SeMiNAS: A Secure Middleware for Wide-Area Network-Attached Storage

Similar documents
Four Reasons To Start Working With NFSv4.1 Now

Distributed File System Choices: Red Hat Storage, GFS2 & pnfs

2012 Oracle Corporation

Benchmarking FreeBSD. Ivan Voras

Chapter 11 Distributed File Systems. Distributed File Systems

Network File System (NFS)

NFSv4.1 Server Protocol Compliance, Security, Performance and Scalability Testing - Implement RFC, Going Beyond POSIX Interop!

The Evolution of Cloud Storage - From "Disk Drive in the Sky" to "Storage Array in the Sky" Allen Samuels Co-founder & Chief Architect

Network File System (NFS) Pradipta De

Linux Powered Storage:

Taking Linux File and Storage Systems into the Future. Ric Wheeler Director Kernel File and Storage Team Red Hat, Incorporated

Network Attached Storage. Jinfeng Yang Oct/19/2015

Scala Storage Scale-Out Clustered Storage White Paper

A Virtual Filer for VMware s Virtual SAN A Maginatics and VMware Joint Partner Brief

Microsoft Exchange Server 2003 Deployment Considerations

We mean.network File System

Big data management with IBM General Parallel File System

Why is it a better NFS server for Enterprise NAS?

On- Prem MongoDB- as- a- Service Powered by the CumuLogic DBaaS Platform

PARALLELS CLOUD STORAGE

Violin: A Framework for Extensible Block-level Storage

Comparing the Network Performance of Windows File Sharing Environments

Quantum StorNext. Product Brief: Distributed LAN Client

Client-aware Cloud Storage

Repeater. BrowserStack Local. browserstack.com 1. BrowserStack Local makes a REST call using the user s access key to browserstack.

EMC ISILON AND ELEMENTAL SERVER

AIX NFS Client Performance Improvements for Databases on NAS

A Filesystem Layer Data Replication Method for Cloud Computing

Sun Storage Perspective & Lustre Architecture. Dr. Peter Braam VP Sun Microsystems

10th TF-Storage Meeting

Cisco Nexus 1000V Switch for Microsoft Hyper-V

Open Source, Scale-out clustered NAS using nfs-ganesha and GlusterFS

September 2009 Cloud Storage for Cloud Computing

Amazon Cloud Storage Options

An Open Source Wide-Area Distributed File System. Jeffrey Eric Altman jaltman *at* secure-endpoints *dot* com

Best practices for Implementing Lotus Domino in a Storage Area Network (SAN) Environment

Solaris For The Modern Data Center. Taking Advantage of Solaris 11 Features

Storage Sync for Hyper-V. Installation Guide for Microsoft Hyper-V

Security in Storage Networks A Current Perspective

How To Get To A Cloud Storage And Byod System

Next Generation Now: Red Hat Enterprise Linux 6 Virtualization A Unique Cloud Approach. Jeff Ruby Channel Manager jruby@redhat.com

Oracle Solaris Security: Mitigate Risk by Isolating Users, Applications, and Data

REQUIREMENTS LIVEBOX.

Sync Security and Privacy Brief

Enabling High performance Big Data platform with RDMA

IOmark- VDI. Nimbus Data Gemini Test Report: VDI a Test Report Date: 6, September

IP SAN Fundamentals: An Introduction to IP SANs and iscsi

NFSv4.1, the latest version of the NFS protocol, has improvements

Chapter 11: File System Implementation. Operating System Concepts with Java 8 th Edition

Burst Technology bt-loganalyzer SE

Chronicle: Capture and Analysis of NFS Workloads at Line Rate

How To Test The Multix File System Performance

Storage Virtualization in Cloud

Hyper-V over SMB Remote File Storage support in Windows Server 8 Hyper-V. Jose Barreto Principal Program Manager Microsoft Corporation

Eucalyptus User Console Guide

CS 416: Opera-ng Systems Design

WAN Optimization with Cisco s WAAS

DISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Cloud Computing WHAT IS CLOUD COMPUTING? 2

SMB in the Cloud David Disseldorp

Lecture 11. RFS A Network File System for Mobile Devices and the Cloud

Windows Server on WAAS: Reduce Branch-Office Cost and Complexity with WAN Optimization and Secure, Reliable Local IT Services

Datacenter Operating Systems

Web Technologies: RAMCloud and Fiz. John Ousterhout Stanford University

Memory Channel Storage ( M C S ) Demystified. Jerome McFarland

Cloud Storage. Parallels. Performance Benchmark Results. White Paper.

Cisco Application Networking for IBM WebSphere

Cisco Application Networking for BEA WebLogic

A Study of Application Performance with Non-Volatile Main Memory

Introduction to Highly Available NFS Server on scale out storage systems based on GlusterFS

Flexible Storage Allocation

ZooKeeper. Table of contents

Distributed Systems. REK s adaptation of Prof. Claypool s adaptation of Tanenbaum s Distributed Systems Chapter 1

SGFS: Secure, Flexible, and Policy-based Global File Sharing

Dell EqualLogic Best Practices Series

On Benchmarking Popular File Systems

Cloud Computing and Amazon Web Services

Microsoft SMB Running Over RDMA in Windows Server 8

Comparing SMB Direct 3.0 performance over RoCE, InfiniBand and Ethernet. September 2014

Diagram 1: Islands of storage across a digital broadcast workflow

VDI Optimization Real World Learnings. Russ Fellows, Evaluator Group

Load Balancer Comparison: a quantitative approach. a call for researchers ;)

Using Synology SSD Technology to Enhance System Performance Synology Inc.

TCP Offload Engines. As network interconnect speeds advance to Gigabit. Introduction to

InfiniBand Software and Protocols Enable Seamless Off-the-shelf Applications Deployment

<Insert Picture Here> Oracle Cloud Storage. Morana Kobal Butković Principal Sales Consultant Oracle Hrvatska

IOmark- VDI. HP HP ConvergedSystem 242- HC StoreVirtual Test Report: VDI- HC b Test Report Date: 27, April

Accelerating I/O- Intensive Applications in IT Infrastructure with Innodisk FlexiArray Flash Appliance. Alex Ho, Product Manager Innodisk Corporation

Encrypt-FS: A Versatile Cryptographic File System for Linux

Computer Science. About PaaS Security. Donghoon Kim Henry E. Schaffer Mladen A. Vouk

Maxta Storage Platform Enterprise Storage Re-defined

Transcription:

SeMiNAS: A Secure Middleware for Wide-Area Network-Attached Storage Ming Chen Erez Zadok {mchen, ezk}@cs.stonybrook.edu Arun O. Vasudevan aov@nutanix.com Kelong Wang kelong@dssd.com

Outline Ø Background & Motivation Design Implementation Evaluation Conclusions June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 2

Cloud Computing June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 3

Security Concerns of Cloud l Raised by cloud nature u Opaque & intangible u Multi-tenant u Large exploit surface u Complexity (buggy) l Intensified by high-profile incidents u Silent data corruption u Leak of intimate photos of celebrities u Leak of user accounts and credentials June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 4

Securing Cloud Storage WAN WAN Clients Office-1 LAN Untrusted Public Clouds New challenges: 1. Cost-efficiency despite high latency 2. Heterogeneous clients & clouds 3. Complex storage stack +++ Virt LAN Clients Office-2 Network stacks Cloud services FS (Unionfs, Overlayfs) Block (Device Mappers) Device (RAID, FTL) Net-Dist +++ June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 5

Outline þ Background & Motivation Ø Design Implementation Evaluation Conclusions June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 6

SeMiNAS Architecture NFSv4 LAN WAN SeMiNAS Clients Office-1 Clients Untrusted Public Clouds WAN SeMiNAS NFSv4 LAN Office-2 Clients Untrusted Public Cloud Benefits of a middleware: 1. Easy management (a few proxies vs. many clients) 2. Simple key distribution without trusted third parties 3. Fit well with WAN caching and firewalls June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 7

Why Use NFSv4? l Advantages over vendor-specific key-value stores u Open, pervasive, and standard POSIX-compliant and cross-platform interoperability Suffering less from data or vendor lock-in u Optimized for WAN Compound procedures Delegations u Richer semantics Simplify application development More optimizations: server-side copying, ADB l Advantages over older versions u Easier administration with a single port u More scalable with pnfs Amazon EFS u More secure with RPCSEC_GSS, ACL, and Labeled NFS June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 8

SeMiNAS Data Path LAN nfs_write(p ) Client 1 Client 2 nfs_read(): P Caching Layer Auth- Encrypt Layer Insert(P) <C, M> = AuthEncrypt(K, P) Lookup(): P <P, V> = AuthDecrypt(K, C, M) Persistent Cache SeMiNAS WAN write_plus(c, M) read_plus(): <C, M> Cloud June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 9

Meta-Data Management l Each SeMiNAS proxy has u Each proxy knows public keys of all proxies u Distributed via a secret channel or manually l Each file has a unique symmetric file key u Encrypted by master key pairs u Encrypt each block with GCM: l File layout: <SID, PubKey, PriKey> June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 10

NFSv4-Based Optimizations (1) l NFS Data-Integrity extensions NFS Client SeMiNAS LAN NFS Server WAN Alternatives Concatenate a block and its MAC as a separate file. Uses a separate file for all MACs of a file. Map a block to a larger block in cloud (16è20KB). Drawbacks Break close-toopen consistency Add extra I/O and disk seeks Waste space for small block sizes OS HBA Kernel Device June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 11

NFSv4-Based RPCs in Optimizations NFS (2) In NFSv3, every operation is implemented as an RPC NFSv4 supports compound procedures by which several operations can be grouped into a single RPC l Compound Better performance Procedures in wide area networks a) Reading data from a file in v3. b) Reading data using a compound procedure in v4. l SeMiNAS Compounds 1. Write header after creating a file 2. Read header after opening a file 3. Update header Naming before in NFS closing a dirty file 4. Read header when getting attributes NSF provides clients transparent access to a remote file system by letting a client mount (part of) a remote file system into its own local file system 5. Get attributes A sever can export a directory after (i.e., writing make a directory to and its a entries file available to clients) An exported directory can be mounted into a client s local name space June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 12 11

Outline þ Background & Motivation þ Design Ø Implementation Evaluation Conclusions June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 13

SeMiNAS Implementation l NFS-Ganesha: a user-land NFS server u File System Abstraction Layer (FSAL) back-ends u FSAL_VFS, FSAL_PROXY, and stackable FSALs SeMiNAS Proxy NFS Server NFS Frontend NFS Frontend FSAL_PCACHE FSAL_SECNFS FSAL_PROXY NFS-Ganesha WAN FSAL_VFS NFS-Ganesha Kernel OS / HBA June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 14

Extending DIX to NFS l Data Integrity extensions (DIX) in NFS u READ_PLUS u WRITE_PLUS June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 15

l Details Implementation Details u Added caching and security layers in NFS-Ganesha u Added support of multiple stackable layers u Extended DIX further to NFS u Cryptographic C++ library: cryptopp u Pass all applicable xfstests cases l Development efforts u 25 man-months of 3 graduate students over 3 years u Added 13,000 lines of C/C++ code to NFS-Ganesha u Fixed 11 NFS-Ganesha and 4 kernel bugs June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 16

Outline þ Background & Motivation þ Design þ Implementation Ø Evaluation Conclusions June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 17

Setup & Workloads l Experimental setup u Five NFS clients: 1G RAM; 6-core CPU; 10GbE NIC u SeMiNAS proxy: 64G RAM; 6-core CPU;10GbE NIC for LAN; 1GbE NIC for WAN; 200GB SSD for cache u Server: 64G RAM; 6-core CPU; 1GbE NIC; 20GB virtual SCSI DIX disk backed by RAM l Workloads Micro-Workloads Random file read/write File creation File deletion Filebench Workloads NFS Server Web Proxy Mail Server June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 18

Different R/W Ratios Normalized Speed (%) (%) Normalized Speed (%) (%) 120 120 100 100 80 80 60 60 40 30ms 40 30ms 20ms 20 20ms 20 10ms 10ms 01:5 1:4 1:3 1:2 1:1 2:1 3:1 4:1 5:1 1:5 1:4 1:3 write intensive Read-to-Write 1:2 1:1 Ratio 2:1 3:1 4:1 5:1 read intensive write intensive Read-to-Write Ratio read intensive (a) (a) Persistent Persistent Cache Cache (FSAL (FSAL PCACHE) PCACHE) Off Off 120 120 100 100 80 80 60 60 30ms 40 30ms 40 20ms 20ms 20 10ms 20 10ms 01:5 1:4 1:3 1:2 1:1 2:1 3:1 4:1 5:1 1:5 1:4 1:3 write intensive Read-to-Write 1:2 1:1 Ratio 2:1 3:1 4:1 5:1 write intensive Read-to-Write Ratio read read intensive intensive (b) (b) Persistent Persistent Cache Cache (FSAL (FSAL PCACHE) PCACHE) On On Figure 5. 5. Relative throughput of of SeMiNAS to tothe thebaseline June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 19-46%è+4% Throughput Throughput (Ops/Sec) (Ops/Sec) 80 80 60 60 40 40 20 20 0 0 Figure Figure7. 7. Thro -8%è+4% NFS NFSclient clientand file filecreations creationsan a headers) headers) togeth togeth The The number cause cause all all threa threa tween tweenthe theproxy alescing opport Nagle Nagleis isuseless requests are are co c

File-Creation Workload +35% l SeMiNAS makes file creation faster u TCP Nagle Algorithm u Multiple threads sharing one TCP connection u SeMiNAS write extra file headers June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 20

Filebench NFS-Server Workload l SeMiNAS performance penalty u 8 17% without cache u 18 26% with cache u Decreases as network delay increases June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 21

Filebench Web-Proxy Workload load, Throughput (Ops/Sec) 1000 800 600 400 200 0 0.001 0.01 0.1 1 10 Gamma Shape Parameter (log 10 ) (a) 10ms Network Delay 1000 800 600 400 200 baseline-nocache baseline-cache seminas-nocache seminas-cache 0 0.001 0.01 0.1 1 10 Gamma Shape Parameter (log 10 ) (b) 30ms Network Delay bes to eline ance tains Figure 9. Web-proxy results with different access patterns, one NFS client, and 100 threads. A larger value of the shape parameter means less locality in the access pattern. l SeMiNAS makes web-proxy u 4 6% slower without cache u 9 19% faster with cache (because of TCP Nagle) of the files, but varied the Gamma s shape parameter (k) to emulate access patterns with different degrees of locality. June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 22

Outline þ Background & Motivation þ Design þ Implementation þ Evaluation Ø Conclusions June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 23

Conclusions l We proposed SeMiNAS to secure cloud storage l We designed SeMiNAS to u Be a middleware u Take advantages of NFSv4 compounds, and u Data Integrity extensions l We implemented SeMiNAS based on u Add security stackable file-systems layers u Extend DIX to NFS l We evaluated SeMiNAS: u small performance penalty less than 26% u performance boost by up to 19% June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 24

Limitations & Future Work l Limitations u Not safe against replay attacks u Does not handle side-channel attacks l Future work u Efficiently detect replay attacks Avoid using expensive Merkle trees Synchronize file versions among proxies u File- and directory-name encryption u Transactional Compounds https://github.com/sbu-fsl/txn-compound June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 25

SeMiNAS: A Secure Middleware for Wide-Area Network-Attached Storage Ming Chen Erez Zadok {mchen, ezk}@cs.stonybrook.edu Q&A Arun O. Vasudevan aov@nutanix.com Kelong Wang kelong@dssd.com

Network File System (NFS) l An IETF standardized storage protocol l Provides transparent remote file access l Shares files over networks June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 27

l Benchmaster Methodology u Automate multiple runs of experiments u Launch workloads concurrently on clients u Periodically collect system statistics l Workloads u Data-intensive workloads u Metadata-intensive workloads u Delegation workloads u Filebench macro-workloads June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 28

Random Read/Write 1:1 Read-Write Ratio -10% -34% 5:1 Read-Write Ratio June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 1:5 Read-Write Ratio 29

File-Deletion Workload -18% l Caching makes file deletion slower u Introduce extra network round-trip u Remove cache upon unlink() l However, SeMiNAS does not make file deletion slower June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 30

SeMiNAS NFS NFS NFS NFS LAN WAN SeMiNAS Clients Office-1 Clients Untrusted Public Clouds WAN SeMiNAS LAN Office-2 Clients Untrusted Public Cloud u Goal: Securely and efficiently store and share files in cloud for geo-distributed organizations. u Approach: take advantages of new opportunities in NFSv4 and Data Integrity extensions (DIX). June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 31

Kurma Architecture June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 32

Kurma Components <BK, BV> 1 2 3 file system meta-data June 6, 2016 SeMiNAS (ACM SYSTOR 2016) 33

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information