
1 Writing on Wind and Water*: Storage Security in the Cloud
Ari Juels, Chief Scientist, RSA
© 2011 RSA Laboratories
Workshop on Cryptography and Security in the Cloud, Zurich, Switzerland, 15 March 2011
*Catullus 70

2 The Cloud

3 Cryptographers’ view of the Cloud

4 Trojans, viruses, evil-minded cloud providers, faulty software, faulty hardware

5 Auditors’ view of the Cloud

6 RSA Labs Research Program: Remote Cloud Security Checkups
[Diagram labels: A; Cloud; Auditor / Tenant; Challenge; Response; “Do you have security property X?”]
Idea: Restore transparency to Cloud to achieve stronger security / compliance without trusting Cloud itself

7 Cloud storage
[Diagram labels: MegArchive Corp., Seattle, USA; Alice; MiniFile Inc., Bangalore, India; Bob; Liverpool, UK; Peer-to-peer network; “My Wedding Photos!”]
One day, Alice’s machine crashes, so she contacts MegArchive…

8 Other financially motivated service degradation
MegArchive moves Alice’s file to a slow disk array
–File is there, but retrieval is unacceptably slow
MegArchive uses cheap storage that degrades over time
MegArchive throws away a portion of Alice’s file to save space
–Most users don’t retrieve their backup files anyway
Question: How can Alice be sure that she can retrieve her file in its entirety?

9 Proofs of Retrievability
Property X = The tenant’s files are intact

10 PORs: Proofs of Retrievability
Alice would like to ensure that her file F is retrievable
–She may also want to ensure compliance with a Service-Level Agreement (SLA)
The simple approach: Alice periodically downloads F
This is resource-intensive!
What about spot-checking instead?

11 Spot checking: Preparation
[Diagram labels: Alice; F; Archive; f1, f2, f3]

12 Spot checking: Verification
[Diagram labels: Alice; F; f1, f2, f3; Archive; tilde-marked (~) copies of F and f1, f2, f3; “= ?”]

13 Spot checking: Verification
[Diagram labels: Alice; F; f1, f2, f3; Archive; tilde-marked (~) copies of F and f1, f2, f3; X]

14 Spot checking
[Diagram labels: Alice; f1, f2, f3; Archive; F; tilde-marked (~) copies of F and f1, f2, f3]
Pros:
–Alice needn’t download all of F
–Can detect large erasure / corruption
Cons:
–Alice must store chunks of F
–Can’t detect small erasure / corruption

15 Message Authentication Code (MAC) refinement: Preparation
[Diagram labels: Alice; Archive; F; f1, f2, f3; k; MAC_k[f1]; c1, c2, c3]

16 MAC refinement: Preparation
[Diagram labels: Alice; F; Archive; f1, f2, f3; k; MAC_k[f1]; c1, c2, c3]

17 MAC refinement: Preparation
[Diagram labels: Alice; F; Archive; f1, f2, f3; k; c1, c2, c3]

18 MAC refinement: Verification
[Diagram labels: Alice; F; Archive; f1, f2, f3; k; c1, c2, c3; tilde-marked (~) copy of F]
Pros:
–Alice needn’t store any of F
–Can detect large erasure / corruption
Cons:
–Can’t detect small erasure / corruption

19 Error correcting code
[Diagram labels: F; Archive; parity bits; F*; decoder; F]
With ECC to encode F → F*, big error in F* needed to induce any error in F
In effect, we can amplify errors in stored file

20 ECC + MAC
[Diagram labels: Alice; F; Archive; f1, f2, f3; k; c1, c2, c3; parity bits; f4; c4; F*]
Pros:
–Alice needn’t store any of F—only key k
–Alice can detect any corruption in F w.h.p. (= large corruption in F*)
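The MAC spot check of slides 15 to 20, as an added example (not code from the talk): Alice keeps only key k, the archive returns (f_i, c_i) for challenged indices, and `detection_probability` shows why small damage slips past sampling while the large damage that ECC forces does not. The 64-byte block size, HMAC-SHA256 as the MAC, the index bound into each tag and the constructed sample file are assumptions; the ECC encoding itself is not implemented.

```python
import hashlib
import hmac
import random

BLOCK = 64  # block size in bytes (assumed; the slides do not give one)

def tag(key: bytes, index: int, block: bytes) -> bytes:
    # MAC_k over (index || block): binding the index stops the archive from
    # answering a challenge for block i with a valid pair stored for block j.
    return hmac.new(key, index.to_bytes(8, "big") + block, hashlib.sha256).digest()

def prepare(key: bytes, data: bytes):
    """Alice's one-time step: split F into blocks f_i and attach c_i = MAC_k[f_i]."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return [(b, tag(key, i, b)) for i, b in enumerate(blocks)]

def audit(key: bytes, archive, q: int, rng: random.Random) -> bool:
    """Challenge q distinct random indices; Alice needs only k and the block count."""
    for i in rng.sample(range(len(archive)), q):
        block, c = archive[i]  # the archive's response to challenge i
        if not hmac.compare_digest(c, tag(key, i, block)):
            return False
    return True

def detection_probability(n: int, bad: int, q: int) -> float:
    """P[at least one of q distinct challenges hits one of `bad` corrupted blocks of n]."""
    miss = 1.0
    for j in range(q):
        miss *= max(n - bad - j, 0) / (n - j)
    return 1.0 - miss

if __name__ == "__main__":
    key = b"k" * 32                                   # constructed demo key
    stored = prepare(key, bytes(range(256)) * 250)    # constructed file: 1000 blocks
    stored[417] = (b"\x00" * BLOCK, stored[417][1])   # archive silently damages one block
    rng = random.SystemRandom()                       # challenges must be unpredictable
    print("20-challenge audit passed:", audit(key, stored, 20, rng))
    print("P[detect 1 bad block of 1000]   :", detection_probability(1000, 1, 20))
    print("P[detect 100 bad blocks of 1000]:", detection_probability(1000, 100, 20))
```

Twenty challenges catch a single damaged block out of 1000 only 2% of the time but catch 100 damaged blocks about 88% of the time, which is the gap the ECC layer closes by making any harmful corruption of F large in F*.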

21 PORs: The business plan
Where is quick detection of file loss helpful? Backup!
Idea:
–Use PORs to verify backed up files
–In case of failure, change providers or restore from primary copy
Another application: Quality of storage in backup
–E.g., are my files on disk or on tapes conveyed by mule from a mountain bunker?

22 Where PORs blow up
[Diagram labels: Alice; Server; F*; challenge / response (three times); X]
What’s Alice to do???
E.g., T-Mobile

23 RAID (Redundant Array of Inexpensive Disks)
[Diagram labels: F; file blocks F1, F2, F3; parity block F1 ⊕ F2 ⊕ F3]

24 The Cloud isn’t necessarily so nice
What if service providers lose data but… don’t tell you until it’s too late?
[Diagram labels: F; F1, F2, F3; Provider A; Provider B; Provider C; Provider D; X marks]

25 HAIL: A High-Availability and Integrity Layer for Cloud Storage
Property X = The tenant’s files can survive service-provider failures

26 Mobile adversary
A mobile adversary moves from device to device, corrupting as it goes—potentially silently
Mobile adversary models, e.g., system failures / corruptions over time, virus propagation
RAID isn’t designed for this kind of adversary
–Designed for limited, readily detectable failures in devices you own—the benign case

27 Mobile adversary
In cryptography, usual approach to mobile adversary is proactive

28 Mobile adversary
In cryptography, usual approach to mobile adversary is proactive
Another, cheaper possibility is reactive: We detect and remediate
–Like whack-a-mole!
PORs can provide detection here…

29 Applying PORs
[Diagram labels: Parity; Data; F]

30 Applying PORs F

31 POR Alice

32 HAIL: High Availability and Integrity Layer
RAID-type redundancy allows us to tolerate t provider failures
POR bounds number of failures at t thanks to “whack-a-mole”
Other optimizations: Use crypto tricks / row redundancy to get MACs “for free.”

33 HAIL: Putting it all together
HAIL offers an abstraction of high-integrity file system
Robust to Byzantine, mobile adversary
Modest storage / server overhead, thanks to “free MACs”
Minimal-bandwidth checking, thanks to POR techniques, e.g., aggregation

34 HAIL: The business plan
RAID led to a new business model
–Shift from monolithic, high-performance drive to cheaper drives with redundancy
–EMC vs. IBM
HAIL: New model in the Cloud?
–Fuse together cheap cloud providers to provide high-quality abstraction
–E.g., Memopal offers $0.02 / GB / Month storage on a 5-year contract vs. Amazon at $0.15 / GB / Month
–??? vs. Amazon, Atmos, Azure, etc.?

35 Another challenge: The physical layer
Amazon claims to store three distinct copies of my file for resilience. Can they prove it?
–POR won’t do the trick, nor will downloading!
[Diagram labels: Alice; F; copies of F; “or ?”]

36 Virtualization is a complication
Erasure coding across disks…
[Diagram labels: Disk 1; Disk 2; Disk 3; Disk 4; Disk 5]
My file can survive two disk crashes!

37 Virtualization is a complication
Erasure coding across disks…
[Diagram labels: Disk 1; Disk 2; Disk 3; Disk 4; Disk 5; Virtual; X]
My file can survive two disk crashes!
A single disk crash can destroy my file!

38 How to Tell if Your Cloud Files Are Vulnerable to Drive Crashes
Property X = The tenant’s files can survive drive crashes

39 Our goal: Prove disk-crash resilience
Claim: File can survive two disk crashes!
The Challenge: How can a cloud provider prove that certain bits sit on certain disks?
[Diagram labels: Disk 1; Disk 2; Disk 3; Disk 4; Disk 5]

40 The Pizza Oven Protocol
[Diagram labels: Eeta Pizza Pi; Cheapskate Pizza; “Six pizzas!”]

41 The Pizza Oven Protocol
[Diagram labels: Eeta Pizza Pi; Cheapskate Pizza; “Six pizzas!”; X marks]

42 The Pizza Oven Protocol
[Diagram labels: Eeta Pizza Pi; Cheapskate Pizza]
Cheapskate now claims it can survive an oven failure!
How can Eeta Pizza Pi verify without visiting???

43 The Pizza Oven Protocol
Suppose that:
–A pizza oven bakes one pizza at a time, and takes 10 minutes
–The Cheapskate truck takes 15 minutes to deliver to Eeta Pizza Pi
[Diagram labels: Eeta Pizza Pi; Cheapskate Pizza; “Six pizzas!”; T0; T1]
T1 – T0 = 45 mins?
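The timing argument of this slide, worked through as an added example (not from the talk): the fastest possible T1 – T0 for a given oven count, the number of ovens a measured time proves, and how large an order must be before one missing oven shows up. The `slack` parameter (how much faster than 15 minutes the truck might run) and the order-sizing function are assumptions that go beyond the slide.

```python
import math
from itertools import count

BAKE_MIN = 10      # one oven bakes one pizza at a time, 10 minutes each (from the slide)
DELIVERY_MIN = 15  # truck time from Cheapskate to Eeta Pizza Pi (from the slide)

def expected_minutes(pizzas: int, ovens: int) -> int:
    """Fastest possible T1 - T0: ovens bake in parallel, then one truck trip."""
    if pizzas < 1 or ovens < 1:
        raise ValueError("need at least one pizza and one oven")
    return math.ceil(pizzas / ovens) * BAKE_MIN + DELIVERY_MIN

def proven_ovens(elapsed: float, pizzas: int, slack: float = 0.0) -> int:
    """Smallest oven count that could have met `elapsed`, so the lower bound the
    timing proves. `slack` (assumed) is how many minutes the truck could save."""
    for ovens in range(1, pizzas + 1):
        if expected_minutes(pizzas, ovens) - slack <= elapsed:
            return ovens
    raise ValueError("faster than the model allows; check BAKE_MIN / DELIVERY_MIN")

def min_order_size(claimed_ovens: int, slack: float = 0.0) -> int:
    """Smallest order for which a shop with one oven fewer than claimed cannot
    match the honest time, even if its truck gains `slack` minutes."""
    if claimed_ovens < 2:
        raise ValueError("a claim of fewer than two ovens has nothing to rule out")
    for pizzas in count(1):
        honest = expected_minutes(pizzas, claimed_ovens)
        cheat = expected_minutes(pizzas, claimed_ovens - 1) - slack
        if cheat > honest:
            return pizzas

if __name__ == "__main__":
    print("six pizzas, two ovens:", expected_minutes(6, 2), "min")   # the slide's 45
    print("six pizzas, one oven :", expected_minutes(6, 1), "min")
    print("ovens proven by a 45-minute response:", proven_ovens(45, 6))
    print("order size needed with 20 min of slack:", min_order_size(2, slack=20))
```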

44 Remote Cloud Security Checkups
[Diagram labels: A; Cloud; Auditor / Tenant; Challenge; Response; “Do you have security property X?”]
X =
1. Tenant’s files are intact (POR)
2. Tenant’s files can survive service-provider failures (HAIL)
3. Tenant’s files can survive drive crashes

45 To Learn More
A. Juels and B. Kaliski. Proof of Retrievability (PORs) for Large Files. ACM CCS ‘07.
K. D. Bowers, A. Juels, and A. Oprea. HAIL: a high-availability and integrity layer for cloud storage. ACM CCS ‘09.
Kevin Bowers, Ari Juels, and Alina Oprea. Proofs of Retrievability: Theory and Implementation. CCSW ‘09.
K. Bowers, M. van Dijk, A. Juels, A. Oprea, and R. Rivest. How to Tell if Your Cloud Files Are Vulnerable to Drive Crashes. In submission. 2011. (Available on ePrint.)
Y. Zhang, A. Juels, A. Oprea, and M. Reiter. HomeAlone: Co-Residency Detection in the Cloud via Side-Channel Analysis. IEEE S&P. 2011. To appear.
–Property X = “Are my virtual machines physically isolated?”

