skip to main content
10.1145/1179559.1179565acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedingsconference-collections
Article

Scalable security for large, high performance storage systems

Published: 30 October 2006 Publication History

Abstract

New designs for petabyte-scale storage systems are now capable of transferring hundreds of gigabytes of data per second, but lack strong security. We propose a scalable and efficient protocol for security in high performance, object-based storage systems that reduces protocol overhead and eliminates bottlenecks, thus increasing performance without sacrificing security primitives. Our protocol enforces security using cryptographically secure capabilities, with three novel features that make them ideal for high performance workloads: a scheme for managing coarse grained capabilities, methods for describing client and file groups, and strict security control through capability lifetime extensions. By reducing the number of unique capabilities that must be generated, metadata server load is reduced. Combining and caching client verifications reduces client latencies and workload because metadata and data requests are more frequently serviced by cached capabilities. Strict access control is handled quickly and efficiently through short-lived capabilities and lifetime extensions.We have implemented a prototype of our security protocol and evaluated its performance and scalability using a high performance file system workload. Our numbers demonstrate the ability of our protocol to drastically reduce client security latency to nearly zero. Additionally, our approach improves MDS performance considerably, serving over 99% of all file access requests with cached capabilities. OSD scalability is greatly improved; our solution requires 95 times fewer capability verifications than previous solutions.

References

[1]
Aguilera, M.K., Ji, M., Lillibridge, M., MacCormick, J., Oertli, E., Andersen, D., Burrows, M., Mann, T., and Thekkath, C.A. Block-level security for network-attached disks. In Proceedings of the Second USENIX Conference on File and Storage Technologies (FAST) (San Francisco, CA, 2003), pp. 159--174.
[2]
Amer, A., Long, D.D.E., Pâris, J.-F., and Burns, R.C. File access prediction with adjustable accuracy. In Proceedings of the International Performance Conference on Computers and Communication (IPCCC '02) (Phoenix,Apr.2002), IEEE.
[3]
Azagury, A., Canetti, R., Factor, M., Halevi, S., Henis, E., Naor, D., Rinetzky, N., Rodeh, O., and Satran, J. A two layered approach for securing an object store network. In IEEE Security in Storage Workshop (2002), pp. 10--23.
[4]
Braam, P.J. The Lustre storage architecture. http://www.lustre.org/documentation.html,Cluster File Systems, Inc., Aug. 2004.
[5]
Factor, M., Nagle, D., Naor, D., Riedel, E., and Satran, J. The OSD security protocol. In Proceedings of the 3rd International IEEE Security in Storage Workshop (2005), pp. 29--39.
[6]
Gibson, G.A., Nagle, D.F., Amiri, K., Butler, J., Chang, F. W., Gobioff, H., Hardin, C., Riedel, E., Rochberg, D., and Zelenka, J. A cost-efective, high-bandwidth storage architecture. In Proceedings of the 8th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS) (San Jose, CA, Oct. 1998), pp. 92--103.
[7]
Gobioff, H. Security for a High Performance Commodity Storage Subsystem PhD thesis, Carnegie Mellon University, July 1999. Also available as Technical Report CMU-CS-99-160.
[8]
Merkle, R.C. Secrecy, authentication, and public key systems PhD thesis, Stanford University, 1979.
[9]
Oldfield, R.A., Maccabe, A.B., Arunagiri, S., Kordenbrock, T., Riesen, R., Ward, L., and Widener, P. Lightweight I/O for scientific applications. Tech. rep., Sandia National Laboratories, SAND2006-3057, May 2006.
[10]
Olson, C.A., and Miller, E.L. Secure capabilities for a petabyte-scale object-based distributed file system. In Proceedings of the 2005 ACM Workshop on Storage Security and Survivability (Fairfax, VA, Nov. 2005).
[11]
Panasas. http://www.panasas.com.
[12]
Reed, B.C., Chron, E.G., Burns, R.C., and Long, D.D.E. network-attached storage. IEEE Micro 20 1 (Jan. 2000),49--57.
[13]
Schwan, P. Lustre: Building a file system for 1000-node clusters. In Proceedings of the 2003 Linux Symposium (July 2003).
[14]
Singh, A., Gopisetty, S., Duyanovich, L., Voruganti, K., Pease, D., and Liu, L. Security vs performance: Tradeoffs using a trust framework. In Proceedings of the 22nd IEEE/13th NASA Goddard Conference on Mass Storage Systems and Technologies (2005).
[15]
Wang, F., Xin, Q., Hong, B., Brandt, S.A., Miller, E.L., Long, D.D.E., and McLarty, T.T. File system workload analysis for large scale scientific computing applications. In Proceedings of the 21st IEEE/12th NASA Goddard Conference on Mass Storage Systems and Technologies (College Park,MD, Apr. 2004), pp. 139--152.
[16]
Weil, S.A., Brandt, S.A., Miller, E.L., Long, D.D.E., and Maltzahn, C. Ceph: A scalable, high-performance distributed file system. In Proceedings of the 7th Symposium on Operating Systems Design and Implementation (OSDI) (Seattle, WA, Nov. 2006).
[17]
Weil, S.A., Brandt, S.A., Miller, E.L., and Maltzahn, C. CRUSH: Controlled, scalable, decentralized placement of replicated data. In Proceedings of the 2006 ACM/IEEE Conference on Supercomputing (SC '06) (Tampa, FL, Nov. 2006), ACM.

Cited By

View all
  • (2021)Formalization and Analysis of Ceph Using Process AlgebraIEICE Transactions on Information and Systems10.1587/transinf.2021EDP7070E104.D:12(2154-2163)Online publication date: 1-Dec-2021
  • (2020)An Integrated Indexing and Search Service for Distributed File SystemsIEEE Transactions on Parallel and Distributed Systems10.1109/TPDS.2020.299065631:10(2375-2391)Online publication date: 1-Oct-2020
  • (2018)How to Best Share a Big SecretProceedings of the 11th ACM International Systems and Storage Conference10.1145/3211890.3211896(76-88)Online publication date: 4-Jun-2018
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
StorageSS '06: Proceedings of the second ACM workshop on Storage security and survivability
October 2006
94 pages
ISBN:1595935525
DOI:10.1145/1179559
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 October 2006

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. capabilities
  2. object-based storage
  3. scalability

Qualifiers

  • Article

Conference

CCS06
Sponsor:

Upcoming Conference

CCS '25

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)9
  • Downloads (Last 6 weeks)2
Reflects downloads up to 16 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2021)Formalization and Analysis of Ceph Using Process AlgebraIEICE Transactions on Information and Systems10.1587/transinf.2021EDP7070E104.D:12(2154-2163)Online publication date: 1-Dec-2021
  • (2020)An Integrated Indexing and Search Service for Distributed File SystemsIEEE Transactions on Parallel and Distributed Systems10.1109/TPDS.2020.299065631:10(2375-2391)Online publication date: 1-Oct-2020
  • (2018)How to Best Share a Big SecretProceedings of the 11th ACM International Systems and Storage Conference10.1145/3211890.3211896(76-88)Online publication date: 4-Jun-2018
  • (2018)Password-based protection of clustered segments in distributed memory systemsJournal of Parallel and Distributed Computing10.1016/j.jpdc.2018.01.003115:C(29-40)Online publication date: 1-May-2018
  • (2018)Access right management by extended password capabilitiesInternational Journal of Information Security10.1007/s10207-017-0390-017:5(603-612)Online publication date: 1-Oct-2018
  • (2016)Authenticated Key Exchange Protocols for Parallel Network File SystemsIEEE Transactions on Parallel and Distributed Systems10.1109/TPDS.2015.238844727:1(92-105)Online publication date: 1-Jan-2016
  • (2016)Access control lists in password capability environmentsComputers and Security10.1016/j.cose.2016.08.00562:C(317-327)Online publication date: 1-Sep-2016
  • (2015)Password systemsComputers and Electrical Engineering10.1016/j.compeleceng.2015.02.01247:C(318-326)Online publication date: 1-Oct-2015
  • (2011)CaPaSInternational Journal of High Performance Systems Architecture10.1504/IJHPSA.2011.0455063:4(216-232)Online publication date: 1-Feb-2011
  • (2011)Employing Object-Based Storage Devices to Embed File Access Control in StorageIntelligent Automation & Soft Computing10.1080/10798587.2011.1064312917:1(1-11)Online publication date: Jan-2011
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media