Agile Survivable Store
PIs: Mustaque Ahamad, Douglas M. Blough, Wenke Lee and H. Venkateswaran
PhD Students: Prahlad Fogla, Lei Kong, Subbu Lakshmanan, Arun Subbiah
Motivation
• Secure and highly available storage of confidential and critical information
• Agility
• The "everyone is good" assumption gives better performance but is highly vulnerable to compromise by malicious entities
• Being paranoid at all times could severely limit performance or availability
• Support various types of security (e.g., confidentiality, availability and integrity)
• Allow security levels to be changed dynamically based on application needs or the perceived level of threat
Agile Store Architecture (diagram): clients with client intrusion detection, a security manager, the distributed store, and server fault detection.
Availability through Replication
• Objects are replicated on multiple servers
• Quorum techniques are used to improve performance over full replication
  • objects are written to a subset of servers (write quorum)
  • objects are read from a different subset of servers (read quorum)
  • every write quorum intersects every read quorum, so the most up-to-date copy is always among the responses to a read
  • background dissemination updates servers that were not part of a write quorum, giving the same availability as full replication
• Adaptive quorum protocols are being developed to allow system and quorum sizes to be changed dynamically
Confidentiality through Fragmentation (diagram): fragments f1, f2, f3 held on different servers; write along a row; read along a row; disseminate along a column; periodic share renewal.
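The slide shows an object split into fragments f1, f2, f3 with periodic share renewal but does not name the scheme. The following added example (not code from the presentation or the Agile Store project) realises the idea with Shamir secret sharing over a prime field: any k of the n fragments reconstruct the object, fewer reveal nothing about it, and renewal adds shares of a fresh zero-constant polynomial so that fragments captured before a renewal cannot be combined with fragments captured after it. The field size P, the function names and the sample record are assumptions for this example.

```python
"""Fragmentation with a recovery threshold and periodic share renewal.
Added illustration; not the Agile Store project's code. Shamir secret sharing
and zero-polynomial renewal are assumed here; the slides do not name a scheme."""
import secrets

P = 2**127 - 1          # prime field; an object must be encoded as an integer below P


def _poly_eval(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret: int, k: int, n: int, rng=None) -> dict:
    """Return n fragments {x: f(x)}; any k of them reconstruct the secret."""
    rng = rng or secrets.SystemRandom()
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(k - 1)]
    return {x: _poly_eval(coeffs, x) for x in range(1, n + 1)}


def reconstruct(shares: dict) -> int:
    """Lagrange interpolation at x = 0 over any k (or more) fragments."""
    total = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def renew(shares: dict, k: int, rng=None) -> dict:
    """Periodic share renewal: every server adds its share of a fresh random
    polynomial with constant term 0. The secret is unchanged, but old and new
    fragments no longer interpolate to it, so fragments leaked earlier are useless."""
    rng = rng or secrets.SystemRandom()
    zero_poly = [0] + [rng.randrange(P) for _ in range(k - 1)]
    return {x: (y + _poly_eval(zero_poly, x)) % P for x, y in shares.items()}


def split_bytes(data: bytes, k: int, n: int, rng=None) -> dict:
    """Encode a small byte string as a field element and fragment it."""
    return split(int.from_bytes(data, "big"), k, n, rng)


def reconstruct_bytes(shares: dict, length: int) -> bytes:
    """Inverse of split_bytes; the caller supplies the original length."""
    return reconstruct(shares).to_bytes(length, "big")


if __name__ == "__main__":
    record = b"payroll-2003"                              # constructed sample object
    frags = split_bytes(record, k=2, n=3)                 # f1, f2, f3 on three servers
    print(reconstruct_bytes({1: frags[1], 3: frags[3]}, len(record)))
    fresh = renew(frags, k=2)                             # periodic share renewal
    print(reconstruct_bytes({2: fresh[2], 3: fresh[3]}, len(record)))
```

In a deployment each fragment would live on one server of the column shown in the diagram, and the renewal step would be run by the servers jointly rather than by a single party holding all shares; the point the block makes is that reconstruction works from any k fragments of the same generation and fails across generations.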
Agility through Intrusion and Fault Detection
• Client profiling to detect suspicious client behavior
• Monitoring of quorum protocols to detect faulty or compromised servers
  • to interfere with the store, a server must deviate from the quorum protocols
  • deviation from the protocols causes the server to be detected as faulty
  • this forces compromised servers to behave correctly in order to escape detection
Architecture for Server Fault Detection (diagram): clients, the distributed store with proxy servers (P), and server fault detection.
Distribution of Up-To-Date Responses from a Correct Server (chart): write quorum size = 34, n = 50, random quorum selection.
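The quorum rules from the replication slide (write to a subset, read from an intersecting subset, disseminate in the background) and the parameters of this chart (n = 50, write quorum 34, random quorum selection), as an added example that is not code from the presentation or the Agile Store project. The `QuorumStore` class, its method names and the read quorum size 17 are assumptions; 17 is the smallest read quorum that still intersects a write quorum of 34 out of 50. `up_to_date_distribution` computes the hypergeometric distribution of how many members of a random read quorum were in the last write quorum, which is the quantity the chart title refers to.

```python
"""Quorum replication with versioned objects, and the distribution of
up-to-date responses under random quorum selection.
Added illustration; not the Agile Store project's code."""
import random
from math import comb


def quorums_intersect(n: int, w: int, r: int) -> bool:
    """Every write quorum of size w meets every read quorum of size r iff w + r > n."""
    return w + r > n


class QuorumStore:
    """n servers; each holds (version, value) per object key, version 0 = never written."""

    def __init__(self, n: int, w: int, r: int, seed: int = 0):
        if not quorums_intersect(n, w, r):
            raise ValueError("read and write quorums must intersect (need w + r > n)")
        self.n, self.w, self.r = n, w, r
        self.rng = random.Random(seed)          # deterministic quorum choice for the demo
        self.servers = [dict() for _ in range(n)]

    def read(self, key):
        """Read from a random read quorum; return the newest (version, value, quorum)."""
        quorum = self.rng.sample(range(self.n), self.r)
        version, value = 0, None
        for s in quorum:
            v, val = self.servers[s].get(key, (0, None))
            if v > version:
                version, value = v, val
        return version, value, quorum

    def write(self, key, value):
        """Take the next version from a read quorum, then write to a random write quorum."""
        version = self.read(key)[0] + 1          # intersection guarantees we saw the latest
        quorum = self.rng.sample(range(self.n), self.w)
        for s in quorum:
            self.servers[s][key] = (version, value)
        return version, quorum

    def disseminate(self, key):
        """Background dissemination: copy the newest version to every server."""
        newest = max((srv.get(key, (0, None)) for srv in self.servers), key=lambda t: t[0])
        if newest[0] == 0:
            return 0
        for srv in self.servers:
            srv[key] = newest
        return newest[0]

    def count_up_to_date(self, key):
        """How many servers hold the newest version (w right after a write, n after dissemination)."""
        newest = max(srv.get(key, (0, None))[0] for srv in self.servers)
        return sum(1 for srv in self.servers if srv.get(key, (0, None))[0] == newest)


def up_to_date_distribution(n: int, w: int, r: int) -> dict:
    """PMF of the number of members of a random read quorum (size r) that belong to
    the last write quorum (size w): hypergeometric, r draws without replacement."""
    lo, hi = max(0, r - (n - w)), min(w, r)
    return {k: comb(w, k) * comb(n - w, r - k) / comb(n, r) for k in range(lo, hi + 1)}


if __name__ == "__main__":
    store = QuorumStore(n=50, w=34, r=17)       # 34 + 17 = 51 > 50
    store.write("acct", "balance=100")
    store.write("acct", "balance=90")
    print(store.read("acct")[:2])                # (2, 'balance=90')
    print(store.count_up_to_date("acct"), store.disseminate("acct"), store.count_up_to_date("acct"))
    dist = up_to_date_distribution(50, 34, 17)
    print(min(dist), round(sum(k * p for k, p in dist.items()), 2))   # 1 11.56
```

With w = 34 and r = 17 the distribution has no mass at zero: a reader always gets at least one up-to-date response, and on average 17 * 34 / 50 = 11.56 of its 17 responses are current. Shrinking r below 17 makes the constructor raise, which is the check an adaptive quorum protocol must perform before it changes quorum sizes.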
Proposed Work: Prototype Filesystem Implementation (diagram): an application issues FS calls to the NFS client; the client agent sends metadata operations to the BFT metadata service and data operations to the data servers; together these form the Agile Store Service.
Proposed Work: Prototype Details
• Application interface
  • Standard POSIX file system calls
  • Extended API for applications that need flexible control
• Metadata service implemented by a Byzantine fault-tolerant state machine with a strong consistency model
• Data servers execute data operations and monitor the behavior of other data servers by acting as proxies
  • MAC used to prevent a faulty proxy server from tampering with data communication
Proposed Work: Prototype Details (cont.)
• Data access requests are authenticated and authorized individually by each server
• Access control managed at metadata servers and enforced by data servers
• All traffic through secure channels
• A simple Public Key Infrastructure used for key management
• Symmetric keys negotiated when necessary or periodically
• Data is fragmented and/or replicated (user-selectable)
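The two prototype slides above say that data operations pass through proxy data servers, that a MAC stops a faulty proxy from tampering with them, and that each server authenticates requests individually under a negotiated symmetric key. The following added example (not code from the presentation or the Agile Store project) shows that check end to end: a client tags a request with HMAC-SHA256 under a key shared with the data server, an honest proxy relays it unchanged, a faulty proxy rewrites the payload, and the server rejects the altered request and any replay. The message layout, the per-client sequence number, HMAC-SHA256 and the pre-shared key are assumptions; the slides leave key negotiation to the PKI and secure-channel layer.

```python
"""Authenticated data operations relayed through a proxy data server.
Added illustration; not the Agile Store project's code. Message format,
sequence-number replay check and HMAC-SHA256 are assumptions; the shared
key is taken as already negotiated."""
import hashlib
import hmac
import json


def tag(key: bytes, body: bytes) -> bytes:
    """MAC over the canonical request body."""
    return hmac.new(key, body, hashlib.sha256).digest()


def build_request(key: bytes, client: str, seq: int, op: str, obj: str, data: bytes) -> dict:
    """Client side: canonical JSON body plus its MAC. seq must increase per client."""
    body = json.dumps({"client": client, "seq": seq, "op": op, "obj": obj,
                       "data": data.hex()}, sort_keys=True).encode()
    return {"body": body, "tag": tag(key, body)}


class DataServer:
    """Holds one shared key per client; rejects forged, modified or replayed requests."""

    def __init__(self, keys: dict):
        self.keys = keys            # client name -> shared symmetric key
        self.last_seq = {}          # client name -> highest accepted sequence number
        self.objects = {}           # obj name -> bytes

    def handle(self, req: dict) -> str:
        fields = json.loads(req["body"])
        key = self.keys.get(fields["client"])
        if key is None:
            return "rejected: unknown client"
        # constant-time comparison; a proxy that edited the body cannot fix the tag
        if not hmac.compare_digest(tag(key, req["body"]), req["tag"]):
            return "rejected: bad MAC"
        # sequence check runs only after the MAC check, so a forged request
        # cannot advance the counter and block the client's genuine one
        if fields["seq"] <= self.last_seq.get(fields["client"], 0):
            return "rejected: stale sequence"
        self.last_seq[fields["client"]] = fields["seq"]
        if fields["op"] == "write":
            self.objects[fields["obj"]] = bytes.fromhex(fields["data"])
            return "ok"
        if fields["op"] == "read":
            return "ok: " + self.objects.get(fields["obj"], b"").hex()
        return "rejected: unknown op"


def honest_proxy(req: dict) -> dict:
    """A correct proxy relays the request unchanged (it may also record it for fault detection)."""
    return dict(req)


def faulty_proxy(req: dict) -> dict:
    """A faulty proxy rewrites the payload but, lacking the key, must reuse the old tag."""
    fields = json.loads(req["body"])
    fields["data"] = b"tampered".hex()
    return {"body": json.dumps(fields, sort_keys=True).encode(), "tag": req["tag"]}


if __name__ == "__main__":
    key = b"\x11" * 32                                    # constructed shared key
    server = DataServer({"alice": key})
    req = build_request(key, "alice", 1, "write", "acct", b"balance=100")
    print(server.handle(honest_proxy(req)))                # ok
    print(server.handle(faulty_proxy(req)))                # rejected: bad MAC
    print(server.handle(honest_proxy(req)))                # rejected: stale sequence
```

Because every data server verifies the tag itself, the check does not depend on which proxy relayed the request, which is what lets proxies monitor each other without becoming a point of trust.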
Deliverables and Milestones
• Initial agile filesystem prototype (crypto infrastructure, replication, fragmentation, basic read/write protocols): Summer 2003
• Full prototype (initial prototype + intrusion/fault detection and reconfiguration): December 2003