Overview

Computing and communicating through the Web makes it virtually impossible to leave the past behind. College Facebook posts or pictures can resurface during a job interview; a lost or stolen laptop can expose personal photos or messages; or a legal investigation can subpoena the entire contents of a home or work computer, uncovering incriminating or just embarrassing details from the past.

Our research seeks to protect the privacy of past, archived data — such as copies of emails maintained by an email provider — against accidental, malicious, and legal attacks. Specifically, we wish to ensure that all copies of certain data become unreadable after a user-specified time, without any specific action on the part of a user, without needing to trust any single third party to perform the deletion, and even if an attacker obtains both a cached copy of that data and the user's cryptographic keys and passwords.

Vanish is a research project aimed at meeting this challenge through a novel integration of cryptographic techniques with distributed systems. We initially implemented a proof-of-concept Vanish prototype that uses the million-node Vuze BitTorrent DHT to create self-destructing data. For a description of our Vuze-based self-destructing data system, please refer to our paper.

Thanks to research done by others, we found that the initial Vuze DHT implementation on which Vanish was based was not adequately protected against Sybil attacks that seek to harvest data from the DHT. This was due in part to overly eager replication for availability, and in part to the fact that existing DHTs were not designed with such attacks in mind. In response, we have been working with Paul Gardner from Vuze, Inc. to implement, deploy, and evaluate at scale measures for improving Vuze's security against Sybil-driven data-harvesting attacks. Specifically, our measures: (1) limit the excessive amount of replication that currently exists in Vuze, and (2) limit the ability of an attacker to perform large-scale Sybil attacks. Our evaluation shows that our combined defenses significantly raise the bar against Sybil data-harvesting attacks. A comprehensive evaluation of all of our defenses is currently underway and will be available shortly.

In addition, we are investigating new directions and architectures for self-destructing data. We believe that the future for self-destructing data is to leverage multiple back-end storage systems (both DHTs and other types of distributed structures) in such a way that compromising Vanish would require compromising all of the storage systems. As a proof of concept of this idea, in September 2009 we released a new prototype that splits the keys across both the Vuze DHT and OpenDHT. In collaboration with Vinnie Moscaritolo from PGP Corporation, we are now investigating new storage backends for Vanish that have fundamentally different properties and threat models than DHTs. Once again, new developments in self-destructing data are underway, so stay tuned; we will describe the latest advances in Vanish research on our publications page as they become available.
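The mechanism behind the requirements stated above (no user action, no single trusted party, safety even if the user's keys leak), as an added illustration that is not the Vanish project's own code: the data is encrypted under a fresh random key K, K is split with threshold (k-of-n) secret sharing, and only the shares are pushed into a DHT that forgets them after a TTL. The dict-backed DHT, its hour-granularity TTL, the locator-derived share indices and the HMAC-based stream cipher are constructed stand-ins for this example; the real prototype uses the Vuze DHT and a standard symmetric cipher.

```python
"""Added example (not Vanish project code): Vanish in miniature. Data is
encrypted under a random key K, K is split k-of-n with Shamir sharing, and the
shares go into a DHT (a dict stand-in here) that drops them after a TTL."""
import hashlib, hmac, secrets

P = 2**521 - 1  # prime field for the Shamir polynomial (holds a 128-bit key)

def split_secret(secret, n, k):
    """Shamir: random degree-(k-1) polynomial with constant term = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P) from any k shares."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def keystream_xor(key, data):
    """Stand-in stream cipher (HMAC-SHA256 counter mode), not a real AES."""
    ks = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def share_index(locator, x):
    """Share x lives at a DHT index derived from the secret locator L."""
    return hashlib.sha256(locator + x.to_bytes(2, "big")).digest()

def vanish(data, dht, n, k, now, ttl=8):
    """Return a VDO (ciphertext, L, n, k); K itself is never stored anywhere."""
    key, locator = secrets.randbits(128), secrets.token_bytes(16)
    for x, y in split_secret(key, n, k):
        dht[share_index(locator, x)] = (y, now + ttl)  # DHT entry with expiry
    return keystream_xor(key.to_bytes(16, "big"), data), locator, n, k

def unvanish(vdo, dht, now):
    """Rebuild K from shares still alive at `now`; None once fewer than k remain."""
    ct, locator, n, k = vdo
    alive = [(x, hit[0]) for x in range(1, n + 1)
             if (hit := dht.get(share_index(locator, x))) and now < hit[1]]
    if len(alive) < k:
        return None  # enough shares have expired: the data is now unreadable
    return keystream_xor(recover_secret(alive[:k]).to_bytes(16, "big"), ct)
```

Once fewer than k shares survive, even an attacker holding the VDO, the locator L and every one of the user's long-term keys has nothing left to decrypt with, which is the property the paragraphs above describe.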

Research Contributions

Overall, we have thus far made several significant contributions to the self-destructing data problem and beyond; some of these contributions are already published, while others are still in the works:

We defined an ambitious research agenda for self-destructing data in the cloud. A significant requirement in this agenda is deletion without trusting any single party. This agenda is introduced in a paper that appeared at USENIX Security '09.

We designed and built a prototype distributed-trust self-destructing data system based on the Vuze DHT. A description and preliminary evaluation of our prototype is included in our USENIX Security '09 paper.

Following the demonstration of Vuze's susceptibility to Sybil data-crawling attacks, we designed, implemented and deployed security-enhancing features to the live million-node Vuze DHT. We are currently working on a paper that demonstrates these features.

We designed new alternative structures for self-destructing data based on geographically distributed servers and hierarchical secret sharing. Our next paper will also include descriptions of these new structures.

Inspired by our efforts to make the Vuze DHT fit Vanish better, we designed a next-generation "active" DHT, called Comet, that expands the application space for key-value storage systems by building support for application-specific customizations into these systems. A paper describing Comet will appear at OSDI '10.

People

Acknowledgements

This work is supported by NSF grants NSF-0846065, NSF-0627367, and NSF-614975, an Alfred P. Sloan Research Fellowship, the Wissner-Slivka Chair, and a gift from Intel Corporation.