A potentially more effective approach is to leverage components that are
both tamper-resistant and active, such as general-purpose secure coprocessors
(SCPUs). By adding a trusted SCPU inside the storage server, we can
guarantee the trustworthiness of records from that server, even if the records
subsequently pass through untrusted and possibly hostile environments inside
or outside the server. The SCPU can run certified code; its close proximity
to the data storage, coupled with its tamper-resistance guarantees, offers the
possibility of higher security assurances at minimal extra cost.
However, SCPUs are not a panacea. The heat dissipation limits caused
by tamper-resistant enclosures reduce the maximum allowable spatial gate
density in an SCPU. As a result, SCPUs are significantly constrained in both
computation ability and memory capacity, being up to one order of magnitude
slower than ordinary CPUs. Thus to be competitive in the marketplace,
the SCPU cannot run all of the storage server code—additional ordinary
untrusted CPUs must shoulder much of the computational burden. Even then,
a straightforward implementation (such as having the SCPU sign each new
record as it arrives) will be too inefficient, leaving the untrusted CPUs
underutilized and defeating the intended cost advantage of having fast untrusted
main CPUs and expensive slower secured CPUs. A good implementation must
access the secure hardware sparsely, asynchronously from the main data flow
to and from disk, so that document insertions, deletions, and reads proceed
at the throughput rate of the storage server's ordinary CPUs.
Researchers have proposed such an architecture for compliance storage
and data migration, based on commodity x86 architecture [41]. With a single
SCPU, their approach can support over 2500 record insertions and deletions
per second, using a deferred-signature scheme described below. To minimize
the trusted computing base, their record-level WORM layer identifies records
by monotonically increasing serial numbers and does not support name spaces,
trustworthy indexing or content-based addressing; all of these can be layered
on top of the record-level WORM support.
To achieve such high throughput rates, the SCPU is involved in document
insertions and deletions but not in reads, thus minimizing the overhead if
the workload is dominated by read queries. Clients who perform reads get an
SCPU-certified guarantee that (i) the block was not tampered with, if the read
is successful; and if the read fails, either (ii) the block was deleted according
to its retention policy, or (iii) it never existed on this storage server.
To authenticate the contents of the records on the storage server, one
option is to keep a Merkle tree whose entries are signed by the SCPU. However,
the resulting O(log n) cost to insert or delete a record, where n is the number
of documents, will reduce the throughput of the system, even if the SCPU
updates the Merkle tree in parallel with the activities of the other CPUs. To
address this problem, one can instead label data blocks with monotonically
increasing consecutive serial numbers and then introduce a concept of sliding
“windows” that are authenticated at O(1) cost by only signing the window
boundaries [41].
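The following is an added worked example of the two preceding ideas (the read guarantees (i)–(iii) and the O(1) sliding-window scheme); it is illustrative code written for this page, not the implementation from [41]. It assumes a particular instantiation: the untrusted server keeps a hash chain over consecutive serial numbers, deletion tombstones are chain entries with their own serials, the SCPU recomputes the chain for a window from the leaf hashes it is handed and signs only the window boundary, and an HMAC under a key shared with the client stands in for the SCPU's digital signature. It also goes slightly beyond the text by reporting records in the still-open window as "unattested", since a deferred signature cannot cover them yet. Checking that a deletion actually complied with the retention policy is outside this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

H = lambda data: hashlib.sha256(data).digest()

def leaf_hash(serial, kind, payload):
    # kind is b"R" for a stored record, b"D" for a retention-policy tombstone
    return H(kind + serial.to_bytes(8, "big") + payload)

@dataclass(frozen=True)
class Boundary:
    first: int    # first serial covered by the window
    last: int     # last serial covered by the window
    prev: bytes   # chain value the window starts from (previous boundary's `chain`)
    chain: bytes  # chain value after the entry with serial `last`
    sig: bytes    # SCPU signature over (first, last, prev, chain)

def _mac(key, first, last, prev, chain):
    # Assumption: HMAC stands in for the SCPU's public-key signature, under which a
    # client would verify with only the SCPU's public key rather than a shared key.
    msg = first.to_bytes(8, "big") + last.to_bytes(8, "big") + prev + chain
    return hmac.new(key, msg, "sha256").digest()

def check_boundary(key, b):
    return hmac.compare_digest(_mac(key, b.first, b.last, b.prev, b.chain), b.sig)

class SCPU:
    """Trusted but slow: invoked once per window, never once per record."""
    def __init__(self, key):
        self._key, self._next, self._chain = key, 1, b"\x00" * 32  # its only state
    def seal(self, first, leaves):
        if first != self._next:       # windows must be consecutive: no gaps, no replays
            raise ValueError("window out of order")
        prev = chain = self._chain
        for leaf in leaves:           # recompute the chain; never trust the server's value
            chain = H(chain + leaf)
        last = first + len(leaves) - 1
        self._next, self._chain = last + 1, chain
        return Boundary(first, last, prev, chain, _mac(self._key, first, last, prev, chain))

class WormServer:
    """Untrusted fast path: an insertion or deletion costs two hashes and no SCPU call."""
    def __init__(self, scpu, window):
        self.scpu, self.window, self.next_serial = scpu, window, 1
        self.records = {}      # serial -> payload, removed on deletion
        self.leaves = {}       # serial -> leaf hash (records and tombstones)
        self.tombstone = {}    # deleted serial -> serial of its tombstone entry
        self.boundaries = []   # signed windows in serial order
        self.pending = []      # leaves of the window not yet sealed
    def _append(self, kind, payload):
        serial, self.next_serial = self.next_serial, self.next_serial + 1
        self.leaves[serial] = leaf_hash(serial, kind, payload)
        self.pending.append(self.leaves[serial])
        if len(self.pending) == self.window:
            self.seal()
        return serial
    def seal(self):  # deferred signature: the only point at which the SCPU is touched
        if self.pending:
            self.boundaries.append(self.scpu.seal(self.next_serial - len(self.pending), self.pending))
            self.pending = []
    def insert(self, payload):
        serial = self._append(b"R", payload)
        self.records[serial] = payload
        return serial
    def delete(self, serial):  # retention-policy deletion leaves an attested tombstone
        del self.records[serial]
        self.tombstone[serial] = self._append(b"D", serial.to_bytes(8, "big"))
    def _window_proof(self, serial):
        for b in self.boundaries:
            if b.first <= serial <= b.last:
                return b, [self.leaves[s] for s in range(b.first, b.last + 1)]
        return None  # serial is still in the open window (or does not exist)
    def read(self, serial):  # returns (status, payload, proof); the SCPU is not involved
        if serial in self.records:
            proof = self._window_proof(serial)
            return ("ok" if proof else "unattested"), self.records[serial], proof
        if serial in self.tombstone:
            return "deleted", None, self._window_proof(self.tombstone[serial])
        return "never_existed", None, (self.boundaries[-1] if self.boundaries else None)

def verify_read(key, serial, status, payload, proof):
    """Client-side check of a read using only the signed window boundaries."""
    if status == "never_existed":
        # every serial up to the newest signed boundary has an attested entry
        return proof is None or (check_boundary(key, proof) and serial > proof.last)
    if status not in ("ok", "deleted") or proof is None:
        return False                  # "unattested": no guarantee until the window is sealed
    b, leaves = proof
    if not check_boundary(key, b) or len(leaves) != b.last - b.first + 1:
        return False
    chain = b.prev
    for leaf in leaves:
        chain = H(chain + leaf)
    if chain != b.chain:
        return False                  # window contents do not match what the SCPU signed
    if status == "ok":
        return leaves[serial - b.first] == leaf_hash(serial, b"R", payload)
    tomb = serial.to_bytes(8, "big")  # "deleted": a tombstone for this serial must be in the window
    return any(leaf == leaf_hash(s, b"D", tomb)
               for s, leaf in zip(range(b.first, b.last + 1), leaves))
```

With a window of w entries the SCPU produces one signature per w insertions or deletions instead of one per record, each insertion or deletion on the server costs a constant two hashes, and a client checking a read needs only the signed boundary plus the w leaf hashes of that window, so the SCPU is never on the read path. The price of deferral is visible too: a record in the open window cannot be certified until that window is sealed, and a server that silently alters a stored record, or claims a serial below the newest signed boundary never existed, fails verification.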