DOI: 10.1145/1272996.1273018

Secure file system versioning at the block level

Published: 21 March 2007

ABSTRACT

In typical file systems, valuable data is vulnerable to being accidentally or maliciously deleted or overwritten. Versioning file systems protect data from accidents by transparently retaining old versions, but do less well in protecting data from malicious attack. These systems remain vulnerable to attackers who gain unauthorized access to prune old file versions, who bypass the file system to directly manipulate storage, or who exploit bugs in any part of the operating system.

This paper presents VDisk, a secure, block-level versioning system that adds file-grain versioning to a standard, unmodified file system. VDisk consists of a set of untrusted user-mode tools and a trusted, secure kernel implemented within an isolated Xen virtual machine domain. The secure kernel is designed to be simple and thus trustworthy. This kernel logs file-system updates to a secure log, exports a read-only view of the log to the rest of the system, and securely removes unwanted versions from the log. Secure cleaning is implemented in two levels. An untrusted, user-mode cleaner selects log entries for reclamation and submits cleaning requests to the trusted VDisk kernel along with a proof that the request satisfies the device's version-retention policy. The secure kernel verifies the proof and updates the log.
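The two-level cleaning design above (an untrusted cleaner proposes, a trusted log verifies a proof against the retention policy before mutating anything) is the part a practitioner is most likely to want to see concretely. The following is an added example written for this page, not VDisk's code: the retention policy (a version is reclaimable only when it is at least `min_age` old and a newer version of the same block remains in the log), the proof format (each victim entry cites the sequence number of a newer retained entry for the same block), and the names `SecureLog`, `CleanRequest`, `propose_cleaning` and `demo` are all assumptions for illustration. The point it demonstrates is that the trusted side never relies on the cleaner's judgement: it re-checks every claim, rejects the whole request on the first failure, and only then deletes.

```python
# Added illustration of VDisk's two-level cleaning pattern (not VDisk code).
# Assumed policy: a version may be reclaimed only when it is at least
# min_age old and a newer version of the same block stays in the log.
# Assumed proof format: each victim cites the seq of a newer retained entry.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LogEntry:
    seq: int      # monotone sequence number assigned by the trusted log
    block: int    # block address whose superseded contents this entry keeps
    ts: int       # time of the write that produced this version
    data: bytes


@dataclass(frozen=True)
class RetentionPolicy:
    min_age: int  # entries younger than this are never reclaimable


@dataclass(frozen=True)
class CleanRequest:
    # (victim_seq, successor_seq): the cleaner's claim that successor_seq is
    # a newer version of the same block and will survive this cleaning.
    victims: Tuple[Tuple[int, int], ...]


class SecureLog:
    """Trusted side: the only code that may mutate the log."""

    def __init__(self, policy: RetentionPolicy) -> None:
        self._policy = policy
        self._entries: Dict[int, LogEntry] = {}
        self._next_seq = 1

    def append(self, block: int, ts: int, data: bytes) -> int:
        seq = self._next_seq
        self._next_seq += 1
        self._entries[seq] = LogEntry(seq, block, ts, data)
        return seq

    def view(self) -> Tuple[LogEntry, ...]:
        """Read-only export to the untrusted side: immutable entries by seq."""
        return tuple(self._entries[s] for s in sorted(self._entries))

    def reclaim(self, req: CleanRequest, now: int) -> List[int]:
        """Check every claim in the proof before touching anything; any
        failure rejects the whole request and leaves the log unchanged."""
        victim_set = {v for v, _ in req.victims}
        if len(victim_set) != len(req.victims):
            raise ValueError("duplicate victim in request")
        for victim_seq, succ_seq in req.victims:
            victim = self._entries.get(victim_seq)
            succ = self._entries.get(succ_seq)
            if victim is None or succ is None:
                raise ValueError(f"unknown entry in ({victim_seq}, {succ_seq})")
            if succ.block != victim.block or succ.seq <= victim.seq:
                raise ValueError(f"{succ_seq} does not supersede {victim_seq}")
            if succ_seq in victim_set:
                raise ValueError(f"successor {succ_seq} is itself a victim")
            if now - victim.ts < self._policy.min_age:
                raise ValueError(f"{victim_seq} is younger than min_age")
        for victim_seq in victim_set:
            del self._entries[victim_seq]
        return sorted(victim_set)


def propose_cleaning(view: Tuple[LogEntry, ...], policy: RetentionPolicy,
                     now: int) -> CleanRequest:
    """Untrusted side: any selection is allowed; a compliant one reclaims every
    old-enough version that is not the newest for its block, citing the newest
    (which it never selects). A buggy or hostile cleaner is caught by reclaim()."""
    newest: Dict[int, int] = {}
    for e in view:                       # view is ordered by seq
        newest[e.block] = e.seq
    victims = [(e.seq, newest[e.block]) for e in view
               if e.seq != newest[e.block] and now - e.ts >= policy.min_age]
    return CleanRequest(tuple(victims))


def demo() -> Tuple[List[int], List[int]]:
    """Constructed sample: block 7 written three times, block 9 once."""
    policy = RetentionPolicy(min_age=3600)
    log = SecureLog(policy)
    log.append(7, ts=0, data=b"v1")       # seq 1: old, superseded -> reclaimable
    log.append(9, ts=10, data=b"only")    # seq 2: newest for block 9 -> kept
    log.append(7, ts=100, data=b"v2")     # seq 3: old, superseded -> reclaimable
    log.append(7, ts=9000, data=b"v3")    # seq 4: newest for block 7 -> kept
    now = 10000
    reclaimed = log.reclaim(propose_cleaning(log.view(), policy, now), now)
    remaining = [e.seq for e in log.view()]
    return reclaimed, remaining           # ([1, 3], [2, 4])
```

The design choice worth noting is that the trusted side's checks are independent of how the cleaner was written: a request that tries to delete a block's newest version, cites a successor that is itself being deleted, cites an entry from a different block, or names an entry younger than the policy allows is refused with the log untouched. That is what lets the cleaner, with all its policy heuristics, stay outside the trusted computing base.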


Published in

EuroSys '07: Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007, March 2007, 431 pages. ISBN: 9781595936363. DOI: 10.1145/1272996

Also in ACM SIGOPS Operating Systems Review, Volume 41, Issue 3 (EuroSys'07 Conference Proceedings), June 2007, 386 pages. ISSN: 0163-5980. DOI: 10.1145/1272998

          Copyright © 2007 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

          Publisher

          Association for Computing Machinery

          New York, NY, United States
