architectures that meet security requirements, and evaluating performance optimizations in storage systems through architecture enhancements, security policies, protocol improvements, and cryptographic constructions.

With hybrid hard drives that contain both magnetic spinning disks and non-volatile flash memory, we can use NVRAM as a repository for security metadata and use on-disk processing capabilities for storage-level policy enforcement. By using integrity sets consisting of several disk blocks, we can trade off NVRAM storage against disk performance, a tradeoff that is helped by the spatial locality of information on disks.

For centralized storage solutions such as SAN or NAS, the iSCSI protocol is often used to retrieve information from these remote storage services, and IPsec is relied upon to provide transport security. However, IPsec degrades network throughput, by 58% for AH and 74% for ESP with the Linux 2.6 kernel and 8 KB packet sizes. To reduce this degradation, we introduce lazy mechanisms that reduce server loads. With lazy decryption, encrypted data is stored on the server and only clients decrypt it, while with lazy authentication, authentication of the data is delayed until it is accessed and processed by the client.

We are continuing to investigate policy and optimization alternatives and performing detailed simulations and experiments to better understand the tradeoffs and challenges associated with storage system performance and security.
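The integrity-set tradeoff described above can be made concrete with a small model. This is an added example, not code from the project or its papers; the class and function names, the 4 KB block size, and the use of HMAC-SHA256 as the per-set integrity value are all assumptions made for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 4096  # assumed block size
MAC_LEN = 32       # HMAC-SHA256 output; the MAC choice is an assumption

class IntegrityError(Exception):
    pass

class IntegritySetDisk:
    """Toy disk: `blocks` models the platters, `nvram` holds one MAC per integrity set."""

    def __init__(self, num_blocks, set_size, key):
        self.blocks = [bytes(BLOCK_SIZE)] * num_blocks
        self.set_size, self.key = set_size, key
        self.blocks_read = 0  # platter reads, the performance side of the tradeoff
        num_sets = -(-num_blocks // set_size)  # ceiling division
        self.nvram = {s: self._mac(s) for s in range(num_sets)}

    def _mac(self, s):
        # Bind the set index into the MAC so sets cannot be swapped for one another.
        h = hmac.new(self.key, s.to_bytes(8, "big"), hashlib.sha256)
        start = s * self.set_size
        for block in self.blocks[start:start + self.set_size]:
            self.blocks_read += 1
            h.update(block)
        return h.digest()

    def write(self, i, data):
        if len(data) != BLOCK_SIZE:
            raise ValueError("data must be exactly one block")
        self.blocks[i] = data
        self.nvram[i // self.set_size] = self._mac(i // self.set_size)

    def read(self, i):
        # Verifying one block means re-reading its whole set; spatial locality
        # keeps that cheap when the set's blocks are adjacent on disk.
        s = i // self.set_size
        if not hmac.compare_digest(self._mac(s), self.nvram[s]):
            raise IntegrityError(f"integrity set {s} failed verification")
        return self.blocks[i]

def tradeoff(set_size, num_blocks=64):
    """Return (NVRAM bytes for MACs, platter reads per verified block read)."""
    disk = IntegritySetDisk(num_blocks, set_size, key=b"constructed-demo-key")
    disk.blocks_read = 0
    disk.read(0)
    return len(disk.nvram) * MAC_LEN, disk.blocks_read
```

Calling `tradeoff` with a larger set size shows NVRAM use shrinking in proportion while the number of blocks read per verified access grows by the same factor.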
Related Publications

Kevin Butler, Steven McLaughlin, and Patrick McDaniel, Non-Volatile Memory and Disks: Avenues for Policy Architectures. First Computer Security Architecture Workshop (CSAW 2007), Alexandria, VA, November 2007. To appear.

Shiva Chaitanya, Kevin Butler, Anand Sivasubramaniam, Patrick McDaniel, and Murali Vilayannur, Design, Implementation, and Evaluation of Security in iSCSI-Based Network Storage Systems. Second International Workshop on Storage Security and Survivability (StorageSS 2006), Alexandria, VA, October 2006.

Copyright 2008 SIIS Lab