Efficient Proactive Security for Sensitive Data Storage
Arun Subbiah
Douglas M. Blough
School of ECE, Georgia Tech
{arun, dblough}@ece.gatech.edu
Efficient Proactive Security for Sensitive Data StorageArun Subbiah, Douglas M. Blough {arun, dblough}@ece.gatech.edu
[Figure: Distributed Data Storage System. Autonomic: detect failures, repair. Proactive: periodic refresh.]
Autonomic / self-healing / adaptive
– Detect storage node failure / compromise, then repair
Proactive security and fault-tolerance
– Refresh and renew, don't rely on failure detector
Failure Detector for Byzantine Quorum Systems
Integrated into a distributed filesystem prototype
L. Kong, A. Subbiah, M. Ahamad, and D. M. Blough, "A Reconfigurable Byzantine Quorum Approach for the Agile Store," SRDS 2003
L. Kong, D. J. Manohar, A. Subbiah, M. Sun, M. Ahamad, and D. M. Blough, "Agile Store: Experience with Quorum-Based Data Replication Techniques for Adaptive Byzantine Fault Tolerance," SRDS 2005
[Figure labels: FD (five instances), Diagnosis Server, Byzantine Quorum System, Users]
Failure Detector Performance in Byzantine Quorum Systems
[Plot; axis labels: Probability of detection, p_bad]
Proactive Security – Integrity and Confidentiality Protection
[Figure labels: SVR1, SVR2, SVR3; Time Interval 1, Time Interval 2, Time Interval 3, Time Interval 4]
Proactive Security – Confidentiality Protection
Data storage using perfect secret sharing
Problem: Perfect secret sharing schemes have high computation overhead; do not scale with large amounts of data
Solution: The GridSharing Framework: Use XOR and replication
A. Subbiah and D. M. Blough, "An Approach for Fault Tolerant and Secure Data Storage in Collaborative Work Environments," Workshop on Storage Security and Survivability, ACM CCS, 2005
Computation Overheads for Perfect Secret Sharing
Verifiable secret sharing: Feldman's scheme with Shamir's scheme
– Computation times during encoding and decoding over 700 ms
• For any 3 out of 5 shares scheme
Compare with AES (Rijndael) symmetric key encryption
– Encryption and decryption times approx. 205 μs
Perfect secret sharing is over 3000 times slower than symmetric-key encryption
The GridSharing framework: < 1 ms
Computation times for an 8 KB data block on a Pentium 4 3GHz computer.
Proactive Security – Integrity Protection
Each server periodically checks the integrity of its stored data with other servers.
Repair if any corruptions are detected.
Assume metadata is replicated at all servers
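An added sketch, not code from the slides or from the GridSharing paper, of the two ideas named above: XOR-based sharing with replication for confidentiality, and a periodic integrity check with repair. The one-row-per-share layout, the SHA-256 majority vote among replicas and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from collections import Counter

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split(secret: bytes, n: int) -> list[bytes]:
    """n-of-n XOR sharing: n-1 random pads, last share = secret XOR all pads.
    Any n-1 shares are uniformly random and reveal nothing about the secret."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]

def combine(shares: list[bytes]) -> bytes:
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out

def store(secret: bytes, n: int, replicas: int) -> list[list[bytes]]:
    """Assumed layout: row i holds `replicas` copies of share i,
    each copy standing for a different storage server."""
    return [[s] * replicas for s in split(secret, n)]

def check_and_repair(grid: list[list[bytes]]) -> int:
    """Periodic integrity pass: within each row compare digests, treat the
    strict-majority copy as correct and overwrite the others.
    Returns the number of replicas repaired."""
    repaired = 0
    for row in grid:
        digests = [hashlib.sha256(c).digest() for c in row]
        winner, votes = Counter(digests).most_common(1)[0]
        if votes <= len(row) // 2:
            raise ValueError("no majority among replicas; cannot repair")
        good = row[digests.index(winner)]
        for i, d in enumerate(digests):
            if d != winner:
                row[i] = good
                repaired += 1
    return repaired

def recover(grid: list[list[bytes]]) -> bytes:
    """Repair first, then XOR one copy of every share together."""
    check_and_repair(grid)
    return combine([row[0] for row in grid])
```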
A Proactively-Secure Document Store
Users upload / download encrypted documents.
Documents stored at all the servers.
Experiments run on the Emulab cluster (http://www.emulab.net).
[Figure labels: Users, 100 Mbps LAN, 1 Gbps LAN, Time Interval Marker, Diagnosis Server]
All machines: 3 GHz, 64-bit Xeon, 2 GB RAM, 146 GB hard disk
Throughput Measurement
Storage Repair Rate
PhD Work
Byzantine-fault detection algorithms
– Integrated with Reconfigurable Quorums to give Agile Store.
Coding techniques for distributed storage
– First secret sharing technique that scales with large amounts of data.
Protocol design for integrity and confidentiality protection
Prototype implementation and performance evaluation
– First practical proactively-secure data store.
– Scales to 100s GB of data.
More info: http://www.arunsubbiah.com