A Layered Approach to Securing Network File Systems

保护网络文件系统的分层方法

• 批准号: 0310493
• 负责人: Erez Zadok
• 金额: $ 40万
• 依托单位: SUNY at Stony Brook
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2003
• 资助国家: 美国
• 起止时间: 2003-08-15 至 2007-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0310493&HistoricalAwards=false
• 关键词: Layered; Approach; Securing; Network; File

CCR-0310493A Layered Approach to Securing Network File SystemsErez ZadokFile systems protect important data, but existing file systems are not secure enough for today's needs. Moreover, file system development is difficult. This project investigates and develops an infrastructure for easy development of highly-secure and efficient file systems, using an incremental, layered approach, with a focus on network-based file systems. The main technique used is called "stacking": a method for one file system to pass through the operations and data to one or more other file systems. With stacking it is possible to intercept file system operations and then control them as needed. Examples of file systems that are being developed include strong transparent encryption, transparent checksumming for integrity, versioning, transparent virus detection, load-balancing, replication, sand-boxing, hooks for Intrusion Detection Systems (IDSs), and more.Stackable file systems placement is investigated for three different locations along the data path. (1) on clients, offering end-to-end assurances; (2) on servers, enabling powerful IDS capabilities; and (3) on intermediate proxies, transparently controlling file servers with minimal site impact.The significance of this work is that it creates OS infrastructure that will allow future developers to build highly-secure and efficient file systems easily; several working file system examples are developed; and enhancements are investigated for general OS support for secure file systems. This research and teaching will usher a new era of secure file system development.

CCR-0310493一种保护网络文件系统的分层方法Erez Zadok文件系统保护重要数据，但现有的文件系统不足以满足当今的需要。 此外，文件系统开发也很困难。 该项目研究和开发一个基础设施，以方便开发高度安全和高效的文件系统，使用增量，分层的方法，重点是基于网络的文件系统。使用的主要技术称为“堆叠”：一个文件系统将操作和数据传递到一个或多个其他文件系统的方法。通过堆叠，可以拦截文件系统操作，然后根据需要控制它们。 正在开发的文件系统的例子包括强透明加密、完整性透明校验和、版本控制、透明病毒检测、负载平衡、复制、沙箱、入侵检测系统（IDS）钩子等。（2）在服务器上，实现强大的IDS功能;（3）在中间代理上，透明地控制文件服务器，使站点影响最小。这项工作的意义在于，它创建了操作系统基础设施，使未来的开发人员能够轻松构建高度安全和高效的文件系统;开发了几个工作文件系统示例;和增强的安全文件系统的一般操作系统的支持。 这项研究和教学将迎来一个新时代的安全文件系统的发展。