Pesos: Policy Enhanced Secure Object Store

Robert Krahn, Bohdan Trach, Anjo Vahldiek-Oberwagner, Thomas Knauth, Pramod Bhatotia, Christof Fetzer

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

49 Scopus citations

Abstract

Third-party storage services pose the risk of integrity and confidentiality violations as the current storage policy enforcement mechanisms are spread across many layers in the system stack. To mitigate these security vulnerabilities, we present the design and implementation of Pesos, a Policy Enhanced Secure Object Store (Pesos) for untrusted third-party storage providers. Pesos allows clients to specify per-object security policies, concisely and separately from the storage stack, and enforces these policies by securely mediating the I/O in the persistence layer through a single unified enforcement layer. More broadly, Pesos exposes a rich set of storage policies ensuring the integrity, confidentiality, and access accounting for data storage through a declarative policy language. Pesos enforces these policies on untrusted commodity platforms by leveraging a combination of two trusted computing technologies: Intel SGX for trusted execution environment (TEE) and Kinetic Open Storage for trusted storage. We have implemented Pesos as a fully-functional storage system supporting many useful end-to-end storage features, and a range of effective performance optimizations. We evaluated Pesos using a range of micro-benchmarks, and real-world use cases. Our evaluation shows that Pesos incurs reasonable performance overheads for the enforcement of policies while keeping the trusted computing base (TCB) small.

Original languageEnglish
Title of host publicationProceedings of the 13th EuroSys Conference, EuroSys 2018
PublisherAssociation for Computing Machinery, Inc
ISBN (Electronic)9781450355841
DOIs
StatePublished - 23 Apr 2018
Externally publishedYes
Event13th EuroSys Conference, EuroSys 2018 - Porto, Portugal
Duration: 23 Apr 201826 Apr 2018

Publication series

NameProceedings of the 13th EuroSys Conference, EuroSys 2018
Volume2018-January

Conference

Conference13th EuroSys Conference, EuroSys 2018
Country/TerritoryPortugal
CityPorto
Period23/04/1826/04/18

Keywords

  • Intel SGX
  • Kinetic disks
  • Policy language
  • Storage security

Fingerprint

Dive into the research topics of 'Pesos: Policy Enhanced Secure Object Store'. Together they form a unique fingerprint.

Cite this