Re: Designing Another File System

Valdis.Kletnieks_at_vt.edu
Date: 11/30/04

  • Next message: Andrew Morton: "Re: 2.6.10-rc2-mm4" 
    To: John Richard Moser <nigelenki@comcast.net>
Date:	Tue, 30 Nov 2004 13:28:42 -0500

    On Mon, 29 Nov 2004 23:32:05 EST, John Richard Moser said:

    (Somebody else can address the performance issues - I'll stick to the
    parts I understand.. ;)

    > - - A design based around preventing information leaking by guaranteed
    > secure erasure of data (insofar that the journal even will finish wiping
    > out data when replaying a transaction)

    Consider carefully what threat model you have here - your choices will be
    constrained by it. If you don't know your threat model, it's time to look
    for other features to design around...

    (your comment indicates a level of confusion regarding what paranoia is desired)

    Note well that you need to define "Guaranteed secure erasure" - at least for
    US DOD contractors, DOD 5220-22.M requires 3 over-writes (a character, its
    complement, and random) and verify). That's good for SECRET and below - but
    TOP SECRET and higher still require physical destruction of the media. Also,
    they punt on the issue of over-writing a sector that's been re-allocated by
    the hardware (apparently the chances of critical secret data being left in
    a reallocated block but still actually readable are "low enough" not to worry).

    Also, 5220-22.M is more concerned with the exposure of "You surplus the machine
    and forgot to wipe the drives" - there's a whole *different* set of rules
    regarding how you keep an attacker who steals the system (physical access
    issues) or gets root access (this is a *tough* one) from scavenging the
    drives....

    > 2) Are there any other security concerns aside from information leaking
    > (deleted data being left over on disk, which may pop up in incompletely
    > written files)?

    Which of the following are you worried about:

    1) On a filesystem that does metadata journalling but not data journalling,
    it's possible for a file to be extended by a write(), the metadata is
    journalled, but the system fails before the actual data makes it to disk. As a
    result, after the system comes up, stale data is present in the file, causing a
    small data exposure and large reliability issues (opening a file with
    OpenOffice will almost certainly cause Very Bad Errors if it's a file that was
    in the process of being saved when the system went down, so you're actually
    reading blocks of somebody else's old Fortran source code...) Note that this
    exposure does *NOT* need you to clear data out of the journal - merely to
    journal data (or find other ways to guarantee you never allocate a stale block
    of data). This is why I suggest that you're unclear regarding your threat
    model.

    2) If you're worried about a well-funded attacker managing to scavenge secure
    data out of the journal, what do you do about the attacker scavenging *the rest
    of the disk, including existing files*? (Hint - cryptoloop is the correct
    answer here, unless you think Jaari Russo is right, in which case *his*
    encrypted filesystem stuff is the right answer).

    Alternatively, you may wish to consider a filesystem that does crypto on a
    per-file basis - be prepared to deal with some very hairy key-management and
    information leakage problems if you pursue this route...

    In any case, both cryptoloop and Jaari's loop-aes address the "disk captured by
    the attacker" issues, but don't do much for "attacker gets root" - that's a
    whole DIFFERENT set of problems...

    -
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  • Next message: Andrew Morton: "Re: 2.6.10-rc2-mm4"

    Relevant Pages

    • Re: Designing Another File System
      ... | for other features to design around... ... I can't make the FS burn the disk, ... | regarding how you keep an attacker who steals the system (physical access ... | 1) On a filesystem that does metadata journalling but not data ...
      (Linux-Kernel)
    • Re: Wondering about raid5
      ... There are raid systems that do not make that assumption, ... > as well have the same corruption going on in RAM. ... that writes are async in unix so even if the disk errors ... >> in any sense through the kernel raid layers, so journalling file ...
      (comp.os.linux.development.system)
    • Re: DVD-RAM slowness and questions
      ... to know when it's done writing to the disk. ... > with a non-journaling filesystem such as ext2 or FAT? ... you've got the wrong idea about journalling, ... > driver responsibility, then how do I know if Linux is doing it? ...
      (comp.os.linux.hardware)
    • Re: File undelete for ext3fs?
      ... I don't understand why people think that journalling is somehow ... If the disk dies, you lose your data. ... and no messup on next reboot can happen. ... Grep the raw disk for their contents. ...
      (comp.os.linux.questions)