SeMiNAS: A Secure Middleware for Wide-Area Network-Attached Storage

Transcription

1 SeMiNAS: A Secure Middleware for Wide-Area Network-Attached Storage Ming Chen Erez Zadok {mchen, ezk}@cs.stonybrook.edu Arun O. Vasudevan [email protected] Kelong Wang [email protected]

2 Outline Ø Background & Motivation Design Implementation Evaluation Conclusions June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 2

3 Cloud Computing June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 3

4 Security Concerns of Cloud l Raised by cloud nature u Opaque & intangible u Multi-tenant u Large exploit surface u Complexity (buggy) l Intensified by high-profile incidents u Silent data corruption u Leak of intimate photos of celebrities u Leak of user accounts and credentials June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 4

5 Securing Cloud Storage WAN WAN Clients Office-1 LAN Untrusted Public Clouds New challenges: 1. Cost-efficiency despite high latency 2. Heterogeneous clients & clouds 3. Complex storage stack +++ Virt LAN Clients Office-2 Network stacks Cloud services FS (Unionfs, Overlayfs) Block (Device Mappers) Device (RAID, FTL) Net-Dist +++ June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 5

6 Outline þ Background & Motivation Ø Design Implementation Evaluation Conclusions June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 6

7 SeMiNAS Architecture NFSv4 LAN WAN SeMiNAS Clients Office-1 Clients Untrusted Public Clouds WAN SeMiNAS NFSv4 LAN Office-2 Clients Untrusted Public Cloud Benefits of a middleware: 1. Easy management (a few proxies vs. many clients) 2. Simple key distribution without trusted third parties 3. Fit well with WAN caching and firewalls June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 7

8 Why Use NFSv4? l Advantages over vendor-specific key-value stores u Open, pervasive, and standard POSIX-compliant and cross-platform interoperability Suffering less from data or vendor lock-in u Optimized for WAN Compound procedures Delegations u Richer semantics Simplify application development More optimizations: server-side copying, ADB l Advantages over older versions u Easier administration with a single port u More scalable with pnfs Amazon EFS u More secure with RPCSEC_GSS, ACL, and Labeled NFS June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 8

9 SeMiNAS Data Path LAN nfs_write(p ) Client 1 Client 2 nfs_read(): P Caching Layer Auth- Encrypt Layer Insert(P) <C, M> = AuthEncrypt(K, P) Lookup(): P <P, V> = AuthDecrypt(K, C, M) Persistent Cache SeMiNAS WAN write_plus(c, M) read_plus(): <C, M> Cloud June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 9

10 Meta-Data Management l Each SeMiNAS proxy has u Each proxy knows public keys of all proxies u Distributed via a secret channel or manually l Each file has a unique symmetric file key u Encrypted by master key pairs u Encrypt each block with GCM: l File layout: <SID, PubKey, PriKey> June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 10

11 NFSv4-Based Optimizations (1) l NFS Data-Integrity extensions NFS Client SeMiNAS LAN NFS Server WAN Alternatives Concatenate a block and its MAC as a separate file. Uses a separate file for all MACs of a file. Map a block to a larger block in cloud (16è20KB). Drawbacks Break close-toopen consistency Add extra I/O and disk seeks Waste space for small block sizes OS HBA Kernel Device June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 11

12 NFSv4-Based RPCs in Optimizations NFS (2) In NFSv3, every operation is implemented as an RPC NFSv4 supports compound procedures by which several operations can be grouped into a single RPC l Compound Better performance Procedures in wide area networks a) Reading data from a file in v3. b) Reading data using a compound procedure in v4. l SeMiNAS Compounds 1. Write header after creating a file 2. Read header after opening a file 3. Update header Naming before in NFS closing a dirty file 4. Read header when getting attributes NSF provides clients transparent access to a remote file system by letting a client mount (part of) a remote file system into its own local file system 5. Get attributes A sever can export a directory after (i.e., writing make a directory to and its a entries file available to clients) An exported directory can be mounted into a client s local name space June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 12 11

13 Outline þ Background & Motivation þ Design Ø Implementation Evaluation Conclusions June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 13

14 SeMiNAS Implementation l NFS-Ganesha: a user-land NFS server u File System Abstraction Layer (FSAL) back-ends u FSAL_VFS, FSAL_PROXY, and stackable FSALs SeMiNAS Proxy NFS Server NFS Frontend NFS Frontend FSAL_PCACHE FSAL_SECNFS FSAL_PROXY NFS-Ganesha WAN FSAL_VFS NFS-Ganesha Kernel OS / HBA June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 14

15 Extending DIX to NFS l Data Integrity extensions (DIX) in NFS u READ_PLUS u WRITE_PLUS June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 15

16 l Details Implementation Details u Added caching and security layers in NFS-Ganesha u Added support of multiple stackable layers u Extended DIX further to NFS u Cryptographic C++ library: cryptopp u Pass all applicable xfstests cases l Development efforts u 25 man-months of 3 graduate students over 3 years u Added 13,000 lines of C/C++ code to NFS-Ganesha u Fixed 11 NFS-Ganesha and 4 kernel bugs June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 16

17 Outline þ Background & Motivation þ Design þ Implementation Ø Evaluation Conclusions June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 17

18 Setup & Workloads l Experimental setup u Five NFS clients: 1G RAM; 6-core CPU; 10GbE NIC u SeMiNAS proxy: 64G RAM; 6-core CPU;10GbE NIC for LAN; 1GbE NIC for WAN; 200GB SSD for cache u Server: 64G RAM; 6-core CPU; 1GbE NIC; 20GB virtual SCSI DIX disk backed by RAM l Workloads Micro-Workloads Random file read/write File creation File deletion Filebench Workloads NFS Server Web Proxy Mail Server June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 18

19 Different R/W Ratios Normalized Speed (%) (%) Normalized Speed (%) (%) ms 40 30ms 20ms 20 20ms 20 10ms 10ms 01:5 1:4 1:3 1:2 1:1 2:1 3:1 4:1 5:1 1:5 1:4 1:3 write intensive Read-to-Write 1:2 1:1 Ratio 2:1 3:1 4:1 5:1 read intensive write intensive Read-to-Write Ratio read intensive (a) (a) Persistent Persistent Cache Cache (FSAL (FSAL PCACHE) PCACHE) Off Off ms 40 30ms 40 20ms 20ms 20 10ms 20 10ms 01:5 1:4 1:3 1:2 1:1 2:1 3:1 4:1 5:1 1:5 1:4 1:3 write intensive Read-to-Write 1:2 1:1 Ratio 2:1 3:1 4:1 5:1 write intensive Read-to-Write Ratio read read intensive intensive (b) (b) Persistent Persistent Cache Cache (FSAL (FSAL PCACHE) PCACHE) On On Figure Relative throughput of of SeMiNAS to tothe thebaseline June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 19-46%è+4% Throughput Throughput (Ops/Sec) (Ops/Sec) Figure Figure7. 7. Thro -8%è+4% NFS NFSclient clientand file filecreations creationsan a headers) headers) togeth togeth The The number cause cause all all threa threa tween tweenthe theproxy alescing opport Nagle Nagleis isuseless requests are are co c

20 File-Creation Workload +35% l SeMiNAS makes file creation faster u TCP Nagle Algorithm u Multiple threads sharing one TCP connection u SeMiNAS write extra file headers June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 20

21 Filebench NFS-Server Workload l SeMiNAS performance penalty u 8 17% without cache u 18 26% with cache u Decreases as network delay increases June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 21

22 Filebench Web-Proxy Workload load, Throughput (Ops/Sec) Gamma Shape Parameter (log 10 ) (a) 10ms Network Delay baseline-nocache baseline-cache seminas-nocache seminas-cache Gamma Shape Parameter (log 10 ) (b) 30ms Network Delay bes to eline ance tains Figure 9. Web-proxy results with different access patterns, one NFS client, and 100 threads. A larger value of the shape parameter means less locality in the access pattern. l SeMiNAS makes web-proxy u 4 6% slower without cache u 9 19% faster with cache (because of TCP Nagle) of the files, but varied the Gamma s shape parameter (k) to emulate access patterns with different degrees of locality. June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 22

23 Outline þ Background & Motivation þ Design þ Implementation þ Evaluation Ø Conclusions June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 23

24 Conclusions l We proposed SeMiNAS to secure cloud storage l We designed SeMiNAS to u Be a middleware u Take advantages of NFSv4 compounds, and u Data Integrity extensions l We implemented SeMiNAS based on u Add security stackable file-systems layers u Extend DIX to NFS l We evaluated SeMiNAS: u small performance penalty less than 26% u performance boost by up to 19% June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 24

25 Limitations & Future Work l Limitations u Not safe against replay attacks u Does not handle side-channel attacks l Future work u Efficiently detect replay attacks Avoid using expensive Merkle trees Synchronize file versions among proxies u File- and directory-name encryption u Transactional Compounds June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 25

26 SeMiNAS: A Secure Middleware for Wide-Area Network-Attached Storage Ming Chen Erez Zadok {mchen, ezk}@cs.stonybrook.edu Q&A Arun O. Vasudevan [email protected] Kelong Wang [email protected]

27 Network File System (NFS) l An IETF standardized storage protocol l Provides transparent remote file access l Shares files over networks June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 27

28 l Benchmaster Methodology u Automate multiple runs of experiments u Launch workloads concurrently on clients u Periodically collect system statistics l Workloads u Data-intensive workloads u Metadata-intensive workloads u Delegation workloads u Filebench macro-workloads June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 28

29 Random Read/Write 1:1 Read-Write Ratio -10% -34% 5:1 Read-Write Ratio June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 1:5 Read-Write Ratio 29

30 File-Deletion Workload -18% l Caching makes file deletion slower u Introduce extra network round-trip u Remove cache upon unlink() l However, SeMiNAS does not make file deletion slower June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 30

31 SeMiNAS NFS NFS NFS NFS LAN WAN SeMiNAS Clients Office-1 Clients Untrusted Public Clouds WAN SeMiNAS LAN Office-2 Clients Untrusted Public Cloud u Goal: Securely and efficiently store and share files in cloud for geo-distributed organizations. u Approach: take advantages of new opportunities in NFSv4 and Data Integrity extensions (DIX). June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 31

32 Kurma Architecture June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 32

33 Kurma Components <BK, BV> file system meta-data June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 33