As critical data are increasingly stored in electronic form, it is imperative that such data be stored reliably and in a tamper-proof manner. Furthermore, a growing subset of electronic data (e.g., electronic mail, instant messages, drug development logs, medical records, etc.) is subject to regulations governing long-term retention and availability of the data. Recent high-profile accountability issues at large public companies have further caused regulatory bodies such as the Securities and Exchange Commission (SEC) to tighten their regulations. For instance, the amendments to SEC Rule 17a-4 that went into effect in May 2003 specify storage requirements for email, attachments, memos, and instant messaging as well as routine phone conversations.
A requirement in many such regulations is that data must be stored reliably in non-erasable, non-rewritable storage, such that the data, once written, cannot be altered or overwritten. Such storage is commonly referred to as WORM (Write-Once Read-Many) storage, as opposed to WMRM (Write-Many Read-Many) storage, which can be written many times.
Conventional WORM storage media comprise WORM tape, ablative WORM optical disk, and magnetic WORM disk. For ablative WORM optical disk, the non-overwritable property is inherent in the physical media: writing data invokes a permanent change to the media itself that cannot be reversed. For existing tape-based and magnetic hard-disk-based WORM storage systems, by contrast, the media is rewritable and the WORM property is guaranteed by the microcode of the drive or controller rather than by the media itself. Although conventional WORM technology has proven to be useful, it would be desirable to present additional improvements.
Guaranteeing the WORM property in microcode rather than in the media introduces a trust problem. Rewritable media has no inherent protection against overwriting, so the data stored on it can be modified by a malicious application through any other I/O interface whose microcode does not enforce the WORM property. Once the rewritable media is disconnected from the media drive (disk controller or tape drive) that implements the WORM feature, the data on the media can be overwritten by a non-WORM tape drive or disk controller.
The use of rewritable media as WORM storage is nevertheless attractive because the random-access performance of magnetic hard disks is orders of magnitude better than that of optical WORM disks. In practice, the fast read performance of rewritable magnetic disks is needed to meet the search requirements of current data regulations. One conventional approach to providing WORM storage on rewritable media is to lock the whole storage enclosure (disks and WORM controllers) together physically to avoid tampering. This approach protects the rewritable media from being altered by an intruding non-WORM controller. However, a physical lock is easily defeated with a master key. This approach further imposes difficulties and overhead on storage management.
The WORM property of a storage system can be guaranteed at the software level, the firmware level, or the media level. Implementing the WORM property at the media level (e.g., inside the hard drive) requires significant changes to existing commodity hardware. Data storage and access regulations change continually, requiring flexibility in configuring WORM storage, and the overhead of altering logic in hardware is usually larger than that of upgrading microcode or software. Conventional rewritable storage such as a hard drive, however, typically does not provide a programmable environment. Consequently, WORM storage based on customized hard drives may be unable to keep pace with changes in data regulations.
Implementing the WORM property at a programmable level, such as the firmware level or the software level, provides the flexibility required to comply with continually changing data regulations. However, when the binding between the media and the WORM logic exists only at the firmware level or the software level, that binding can be bypassed by moving the media to a device that lacks the WORM logic, and the media content can then be easily altered.
One conventional approach uses a physical lock on an enclosure in which the components of the WORM storage system reside. The physical lock ensures that the rewritable hard drives and the WORM logic implemented in a storage controller or processor are physically bound together. Consequently, a malicious adversary has no opportunity to tamper with the hard disks through a non-WORM storage controller. However, the anti-tampering barrier of a physical lock is low; for example, an intruder can use a master key to open the locked enclosure. Another conventional approach uses magnetic latches to lock the rewritable disks into an enclosure together with the WORM logic. Such physical binding, however, requires extensive changes to current systems and limits incremental growth.
Another conventional approach uses password verification to bind the WORM logic to the rewritable storage. This approach requires no hardware modifications, and certain commodity hard drives already have built-in hard-drive password protection. However, authentication passwords can be easily compromised, as the following scenario illustrates. Assume the WORM logic is implemented in the firmware of a disk controller, and that a legitimate controller and disk pair comprises a controller C0 and a disk D0. A malicious controller and disk pair comprises a malicious controller C1 and a malicious disk D1.
The controller C0 and disk D0 operate in an open, accessible environment or cabinet in which disks can be freely plugged in and out. The intruder removes the disk D0 from the cabinet and inserts the malicious disk D1 in its place. When C0 attempts to authenticate to what it believes is D0, it presents its password to D1, which records it. Disk D1 then passes the stolen password to malicious controller C1. The intruder can now use this password to authenticate malicious controller C1 with disk D0 and alter the data on disk D0, entirely outside the WORM logic of C0.
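The scenario above, as an added example that is not part of the original disclosure: a constructed Python simulation in which disk writes are gated by a password the controller presents in the clear on attach (a simplification of drive-password unlock, an assumption made here), a rogue disk D1 records that password, and a non-WORM controller C1 replays it against D0. A second, purely illustrative, variant in which the disk issues a nonce and expects an HMAC over it shows why a captured transcript is then useless to C1. That variant is not the virtual binding this disclosure is concerned with, and it does not by itself defend against an attacker who relays D0's challenge to C0 in real time. The class and function names (Disk, RogueDisk, WormController, ChallengeDisk, ChallengeController) and the password value are assumptions for the example.

```python
# Added example, not from the original disclosure: toy model of the C0/D0 vs.
# C1/D1 scenario. Names, passwords and the unlock protocol are constructed.
import hashlib
import hmac
import os


class Disk:
    """Rewritable D0: no WORM property in the media; writes gated by a password."""
    def __init__(self, password):
        self._password = password
        self.unlocked = False
        self.blocks = {}

    def unlock(self, password):
        # Whatever device sits at this interface sees the password as sent.
        self.unlocked = hmac.compare_digest(password, self._password)
        return self.unlocked

    def write(self, lba, data):
        if not self.unlocked:
            return False
        self.blocks[lba] = data  # rewritable media: overwrite is permitted
        return True


class RogueDisk(Disk):
    """Malicious D1: accepts any password and records it."""
    captured = None

    def unlock(self, password):
        self.captured = password
        self.unlocked = True
        return True


class WormController:
    """C0: the WORM property lives in this firmware, not in the disk."""
    def __init__(self, password):
        self._password = password

    def attach(self, disk):
        return disk.unlock(self._password)

    def append(self, disk, lba, data):
        # The only thing preventing an overwrite is this check in C0.
        if lba in disk.blocks:
            return False
        return disk.write(lba, data)


def password_binding_attack():
    """Returns (worm_refused, overwritten, final_block) for the scenario."""
    c0 = WormController(b"s3cret")
    d0 = Disk(b"s3cret")
    c0.attach(d0)
    c0.append(d0, 0, b"record v1")
    worm_refused = not c0.append(d0, 0, b"record v2")  # C0 enforces WORM
    # Intruder pulls D0 and inserts D1; C0 hands D1 the password on attach.
    d1 = RogueDisk(b"")
    c0.attach(d1)
    # Non-WORM controller C1 replays the stolen password against D0.
    d0.unlock(d1.captured)
    overwritten = d0.write(0, b"record v2")
    return worm_refused, overwritten, d0.blocks[0]


class ChallengeDisk(Disk):
    """Illustrative variant: disk issues a nonce, expects HMAC(password, nonce)."""
    def challenge(self):
        self._nonce = os.urandom(16)
        return self._nonce

    def unlock(self, tag):
        expected = hmac.new(self._password, self._nonce, hashlib.sha256).digest()
        self.unlocked = hmac.compare_digest(tag, expected)
        return self.unlocked


class ChallengeController(WormController):
    def attach(self, disk):
        tag = hmac.new(self._password, disk.challenge(), hashlib.sha256).digest()
        return disk.unlock(tag)


def challenge_response_replay():
    """D1 captures only a tag bound to its own nonce; replaying it to D0 fails."""
    class RogueChallengeDisk(ChallengeDisk):
        def unlock(self, tag):
            self.captured = tag
            return True

    d1 = RogueChallengeDisk(b"")
    ChallengeController(b"s3cret").attach(d1)
    d0 = ChallengeDisk(b"s3cret")
    d0.challenge()  # D0 issues its own fresh nonce
    return d0.unlock(d1.captured)
```

password_binding_attack() returns (True, True, b"record v2"): C0's own firmware refuses the second write, yet the same block is overwritten once the password has been captured through D1 and replayed by a controller that carries no WORM logic. challenge_response_replay() returns False because the tag D1 recorded is bound to D1's nonce, not D0's. The second result only shows that the weakness is the clear-text password, not that challenge-response is sufficient: a rogue disk that forwards D0's live challenge to C0 and returns C0's answer still succeeds, which is why a binding of the WORM logic to the media, rather than to a shared secret, is what the remainder of this disclosure is concerned with.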
To comply with continually changing regulations for data storage while using rewritable media as WORM data storage, data management systems require a configuration that maximizes performance, flexibility, and growth capability. A secure binding of the WORM logic to the storage media is desired to achieve true data immutability without sacrificing ease of storage management tasks such as failure recovery. What is therefore needed is a system, a computer program product, and an associated method for providing a virtual binding for a WORM storage system on rewritable media. The need for such a solution has heretofore remained unsatisfied.