Survivable information storage systems
ABSTRACT. As society increasingly relies on digitally stored and accessed information, supporting the availability, integrity and confidentiality of this information is crucial. We need systems in which users can securely store critical information, ensuring that it persists, is continuously accessible, cannot be destroyed and is kept confidential. A survivable storage system would provide these guarantees over time and despite malicious compromises of storage node subsets. The PASIS architecture flexibly and efficiently combines proven technologies (decentralized storage system technologies, data redundancy and encoding, and dynamic self-maintenance) for constructing information storage systems whose availability, confidentiality and integrity policies can survive component failures and malicious attacks.
0018-9162/00/$10.00 © 2000 IEEE
Cover Feature
The PASIS architecture flexibly and efficiently combines proven technologies for constructing information storage systems whose availability, confidentiality, and integrity policies can survive component failures and malicious attacks.
As society increasingly relies on digitally stored and accessed information, supporting the availability, integrity, and confidentiality of this information is crucial. We need systems in which users can securely store critical information, ensuring that it persists, is continuously accessible, cannot be destroyed, and is kept confidential. A survivable storage system would provide these guarantees over time and despite malicious compromises of storage node subsets. The PASIS architecture combines decentralized storage system technologies, data redundancy and encoding, and dynamic self-maintenance to create survivable information storage systems.
TECHNOLOGIES FOR SURVIVABLE STORAGE
Survivable systems operate from the fundamental design thesis that no individual service, node, or user can be fully trusted: Having some compromised entities must be viewed as the common case rather than the exception. Survivable systems, then, must replicate and distribute data and services across many

Survivable information storage systems entrust data persistence to sets of nodes rather than to individual nodes. Individual storage nodes must not be able to expose information to anyone; otherwise, compromising a single storage node would let an attacker bypass access-control policies.

To achieve survivability, storage systems must be decentralized and must spread information among independent storage nodes. To be manageable, survivable systems must monitor and repair themselves to avoid unchecked degradation over time.
Decentralized storage systems
Most existing distributed systems store information on, at most, a few servers, making them central so that they are targeted failure points for accidents and malicious attacks. Replacing centralized approaches with highly decentralized systems is a first step toward survivable information storage. Fortunately, much work has been done in cluster storage systems—such as xFS [1], NASD [2], and Petal [3]. These systems all provide applications with a single, unified view of the storage system while distributing or replicating data and metadata across many storage nodes. With a single-system image of storage, client applications don’t need to deal with the complications of data distribution and ser-

Decentralized storage systems partition information among nodes using data distribution and redundancy schemes commonly associated with disk array systems such as RAID (redundant array of independent disks) [4], ensuring scalable performance and fault tolerance. For example, the Petal system stores portions of a file on different storage nodes, replicating each data block on two nodes. When users need to access data, they contact a subset of the storage nodes in the system for the desired information blocks. Although decentralized storage systems were devised for scalability and tolerance of infrequent faults, their elimination of single failure points provides a starting point for developing survivable storage systems.
Data redundancy and encoding
Availability and confidentiality of information are primary goals of many information systems. Most systems enhance availability by providing full replication, but a few systems employ erasure-resilient correction codes, which use less space. Client-side encryption can protect information confidentiality even when storage nodes are compromised.

Threshold schemes—also known as secret-sharing schemes or information dispersal protocols—offer an alternative to these approaches that provides both information confidentiality and availability. These schemes encode, replicate, and divide information into multiple pieces, or shares, that can be stored at different storage nodes. The system can only reconstruct the information when enough shares are available.

For survivable information storage systems, threshold schemes have several advantages over replication:
• Threshold schemes provide considerable versatility because they divide information into a variable number of shares and require a variable fraction of the shares to reconstruct the information. This flexibility creates a trade-off between information confidentiality and availability. For example, requiring fewer shares for reconstruction means that fewer storage nodes must survive attacks to maintain availability, but also that fewer storage nodes must be compromised for an attacker to learn information.
• Most options within the trade-off spectrum are more space efficient than maintaining replicas on
• Some threshold schemes offer encoding and decoding that are orders of magnitude faster than
• Threshold schemes provide information confidentiality from storage nodes without requiring users or client systems to remember or share secret keys.
Over time, all systems need maintenance. The decentralized nature of survivable storage systems makes maintenance difficult and therefore error prone. Truly survivable systems automatically perform some self-maintenance to avoid undesirable conditions. Self-maintenance includes regular monitoring for potential problems, such as failed or compromised nodes, performance bottlenecks, and denial-of-service

For example, a storage node’s failure reduces the number of additional failures that can occur before information is lost. Rebuilding the contents of the lost storage node on a spare replacement restores full redundancy. Another example of self-maintenance is the adjustment of threshold scheme parameters based on observed performance and reliability.

Survivable storage systems have great difficulty coping with undesirable requests from legitimate user accounts. These requests can originate from malicious users, rogue programs run by unsuspecting users (for example, e-mail viruses), or intruders exploiting compromised user accounts. Unfortunately, since there is no way for the system to distinguish an intruder from the real user, the system must treat them similarly. Thus, the intruder can read or write anything to which the real user has access. Even after detecting the intrusion, users and system administrators face daunting tasks: determining the damage the intrusion caused and restoring the user’s data to a safe state. The “Surviving Malicious User Activities” sidebar explains how self-securing storage offers a partial solution to
THE PASIS ARCHITECTURE
The PASIS architecture, shown in Figure 1, combines decentralized storage systems, data redundancy and encoding, and dynamic self-maintenance to achieve survivable information storage. A PASIS system uses threshold schemes to spread information across a decentralized collection of storage nodes. Client-side agents communicate with the collection of storage nodes to read and write information, hiding decentralization from the client system. Automated monitoring and repair agents on storage nodes provide self-maintenance features.

Figure 1. The PASIS architecture. Client systems and storage nodes are attached to the network. Client applications interact with a PASIS storage system through a PASIS agent. Storage devices and repair agents that monitor system status comprise the
Several current and prior efforts employ similar architectures to achieve survivability. For example, the Intermemory Project [5] and the Eternity Service [6] proposal use decentralization and threshold schemes for long-term availability and integrity of archived write-once digital information. The e-Vault [7] and Delta-4 [8] projects do the same for online read-and-write information storage. Delta-4 additionally addresses information confidentiality and other system services, such as authentication. All of these projects have advanced the understanding of these technologies and their roles in survivable storage systems, but such systems have not yet achieved widespread use.

Because these technologies are believed to enhance storage system survivability, we have focused our efforts on designing survivable systems with performance and manageability on a par with simpler, conventional approaches. Only when such systems exist will survivable information systems be widely
PASIS system components and operation
A PASIS system includes clients and servers. The servers, or storage nodes, provide persistent storage of shares; the clients provide all other aspects of PASIS functionality. Specifically, PASIS clients include agent programs that communicate with collections of PASIS servers to collect necessary shares and combine them using threshold schemes. This approach helps the system scale and simplifies its decentralized trust model. In fact, some system configurations can employ PASIS servers that are ignorant of decentralization and threshold schemes; for example, in our simplest demonstration, the PASIS client uses shared folders on Microsoft’s Network Neighborhood as storage nodes. More advanced storage servers are clearly possible.

As with any distributed storage system, PASIS requires a mechanism that translates object names—for example, file names—to storage locations. A directory service maps the names of information objects stored in a PASIS system to the names of the shares that comprise the information object. A share’s name has two parts: the name of the storage node on which the share is located and the local name of the share on that storage node. A PASIS file system can embed the information needed for this translation in directory entries. For example, our PASIS implementation of NFS (Network File System) functions in this way.
As the “General Threshold Schemes” sidebar describes, a p-m-n threshold scheme breaks information into n shares so that any m of the shares can reconstruct the information and fewer than p shares reveal no information. To service a read request, the client:
• Looks up, in the directory service, the names of the n shares that comprise the object.
• Sends read requests to at least m of the n storage
• Collects the responses. If it receives fewer than m responses, the client retries the failed requests. Alternatively, the client can send read requests to other previously unselected storage nodes. This step continues until the client has collected m dis-
• Performs the appropriate threshold operation on the received shares to reconstruct the original
Surviving Malicious User Activities

Self-securing storage prevents intruders from undetectably tampering with or permanently deleting stored data. Since there is no way to differentiate intruders from legitimate users, self-securing storage devices consider all requests to be suspect. These self-contained, self-controlling storage devices—for example, enhanced disk drives or PASIS storage nodes—internally version all data and audit all requests for a guaranteed amount of time, such as a week or a month. This provides system administrators with a window of time during which to detect and recover from intrusions. Using this information after an intrusion, administrators can figure out what the intruder did and quickly recover the true user’s information. Further, since the device maintains unscrubbable audit logs—that is, they cannot be erased by client-side intruders—security personnel can use the logs to partially identify the propagation of intruder-tainted information around the system.

Experiments and evaluations indicate that self-securing storage is feasible [1]. In particular, performance can be comparable to traditional storage devices, and storage capacities allow reasonable versioning window guarantees. For example, one or more weeks’ worth of all changes to all data can be kept on modern storage devices at reasonable cost. Further, with sustained 60 to 100 percent per year capacity growth, the length of this window is expected to grow. With the ability to keep all versions of all data for several weeks, self-securing storage will be an important tool for surviving client and user account intrusions.

Sidebar reference
1. J. Strunk et al., “Design and Implementation of a Self-Securing Storage Device,” Tech. Report CMU-CS-00-129, School of Computer Science, Carnegie Mellon Univ., May 2000, to appear in OSDI 2000.
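The sidebar's mechanism (version every write, turn deletes into tombstones, keep audit records that no client request can erase, and scrub only what falls outside the guaranteed window) can be sketched in a few dozen lines. The Python block below is an added example and not the self-securing storage device described in the cited report; the object name, client names, window length and the intrusion time are constructed for the example, and the device cannot tell the intruder's requests from the legitimate user's because both arrive under the same account.

```python
# Added example (not the device from the sidebar's reference): a toy
# self-securing store that versions every write, turns deletes into
# tombstones, and keeps an append-only audit log. No client-facing operation
# can erase history; only the device's own expiry scrubs data older than the
# guaranteed window.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Version:
    time: int
    client: str
    data: Optional[bytes]      # None marks a delete (tombstone)


class SelfSecuringDevice:
    def __init__(self, window: int):
        self.window = window                       # guaranteed retention, in device ticks
        self.now = 0
        self.versions = defaultdict(list)          # object -> [Version, ...], oldest first
        self.audit = []                            # (time, client, op, obj); append-only

    def _tick(self, client: str, op: str, obj: str) -> None:
        self.now += 1
        self.audit.append((self.now, client, op, obj))

    # All requests are treated as suspect: nothing here overwrites in place.
    def write(self, obj: str, data: bytes, client: str) -> None:
        self._tick(client, "write", obj)
        self.versions[obj].append(Version(self.now, client, data))

    def delete(self, obj: str, client: str) -> None:
        self._tick(client, "delete", obj)
        self.versions[obj].append(Version(self.now, client, None))

    def read(self, obj: str, client: str) -> Optional[bytes]:
        self._tick(client, "read", obj)
        return self.versions[obj][-1].data if self.versions[obj] else None

    # Administrator-side recovery and forensics.
    def version_at(self, obj: str, time: int) -> Optional[bytes]:
        """Contents of obj as of `time` (newest version written at or before it)."""
        for v in reversed(self.versions[obj]):
            if v.time <= time:
                return v.data
        return None

    def restore(self, obj: str, time: int, admin: str) -> None:
        """Roll obj back to its contents at `time` as a new version, so the
        tampered versions stay in history for investigation."""
        data = self.version_at(obj, time)
        if data is None:
            self.delete(obj, admin)
        else:
            self.write(obj, data, admin)

    def activity_of(self, client: str) -> list:
        return [entry for entry in self.audit if entry[1] == client]

    def expire(self) -> None:
        """Device-internal scrub: drop versions and audit entries older than the
        window, keeping the last version before the cutoff so that any time
        inside the window can still be reconstructed."""
        cutoff = self.now - self.window
        for obj, vs in self.versions.items():
            older = [v for v in vs if v.time <= cutoff]
            self.versions[obj] = older[-1:] + [v for v in vs if v.time > cutoff]
        self.audit = [e for e in self.audit if e[0] > cutoff]


def intrusion_scenario() -> SelfSecuringDevice:
    """Constructed timeline: two legitimate writes, then an intruder using the
    same (compromised) account tampers and deletes. The device cannot tell the
    two apart, but an administrator who later dates the intrusion can recover."""
    dev = SelfSecuringDevice(window=1000)
    dev.write("payroll.db", b"salaries v1", "alice")      # t=1, legitimate
    dev.write("payroll.db", b"salaries v2", "alice")      # t=2, legitimate
    dev.write("payroll.db", b"tampered", "alice")         # t=3, intruder
    dev.delete("payroll.db", "alice")                     # t=4, intruder
    intrusion_start = 3                                   # assumed: learned from other evidence
    dev.restore("payroll.db", intrusion_start - 1, "admin")
    return dev
```

After `intrusion_scenario()` the current contents are the pre-intrusion `salaries v2`, the tampered version and the tombstone remain readable through `version_at`, and `activity_of("alice")` lists all four requests, which is what lets an administrator scope the damage even though the account name alone does not identify the intruder.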
Performing a write in PASIS requires more steps than performing a read. The write process is similar to a read, but does not complete until at least n – m + 1 (or m, whichever is greater) storage nodes have stored their shares. That is, a write must ensure that fewer than m shares have not been overwritten to preclude reading m shares that were not updated. To maintain full availability, all n must be updated.
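The read steps above and this write rule can be checked against each other with a small simulation. The following Python block is an added example, not the PASIS implementation: shares are opaque (version, payload) pairs and the threshold encoding itself is not modelled. It confirms that once max(n – m + 1, m) nodes have stored a new version, no read of m distinct shares can consist only of stale shares, and that a write acknowledged by fewer nodes leaves such a read possible. The node names, share names and payloads are constructed for the example.

```python
# Added example (not the PASIS implementation): read/write quorums simulated
# against in-memory storage nodes. Shares are opaque (version, payload) pairs.
from itertools import combinations


def write_quorum(n: int, m: int) -> int:
    """Nodes that must store their share before a write completes:
    n - m + 1, or m if that is larger. Leaving fewer than m stale shares
    means no read of m shares can consist only of un-updated shares."""
    return max(n - m + 1, m)


class StorageNode:
    """A server that only stores shares; it knows nothing about thresholds."""

    def __init__(self, name: str):
        self.name = name
        self.available = True
        self.shares: dict[str, tuple[int, str]] = {}   # local share name -> (version, payload)

    def put(self, share_name: str, version: int, payload: str) -> bool:
        if not self.available:
            return False
        self.shares[share_name] = (version, payload)
        return True

    def get(self, share_name: str):
        return self.shares.get(share_name) if self.available else None


class PasisClient:
    """Client-side agent: directory lookup, share placement, quorum handling."""

    def __init__(self, nodes: list, m: int):
        self.nodes, self.m = nodes, m
        self.directory: dict[str, list] = {}   # object -> [(node index, share name)]

    def write(self, obj: str, version: int, share_payloads: list) -> bool:
        n = len(share_payloads)
        assert n <= len(self.nodes)             # assumed: one share per distinct node
        placement = [(i, f"{obj}.share{i}") for i in range(n)]
        stored = sum(self.nodes[i].put(s, version, pl)
                     for (i, s), pl in zip(placement, share_payloads))
        self.directory[obj] = placement
        return stored >= write_quorum(n, self.m)

    def read(self, obj: str, over_request: int = 0):
        """Ask at least m nodes (plus an optional over-request), then keep asking
        previously unselected nodes until m distinct shares are collected."""
        pending = list(self.directory[obj])
        collected: dict[str, tuple[int, str]] = {}
        batch = self.m + over_request
        while len(collected) < self.m and pending:
            ask, pending = pending[:batch], pending[batch:]
            for i, s in ask:
                share = self.nodes[i].get(s)
                if share is not None:
                    collected[s] = share
            batch = self.m - len(collected)
        return list(collected.values())[:self.m] if len(collected) >= self.m else None


def run_scenario(n: int = 6, m: int = 3, nodes_down_during_update: int = 1):
    """Write v1 everywhere, write v2 while some nodes are down, then bring them
    back holding stale v1 shares. Returns (v2 write accepted?, can some m-share
    read consist only of stale shares?, versions a read returns now)."""
    nodes = [StorageNode(f"node{i}") for i in range(n)]
    client = PasisClient(nodes, m)
    client.write("D", 1, [f"v1-part{i}" for i in range(n)])   # constructed payloads
    for node in nodes[n - nodes_down_during_update:]:
        node.available = False
    accepted = client.write("D", 2, [f"v2-part{i}" for i in range(n)])
    for node in nodes:
        node.available = True
    placement = client.directory["D"]
    stale_read_possible = any(all(nodes[i].get(s)[0] == 1 for i, s in subset)
                              for subset in combinations(placement, m))
    versions = sorted(v for v, _ in client.read("D"))
    return accepted, stale_read_possible, versions
```

With n = 6 and m = 3 the quorum is 4: an update that reaches 5 or 4 nodes is accepted and every 3-share read sees at least one new share, while an update that reaches only 3 nodes is rejected, and indeed the three stale nodes together would answer a read with nothing but old data.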
In addition, consider two clients, A and B, writing to the same object, D, concurrently. Because PASIS storage nodes are independent components of a distributed system, no assumptions should be made about the order in which the storage nodes see the writes. Thus, some storage nodes could have shares for DA, while others could have shares for DB. A similar problem arises if a client accidentally or maliciously updates only a subset of the shares.

One approach to handling concurrency problems assumes that a higher-level system addresses them. There are domains in which this approach is feasible. For example, information belonging to a single user and distributed applications that manage their own concurrency can use a storage system that does not guarantee correctness of concurrent writes.

For general-purpose use, a PASIS system must provide a mechanism that guarantees atomicity of operations. One such mechanism, atomic group multicast, guarantees that all correct group members process messages from other correct members in the same order. Atomic group multicast technology has been developed
General Threshold Schemes

A p-m-n general threshold scheme breaks information into n shares so that
• every shareholder has one of the shares,
• any m of the shareholders can reconstruct the information,
• a group of fewer than p shareholders gains no information.

Clearly, m must be less than or equal to n, and p must be less than or equal to m. Figure A illustrates some simple threshold

Secret-sharing schemes are m-m-n threshold schemes that trade off information confidentiality and information availability; the higher the confidentiality guarantee, the more shares required to reconstruct the original information object [1-3]. Secret-sharing schemes can be thought of as a combination of splitting and replication techniques.

Figure B demonstrates how Blakley’s secret-sharing scheme works in an m-dimensional space [1]. Secrets (information) are points in the space, and shares are multidimensional planes. Fewer than m shares represent a multidimensional plane that contains the secret. However, since all points in the field being considered are part of the plane, no information is revealed. With m shares, a single point of intersection—the secret—is determined. Shamir’s secret-sharing scheme, developed at the same time as Blakley’s, is based on interpolating the coefficients of a polynomial by evaluating the polynomial at certain points [2].

Ramp schemes implement the full range of general p-m-n threshold schemes [4]. Ramp schemes operate like secret-sharing schemes up to p shares and like information dispersal schemes with p or more shares.
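The polynomial view of Shamir's scheme extends directly to the ramp schemes just described. The Python block below is an added example, not code from the PASIS project or from the sidebar's references: it implements the standard polynomial p-m-n ramp construction over a prime field, where a polynomial of degree m – 1 carries 1 + m – p data symbols in its low coefficients and p – 1 random symbols in its high coefficients, and share i is the point (i, f(i)). Any m shares recover the polynomial, and exactly p – 1 shares are consistent with every possible data block. With p = m the code is Shamir's secret sharing; with p = 1 it is a Reed-Solomon style information dispersal algorithm; in between, each share is 1/(1 + m – p) of the object, which is the share-size trade-off the article states. The field size Q = 257 and the share points 1..n are assumed parameters of the example.

```python
# Added example (not from the PASIS article): a polynomial p-m-n ramp scheme
# over GF(Q). Any m shares reconstruct the data block; fewer than p shares are
# consistent with every possible data block and so reveal nothing. With p = m
# this is Shamir's scheme; with p = 1 it is information dispersal, and each
# share is 1/(1+m-p) of the object, the share-size trade-off given in the text.
import secrets

Q = 257  # assumed prime field: one data symbol per byte value 0..255


def _inv(a: int) -> int:
    # Multiplicative inverse in GF(Q) via Fermat's little theorem.
    return pow(a, Q - 2, Q)


def _solve_mod(matrix: list, rhs: list) -> list:
    """Gauss-Jordan elimination over GF(Q): returns x with matrix * x = rhs."""
    k = len(matrix)
    a = [row[:] + [b] for row, b in zip(matrix, rhs)]
    for col in range(k):
        pivot = next(r for r in range(col, k) if a[r][col] % Q)
        a[col], a[pivot] = a[pivot], a[col]
        inv = _inv(a[col][col])
        a[col] = [v * inv % Q for v in a[col]]
        for r in range(k):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(vr - f * vc) % Q for vr, vc in zip(a[r], a[col])]
    return [row[k] for row in a]


def _eval(coeffs: list, x: int) -> int:
    # Horner evaluation of sum(coeffs[j] * x**j) in GF(Q).
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def split(block: list, p: int, m: int, n: int) -> list:
    """Encode one block of 1+m-p symbols (ints in 0..Q-1) into n shares (x, y)."""
    assert 1 <= p <= m <= n < Q and len(block) == 1 + m - p
    coeffs = list(block) + [secrets.randbelow(Q) for _ in range(p - 1)]
    return [(x, _eval(coeffs, x)) for x in range(1, n + 1)]


def combine(shares: list, p: int, m: int) -> list:
    """Recover the data block from any m shares with distinct x values."""
    pts = shares[:m]
    assert len({x for x, _ in pts}) == m
    vandermonde = [[pow(x, j, Q) for j in range(m)] for x, _ in pts]
    coeffs = _solve_mod(vandermonde, [y for _, y in pts])
    return coeffs[:1 + m - p]


def fits(shares: list, guess: list, p: int, m: int) -> bool:
    """Given exactly p-1 shares, is `guess` a possible data block? The p-1
    random coefficients give p-1 unknowns for p-1 equations, so the answer is
    always True: fewer than p shares carry no information about the data."""
    d = 1 + m - p
    assert len(shares) == p - 1 and len(guess) == d
    matrix = [[pow(x, d + j, Q) for j in range(p - 1)] for x, _ in shares]
    rhs = [(y - _eval(guess, x)) % Q for x, y in shares]
    coeffs = list(guess) + _solve_mod(matrix, rhs)
    return all(_eval(coeffs, x) == y for x, y in shares)


if __name__ == "__main__":
    shares = split([0x50, 0x41, 0x53], p=2, m=4, n=6)   # constructed sample block "PAS"
    print(combine(shares[2:], 2, 4))                   # any 4 of the 6 shares recover it
    print(fits(shares[:1], [1, 2, 3], 2, 4))           # one share fits any guessed block
```

The `fits` function is the information-theoretic argument made executable: for a 3-3-5 scheme, two shares are consistent with a data symbol of 0 and equally with 123, so an intruder holding them has learned nothing; for a 2-4-6 ramp scheme, a single share is consistent with every one of the Q possible values of each data symbol.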
Threshold schemes can be used instead of cryptographic techniques to guarantee the confidentiality of information, and the two techniques can also be combined. For example, short secret sharing encrypts the original information with a random key, stores the encryption key using secret sharing, and stores the encrypted information using information dispersal [5]. Short secret sharing offers a different set of trade-offs between confidentiality and storage requirements than general threshold schemes. The confidentiality of the information stored by short secret sharing hinges on the difficulty of analyzing the information gained by

Figure A. Examples of simple threshold schemes: (a) Replication (1-1-n) increases information availability by increasing the storage required by a factor of n. Replication provides no information confidentiality because each share contains an entire copy of the original information object. (b) Splitting (n-n-n) increases information confidentiality by increasing the storage required by a factor of n. Splitting decreases information availability because all n shares must be available. (c) Decimation (1-n-n) divides information objects into n pieces and stores each piece separately. Decimation decreases information availability because all shares must be available; it offers no information-theoretic confidentiality because each share exposes 1/n of the original information. (d) Rabin’s [7] information dispersal algorithm (1-m-n) offers a range of information storage solutions that trade off between information availability and required storage. Like decimation, information dispersal algorithms do not offer
for several secure distributed systems, such as Rampart [9] and BFS [10]. Unfortunately, atomic group multicast can be expensive in large and faulty environments because the group members often must exchange many rounds of messages to reach agreement.
PASIS architecture characteristics
The PASIS architecture provides better confidentiality, availability, durability, and integrity of information than conventional replication—but at a cost in

To compare the PASIS architecture to a conventional information storage system, consider a PASIS installation with 15 storage nodes that uses a 3-3-6 threshold scheme and uniformly distributes shares among storage nodes. The conventional installation, on the other hand, organizes 15 servers into five server groups, each storing 20 percent of the information on a primary server and two backup replica servers. Table 1 summarizes this comparison.

Confidentiality determines a system’s ability to ensure that only authorized clients can access stored information. To breach the conventional system’s confidentiality, an intruder only needs to compromise a single storage node that has a replica of the desired object. In a PASIS system, an intruder must compromise several storage nodes to breach confidentiality.

Availability describes a system’s ability to serve a specific request. For comparison purposes, assume that each storage node fails independently with a
General Threshold Schemes (sidebar, continued)

collecting shares, because the information gained pertains to the encrypted information object.

An extension to threshold schemes is cheater detection [6]. In a threshold scheme that provides cheater detection, shares are constructed in such a fashion that a client reconstructing the original information object can tell, with high probability, whether any shares have been modified. This technique allows strong information-integrity guarantees. Cheater detection can also be implemented using cryptographic techniques, such as adding digests to information before storing it.

Table A shows the properties of some p-m-n threshold

Sidebar references
1. G. Blakley, “Safeguarding Cryptographic Keys,” Proc. Nat’l Computer Conf., American Federation of Information Processing Societies, Montvale, N.J., 1979, pp. 313-317.
2. A. Shamir, “How to Share a Secret,” Comm. ACM, Nov. 1979, pp.
3. E. Karnin, J. Greene, and M. Hellman, “On Secret Sharing Systems,” IEEE Trans. Information Theory, Jan. 1983, pp. 35-41.
4. A. De Santis and B. Masucci, “Multiple Ramp Schemes,” IEEE Trans. Information Theory, July 1999, pp. 1720-1728.
5. H. Krawczyk, “Secret Sharing Made Short,” Advances in Cryptology, D.R. Stinson, ed., Springer-Verlag, Berlin, 1993, pp. 136-146.
6. M. Tompa and H. Woll, “How to Share a Secret with Cheaters,” J. Cryptology, Feb. 1988, pp. 133-138.
7. M. Rabin, “Efficient Dispersal of Information for Security, Load Balancing, and Fault Tolerance,” J. ACM, Apr. 1989, pp. 335-

Figure B. Blakley’s secret-sharing scheme, with m = 2 and n = 3. (Figure residue: the three shares are the lines a1x + b1, a2x + b2, and a3x + b3.)

Table A. Properties of some p-m-n threshold schemes. (Only fragments of this table survived extraction. Recoverable row labels: “Information dispersal algorithm” and “Short secret sharing”. Recoverable cell values: “Perfect, then incremental”, “n/(1 + m − p)”, “n/m + nε”, “XOR of data”, “Data Encryption Standard”, and the reference “De Santis and Masucci [4]”.)
probability of 0.001. With this assumption, the PASIS system has two orders of magnitude higher availability than the conventional system.

Durability is a system’s ability to recover information when storage nodes are destroyed. In the conventional system, an intruder must destroy three storage nodes (an entire server group) to maliciously erase information. In the PASIS system, an intruder must destroy four storage nodes to erase information.

Integrity is a system’s ability to ensure that it correctly serves requests. To maliciously affect a read request in a PASIS system, an intruder must compromise the m storage nodes serving the read request (assuming a share-verification scheme is in place). In a conventional system, an intruder compromising a primary server can cause it to return arbitrary values to read requests.

Required storage is the extra storage space a system needs beyond a single-copy baseline. In a PASIS system, the storage required depends on the threshold scheme being used. For example, secret sharing requires the same storage as replication, whereas information dispersal requires less storage than replication.

Latency is the delay a system experiences when it serves a request. In a conventional system, a client processes a read or write request by exchanging messages with a single server. In a PASIS system, messages must be exchanged with multiple storage nodes, which can significantly impact performance. However, some threshold schemes require that m servers each provide S/m of a dispersed object’s S bytes. For large objects, network and client bandwidth limitations can potentially hide the overhead of contacting m servers.
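The figures in this comparison follow from a few binomial and hypergeometric tail sums. The Python block below is an added example, not the authors' analysis code: it reproduces the Table 1 values for the 3-3-6 scheme on 15 nodes (objects' shares placed uniformly on distinct nodes) against three-server conventional groups, and the same functions take arbitrary N, p, m, n and failure probability, so the effect of raising n, m or p can be read off them directly. The uniform-placement and independent-failure assumptions are those stated in the text.

```python
# Added example (not from the article): the arithmetic behind Table 1.
# A PASIS installation has N storage nodes; each object's n shares sit on
# n distinct nodes; a p-m-n scheme reveals nothing below p shares and
# reconstructs from any m. The conventional system keeps r replicas per group.
from math import comb


def fraction_hit(N: int, n: int, k: int, t: int) -> float:
    """Fraction of objects with at least t of their n shares on a given set of
    k nodes out of N (hypergeometric tail; share placement is uniform)."""
    if t > min(n, k):
        return 0.0
    return sum(comb(n, j) * comb(N - n, k - j)
               for j in range(t, min(n, k) + 1)) / comb(N, k)


def revealed(N: int, n: int, p: int, k: int) -> float:
    """Confidentiality: fraction of objects exposed when k nodes are compromised."""
    return fraction_hit(N, n, k, p)


def nodes_to_erase(n: int, m: int) -> int:
    """Destroying n - m + 1 shares leaves fewer than m, so the object is gone."""
    return n - m + 1


def erased(N: int, n: int, m: int, k: int) -> float:
    """Durability: fraction of objects lost when k nodes are destroyed."""
    return fraction_hit(N, n, k, nodes_to_erase(n, m))


def unavailable(n: int, m: int, f: float) -> float:
    """Availability: P(fewer than m of n shares reachable) when each node
    fails independently with probability f."""
    return sum(comb(n, j) * f ** j * (1 - f) ** (n - j)
               for j in range(n - m + 1, n + 1))


def conventional_unavailable(replicas: int, f: float) -> float:
    return f ** replicas          # a request fails only if the whole group is down


def storage_factor(n: int, m: int, p: int) -> float:
    """Space relative to one copy: n shares, each 1/(1+m-p) of the object."""
    return n / (1 + m - p)


def table1(N: int = 15, p: int = 3, m: int = 3, n: int = 6, f: float = 0.001) -> dict:
    return {
        "revealed_1_node": revealed(N, n, p, 1),
        "revealed_3_nodes": revealed(N, n, p, 3),
        "unavailable": unavailable(n, m, f),
        "conventional_unavailable": conventional_unavailable(3, f),
        "nodes_to_erase": nodes_to_erase(n, m),
        "erased_when_destroyed": erased(N, n, m, nodes_to_erase(n, m)),
        "storage_factor": storage_factor(n, m, p),
    }


if __name__ == "__main__":
    for key, value in table1().items():
        print(f"{key:26s} {value:.3g}")
```

Three compromised nodes expose an object only when all three hold its shares, C(6,3)/C(15,3) ≈ 4.4 percent of objects; four destroyed nodes erase C(6,4)/C(15,4) ≈ 1.1 percent; and a read fails only when four or more of an object's six nodes are down, about 1.5 × 10^-11 against 10^-9 for a three-replica group, the two orders of magnitude the text quotes.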
PASIS architecture performance trade-offs
Threshold schemes can increase an information storage system’s confidentiality, availability, and integrity. However, such schemes present trade-offs among information confidentiality, information availability, and storage requirements:
• As n increases, information availability increases (it’s more probable that m shares are available), but the storage required for the information increases (more shares are stored) and confidentiality decreases (there are more shares to steal).
• As m increases, the storage required for the information decreases (a share’s size is proportional to 1/(1 + m – p)), but so does its availability (more shares are required to reconstruct the original object). Also, as m increases, each share contains less information; this may increase the number of shares that must be captured before an intruder can reconstruct a useful portion of the original object.
• As p increases, the information system’s confidentiality increases, but the storage space required for the dispersed information also increases.
Table 1. Comparison of PASIS and conventional systems.

Property                                                                          PASIS (3-3-6 scheme, 15 nodes)          Conventional (5 groups of 3 servers)
Confidentiality
  Percentage of information revealed if one storage node is compromised           (cell not recovered)                    (cell not recovered)
  Percentage of information revealed if three storage nodes are compromised       4.4 percent                             Up to 60 percent
Availability
  Probability that the system cannot serve a read request if each node
  fails with probability 0.001                                                    1.5 × 10^-11                            (cell not recovered)
Durability
  Number of nodes that must be destroyed to erase a piece of information          4                                       3 (a server group)
  Percentage of information erased when the above occurs                          1.1 percent                             20 percent
Integrity
  Nodes that must be compromised to falsely serve a read request                  3 (m nodes)                             1 (primary server)
  Nodes that must be compromised to modify stored information without ...         4 (greater(n – m + 1, m))               1 (primary server)
Required storage (factor by which data ...)                                       6× (n×)                                 3× (n×)
Latency
  Reading small objects                                                           Significantly higher latency for PASIS
  Reading large objects                                                           (cell not recovered)
With this flexibility, selecting the most appropriate threshold scheme for a given environment is not trivial.

Clients can also make trade-offs in terms of how they interact with storage nodes that hold shares. Even though only m shares are required to reconstruct an object, a client can over-request shares. That is, a client can send read requests to between m and n storage nodes. By over-requesting, the client reduces the risk that a read stalls because a storage node holding a needed share is unavailable or slow.
Automatic trade-off selection
For the PASIS architecture to be as effective as possible, it must make the full flexibility of threshold schemes available to clients. We believe this option requires automated selection of appropriate threshold schemes on a per-object basis. This selection should combine object characteristics and observations about the current system environment. For example, a PASIS client could use short secret sharing to store an object larger than a particular size, and conventional secret sharing to store smaller objects. The size that determines which threshold scheme to use could be a function of the object type, current system performance, or both.

As another example, an object marked as archival—for which availability and integrity are the most important storage characteristics—should use an extra-large n. For read/write objects, increased write overhead makes large n values less desirable. Moreover, if the archival object is also marked as public—such as a Web page—the client should ignore confidentiality guarantees when selecting the threshold scheme.

System performance observations can also be used to dynamically improve per-request performance. For example, clients can request shares from the m storage nodes that have responded most quickly to their recent requests. Storage nodes can also help clients make these decisions by providing load information or by asking them to look elsewhere when long response times are expected.

As mentioned earlier, clients can use over-requesting to improve performance. For example, in an ad hoc network with poor message-delivery guarantees, a PASIS client could notice the request loss rate and increase the number of shares requested on a read. On the other hand, in a very busy environment, the excess load on storage nodes inherent to over-requesting can
Proven technologies exist for constructing information storage systems whose availability, confidentiality, and integrity policies can survive component failures and malicious attacks. The main challenges in deploying these systems relate to their engineering. Specifically, we need implementation techniques to help these systems achieve performance and manageability competitive with today’s nonsurvivable storage systems. We believe this requirement can be met by aggressively exploiting the flexibility offered by general threshold schemes within the PASIS architecture. More information about PASIS is available at http://PASIS.ices.cmu.edu/.
Our PASIS work is supported by DARPA/ISO’s Intrusion Tolerant Systems program (Air Force contract number F30602-99-2-0539-AFRL) and by the Pennsylvania Infrastructure Technology Alliance. We thank the many members of the PASIS team, including Ergin Guney, Qi He, Semih Oguz, Joe Ordia, Yaron Rachlin, Xiaofeng Wang, and Mike Vande Weghe, for their efforts and for helping us to develop these ideas. We also thank Mike Vande Weghe and the anonymous reviewers for helping to improve the quality of this article.
Jay J. Wylie is a PhD student in the Electrical and Computer Engineering Department at Carnegie Mellon University. His research interests include distributed systems and security. Wylie received an MS in electrical and computer engineering from Carnegie Mellon University. He is a member of the IEEE. Contact him at jwylie@cmu.

Michael W. Bigrigg is a project scientist with the Institute for Complex Engineered Systems at Carnegie Mellon University. His research interests include software engineering for embedded and reliable information systems, specifically programming languages and systems. He received an MS in computer science from the University of Pittsburgh. Contact him at firstname.lastname@example.org.

John D. Strunk is a PhD student in the Electrical and Computer Engineering Department at Carnegie Mellon University. His research interests include computer system security, storage systems, and distributed systems. Strunk received an MS in electrical and computer engineering from Carnegie Mellon University. He is a member of the IEEE. Contact him at email@example.com.

Gregory R. Ganger is an assistant professor of electrical and computer engineering at Carnegie Mellon University. His research interests include computer operating systems, storage, security, networking, and distributed systems. Ganger received a PhD in computer science and engineering from the University of Michigan, Ann Arbor. He is a member of the IEEE and the ACM. Contact him at firstname.lastname@example.org.

Han Kılıççöte is a research engineer at the Institute for Complex Engineered Systems at Carnegie Mellon University. On leave from CMU, Kılıççöte currently is at Atoga Systems Inc. His research interests include computer networks, distributed systems, and computer security. He received a PhD in civil engineering from Carnegie Mellon University. He is a member of the IEEE and the ACM. Contact him at email@example.com.

Pradeep K. Khosla is the Philip and Marsha Dowd professor of engineering and robotics and head of the Electrical and Computer Engineering Department at Carnegie Mellon University. His research interests include mechatronics, agent-based design and control, software engineering for real-time systems, collaborating robotic systems, gesture-based programming, and distributed information systems. Khosla earned a PhD from Carnegie Mellon University. He is an IEEE fellow. Contact him at firstname.lastname@example.org.