Fighting Mallory the Insider: Strong Write-Once Read-Many Storage Assurances

Abstract

We introduce a Write-Once Read-Many (WORM) storage system providing strong assurances of data retention and compliant migration, by leveraging trusted secure hardware in close data proximity. This is important because existing compliance storage products and research prototypes are fundamentally vulnerable to faulty or malicious behavior, as they rely on simple enforcement primitives that are ill-suited for their threat model. This is hard because tamper-proof processing elements are significantly constrained in both computation ability and memory capacity-as heat dissipation concerns under tamper-resistant requirements limit their maximum allowable spatial gate-density. We achieve efficiency by 1) ensuring the secure hardware is accessed sparsely, minimizing the associated overhead for expected transaction loads, and 2) using adaptive overhead-amortized constructs to enforce WORM semantics at the throughput rate of the storage server's ordinary processors during burst periods. With a single secure coprocessor, on commodity x86 hardware, the architecture can support unlimited read throughputs and over 2500 write transactions per second.