Employing Object-Based Storage Devices to Embed File Access Control in Storage

This paper presents a proposal to em bed the file access control into object-based storage devices (OSD) to achieve powerf ul storage security with rich semantics; and two application pr ototypes, the OSD-based intrusion detection ( ID) and the f iner-grained (than the f ile-level) acce ss control, are im plemented to show its feasibility. To embed file access control into st orage, one of vital challenges is how to connect a file with its corresponding storage units and its access control rule. In this design, OSD itself can com plete the connec tion—for I D, the one ( file) to one ( object) relationship is used to link f iles and thei r storage objects/access rules together by the storage. As the r elationship is extended to one to m ore, one file can be divided into several objects in accordance with its access cont rol semantics; then assigning users with different access permissions based on the f ile’s internal structure (which is the m eaning of the finer-grained access control) is feasible. In addition, the OSD standard is discussed to extend to define new object attributes f or file access control. Both prototypes are built based on the OSD r eference implementation provided by Intel. Testing results show that the extra overheads introduced by this design are acceptable.