KR102386219B1 - Method And System for Policy-Based Versioning based on SGX-SSD - Google Patents

Abstract

This embodiment is connected to a host server by wire or wirelessly, and includes an enclave in which a unique key value, Kdev' , is stored, and data transmitted from the host server is decrypted using Kdev' . ), includes an enclave in which Kdev , the same key value as that of PV-SSD (Policy-based File Versioning SSD) based on SGX (Software Guard Extension) and Kdev' , is stored, and configuration variables (CP, Configuration Parameter) from the user. ) and SPM (Secure Policy Manager) that receives a command requesting any one of creation, change, and deletion of file policy, encrypts it using Kdev and transmits it to the PV-SSD It provides an SGX-SSD system and a policy-based file version management method using the SGX-SSD system, including.

Description

Method And System for Policy-Based Versioning based on SGX-SSD}

This embodiment relates to a policy-based version management method using an SGX-SSD and an SGX-SSD system.

The content described in this section merely provides background information for the present embodiment and does not constitute the prior art.

Recently, due to a data tampering attack on backup data/devices using malware such as ransomware, the integrity of data in storage is being damaged. . Accordingly, studies are being made to ensure data integrity of a storage device by versioning data (see Non-Patent Document 1).

For example, Intel Software Guard Extension (SGX) is a software security technology based on Skylake, a 6th generation model of Intel's microarchitecture, and is a security-related instruction set built into the CPU. SGX provides a Trusted Execution Environment (TEE) by providing a trusted memory area called an enclave in which access is restricted even by a system with high privileges (see Non-Patent Document 2). However, the SGX-based storage device has a problem in that it cannot guarantee Trust I/O because input/output through a UI (User Interface) is transmitted to the storage device through an unreliable device (host server, etc.).

Project Almanac is an example of a version-managed solid state disk (SSD), and provides a function of preserving versions of all data in a storage device by a user for a certain period (see Non-Patent Document 1). However, in Project Almanac, data recovery is performed by the user only after the malicious code is detected. There has been a problem in that data restoration is not guaranteed in the case of code intrusion. This problem is also caused by the malicious code itself by generating numerous input/output (I/O) in the device to shorten the data retention period.

However, setting an excessively long data retention period in response to malicious code causes space overhead and wastes resources. On the other hand, a too short data retention period causes the above-described problem.

Accordingly, it is necessary to develop a storage device that can respond to delayed attacks of malicious codes while taking advantage of the advantages of SGX. Specifically, it is necessary to develop a storage device that provides policy-based versioning (PV), which can ensure reliability of input/output, which is a problem with SGX, and ensure data restoration of important files without spatial overhead. Do.

Xiaohao Wang, Yifan Yuan, You Zhou, Chance C Coats, and Jian Huang. Project almanac: A time-traveling solid-state drive. In Proceedings of the EuroSys Conference, 2019. Victor Costan and Srinivas Devadas. Intel sgx explained. IACR Cryptology ePrint Archive, 2016(086):1-118, 2016.

According to one aspect of this embodiment, by providing an SGX-based policy-based version management SSD (PV-SSD), the Trust I of SSD, which allows the user's input to be safely transferred to the SSD while passing through a host server whose reliability is unknown Its main purpose is to provide /O.

According to another aspect of the present embodiment, another main object is to provide data integrity by preventing tampering of data stored in the SSD from malicious code having a long latency period.

Furthermore, according to another aspect of this embodiment, a file semantics corresponding to each block is applied to an SSD in which data management is performed in block units, thereby providing a policy-based version management method based on file units. It has another main purpose.

According to one aspect of this embodiment, SGX (Software Guard Extension)-based SPM (Secure Policy Manager) running on a host server and SGX (Software Guard Extension)-based PV connected to the host server by wire or wirelessly In the file policy management method using the SGX-SSD system including -SSD (Policy-based File Versioning Solid State Disk), in order to set a file policy, a user interface (UI: an input process of receiving, from a user, a command for requesting any one of creation, change, and deletion of all or part of a configuration parameter (CP) and a file policy through a user interface; a transmission process in which the SPM encrypts the input using Kdev , which is a unique key value stored in an enclave of the SPM, and transmits it to the PV-SSD; and the PV-SSD decrypts the input using Kdev' , which is a unique key value stored in the enclave of the PV-SSD, and generates, changes, and changes the file policy according to the command extracted from the decrypted input It provides a file policy management method using the SGX-SSD system, including a policy management process of performing any one of deletion, wherein the Kdev and the Kdev' have the same key value.

According to another aspect of this embodiment, in the file input/output method using an SGX-SSD system that is connected to a host server by wire or wirelessly and includes a PV-SSD that performs the file policy management method according to the present embodiment, the host The process of receiving file I/O from the user through the server; a piggyback transmission process in which the host server constructs a piggyback set based on the file input/output and transmits it to the PV-SSD; OOB in which the PV-SSD parses the piggyback set and stores all or part of the parsed data in an out-of-band region of a physical page corresponding to the file storage process; and a VVB setting process in which the PV-SSD sets a Version Validity Bitmap (VVB) bit corresponding to the physical page.

According to another aspect of this embodiment, in the selective version control method using the SGX-SSD system including the PV-SSD for performing the file input/output method according to the present embodiment, the PV-SSD implements a greedy algorithm A victim block determination process for determining a victim block using; and a garbage collection (GC, Garbage Collection) process of erasing the victim block.

According to another aspect of this embodiment, in a file restoration method using an SGX-SSD system including a PV-SSD that is connected to a host server by wire or wirelessly and performs the file input/output method according to the present embodiment, the host server a restoration request process of receiving restoration information, which is either restoration time point or restoration version, and a file path of a restoration target file from the user; a loading process in which a file system driven on the host server loads all LBAs (Logical Block Addresses) corresponding to the restoration target file; a restoration information transmission process of transmitting a message in which the file path, the restoration information, and the loaded LBA list are stored to the PV-SSD; a page search process in which the PV-SSD uses the transmitted LBA list to find a page related to the version with respect to the version corresponding to the restoration information; and a file content restoration process of restoring the file content by rearranging the pages related to the version using the data block offset stored in the OOB area. A method of restoring files using an SSD system is provided.

According to another aspect of this embodiment, in the SGX-SSD system based on SGX (Software Guard Extension) including an enclave, it is connected to a host server by wire or wirelessly, and from a user An SGX-based PV-SSD (Policy-based file) that includes an enclave in which a hard-coded unique key value, Kdev' , is stored, and decrypts data transmitted from the host server using the Kdev' . Versioning SSD); and an enclave in which Kdev , which is the same key value as Kdev' , is stored, and a command to request any one of creation, change, and deletion of all or part of configuration parameters (CP) and file policies from the user (command ), encrypts it using the Kdev and transmits it to the PV-SSD.

As described above, according to the present disclosure, there is an effect of securing Trust I/O of the SSD by providing an SGX-based policy-based version management SSD (PV-SSD).

In addition, as version management with different policies is implemented according to the importance of data, there is an effect of ensuring data integrity, such as recovering important data stored in SSDs even in data tampering attacks of malicious codes with a long incubation period. there is.

Furthermore, there is an effect of enabling file-based policy-based version management in an SSD where it is difficult to manage file semantic-based policy due to data management in block units.

1 is a conceptual diagram illustrating a file policy management method of the SGX-SSD system according to the present embodiment.
2 is a conceptual diagram illustrating a file input/output method of the SGX-SSD system according to the present embodiment.
3A and 3B are flowcharts illustrating a file policy management method according to the present embodiment.
4A and 4B are flowcharts illustrating a file input/output method according to the present embodiment.
5 is a flowchart illustrating a garbage collection process of the SGX-SSD system according to the present embodiment.
6 is a flowchart illustrating a file restoration method of the SGX-SSD system according to the present embodiment.
7 is a graph showing the performance analysis result of the SGX-SSD system according to the present embodiment.

Hereinafter, some embodiments of the present invention will be described in detail with reference to exemplary drawings. In adding reference numerals to the components of each drawing, it should be noted that the same components are given the same reference numerals as much as possible even though they are indicated on different drawings. In addition, in describing the present invention, if it is determined that a detailed description of a related known configuration or function may obscure the gist of the present invention, the detailed description thereof will be omitted.

In addition, in describing the components of the present invention, terms such as first, second, (a), (b), etc. may be used. These terms are only for distinguishing the elements from other elements, and the essence, order, or order of the elements are not limited by the terms. Throughout the specification, when a part 'includes' or 'includes' a certain element, this means that other elements may be further included, rather than excluding other elements, unless otherwise stated. . In addition, the '... Terms such as 'unit' and 'module' mean a unit that processes at least one function or operation, which may be implemented as hardware or software or a combination of hardware and software.

DETAILED DESCRIPTION The detailed description set forth below in conjunction with the appended drawings is intended to describe exemplary embodiments of the present invention and is not intended to represent the only embodiments in which the present invention may be practiced.

In this embodiment, SGX (Software Guard Extension) is assumed to be Intel SGX for convenience of description, but is not limited thereto. For example, if it is an instruction set that provides a Trusted Execution Environment (TEE) that divides a trusted memory part and an untrusted memory part like SGX, the present invention refers to It could be SGX.

In this embodiment, a policy means a policy for the purpose of versioning of each file. Therefore, in the present embodiment, policy-based version management refers to the retention period (RT: Retention Time) and the backup cycle (BC: Backup Cycle) for old versions (OVs) of each file stored in storage. ), all or part of the maximum number of versions is set/changed/deleted, but is not necessarily limited thereto. For example, policy-based version management in another embodiment may set/change/delete a policy for each previous version of the same file.

1 is a conceptual diagram illustrating a file policy management method of the SGX-SSD system according to the present embodiment.

The file policy management of the SGX-SSD system 10 according to the present embodiment is an SGX-based Secure Policy Manager ( 100 ) driven in a host server and SGX connected to the host server by wire or wirelessly. It is performed by PV-SSD (Policy-based File Versioning Solid State Disk, 120) based. The SGX-SSD system 10 shown in FIG. 1 is according to an embodiment of the present disclosure, and not all configurations shown in FIG. 1 are essential components, and are included in the SGX-SSD system 10 in another embodiment. Some components that have been used may be added, changed, or deleted. For example, the SGX-SSD system 10 of another embodiment may further include a PV-SSD other than the illustrated PV-SSD 122 to perform version management of a plurality of PV-SSDs with one SPM 100 . . The SGX-SSD system 10 of another embodiment is implemented in the form of using the SSD resource provided by the cloud server, so the PV-SSD including a device performing the function provided by the PV-SSD 120 (120) may be omitted.

Hereinafter, each configuration for performing file policy management on the SGX-SSD system 10 will be described.

The SPM 100 creates/modifies/deletes (create)/modify/delete a configuration parameter (CP), which is a parameter related to a file policy input by a user into the host server, and a policy. delete) is transmitted to the PV-SSD 120 using a resource of the host server. The SPM 100 may be implemented as a module of an app (app or application) executed in a host server connected to the PV-SSD 120 or a module of the host server itself, but in another embodiment performs the function of the SPM It may be implemented as a separate device for

In this embodiment, the environment setting variables input by the user may include all or part of policy information, a file path, a retention period, a backup cycle, and the maximum number of versions. However, since the user sets/changes/deletes the version control policy of a specific file through input, it is assumed that the environment setting variable input by the user includes at least the file path.

The SPM 100 includes an enclave provided by the SGX. At this time, the SPM 100 and the PV-SSD 120 store Kdev, which is a unique key value set by the user, in each enclave. This Kdev setting may be due to hardcoding by the user. In the present disclosure, for convenience, Kdev stored in the SPM 100 is indicated as Kdev (102) , and Kdev stored in the PV-SSD 120 is indicated as Kdev' (122), but in each The saved Kdev and Kdev' have the same value.

Intel SGX does not provide Trust I/O, so it is not known whether the input from the host server is trusted or not. Accordingly, the SPM 100 drives all processors including the operating system (OS) on the host server by executing the SMM (System Management Mode) before there is input/output (I/O) of the user. suspends (suspend) and enables the SPM (100) to use hardware resources with high privileges. When the SMM is executed, the operating system mode is stopped and the process stored in the system management memory (SMRAM) of the SMM is executed, thereby protecting the user's input from the ring-0 privilege theft by malicious code. In this case, the SMM is preferably Aurora's SMM, but is not limited thereto, and other SMMs may be used as long as the SMM can guarantee the integrity and confidentiality of user input data.

Until the user's input is finished, the SMM forms a secret session with the SPM 100 . When the user's input is finished, the SMM transfers the user's input to the enclave of the SPM 100 through a secret session. After the input is passed to the enclave, the SMM terminates.

The SPM 100 generates an encrypted message obtained by encrypting the user's input using the Kdev 102 . SPM 100 generates a message authentication code (MAC: Message Authentication Code) based on the encrypted message and Kdev (102). The SPM 100 causes the host server to transmit the generated encrypted message and message authentication code to the PV-SSD.

When the encryption message and the message authentication code transmitted to the PV-SSD are verified as reliable, the SPM 100 responds to the PV-SSD as a response that it is trusted from the PV-SSD. A response encrypted by Kdev ' (122) and a message authentication code generated based on the encrypted response and Kdev' (122) are transmitted. The SPM 100 decrypts the received message authentication code using the Kdev 102 to verify the response, and decrypts the encrypted response.

The PV-SSD 120 is connected to the host server by wire or wirelessly, receives the user's policy creation/change/deletion commands and environment setting variables, and policy management that performs any one of policy creation/change/deletion according to the command perform the function The PV-SSD 120 includes all or part of a policy verifier 124 , a request handler 126 , a policy manager 128 , and policy metadata 129 . The PV-SSD 120 shown in FIG. 1 is according to an embodiment of the present disclosure, and not all blocks shown in FIG. 1 are essential components, and some included in the PV-SSD 120 in another embodiment. Blocks can be added, changed, or deleted. For example, in another embodiment, the PV-SSD 120 may further include a policy limiter for restricting policy change.

The verification unit 124 receives the user's input in the form of an encrypted message and message authentication code, and verifies the encrypted authentication code using Kdev' (122) to verify the encrypted authentication code and transmit the user's input to the host server or SPM (100) Make sure this is reliable. As a result of the verification, if the host server or SPM is reliable, the encrypted message decrypted using Kdev' 122 is transmitted to the request processing unit 126 . The verification unit 124 encrypts a response related to the received message using Kdev ' (122), and generates a message authentication code using the encrypted response and Kdev' (122). The verification unit 124 transmits the encrypted response and one message authentication code to the host server so that the SPM 100 verifies it.

The request processing unit 126 parses the decrypted encrypted message, extracts the file policy command and environment setting variables included in the encrypted message, and delivers it to the policy manager 128 .

The policy manager 128 creates, changes, or deletes the policy metadata 129 according to the extracted file policy command and environment setting variables to store and manage the policies related to the file version.

In this case, the policy metadata may be a hash table that stores a policy entry, which is a data structure in which environment setting variables are stored. In this case, the policy metadata may be searched by the policy manager 128 using a hash key using a file path. In another embodiment, the policy metadata may be a linked list or a tree.

A method of managing a file policy using the SGX-SSD system according to the present embodiment will be described later with reference to FIGS. 3A and 3B.

2 is a conceptual diagram illustrating a file input/output method of the SGX-SSD system according to the present embodiment.

The file input/output of the SGX-SSD system 10 according to this embodiment is wired or wireless with the app 200, the file system 202 and the host server that are driven on the host server. It is performed based on SGX-based PV-SSD (Policy-based File Versioning Solid State Disk, 120) connected to The SGX-SSD system 10 shown in FIG. 2 is according to an embodiment of the present disclosure, and not all configurations shown in FIG. 2 are essential components, and are included in the SGX-SSD system 10 in another embodiment. Some components that have been used may be added, changed, or deleted.

Hereinafter, each configuration for performing file input/output on the SGX-SSD system 10 will be described.

The app 200 receives file input/output (file I/O) input from the user using the host server resource, and transmits the received file input/output to the file system 202 in the form of block-unit data in the PV-SSD format. Send to 120. Unlike the file policy creation/change/deletion input received in the SMM environment, the file input/output received from the app may not guarantee data integrity and confidentiality.

The file system 202 receives the file input/output from the app and transmits it to the PV-SSD 120 as block unit data.

The file system 202 is based on the file system of the host server, but is not necessarily limited thereto, and may be a separately inserted file system. In this embodiment, a policy is created/changed/deleted based on file semantic, but data storage is performed in block units in the host server and the PV-SSD 120 . Accordingly, when there is file input/output, the file system 202 requests block I/O to the block layer of the host server and transmits it to the PV-SSD 120 in the form of block unit data. do. The file system 202 piggybacks file input/output to data blocks. Here, piggyback is a data transmission method in which the receiving side does not immediately send an acknowledgment of the received data, but sends an acknowledgment field to the existing data frame only when there is data to be transmitted later. The piggybacked piggyback set further includes data indicating whether or not it has been piggybacked. The file system 202 may piggyback file input/output by configuring it as a piggyback set further including a file path of an input/output target file, and a file offset. In this case, the file offset may be a data block offset in units of data blocks in which files are stored.

The PV-SSD 120 parses the file input/output or piggyback set received from the host server or file system 202, stores it in an Out-Of-Band (OOB) 220 on the PV-SSD 120, and needs VVB (Version Validity Bitmap, 222) is set according to The OOB 220 is a spare area that exists in a physical page of each file, and may indicate a bad block or store an error correction code (ECC) or file system information. The VVB 222 is a bitmap indicating whether each physical page is to be reserved or reclaimed.

The PV-SSD 120 may store all or part of the parsed data in the OOB 220 area corresponding to a physical page of the input/output file. The PV-SSD 120 may set or reset the VVB bit to correspond to the version management policy of the input/output file according to the input/output command type (eg, read/write) of the input/output file. The OOB 220 and the VVB 222 may be located on a NAND flash memory of the PV-SSD 120 . In the present embodiment, the SGX-SSD system 10 assumes that the OOB 220 and the VVB 222 are separate memory regions, but is not limited thereto, and in another embodiment, the OOB 220 and the VVB 222 are not limited thereto. may be implemented as one memory area each having its own function.

The PV-SSD 120 determines whether a policy set in the input/output target file exists by referring to information on whether or not piggyback is included in the received piggyback set. Data to be stored in the OOB 220 area and the value of the VVB 222 bit to be set are changed according to the determination result. In a specific embodiment, when it is determined that the policy set in the input/output file exists, the PV-SSD 120 sets the parsed piggyback set (file path and block offset, which are information included in the piggyback set) among the parsed data. , WT (Written Time), BP (Back Pointer), and LPA (Logical Page Address) of the input/output file are stored in the corresponding OOB 220 area, and the VVB bit is set to 1. In this case, the BP is a pointer indicating a physical page in which the previous version of the file is stored. If it is determined that the policy set in the input/output file does not exist, only the LPA is stored in the corresponding OOB area, and the VVB bit is set to 0.

A method of performing file input/output using the SGX-SSD system according to the present embodiment will be described later with reference to FIGS. 4A and 4B.

The SGX-SSD system according to this embodiment can respond to malicious code attacks in various scenarios. Table 1 shows a scenario for a malicious code attack (eg, ring-0 attack) to which the SGX-SSD system according to this embodiment can respond.

Disk Attack attack scenario detail (1) File Attack File tampering attack by malware (2) Policy Deletion Attack Malware inserts policy delete command (DELETE) to cause PV-SSD to delete policy (3) Version Attack Exceeding the number of allowable file versions through continuous overwrite attacks by malicious code (4) File System Corruption Malware corrupts the host server's file system Man-in-the-middle Attack (5) Contents, LBA Tampering Attack Malicious code transforms the LBA contents corresponding to the file requested by the user to write (6) Piggyback Set Deletion The malicious code deletes the piggyback set transmitted during the file input/output process, causing the PV-SSD to misunderstand that a policy corresponding to file input/output does not exist.

SGX-SSD system attack scenarios of malicious code are largely divided into disk attack and man-in-the-middle attack. The disk attack is an attack that directly tampers data permanently stored in the PV-SSD 120 . The man-in-the-middle attack is an attack in which a malicious code installs a malicious module in a host server and falsifies a message transmitted by the host server to the PV-SSD 120 .

The response method of the SGX-SSD system according to the disk attack scenario according to this embodiment is as follows.

(1) In case of file tampering attack, SGX-SSD can respond by restoring the file to the file version at the time before the intrusion of malicious code.

(2) If there is a policy tampering attack, as the verification unit 124 of the PV-SSD 120 verifies the policy using the Kdev' 122 , the execution of the tampered policy creation/change/deletion command may be refused. can

(3) If there is a version modification attack, the user can protect important files by not specifying the environment setting variable corresponding to the maximum number of versions or setting it to infinity only for important files using the SGX-SSD system.

(4) If there is a file system modification attack, the PV-SSD 120 finds all the physical pages corresponding to the file in question, matches each file, recombines the files, and then proceeds to restore the file. The user can re-implement the SGX-SSD system by connecting the PV-SSD 120 in which the restored file is stored with another host server.

A file restoration method of the SGX-SSD system will be described later with reference to FIG. 6 .

The response method of the SGX-SSD system according to the man-in-the-middle attack scenario according to this embodiment is as follows.

(5) and (6) If there is an attack on the LBA or piggyback set, it can be countered by restoring the file to the file version at the time before the intrusion of the malicious code.

3A and 3B are flowcharts illustrating a file policy management method according to the present embodiment.

3A shows a process performed on a host server in a file policy management method.

The user executes SPM through the host server (S300).

The SPM 100 temporarily suspends the operation of all processors including the operating system, and executes the SMM to enable the resource of the host server to be used with high authority (S310).

The user inputs any one of a command to create/change/delete a policy related to an environment setting variable and a specific file under an environment in which the SMM is executed (S320).

The SMM transmits the user's input to the enclave of the SPM 100 through the secret session (S330).

The SMM terminates the process (S340).

The SPM 100 encrypts the transmitted user's input, generates an encrypted message and a message authentication code, and transmits it to the PV-SSD 120 (S350).

3B shows a process performed on the PV-SSD 120 among the file policy management methods.

The verification unit 124 of the PV-SSD 120 verifies the data integrity of the encrypted message by determining the reliability of the SPM or the host server using the message authentication code Kdev' (122) (S360). The verification unit 124 or the request processing unit 126 decrypts the encrypted message (S360).

The policy management unit 126 creates/changes/deletes a policy according to a policy command included in the decrypted message (S370).

The verification unit 124 generates an encrypted response message and message authentication code in order to respond that the reliability of the SPM has been confirmed (S380) and transmits it to the SPM 100 (S390). However, steps S380 and S390 may be performed together with step S360 or immediately after step S360.

4A and 4B are flowcharts illustrating a file input/output method according to the present embodiment.

File I/O, in particular, file version management occurs when file write is performed, so Figs. 4A and 4B assume a case where file I/O of file write occurs.

4A shows a process performed on a host server in a file policy management method.

The user inputs or commands a file input/output through the app 200 (S400).

The file system 202 piggybacks the file input/output to the data block (S410).

The host server transmits the piggy-backed data, which is the piggy-back set, to the PV-SSD 120 (S420).

4B shows a process performed on the PV-SSD 120 among the file policy management methods.

The PV-SSD 120 parses the piggyback set to extract data such as a file path and a data block offset (S430).

The PV-SSD 120 records the parsed data in the OOB 220 area of the physical page (S440).

Since a new version of the file is generated according to the file writing, the PV-SSD 120 updates the VVB bit corresponding to the physical page of the current version and previous versions of the file (S450). For example, when a previous version exceeding the maximum number of versions occurs, all VVB bits of physical pages corresponding to the version are reset to 0. Alternatively, if there is no policy set in the file, the VVB bit corresponding to the current version of the physical page is set to 0. If there is a policy corresponding to the file and there is no policy expiration problem, the corresponding VVB bit is set or reset to 0.

5 is a flowchart illustrating a garbage collection process of the SGX-SSD system according to the present embodiment.

Garbage collection is a memory management technique that deletes blocks by determining a victim block when there is insufficient memory in the storage device. At this time, the pages in the memory block are reclaimed to become a free state.

The PV-SSD 120 determines a victim block ( S500 ). In this case, a greedy algorithm may be used as a method for determining the victim block. Here, the greedy algorithm is an algorithm that finds the optimal solution of the entire problem in an optimization problem by finding the optimal solution of problems with the same problem but smaller size in order to find the optimal solution of the whole problem.

The PV-SSD 120 checks 510 whether a valid page is included in the victim block. Here, the valid page means a page about the current version of the files.

When the valid page is included in the victim block, the PV-SSD 120 copies the valid page to a block other than the victim block ( S520 ).

PV-SSD 120 performs selective version management to preserve and preserve (S514) by copying the page to another block when the page included in the victor block is not valid but is an OV page (Old Version page) (S512) do. In this case, the OV page means that it has not expired according to a policy among pages related to previous versions of files. Specifically, if the retention period is set in the policy, it means that the retention period has not passed, or if the maximum number of versions is set in the policy, it means that the sequence of the corresponding versions does not exceed the maximum number of versions due to file input/output. That is, expiration means that a corresponding policy exists in a specific page in which the OV is stored, and the corresponding OV is not subject to preservation according to the policy (eg, retention period or maximum number of versions). The PV-SSD 120 differentiates whether pages that are not valid pages are OV pages or invalid pages that are not OV pages through selective version control.

After step S520 or S514 is performed, the PV-SSD 120 deletes the victim block (S530).

6 is a flowchart illustrating a file restoration method of the SGX-SSD system according to the present embodiment.

At this time, the file restoration is assumed to be performed when there is a user's request or command, but is not necessarily limited thereto. For example, when there is an attack by a malicious code in the SGX-SSD system 10, the PV-SSD 120 may search for modified data and perform auto-recovery of data of the previous version.

The user inputs the restoration information that is either the restoration point or the restoration version and the file path of the restoration target file to the host server (S600).

At this time, if the reliability of the host server is not clear such as the authority of the host server is stolen by malicious code or the data in the host server is tampered with (S610), the file system 202 running on the host server provides the file path and restoration information of the file to be restored. is transmitted to the PV-SSD 120 (S612).

In this case, the PV-SSD 120 searches all physical pages corresponding to the restoration target file to find all LPAs (Logical Page Addresses) corresponding to the restoration target file ( S614 ). The PV-SSD searches for a logical page corresponding to the restoration target file by using the LPA, and navigates a chain of the corresponding LPN (Logical Page Number) (S630).

If the host server is reliable, the file system 202 loads all LBAs (Logical Block Addresses) corresponding to the restoration target file, and the file path of the restoration target file, restoration information, and the loaded LBA list are stored. The message is transmitted to the PV-SSD 120 (S620). The PV-SSD searches for a logical page corresponding to the restoration target file by using the LBA list, and navigates the corresponding LPN chain (S630).

By performing step S630, the PV-SSD 120 may find pages related to the previous version of the restoration target file corresponding to the restoration information (S630).

The PV-SSD 120 reorganizes (rearrange) pages related to the previous version based on the data block offset stored in the OOB area corresponding to the physical page in the page related to the previous version corresponding to the restoration information to rearrange the file contents. content) is restored (S640).

The PV-SSD 120 transmits the restored file content to the host server to overwrite the restoration target file, thereby completing the restoration procedure (S650).

7 is a graph showing the performance analysis result of the SGX-SSD system according to the present embodiment.

For performance analysis of the SGX-SSD system according to the present embodiment, a prototype of PV-SSD is implemented in Jasmine OpenSSD, and a virtual file system (VFS, Virtual File System) and a kernel (VFS, Virtual File System) and kernel ( The driver code of the kernel) was modified. In addition, in order to induce garbage collection, the usable storage space (partition) of the SSD is limited to 1 GB, and all pages in the SSD are initialized as invalid pages. Performance evaluation was made by measuring the workload that occurred when performing overwrite. At this time, performance evaluation of Project Almanac, a prior art, was also performed.

7 (a) and (b) show a workload in which overwriting is performed on a file of 20 MB and a file of 32 KB, respectively. As can be seen from (a) and (b) of Figure 7, it can be seen that the performance of the SGX-SSD system is superior to that of Project Almanac regardless of the file size. In both cases, the throughput of the SGX-SSD system was higher than that of Project Almanac, and the memory capacity ratio was lower than that of Project Almanac. As can be seen in FIG. 7 , this trend was conspicuous when the size of the file was large.

The difference in performance is that, in Project Almanac, the retention period of file versions is constant, and version control is performed on all files as overwriting is performed. Even if it is performed, it occurs because version control is performed only on some files. The smaller the file size, the more often the invalid page and the OV page coexist within one block, so garbage collection overhead occurs and the performance difference between each is somewhat reduced.

Although it is described that each process is sequentially executed in FIGS. 3 to 6 , this is merely illustrative of the technical idea of an embodiment of the present invention. In other words, a person of ordinary skill in the art to which an embodiment of the present invention pertains may change the order described in 3 to 6 or execute at least one of each process without departing from the essential characteristics of an embodiment of the present invention. Since it will be possible to apply various modifications and variations by executing the process in parallel, it is not limited to the time series sequence of FIGS. 3 to 6 .

Various implementations of the systems and techniques described herein may be implemented in digital electronic circuitry, integrated circuitry, field programmable gate array (FPGA), application specific integrated circuit (ASIC), computer hardware, firmware, software, and/or combination can be realized. These various implementations may include being implemented in one or more computer programs executable on a programmable system. The programmable system includes at least one programmable processor (which may be a special purpose processor) coupled to receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device. or may be a general-purpose processor). Computer programs (also known as programs, software, software applications or code) contain instructions for a programmable processor and are stored on a "computer-readable recording medium".

The computer-readable recording medium includes all types of recording devices in which data readable by a computer system is stored. These computer-readable recording media are non-volatile or non-transitory, such as ROM, CD-ROM, magnetic tape, floppy disk, memory card, hard disk, magneto-optical disk, and storage device. It may be a medium, and may further include a transitory medium such as a data transmission medium. In addition, the computer-readable recording medium may be distributed in a network-connected computer system, and the computer-readable code may be stored and executed in a distributed manner.

Various implementations of the systems and techniques described herein may be implemented by a programmable computer. Here, the computer includes a programmable processor, a data storage system (including volatile memory, non-volatile memory, or other types of storage systems or combinations thereof), and at least one communication interface. For example, a programmable computer may be one of a server, a network appliance, a set-top box, an embedded device, a computer expansion module, a personal computer, a laptop, a Personal Data Assistant (PDA), a cloud computing system, or a mobile device.

The above description is merely illustrative of the technical idea of this embodiment, and various modifications and variations will be possible without departing from the essential characteristics of the present embodiment by those skilled in the art to which this embodiment belongs. Accordingly, the present embodiments are intended to explain rather than limit the technical spirit of the present embodiment, and the scope of the technical spirit of the present embodiment is not limited by these embodiments. The protection scope of this embodiment should be interpreted by the following claims, and all technical ideas within the scope equivalent thereto should be interpreted as being included in the scope of the present embodiment.

10: SGX-SSD system 100: SPM
102:Kdev 120: PV-SSD
122:Kdev'124: verification unit
126: request processing unit 128: policy manager
129: Policy metadata
200: app 202: file system
220: OOB 222: VVB

Claims (20)

SGX (Software Guard Extension)-based SPM (Secure Policy Manager) running on a host server and SGX (Software Guard Extension)-based PV-SSD (Policy-based File Versioning) connected to the host server by wire or wirelessly In a file policy management method using an SGX-SSD system including a solid state disk,
In order to set a file policy, all or part of a configuration parameter (CP) from a user through a user interface (UI) driven on the host server and creation, change, and file policy an input process of receiving a command for requesting any one of deletion;
a transmission process in which the SPM encrypts the input using Kdev , which is a unique key value stored in an enclave of the SPM, and transmits it to the PV-SSD; and
The PV-SSD decrypts the input using Kdev' , which is a unique key value stored in the enclave of the PV-SSD, and creates, changes and deletes the file policy according to the command extracted from the decrypted input Including the policy management process to perform any one of
The Kdev and the Kdev' have the same key value, and are hard-coded to the SPM and the PV-SSD, respectively.
A file policy management method using the SGX-SSD system, characterized in that SGX (Software Guard Extension)-based SPM (Secure Policy Manager) running on a host server and SGX (Software Guard Extension)-based PV-SSD (Policy-based File Versioning) connected to the host server by wire or wirelessly In a file policy management method using an SGX-SSD system including a solid state disk,
In order to set a file policy, all or part of a configuration parameter (CP) from a user through a user interface (UI) driven on the host server and creation, change, and file policy an input process of receiving a command for requesting any one of deletion;
a transmission process in which the SPM encrypts the input using Kdev , which is a unique key value stored in an enclave of the SPM, and transmits it to the PV-SSD; and
The PV-SSD decrypts the input using Kdev' , which is a unique key value stored in the enclave of the PV-SSD, and creates, changes and deletes the file policy according to the command extracted from the decrypted input Including the policy management process to perform any one of
The Kdev and the Kdev' have the same key value,
The environment setting variable includes policy information, a file path, a retention period (RT, Retention Time), a backup cycle (BC, Backup Cycle) and a maximum number of versions,
The file policy management method using the SGX-SSD system, characterized in that the input includes at least the file path. 3. The method of claim 2,
The input process is
A file policy management method using an SGX-SSD system, characterized in that the operation of all processors including the operating system (OS) of the host server is temporarily suspended, and input is received in an environment in which SMM (System Management Mode) is executed. 4. The method of claim 3,
The input process is
Forms a secret session between the enclave of the SPM and the SMM before the user's input ends,
The transmission process is
The file policy management method using the SGX-SSD system, characterized in that the SMM sends the input to the enclave of the SPM through the secret session. 5. The method of claim 4,
The transmission process is
The SPM generates an encrypted message by using the Kdev to encrypt the input, and generates a message authentication code (MAC, Message Authentication Code) based on the Kdev and the encrypted message, and the encrypted message and the message authentication code A file policy management method using an SGX-SSD system, characterized in that it is transmitted to the PV-SSD. 6. The method of claim 5,
The policy management process is
The PV-SSD verifies the encrypted authentication code transmitted using the Kdev' , and if the verification result is that the SPM is reliable, the encrypted message is parsed to extract data from the input, and the extracted data is A file policy management method using an SGX-SSD system, characterized in that any one of creation, change, and deletion of policy metadata is performed according to the command including: 7. The method of claim 6,
The policy metadata is
It is implemented as a hash table in which a policy entry, which is a data structure in which the environment setting variable including the file path is stored, is stored, and the hash table is searched using the file path. File policy management method using SGX-SSD system. In a file input/output method using an SGX-SSD system that is connected to a host server by wire or wirelessly and includes a PV-SSD that performs the file policy management method according to claim 1,
receiving file I/O from a user through the host server;
a piggyback transmission process in which the host server constructs a piggyback set based on the file input/output and transmits it to the PV-SSD;
OOB in which the PV-SSD parses the piggyback set and stores all or part of the parsed data in an out-of-band region of a physical page corresponding to the file storage process; and
and a VVB setting process in which the PV-SSD sets a Version Validity Bitmap (VVB) bit corresponding to the physical page. 9. The method of claim 8,
The piggyback transmission process is
A file system running on the host server configures a piggyback set including a file path and a data block offset of the file in relation to the file input/output. , A file input/output method using an SGX-SSD system, characterized in that piggyback transfer is performed to a data block in the PV-SSD. 10. The method of claim 9,
The OOB storage process is
If there is no policy corresponding to the file, storing an LPA (Logical Page Address) corresponding to the file in the OOB area,
When there is a policy corresponding to the file, all or part of the data included in the piggyback set, the LPA, WT (Written Time) and BP (Back Pointer) are stored in the OOB area. File input/output method using SSD system. 11. The method of claim 10,
The VVB setting process is
If there is no policy corresponding to the file, the VVB bit is set to 0,
When there is a policy corresponding to the file, the file input/output method using the SGX-SSD system, characterized in that the VVB Bit is set to 1. In the selective version management method using the SGX-SSD system including the PV-SSD performing the file input/output method according to claim 8,
a victim block determination process in which the PV-SSD determines a victim block; and
The selective version management method using the SGX-SSD system, characterized in that it includes a garbage collection (GC, Garbage Collection) process of erasing the big team block. 13. The method of claim 12,
Selective version management using the SGX-SSD system, characterized in that the method further includes a copying process of copying the valid page to another block when the valid page is included in the victim block after the victim block is determined Way. 14. The method of claim 13,
The copy process is
SGX, characterized in that when the page included in the victim block is invalid, the page is differentiated whether the page is an invalid page or an OV page (Old Version page), and if the page is an OV page, the page is copied to another block -Optional version control method using SSD system. 15. The method of claim 14,
The division is
When the page is an old version of a file stored, a policy corresponding to the file exists, and the page has not expired according to the policy, the page is classified as an OV page An optional version control method using the SGX-SSD system. In a file restoration method using an SGX-SSD system that is connected to a host server by wire or wirelessly and includes a PV-SSD that performs the file input/output method according to claim 8,
a restoration request process of receiving restoration information that is either restoration time point or restoration version and a file path of a restoration target file from a user through the host server;
a loading process in which a file system driven on the host server loads all LBAs (Logical Block Addresses) corresponding to the restoration target file;
a restoration information transmission process of transmitting a message in which the file path, the restoration information, and the loaded LBA list are stored to the PV-SSD;
a page search process in which the PV-SSD uses the transmitted LBA list to find a page related to the version with respect to the version corresponding to the restoration information; and
SGX-SSD comprising a file content restoration process of restoring file content by rearranging pages related to the version using a data block offset stored in the OOB area; How to restore files using the system. 17. The method of claim 16,
The page navigation process is
SGX-SSD characterized in that it is performed by searching a logical page corresponding to the restoration target file using the LBA list and navigating an LPN (Logical Page Number) corresponding to the logical page. How to restore files using the system. 17. The method of claim 16,
The file restoration method using the SGX-SSD system, characterized in that the PV-SSD further comprises an overwrite process of overwriting the restoration target file by transmitting the file content to the host server. 17. The method of claim 16,
The restoration information transmission process is
When the reliability of the file system is unclear, a message in which the file path and the restoration information are stored is transmitted to the PV-SSD,
The page navigation process is
What is performed by searching all physical pages corresponding to the restoration target file to find all LPAs (Logical Page Addresses) corresponding to the restoration target file
A file restoration method using the SGX-SSD system, characterized in that In the SGX (Software Guard Extension)-based SGX-SSD system including an enclave,
It is connected to a host server by wire or wirelessly, and includes an enclave in which Kdev' , which is a unique key value set by a user, is stored, and the data transmitted from the host server is decrypted using the Kdev' . SGX-based PV-SSD (Policy-based file Versioning SSD); and
A command that includes an enclave in which Kdev , which is the same key value as Kdev' , is stored, and requests any one of creation, change, and deletion of all or part of configuration parameters (CP) and file policies from the user including an SPM (Secure Policy Manager) that receives the input and encrypts it using the Kdev and transmits it to the PV-SSD,
The Kdev and the Kdev' are SGX-SSD system, characterized in that it comprises hard-coded in each of the SPM and the PV-SSD.

Images