In today’s systems, policies protecting stored data and mechanisms for their enforcement are spread across many software components, increasing the risk of violation due to bugs, vulnerabilities and misconfigurations. We suggest Guardat to addresses this problem. Users, developers and administrators specify file protection policies declaratively, concisely and separate from code, and Guardat enforces these policies by mediating I/O in the storage layer. Thus, policy enforcement relies only on the integrity of the Guardat controller and any external policy dependencies. The semantic gap between the storage layer enforcement and per-file policies is bridged using cryptographic attestations from Guardat. We show experimentally that the overhead is low.
Protecting Persistent Data
Techniques to Protect Confidentiality and Integrity of Persistent and In-Memory Data
Anjo Lucas Vahldiek-OberwagnerPhD Thesis, 2018.
Pesos: Policy Enhanced Secure Object store
Robert Krahn, Bohdan Trach, Anjo Vahldiek-Oberwagner, Thomas Knauth, Pramod Bhatotia, Christof FetzerACM EuroSys, 2018.
Guardat: Enforcing data policies at the storage layer
Anjo Vahldiek-Oberwagner, Eslam Elnikety, Aastha Mehta, Deepak Garg, Peter Druschel, Rodrigo Rodrigues, Johannes Gehrke, Ansley PostACM EuroSys, 2015.