Académique Documents
Professionnel Documents
Culture Documents
I NTRODUCTION
Security Goals
Applications
VFSP
DiskFormatter
PFS
Filesystem
Stack
change_acl()
change_owner()
Kernel
FSLoader
DDb
i/o &
DMA
read()
write()
mmap()
Driver
Support
Shared
Memory
CacheMgr
change_acl()
Authorization
Disk
IPC
Disk
Limitations
FSDr
PolicyMgr
Hardware
1.2
Client P
D ESIGN
AND I MPLEMENTATION OF
PFS
Filesystem drivers manage file and directory metadata. A single component implementing all filesystem
drivers would need to hold privileges to access blocks
in every disk partition. PFS instead defines a separate, isolated component FSDr to execute filesystem
driver code for a single disk partition r. Initially,
when partition r is first created, PolicyMgr designates
FSDr as owner of all blocks within r. Later, when
an application process P creates or enlarges a file,
VFS Components
Credentials-based Authorization
E VALUATION
PFS/-Nexus
UFS/-Nexus
KFS/-Nexus
Ext2:Fuse/Linux
FAT32/Linux
decomposed, user-mode
monolithic, user-mode
monolithic, kernel-mode
monolithic, user-mode
monolithic, kernel-mode
Kernel-mode
Sh. mem.
DDRM
User-mode
Driver lib.
SATA driver
FAT32 driver
VFS layer
PolicyMgr
Misc.
Kernel-mode
Sh. mem.
DDRM
User-mode
Driver lib.
SATA driver
FAT32 driver
VFS layer
PolicyMgr
Misc
Kernel-mode
Sh. mem.
SATA driver
FAT32 driver
VFS layer
PolicyMgr
Misc.
User-mode
n/a
Kernel-mode
Block layer
Fuse layer
VFS layer
Partitions
ACLs
Common
User-mode
Fuse layer
Ext2 driver
Kernel-mode
Block layer
FAT32 driver
VFS layer
Partitions
ACLs
Common
User-mode
n/a
1,900
4,658
49,839
28,216
7,230
1,915
2,267
4,562
1,713
4,594
49,839
28,029
6,442
771
1,689
4,081
1,673
28,029
6,442
771
1,689
4,081
0
11,051
4,908
4,796
3,658
504
31,348
3,341
28,728
11,051
5,304
4,796
3,658
504
31,348
0
Total Contributions
All code
100,587
TCB for DAC
8,825
TCB for isolation 6,558
Total Contributions
All code
97,159
TCB for DAC
97,159
TCB for isolation 6,311
Total Contributions
All code
42,685
TCB for DAC
42,685
TCB for isolation 42,685
Total Contributions
All code
88,334
TCB for DAC
88,334
TCB for isolation 56,265
Total Contributions
All code
56,661
TCB for DAC
56,661
TCB for isolation 56,661
(a)
(b)
(c)
(d)
(e)
Fig. 2. Lines of code for PFS (a) and two alternative designs, UFS (b) and KFS (c), including related -Nexus
code, for Ext2 with Fuse on Linux (d), and for FAT32 on Linux (e). Totals indicate lines of code contributed to
TCBs for two security goals. KFS counts are estimates. Linux counts exclude disk driver code.
so it would no doubt succumb to even a modest redteam attack. Moreover, such an exercise would mostly
shed light on insecure coding practices rather than on
the consequences of instantiating security principles
in the design of a filesystem. So we instead examine
TCB sizes, believing this to be a more useful way to
gauge the utility of the PFS approach to implementing
a filesystem stack.
Figure ?? details the overall size of the code base
for PFS and four alternative filesystems:
UFS, a monolithic user-mode implementation
that places all filesystem code in a single component executing as a process above the -Nexus
kernel.
KFS, a monolithic kernel-mode design that places
all filesystem code within the -Nexus kernel.
Because -Nexus does not support kernel-mode
drivers, we did not implement this design but instead made estimates based on the size of various
components within PFS and UFS.
Ext2:Fuse, a monolithic user-mode implementation based on Fuse [?] and running on Linux. We
used Ext2 here because a suitable FAT32 driver
was not available for Fuse.
FAT32, a monolithic kernel-mode implementation
of FAT32 for Linux.
In all cases, we include only code relating to the
filesystem and exclude the bulk of the kernel and operating system code base. For Linux, we also excluded
disk driver code since it always executes within the
Linux kernel, even for user-mode Fuse filesystems.1
1. The selection criteria we used is admittedly subjective, but was
intended to clarify the impact of design decisions and minimize
artifacts. For example, if we had counted disk driver code for Linux,
as we did for -Nexus, all Linux code bases and TCBs would
appear larger by a constant amount and, consequently, it would
exaggerate the benefits of PFS.
Performance
48.5 ms
open/close latency
enumerate latency
read latency
read throughput
0.0
17.4 s
3.4 s
59.0 ms
6.7 ms
1.0 s
uncached
46 MB/s
3560 MB/s
1.0
2.0
cached
3.0
4.0
5.0
6.0
4 R ELATED W ORK
Prior work considers how to design and implement
secure filesystems using a variety of approaches. It is
instructive to classify these approaches according to
the degree of trust required between various principals that comprise and use the filesystem, e.g. users,
programs, local disks, or remote storage services.
Untrusted local disks: Many filesystems (e.g. [?],
[?]) use cryptography within the kernel or in
separate process to protect against theft of locally
installed disks. Typically, all such filesystem code
is in the TCB for DAC enforcement. Note that the
system may implicitly trust local disks even if the
filesystem does not explicitly do so. A disk with
compromised firmware, for example, may have
direct hardware access to system memory.
Untrusted remote storage: Data can be encrypted
before storing it remotely [?], [?], [?], [?], [?].
Consequently, the remote storage service holds
few privileges beyond the ability to deny service,
removing it from TCBs for isolation and enforcing
DAC. If part of the filesystem stack executes
as a process or library, or if local kernel-mode
disk drivers are eliminated, then TCBs are further
reduced.
Untrusted programs: Filesystem writes can be
selectively suppressed [?] or audited [?] to addresses the threat posed by programs that users
do not fully trust.
CFS [?], pStore [?], TrustedDB [?], and VPFS [?]
use cryptographic approaches to protect the confidentiality and integrity of data stored on behalf of
Taos [?] was pioneering in its use of an expressive logic to support authorization with fine-grained
principals, and the Echo filesystem it hosted built on
that support to great effect. It is not surprising then
that -Nexus primitives on which PFS relies resemble
those provided by Taos: authenticated IPC channels,
support for delegation, and a shared cache in which
applications can store validated credentials.
Outside of filesystems, the principles guiding the
design of PFS are well known, if not always followed, yet they can still be controversial. As just
one example, Bernstein [?] uses Qmail to highlight
the benefits of minimizing TCBs. Actually, PFS has
an internal structure similar to Qmail: functionality
is decomposed across numerous fine-grained components, components are mutually suspicious of each
other and hold as few privileges as possible, and
guards are located on the communications channels
between components. But Bernstein also argues that
Least Privilege is fundamentally wrong since it is
often taken as a prescription to (i) identify existing
components of the system, (ii) enumerate all privileges those components hold, then (iii) successively
remove privileges so long as the system continues
to function. Unsurprisingly, trustworthiness is not the
outcome.
We take Least Privilege as a mandate to guide the
decomposition of a system so that security-critical
privileges are held by few (and small) components.
While we hope that our experience instantiating Least
Privilege and other security principles in the design
of PFS will transfer to other systems, our approach
required domain-specific knowledge to decide how
to best decompose the filesystem stack. In addition
to manual techniques, Buyens et al. [?] discuss a
variety of partially-automated program-restructuring
techniques for decomposing systems into sets of lessprivileged components.
At a more fundamental level, Smith and Marchesini [?] argue that the model of subjects, objects, and
privileges, upon which both Mutual Suspicion and
Least Privilege rest, may no longer be adequate: is a
text file or a Web page an inactive object that is acted
upon, or is it an active subject that makes requests
and may hold privileges?
R EFERENCES
[1]
[2]
[3]
[4]
M. Schroeder, Cooperation of mutually suspicious subsystems in a computer utility, Ph.D. dissertation, Massachusetts
Institute of Technology, Cambridge, MA, 1972.
J. P. Anderson, Computer security technology planning
study, ESD/AFSC, Hanscom AFB, Bedford, MA, Tech. Rep.
ESD-TR-73-51, Vol. 2, Oct. 1972, NTIS AD758206.
J. H. Saltzer and M. D. Schroeder, The protection of information in computer systems, Proc. IEEE, vol. 63, no. 9, pp.
12781308, Sep. 1975.
G. H. Nibaldi, Specification of a trusted computing base
(TCB), MITRE Corp., Bedford, MA, Tech. Rep. M79-228, Nov.
1979, NTIS ADA108831.
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
[24]
[25]
[26]
[27]
[28]