The Iris System: Tidying Up Under the Rug

Virtualization helps conceal hardware complexity, one of its many benefits for programmers and administrators. But it’s also a rug under which security and reliability concerns can be all too easily swept.

Here’s a simple example. Suppose that a file system replicates data across two storage devices to prevent data loss in the advent of a drive crash. If these storage devices are virtual, they can well reside on the same physical hard drive. One physical drive crash, then, will wipe out the file system.

A drawback of fluid logical-to-physical resource mapping is uncertainty it creates about the physical configuration, location, and administration of underlying hardware. Virtualization amplifies software risks too, such as accidental or malicious state rollbacks.

RSA Labs has a long-term research program that aims to restore to both service providers and tenants the security visibility concealed by virtualization and cloud migration. A key element is an idea we call a security inlay, a module transparently introduced into virtualization infrastructure with hooks that make it easier to monitor systems’ security postures. Good inlays, we believe, can actually provide better visibility than even a traditional data center affords.

The Iris system, for example, can serve attractively as a security inlay to render virtualized storage more trustworthy.  Iris ensures the freshness and integrity of data retrieved from storage—any kind of storage in any location. If a corruption or rollback affects retrieved data, Iris will detect it. Iris is also the first system that enables practical, dynamic Proofs of Retrievability (PoRs). It can verify on the fly that all of the data in a file system is intact—down to the last bit. Magically, this operation in Iris touches only a small fraction of the contents of the file system.

One deployment option for Iris is as a security inlay. A tenant’s applications in a VM can, using Iris, detect corruption of retrieved data blocks; Iris is transparent, moreover, to the OS in the VM. At the same time, the tenant can remotely verify the intactness of the file system on demand. In this configuration, Iris brings two benefits: (1) It incorporates potentially untrustworthy storage into the trust perimeter of a tenant’s VMs and (2) It offers a new path or tool for monitoring file system state, and thus auditing compliance with data-retention requirements and regulations. (Note that Iris doesn’t do anything to improve availability or prevent failures: Other inlays or complementary mechanisms are needed to address these complementary issues.)

Here’s a figure illustrating this deployment of Iris.

Image may be NSFW.
Clik here to view.

Iris deployed as a security inlay in the virtualization substrate. The dotted lines here denote trust perimeters assuming a trustworthy OS.

You can learn more about Iris from our research paper here. The paper won an award a couple of months ago, incidentally, thanks to the excellent work of its lead author, Emil Stefanov, a student at UC Berkeley who worked on Iris during a summer internship at RSA Labs.