HECURA: Exploiting Asymmetry in Performance and Security Requirements for I/O in High-end Computing

HECURA：利​​用高端计算中 I/O 性能和安全要求的不对称性

• 批准号: 0621429
• 负责人: Anand Sivasubramaniam
• 金额: $ 69.97万
• 依托单位: Pennsylvania State Univ University Park
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2006
• 资助国家: 美国
• 起止时间: 2006-08-15 至 2010-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0621429&HistoricalAwards=false
• 关键词: HECURA; Exploiting; Asymmetry; Performance; Security

The growing disparity between processing speeds and I/O performance continues to be a limiting factor in the scalability of large scientific applications. Applications are becoming more data intensive, requiring large storage capacities and high bandwidth access to this storage. Further, application sciences are more collaborative, with sharing of data sets becoming prevalent not just between users/applications of a single organization, but across organizations as well placing even higher performance requirements on the storage system. Given the sensitive nature of many of these applications, in addition to the performance demands, there is an impending need to secure such data from adversarial attacks. The consequences of security breaches can have far reaching consequences, over and beyond the costs of detecting and investigating such breaches. At the same time, one cannot fully confine the data physically since these need to be shared by collaborative applications from different administrative domains. Regulations are also mandating the maintenance of audit records and provenance of data.The motivation for this research is driven by the need to secure storage systems which cater to the demands of high-end applications, while meeting their stringent performance requirements. These two goals - performance and security - are often contradictory, with the mechanisms for optimizing one usually coming at the expense of the other. In the proposed DataVault framework, it is recognized that different environments: (i) have diverse storage architectures, (ii) need to guard against different kinds of threats, and may (iii) have different tolerances for the associated performance overheads when implementing the security mechanisms. Rather than have a one-solution-fits-all approach, The PIs propose to investigate the rich design space - threats, storage architecture, enforcement mechanism, performance - to offer insightful choices that can be useful when deploying/customizing storage systems. DataVault will also include a usable objective-driven policy interface to configure the system for a given set of security and performance needs, while offering a convenient visualization dashboard for security management.

处理速度和 I/O 性能之间不断扩大的差距仍然是大型科学应用程序可扩展性的限制因素。应用程序变得更加数据密集，需要大存储容量和对此存储的高带宽访问。此外，应用科学更具协作性，数据集共享不仅在单个组织的用户/应用程序之间变得普遍，而且在组织之间也变得越来越普遍，并对存储系统提出了更高的性能要求。鉴于许多此类应用程序的敏感性，除了性能需求之外，还迫切需要保护此类数据免受对抗性攻击。安全漏洞的后果可能会产生深远的影响，超出检测和调查此类漏洞的成本。与此同时，人们无法在物理上完全限制数据，因为这些数据需要由来自不同管理域的协作应用程序共享。法规还强制要求维护审计记录和数据来源。这项研究的动机是需要保护存储系统的安全，以满足高端应用程序的需求，同时满足其严格的性能要求。这两个目标（性能和安全性）通常是矛盾的，优化其中一个目标的机制通常会牺牲另一个目标。在拟议的 DataVault 框架中，人们认识到不同的环境：（i）具有不同的存储架构，（ii）需要防范不同类型的威胁，并且（iii）在实施安全性时可能对相关性能开销有不同的容忍度机制。 PI 建议调查丰富的设计空间（威胁、存储架构、执行机制、性能），而不是采用一种万能的解决方案，以提供在部署/定制存储系统时有用的富有洞察力的选择。 DataVault 还将包括一个可用的目标驱动策略界面，用于根据给定的安全和性能需求配置系统，同时为安全管理提供方便的可视化仪表板。