Design and implementation of the Sun network filesystem
Innovations in Internetworking
The design and implementation of a log-structured file system
SOSP '91 Proceedings of the thirteenth ACM symposium on Operating systems principles
A cryptographic file system for UNIX
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
Unifying File System Protection
Proceedings of the General Track: 2002 USENIX Annual Technical Conference
Model-Based Failure Analysis of Journaling File Systems
DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
Reducing TCB size by using untrusted components: small kernels versus virtual-machine monitors
Proceedings of the 11th workshop on ACM SIGOPS European workshop
Using model checking to find serious file system errors
ACM Transactions on Computer Systems (TOCS)
Reducing TCB complexity for security-sensitive applications: three case studies
Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006
Analysis and evolution of journaling file systems
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
How to build a trusted database system on untrusted storage
OSDI'00 Proceedings of the 4th conference on Symposium on Operating System Design & Implementation - Volume 4
Soft updates: a technique for eliminating most synchronous writes in the fast filesystem
ATEC '99 Proceedings of the annual conference on USENIX Annual Technical Conference
Generalized file system dependencies
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
VPFS: building a virtual private file system with a small trusted computing base
Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
EIO: error handling is occasionally correct
FAST'08 Proceedings of the 6th USENIX Conference on File and Storage Technologies
Taming subsystems: capabilities as universal resource access control in L4
Proceedings of the Second Workshop on Isolation and Integration in Embedded Systems
SOSP '11 Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles
| Hi-index | 0.00 |
The Virtual Private File System (VPFS) [1] was built to protect confidentiality and integrity of application data against strong attacks. To minimize the trusted computing base (i.e., the attack surface) it was built as a stacked file system, where a small isolated component in a microkernel-based system reuses a potentially large and complex untrusted file system; for example, as provided by a more vulnerable guest OS in a separate virtual machine. However, its design ignores robustness issues that come with sudden power loss or crashes of the untrusted file system. This paper addresses these issues. To minimize damage caused by an unclean shutdown, jVPFS carefully splits a journaling mechanism between a trusted core and the untrusted file system. The journaling approach minimizes the number of writes needed to maintain consistent information in a Merkle hash tree, which is stored in the untrusted file system to detect attacks on integrity. The commonly very complex and error-prone recovery functionality of legacy file systems (in the order of thousands of lines of code) can be reused with little increase of complexity in the trusted core: less than 350 lines of code deal with the security-critical aspects of crash recovery. jVPFS shows acceptable performance better than its predecessor VPFS, while providing much better protection against data loss.