Object storage integrity and consistency

The goal of ESCUDO-CLOUD is to give the users control over data stored in the cloud. This comprises both the confidentiality and the integrity of the data stored on a cloud service that is not trusted. In settings where a single client accesses the data, ordinary symmetric-cryptography schemes can be used for data protection. In settings where multiple clients access the data, the situation becomes more difficult, as concurrent actions must be synchronized.

VICOS is a system for verification of integrity and consistency of cloud object storage. It enables a group of mutually trusting clients to detect data-integrity and consistency violations when accessing cloud storage. VICOS aims at services where multiple clients cooperate on data stored remotely on a potentially misbehaving service. VICOS enforces strong consistency guarantees, supports wait-free client semantics for most operations, and has low computation and communication overhead. The consistency notion achieved by VICOS is called fork-linearizability: it guarantees that any two clients either have fully consistent views or (from some point on) are forked and do not receive any updates from each other. Also, clients can use out-of-band communication to determine whether they are forked.

The VICOS system protects data stored on cloud (object) storage services, such as OpenStack Swift or Amazon S3.




The VICOS system consists of three components:

  1. A cloud object store (COS) service, as offered by commercial providers. It maintains the object data (bulk data) stored by the clients using VICOS.
  2. The VICOS server, which runs remotely as a cloud service accessed by the VICOS client; it stores integrity-specific metadata of the object data being outsourced to the cloud storage service. The metadata is protected through the Authenticated data structure Integrity Protocol (AIP) for a simple key-value store.
  3. The VICOS client enables clients to access the cloud-storage service and transparently protect the integrity and consistency of their object data. It exposes the cloud object store interface to a client application. During each operation, the VICOS client consults the cloud object store (using a COS API) for the object data itself and the VICOS server for integrity-specific metadata (through an AIP client). The integrity-specific metadata consists of a unique key of an object in the COS and its cryptographic hash.

The cloud object store and the VICOS server are both in the untrusted domain; they may, in fact, collude against the clients.
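
The client-side check described in component 3, as an added example that is not VICOS code: the client records each object's hash as metadata and rejects data from the object store that does not match it, which catches both modified objects and replayed older versions. Assumptions: SHA-256 as the cryptographic hash, the hypothetical names `UntrustedObjectStore` and `VerifyingClient`, and a plain dictionary standing in for metadata that AIP would authenticate (AIP itself is not implemented here).

```python
import hashlib
import hmac

class IntegrityError(Exception):
    """Object data returned by the store does not match its recorded hash."""

class UntrustedObjectStore:
    """Stand-in for the COS: holds bulk data and may return anything."""
    def __init__(self):
        self.blobs = {}
    def put(self, key, data):
        self.blobs[key] = data
    def get(self, key):
        return self.blobs[key]

class VerifyingClient:
    """Hypothetical client: bulk data goes to the COS, key -> hash to metadata."""
    def __init__(self, cos, metadata):
        self.cos = cos
        # Assumption: in VICOS this metadata is protected by AIP; here it is
        # a plain dict that the example treats as authentic.
        self.metadata = metadata

    def put(self, key, data):
        self.metadata[key] = hashlib.sha256(data).digest()
        self.cos.put(key, data)

    def get(self, key):
        expected = self.metadata[key]
        data = self.cos.get(key)
        actual = hashlib.sha256(data).digest()
        if not hmac.compare_digest(actual, expected):
            raise IntegrityError(f"object {key!r} does not match recorded hash")
        return data

def demo():
    """Constructed scenario: honest read, modified object, replayed old version."""
    cos = UntrustedObjectStore()
    client = VerifyingClient(cos, {})
    client.put("report.txt", b"v1")
    old_version = cos.get("report.txt")
    client.put("report.txt", b"v2")
    results = {"honest": client.get("report.txt")}
    for label, served in (("modified", b"v2-tampered"), ("stale", old_version)):
        cos.blobs["report.txt"] = served  # the store misbehaves
        try:
            client.get("report.txt")
            results[label] = "accepted"
        except IntegrityError:
            results[label] = "rejected"
    return results
```

The stale case is rejected only because the metadata reflects the latest write; keeping that metadata trustworthy when the server holding it is also untrusted is the part AIP covers.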

Related Publications