Current products address the trustworthiness issues that arise during the backup process. However, they do not ensure that a record is trustworthy throughout its entire life cycle, from creation, through migration to newer storage servers, to eventual deletion.

Current compliance storage products aim to address the problem of document retention; no product supports structured data, e.g., provides a trustworthy relational database management system.

We discuss these open problems and potential solutions in the sections that follow.
5 Resistance to Physical Attack
Our insider adversary Mallory has physical access to the storage media. To limit the damage that he can do, one potential approach is to house the storage in a tamperproof or tamper-evident box. However, such a box would trap heat, making it necessary to run the storage server at lower speeds and reducing its cost-effectiveness. Thus this solution is unlikely to be popular with customers or vendors. Further, disks do fail and require replacement, which is hard to reconcile with the notion of tamper-evidence.
As one example of vulnerability to physical attack, consider recent US patent 6879454 for an IBM disk-based WORM system whose drives selectively and permanently disable their write mode by using programmable read only memory (PROM) circuitry: “One method of use employs selectively blowing a PROM fuse in the arm electronics of the hard disk drive to prevent further writing to a corresponding disk surface in the hard disk drive. A second method of use employs selectively blowing a PROM fuse in processor-accessible memory, to prevent further writing to a section of logical block addresses (LBAs) corresponding to a respective set of data sectors in the hard disk drive”.
Unfortunately, this method does not provide strong WORM guarantees. Using off-the-shelf resources, an insider can open the storage medium enclosures to gain physical access to the underlying data and to any flash-based checksum storage. He can then surreptitiously replace a device by copying an illicitly modified version of the stored data onto an identical replacement unit. Maintaining integrity-authenticating checksums at device or software level does not prevent this attack, due to the lack of tamper-resistant storage for keying material. The adversary can access the integrity checksum keys and construct a new matching checksum for the modified data on the replacement device, thus remaining undetected. This attack will still be effective if we add tamper-resistant storage for keying material [11], because a superuser is likely to have access to keys while they are in active use: achieving reasonable data throughputs will require integrity keys to be available in main memory for the main (untrusted) run-time data processing components.
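To make the trust assumption in this paragraph concrete, the following is an added example (not code from the paper or from the patented system) that models per-LBA-section keyed checksums with HMAC-SHA256 over constructed block data: a replacement unit whose checksum store was recomputed with the run-time integrity key verifies exactly like the genuine device, while one copied without the key is caught. The section size, key and block contents are constructed placeholders.

```python
import hmac
import hashlib

# Constructed model of the scenario in the text: a disk's data is split into
# sections of logical block addresses (LBAs); a keyed checksum per section is
# kept in a separate (flash-based) store, and verification recomputes each
# checksum with the integrity key held by the run-time host.
SECTION_SIZE = 4  # blocks per LBA section (constructed, tiny for illustration)


def section_checksums(blocks, key):
    """HMAC-SHA256 over each LBA section, keyed by the section's first LBA."""
    sums = {}
    for start in range(0, len(blocks), SECTION_SIZE):
        data = b"".join(blocks[start:start + SECTION_SIZE])
        msg = start.to_bytes(8, "big") + data  # bind the checksum to its LBA
        sums[start] = hmac.new(key, msg, hashlib.sha256).digest()
    return sums


def verify_device(blocks, stored_sums, key):
    """True only if every stored section checksum matches the recomputed one."""
    expected = section_checksums(blocks, key)
    return expected.keys() == stored_sums.keys() and all(
        hmac.compare_digest(expected[s], stored_sums[s]) for s in expected)


def replacement_unit(blocks, stored_sums, modified_lba, new_block, key=None):
    """Model a replacement device holding a copy of the data with one block
    altered. If the integrity key is available, the checksum store is
    recomputed to match; otherwise the original checksum store is copied."""
    new_blocks = list(blocks)
    new_blocks[modified_lba] = new_block
    if key is not None:
        new_sums = section_checksums(new_blocks, key)
    else:
        new_sums = dict(stored_sums)
    return new_blocks, new_sums


def demo():
    """Returns (genuine verifies, no-key replacement verifies, keyed replacement verifies)."""
    key = b"constructed-integrity-key"
    blocks = [f"record {i:02d}".encode().ljust(16, b"\0") for i in range(8)]
    sums = section_checksums(blocks, key)
    altered = b"altered".ljust(16, b"\0")
    b1, s1 = replacement_unit(blocks, sums, 5, altered)        # key not available
    b2, s2 = replacement_unit(blocks, sums, 5, altered, key)   # key in host memory
    return (verify_device(blocks, sums, key),
            verify_device(b1, s1, key),
            verify_device(b2, s2, key))
```

The third result is the point of the paragraph: once the integrity key is readable by the host that processes the data, the checksum store no longer distinguishes a genuine device from a replaced one.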