Goddess of Justice DB, the database used for storage on IzaroDFS
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.

1365 linhas
62 KiB

  1. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  2. % The Legrand Orange Book
  3. % LaTeX Template
  4. % Version 2.4 (26/09/2018)
  5. %
  6. % This template was downloaded from:
  7. % http://www.LaTeXTemplates.com
  8. %
  9. % Original author:
  10. % Mathias Legrand (legrand.mathias@gmail.com) with modifications by:
  11. % Vel (vel@latextemplates.com)
  12. %
  13. % License:
  14. % CC BY-NC-SA 3.0 (http://creativecommons.org/licenses/by-nc-sa/3.0/)
  15. %
  16. % Compiling this template:
  17. %
  18. % 1) pdflatex main
  19. % 2) makeindex main.idx -s StyleInd.ist
  20. % 3) biber main
  21. % 4) pdflatex main x 2
  22. %
  23. % After this, when you wish to update the bibliography/index use the appropriate
  24. % command above and make sure to compile with pdflatex several times
  25. % afterwards to propagate your changes to the document.
  26. %
  27. % Chapter heading images should have a 2:1 width:height ratio,
  28. % e.g. 920px width and 460px height.
  29. %
  30. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  31. %----------------------------------------------------------------------------------------
  32. % PACKAGES AND OTHER DOCUMENT CONFIGURATIONS
  33. %----------------------------------------------------------------------------------------
  34. \documentclass[12pt,fleqn]{book} % Default font size and left-justified equations
  35. \usepackage[automake]{glossaries}
  36. \usepackage{amssymb}
  37. \usepackage{wasysym}
  38. \usepackage{eurosym}
  39. \usepackage{amsmath}
  40. \usepackage{numprint}
  41. \usepackage{bytefield}
  42. \usepackage{siunitx}
  43. \usepackage{placeins}
  44. \usepackage{pgf-umlsd}
  45. \usepackage{adjustbox}
  46. \usepackage{multirow}
  47. \usepackage{enumitem}
  48. \usepackage{hhline}
  49. \usepackage{pgfplots}
  50. \usepackage{float}
  51. \let\Oldsection\section
  52. \renewcommand{\section}{\FloatBarrier\Oldsection}
  53. \let\Oldsubsection\subsection
  54. \renewcommand{\subsection}{\FloatBarrier\Oldsubsection}
  55. \let\Oldsubsubsection\subsubsection
  56. \renewcommand{\subsubsection}{\FloatBarrier\Oldsubsubsection}
  57. \author{Ludovic `Archivist' Lagouardette}
  58. \title{Advanced Storage system}
  59. \date{2019}
  60. \makeglossaries
  61. \input{structure.tex} % Insert the commands.tex file which contains the majority of the structure behind the template
  62. %\hypersetup{pdftitle={Title},pdfauthor={Author}} % Uncomment and fill out to include PDF metadata for the author and title of the book
  63. %----------------------------------------------------------------------------------------
  64. \begin{document}
  65. %----------------------------------------------------------------------------------------
  66. % TITLE PAGE
  67. %----------------------------------------------------------------------------------------
  68. \begingroup
  69. \thispagestyle{empty} % Suppress headers and footers on the title page
  70. \begin{tikzpicture}[remember picture,overlay]
  71. \node[inner sep=0pt] (background) at (current page.center) {\includegraphics[width=\paperwidth]{background.pdf}};
  72. \draw (current page.center) node [fill=ocre!30!white,fill opacity=0.6,text opacity=1,inner sep=1cm]{\Huge\centering\bfseries\sffamily\parbox[c][][t]{\paperwidth}{\centering Advanced Storage System\\[15pt] % Book title
  73. {\Large Whitepaper}\\[20pt] % Subtitle
  74. {\small Ludovic `Archivist' Lagouardette}}}; % Author name
  75. \end{tikzpicture}
  76. \vfill
  77. \endgroup
  78. \frontmatter
  79. %----------------------------------------------------------------------------------------
  80. % COPYRIGHT PAGE
  81. %----------------------------------------------------------------------------------------
  82. \newpage
  83. ~\vfill
  84. \thispagestyle{empty}
  85. \noindent Copyright \copyright\ 2019 NekoIT\\ % Copyright notice
  86. \noindent \textsc{Published by NekoIT}\\ % Publisher
  87. \noindent\includegraphics[width=8cm]{Pictures/nekoit_title}
  88. \noindent \textsc{https://archivist.nekoit.xyz}\\ % URL
  89. \noindent This document is under intellectual property of NekoIT, reproduction is allowed in digital format only.\\ % License information, replace this with your own license (if any)
  90. \noindent \textit{First printing, 2019} % Printing/edition date
  91. %----------------------------------------------------------------------------------------
  92. % TABLE OF CONTENTS
  93. %----------------------------------------------------------------------------------------
  94. %\usechapterimagefalse % If you don't want to include a chapter image, use this to toggle images off - it can be enabled later with \usechapterimagetrue
  95. \chapterimage{chapter_head_1.jpg} % Table of contents heading image
  96. \cleardoublepage % Forces the first chapter to start on an odd page so it's on the right side of the book
  97. \pagestyle{fancy} % Enable headers and footers again
  98. \chapter{Introduction}
  99. \pagestyle{empty} % Disable headers and footers for the following pages
  100. \tableofcontents % Print the table of contents itself
  101. \pagestyle{fancy} % Enable headers and footers again
  102. \mainmatter
  103. \part{Human friendly specification}
  104. \chapter{The state of cloud storage}
  105. \vspace{-5em}
  106. \begin{center}
  107. {\tiny All brands and companies belong to their rightful owners. We are independent from them and are only quoting them for the sake of comparison.}
  108. \end{center}
  109. \vspace{5em}
  110. \vspace{-3em}\hspace{-1.4em}Nowadays, cloud storage is getting a fair amount of popularity: saving space on mobile devices, backing up important data, getting access on data while using multiple devices.
  111. \section{Competition}
  112. Multiple service providers, from Google to Amazon as well as some other smaller actors have tackled the task of storing data for a variety of use-cases, for a variety of pricing tables and options.
  113. In this section we will take a look at the current state of competition. We do not aim at taking a look at the whole market but at a number of important or interesting actors.
  114. \subsection{Google Drive and Google Cloud Platform}
  115. Google is famous for its economical impact on the software development industry. This is also true of its Google Drive and Google Cloud Platform products.
  116. It is to the point where you can label its product the cheapest way to backup multiple terabytes\autocite{ltt_backup}. You can also quote their other products Google Cloud Storage as a cheap yet very efficient tool tool to store data for applications and websites.
  117. They however do not offer any kind of protection on their services, the data stored on their side is not encrypted and they may use it for advertisement purposes for example. They however are not misleading on their offer even if their product is not privacy centered at all.
  118. \subsection{Amazon Cloud Drive and their variety of services}
  119. We will not expand on how varied and efficient Amazon cloud storage is. They basically provide about all types of storage for any type of data structure from the typical file system to the most advanced layouts of databases.
  120. Their prices are slightly higher than those of Google. Like Google however, they only propose encryption of the data while in transit.
  121. \subsection{Operation Tulip (NextCloud over Ceph)}
  122. An open-source initiative to propose a simple cloud suite with some file storage and some tools like a calendar and an online LibreOffice implementation.
  123. This service is in open beta (can be tested by anyone) and uses some of the most used open source software to hold encrypted data and deal with storage redundancy: Ceph and NextCloud.
  124. It is however not to be used for actively using the data but more as a backup solution and cold storage.
  125. \subsection{Backblaze}
  126. A data backup company that offers multiple solutions with diverse options. They permit the use of forms of secure encryption. They however do not encrypt all of the metadata and reserve the right to sell those to a variety of company.
  127. They also offer a storage for live data in one of their offers. Their prizes are relatively competitive compared to Amazon Cloud Storage for example.
  128. \subsection{Dropbox}
  129. A well used actor in backup cloud storage system. They provide multiple tiers of pricing, from a free offer to multiple paid storage offers. All of them are meant for dead storage for roaming and sharing files.
  130. \subsection{Tarsnap}
  131. A small actor based in Canada. they offer cold storage services, encrypted and open-source on client side. They pricing is on a \textit{"as you go"} basis, pricing network traffic as well as storage used.
  132. \section{Technology}
  133. Multiple technology and they open-source counterparts can be used to handle online data storage. In this section we will explore those possibilities by comparing both commercial and free solutions where possible.
  134. \subsection{Google Spanner and CockroachDB}
  135. Google Spanner and CockroachDB are two database software for geo-replicated databases. They both use a clock based mechanism for handling transactions, making them faster with better clock synchronization. CockroachDB have however lower requirements on clock accuracy that Google Spanner does\autocite{cockroach_atomic}.
  136. Google Spanner is as its name implies a proprietary product from Google. CockroachDB is an open-source project from CockroachLabs made to implement as much of Google Spanner features as possible. It also intends to try to be compatible with PostgreSQL to ease application porting\autocite{cockroach_postgres}.
  137. Both of those tools can be used to implement either a block based storage or an object storage to use to implement a geo-replicated filesystem.
  138. Using CockroachDB as a back-end to implement the system was envisioned, but latency tests made us choose to rather use a custom implemented data server. We however use a very similar way of resolving database conflict (see the sequence diagrams \ref{fig:confirmation_proto} and \ref{fig:2user_confirmation_proto} at page \pageref{fig:confirmation_proto}).
  139. \subsection{Ceph, RADOS and CRUSH}
  140. Ceph is a distributed data storage system. It uses the RADOS (Reliable Autonomic Distributed Object Store), a storage system designed around the idea of placing data in predictable place following a mathematical equation. This is named CRUSH, for Controlled Replication Under Scalable Hashing.
  141. Placement of data in our system follows some concepts from Ceph, RADOS and CRUSH.
  142. This system is currently in development by the CERN. They use it as a back-end for many types of storage, from filesystems to block devices and storage for scientific data before analysis.
  143. Like mentioned in the listing of other actors, the Operation Tulip project are using it to store the files they manipulate. Other not mentioned actors like Ovh use it too for example for storing Virtual Machines and as storage for cloud computing.
  144. \subsection{NextCloud}
  145. NextCloud is an open-source system written in PHP to be used as a front-end for cloud hosting. It supports WebDAV and other protocols as well as providing multiple productivity features from text edition to spreadsheets and calendars.
  146. It however is slow due to having been designed in a programming language unsuitable for performance applications.
  147. It supports end to end encryption.
  148. \section{Hardware and hosting}
  149. Naming it cloud storage doesn't mean the data is in some phantasmagorical place. As such we will study here the possibilities for one to deploy his own cluster of servers to host his own data.
  150. For that we will compare pricing of the hardware required to deploy our solution online for a data size around 50\si{\tera{}B (\pm 5\percent)} of storage.
  151. \begin{table}[h]
  152. \centering
  153. \begin{tabular}{|l|l|l|l|}
  154. \hline
  155. System & Upfront price & Price per GB per year & Amort. (y) \\\hhline{|=|=|=|=|}
  156. SuperMicro SC825TQ-560LP $\times 3$ & USD15100 & USD0.21 & 5 \\
  157. and SuperMicro 5018D-MF (new) & +USD900/m & & \\\hline
  158. HP~ProLiant~DL180-G5 $\times 4$ & USD3350 & USD0.21 & 3 \\
  159. (refurbished) & +USD900/m & & \\\hline
  160. Ovh rented servers $\times 4$ & USD890/m & USD0.21 & 0 \\\hline
  161. \end{tabular}
  162. \textit{It is to be noted that the performance is also decreasing with each category down.}
  163. \caption{Server pricing}
  164. \label{tab:server_pricing}
  165. \end{table}
  166. \subsection{Brand new hardware}
  167. Brand new hardware is generally a real investment for an individual or a new company. It is also a technical choice that can have lifelong consequences on the business as computers are subdivided in families that each have specific features and behaviours.
  168. Of those families, named architectures, we will consider two: the \texttt{x86\_{}64}, also referred as \texttt{amd64}; and the most recent architecture from the \texttt{ARM} group, the \texttt{ARMv8} architecture and its variants.
  169. Both of them share the minimal set of features for a type of storage named a \texttt{memory mapped hash table} to be implementable to a usable degree.
  170. \subsubsection{\texttt{x86\_{}64} architecture}
  171. This architecture is common to most modern computers, laptops, workstations and servers nowadays. It is therefore easy to make software for it and it is well documented.
  172. It however have the huge drawback of being power hungry, having been extended for more and more performance, it tends to be consume lots of power and hence, to require proportional cooling.
  173. Taking for example a server from SuperMicro SC825TQ-560LP, we estimate a price of around 4'500USD per server for the data storage, requiring at least 3 of them, additional ones for ensuring safety in case one of them fails, as well as any other server for handling coordination of data storage.
  174. For that we advise a server of the likes of a SuperMicro 5018D-MF, for which we estimate a price of about 1'600USD if equipped with a proper network card for handling connections to the storage servers properly.
  175. \subsubsection{\texttt{ARMv8} architecture}
  176. This architecture being relatively new, we will not adventure into pricing it, but we think that adapted servers for storage equipped with ThunderX2 CPUs from Cavium would do well as storage server and likewise equipped servers with a ThunderX2 adapted for computationally heavy loads would fit the use case as a coordination server.
  177. This setup is however untested and it would not be possible at the time of redaction of these lines to test it for us. These servers would also not run some operating systems critical for safety of network infrastructure like OpenBSD.
  178. \subsection{Refurbished hardware}
  179. As for refurbished hardware, we looked into the products of professionals in sales of refurbished hardware. We advise for those with small budget a constellation of HP~ProLiant~DL180-G5, with a price per server of about 950USD (disks being new), and any server with a decent enough set of network connectivity to not be a bottleneck.
  180. \subsection{Rented dedicated servers}
  181. As for dedicated servers, we got our eyes on Ovh, which would propose to rent servers for 230USD per month per server with an added 80USD per month for the coordination server. This doesn't encompasses any backup server additionally needed to guarantee fast replication if one of the three servers fails, but it takes into account all hosting costs.
  182. \section{The users}
  183. \begin{figure}[h]
  184. \centering
  185. \begin{tikzpicture}
  186. \begin{axis}[
  187. ybar,
  188. enlargelimits=0.15,
  189. legend style={at={(0.5,-0.15)},
  190. anchor=north,legend columns=-1},
  191. ylabel={\#Percentage on interrogated people},
  192. symbolic x coords={Not so concerned,Concerned,Very concerned},
  193. xtick=data,
  194. nodes near coords,
  195. nodes near coords align={vertical},
  196. ]
  197. \addplot coordinates {(Not so concerned,18.2) (Concerned,13.8) (Very concerned,68.2)};
  198. \end{axis}
  199. \end{tikzpicture}
  200. \caption{Concerns about privacy}
  201. \label{fig:privacy_concerns}
  202. \end{figure}
  203. \begin{figure}
  204. \centering
  205. \begin{tikzpicture}
  206. \begin{axis}[
  207. ybar,
  208. enlargelimits=0.15,
  209. legend style={at={(0.5,-0.15)},
  210. anchor=north,legend columns=-1},
  211. ylabel={\#Percentage on interrogated people},
  212. symbolic x coords={A,B,C,D},
  213. xtick=data,
  214. nodes near coords,
  215. nodes near coords align={vertical},
  216. ]
  217. \addplot coordinates {(A,15.8) (B,52.6) (C,63.2) (D,78.9)};
  218. \end{axis}
  219. \end{tikzpicture}
  220. \begin{minipage}{0.82\textwidth}
  221. \begin{itemize}
  222. \item A: Harddrive encryption (Hardware or commercial solution)
  223. \item B: Harddrive encryption (Open-source solution)
  224. \item C: VPN
  225. \item D: Telegram
  226. \end{itemize}
  227. \end{minipage}
  228. \caption{Use of privacy enabling tools}
  229. \label{fig:privacy_tools}
  230. \end{figure}
  231. \begin{figure}
  232. \centering
  233. \begin{tikzpicture}
  234. \begin{axis}[
  235. ybar,
  236. enlarge x limits=0.15,
  237. ymin=0, ymax=100,
  238. xmin=A, xmax=D,
  239. legend style={at={(0.5,0.0)},
  240. anchor=north,legend columns=-1},
  241. ylabel={\#Percentage on interrogated people},
  242. symbolic x coords={A,B,C,D},
  243. xtick=data,
  244. nodes near coords,
  245. nodes near coords align={vertical},
  246. ]
  247. \addplot coordinates {(A,86.4) (B,9.1) (C,0.0) (D,4.5)};
  248. \end{axis}
  249. \end{tikzpicture}
  250. \begin{minipage}{0.82\textwidth}
  251. \begin{itemize}
  252. \item A: Open-source community approved cryptography
  253. \item B: Government approved cryptography
  254. \item C: Hardware implemented cryptography
  255. \item D: I don't know
  256. \end{itemize}
  257. \end{minipage}
  258. \caption{Opinions on cryptography}
  259. \label{fig:crypto_tools}
  260. \end{figure}
  261. \begin{figure}
  262. \centering
  263. \begin{tikzpicture}
  264. \begin{axis}[
  265. ybar,
  266. enlargelimits=0.15,
  267. legend style={at={(0.5,-0.15)},
  268. anchor=north,legend columns=-1},
  269. ylabel={\#Percentage on interrogated people},
  270. symbolic x coords={Yes (Encrypted),Yes,No},
  271. xtick=data,
  272. nodes near coords,
  273. nodes near coords align={vertical},
  274. ]
  275. \addplot coordinates {(Yes (Encrypted),27.3) (Yes,18.2) (No,54.5)};
  276. \end{axis}
  277. \end{tikzpicture}
  278. \caption{Use of private online data storage}
  279. \label{fig:cloud_usage}
  280. \end{figure}
  281. \chapter{A personal view on privacy}
  282. \vspace{-5em}
  283. \begin{center}
  284. {\tiny This chapter expresses the view of the author of both this documentation and the software associated with it and only of him.}
  285. \end{center}
  286. \vspace{5em}
  287. \vspace{-3em}\hspace{-1.4em}Privacy is a notion of everyday. Everyday people use object made to guarantee some, from curtains to acoustic insulation, from locked doors to security cabinets, privacy is something that concerns doctors, lawyers, engineers, inventors, chefs, military staff\ldots{}
  288. Sometime privacy is an indirect concern: an archival company should not take a peek at your doctor's or lawyer's files and cases. Sometimes such an indirect concern reaches to be a concern of someone through friends, business partners, lovers\ldots{} You would not want someone to learn your friend's secrets through you.
  289. 50 years ago, someone wanting to learn your secrets had to listen on your telephone line, breach in your office and open your safe, go in your house or hire a detective. Today, that person may just be able to buy your secrets.
  290. \vspace{1em}In this chapter we will talk about a variety of topics related to digital privacy, from its premises to its implementation.
  291. \section{On terms of service}
  292. In the software and service industry, terms and conditions of service are the typical way for a company to announce the type of data they collect and the use they make of said data.
  293. Those conditions may also tell a person to who the data sent on their service belongs, some services taking property of, for example, all and any picture uploaded to them.
  294. This is in my opinion problematic from a moral standpoint when it is not explicit that the service acquires your information with your consent but on terms you may not entirely agree with for the simple reason that those terms are buried into a huge quantity of legal information.
  295. The projection of that issue is when the very same terms and conditions allow for the company to sell or provide the information, generally non-anonymized, to a third party without additional demand for consent. This id extremely common in companies that offer services "for free" or for very low prices compared to the cost of the actual service.
  296. \section{On advertisement}
  297. Advertisement is a very close issue to the one above. Most advertisements online run code on the computer than sees the advertisement to ensure the advertisement is seen by a human and not a computer. The advertisement also collect information to uniquely identify the user and link the user to the data in the page and website the user is visiting. This allows the advertisement company to run finely adapted advertisement.
  298. One of the bad consequence of that is what we saw during the Cambridge Analytica incident in 2017, when the company of the same name got tasked to influence voters of the United States of America targeting them specifically on points of the opposing party they were likely not agreeing on with advertisement and viral videos.
  299. In that very scandal, it had appeared the developed database could for example accurately point out users that were in favour of free access to guns\autocite{cambridge_analytica}.
  300. Those are however not the average practices. For example the DuckDuckGo search engine providers only provide advertisement depending on the exact query entered and nothing more, not collecting any data. On a grayer side, Twitter provide access to tweet statistics and advertise this feature to all users, letting you know how they get their money and offering you to go from user to consumer very easily, which is a better practice than silently collecting data for sales to companies only.
  301. \section{On manipulation and political acts}
  302. As technology evolved, we gained power to make links on multiple pieces of data about users like presented in the previous part of this chapter, we also showed how data collection can be used to further a political agenda with targeted advertisement. But this omit the most clear and easily forgotten form of political warfare, collecting the other side's information at the source. This also applies to people that may want to blackmail someone else or just ruin their reputation for hidden motives or just the challenge of it.
  303. Numerous times have we saw such breaches. From the Watergate scandal half a century ago to Apple iCloud breaches in 2014\autocite{bbc_icloud}, stealing data is a typical way of spying on your opponent whatever the game being it political, gambling, contests, art, etc\ldots{} It can also be used to obtain an unfair advantage in trials and other circumstances.
  304. We here see the importance of privacy for public figures just as we saw it for voters in the last part. It goes the same for other methods like viral advertising and scientific cherry-picking when pushing a political agenda.
  305. It is also valid on a bigger scale like for example, standardization of encryption by a country in order to enforce it to be breakable like it happened in 1977 with the DES~56 encryption primitive\autocite{wiki:Data_Encryption_Standard}.
  306. \section{On misrepresentation of encryption}
  307. \begin{center}
  308. \textit{If you want to further your understanding of encryption before proceeding, I advise you to take a read at the \autoref{annex:encryption_popularized}}
  309. \end{center}
  310. \vspace{2em}
  311. \hspace{-1.4em}Encryption is often misrepresented, both by lots of governmental figures and by lots of commercial software providers.
  312. Nowadays, most of the web communications are encrypted and at least partially authenticated. Authentication is done through asymmetrical encryption based systems, contacting an intermediate named a certificate provider. Some of the certificates are included in most mainstream browsers (for example, the certificates of \texttt{google.com} are embedded in Android devices and in Google Chrome), which secures the communication with those entities if the private key is not compromised.
  313. This doesn't mean that any data sent to those services is encrypted once stored on the provider: most providers do not store data encrypted as it brings computing costs up by a very significant margin if they need to access that data.
  314. Similarly, it is considered bad practice to store passwords in a readable format, to protect them, specific cryptographic techniques exist so that it is possible to verify a password from a form of said password transformed with a one way transformation named a cryptographic hash function. That said, some companies still store password in readable form in their databases.
  315. This means that, access should be compromised on the database of a company or within any vulnerable part of their computer system, data could be entirely compromised. This has happened a lot in recent years, and is bound to be a phenomena that multiplies should companies not start caring for their customer's privacy.
  316. Such compromise can happen in various ways, and having physical access to the machine makes it easy to access most if not all data on the machine. Most companies renting their disk space, servers, or computing power from other companies, it means you rely on companies contractors not to sell your data per the terms of their hosting services too, and encryption of the transit of data will not protect you from this issue.
  317. In the meanwhile, all companies play the game of demagogy and present themselves as perfectly secure. Some have the transparency to present you the way their technology works, relying on open-source software to provide their services.
  318. \vspace{1em}There is also the topic of back-doors in those services for governmental checks. The main issue with them is the following: if the government can access your data without you knowing, then virtually anyone can do the same. It adds a critical point of failure in the system. It also means the service is not usable for sensitive topics like defense and military uses.
  319. On an even worrisome topic, some companies boast to feature encryption of user data, while they only ever ensure this encryption on transit, or advertise it while not all of their offers are actually featuring encryption of user data.
  320. \chapter{Izaro storage}
  321. The way we decided to implement our storage focuses on protection, obfuscation and performance. We will here explain the influences and consequences of these ideas.
  322. \section{Goals}
  323. We want to provide an online storage with the following properties:
  324. \vspace{0.6em}First of all, it must be georeplicated. It is not okay to lose service access due to the loss of one server farm on our own side.
  325. \vspace{0.3em}Then, the data must be protected, we ourselves should be entirely unable to read it, we should also be unable to read the metadata.
  326. \vspace{0.3em}Also, any part of the data must be fast enough to access that it is hard to differentiate our service from access of a hard-drive given a good enough network connection, same goes for writing.
  327. \vspace{0.3em}Finally, it must be flexible and adaptable to multiple use-cases.
  328. \vspace{1em}This leads us to the following idea: we are aiming to create a service that can store encrypted data, it must be able to store it in a layout similar to a disk, this way it possesses the same capabilities as a hard drive disk. The key to decrypt the data is stored online but encrypted with the user password. Authentication requires the user to be able to read the password to get a token. It is possible to leave said token disabled and enable it only with a second authentication factor.
  329. We want our system to be protected from the point of view of our customers, as such, we aim at it having a code-base readable and short enough to be explored completely in 3 days by a developer with access to enough documentation.
  330. \section{Principles}
  331. Our project aim to follow the following principles:
  332. \begin{itemize}
  333. \item Principle of least knowledge: if it is possible for us to never have access to a readable form of some data, then we should not make it mandatory or provide alternatives.
  334. \item Principle of greater usage: if it is possible, we have to use the most out of the algorithms we use, be it cryptographic primitives or other algorithms.
  335. \item Principle of openness: we aim to disclose any incident that may happen, and to disclose any request by officials to access anyone's data.
  336. \end{itemize}
  337. The principle of least knowledge is upheld in the very design of the system: only the user can make sense of the address space of both the file system and block device. To provide an analogy, the data is stored in multiple boxes. The user side software randomly labels the boxes and seal them (that seal is the encryption). If you store data that overflows from one box, you will store in multiple boxes. Decrypting any data requires to know which box is the first one and which is the next one, but that very piece of information is not stored on the server: it is stored in one of the sealed boxes.
  338. Furthermore, the labels of each block of data can be used as a piece of the encryption process, this is an example of the principle of greater usage: any additional information that can help make the system safer, we will use it.
  339. As for the openness principle, it is just as stated, we will disclose any demand that are made as soon as they are made as well as our responses to them. We will disclose any security issue or concern we receive. We will provide tools for anyone to be informed of these information through multiple channels.
  340. \section{Data life cycle}
  341. Here is a list of the data that may be collected by us in any interaction with our software. This data is sorted by interaction.
  342. \begin{table}[h]
  343. \centering
  344. \begin{tabular}{lll}
  345. \hline
  346. \ttfamily User action & \ttfamily Data collected & \ttfamily Reason \\\hhline{===}
  347. \multirow{4}{*}{Account creation} & \multicolumn{1}{l}{Email} & \multicolumn{1}{l}{Authentication} \\\cline{2-3}
  348. & \multicolumn{1}{l}{Nickname} & \multicolumn{1}{l}{Authentication} \\\cline{2-3}
  349. & \multicolumn{1}{l}{Password (Obfuscated)} & \multicolumn{1}{l}{Authentication} \\\cline{2-3}
  350. & \multicolumn{1}{l}{Time of creation} & \multicolumn{1}{l}{Bookkeeping} \\\hline
  351. \multirow{1}{*}{Connection} & \multicolumn{1}{l}{Connection time} & \multicolumn{1}{l}{Authentication} \\\hline
  352. \multirow{3}{*}{Payment (below 20\euro)} & \multicolumn{1}{l}{Amount} & \multicolumn{1}{l}{Accounting} \\\cline{2-3}
  353. & \multicolumn{1}{l}{Time of payment} & \multicolumn{1}{l}{Accounting} \\\cline{2-3}
  354. & \multicolumn{1}{l}{Type of payment} & \multicolumn{1}{l}{Accounting} \\\hline
  355. \multirow{4}{*}{Payment (above 20\euro)} & \multicolumn{1}{l}{Amount} & \multicolumn{1}{l}{Accounting} \\\cline{2-3}
  356. & \multicolumn{1}{l}{Time of payment} & \multicolumn{1}{l}{Accounting/Bookkeeping} \\\cline{2-3}
  357. & \multicolumn{1}{l}{Type of payment} & \multicolumn{1}{l}{Accounting} \\\cline{2-3}
  358. & \multicolumn{1}{l}{Invoice address} & \multicolumn{1}{l}{Accounting} \\\hline
  359. \multirow{2}{*}{Writing data} & \multicolumn{1}{l}{Server time} & \multicolumn{1}{l}{Data protection (Consensus system)} \\\cline{2-3}
  360. & \multicolumn{1}{l}{Number of used blocks} & \multicolumn{1}{l}{Accounting/Bookkeeping} \\\hline
  361. \end{tabular}
  362. \caption{Table of collected data}
  363. \label{tab:data_collection}
  364. \end{table}
  365. \chapter{A personal view on business practices}
  366. \section{On selling the user}
  367. \section{On misrepresenting the invisible}
  368. \autocite{apple_sweatshop}
  369. \section{On practice of transparent business}
  370. \part{Functional specification}
  371. \chapter{Client capabilities}
  372. \section{Key header}
  373. \begin{itemize}[label={\Square}]
  374. \item Can be version-controlled
  375. \item Can store a pointer to a root
  376. \item Do not permit retrieval of key alone
  377. \end{itemize}
  378. \section{System root header}
  379. \begin{itemize}[label={\Square}]
  380. \item Is extendable
  381. \item Can store a pointer to a device and its type
  382. \item Can store an attribute pointer to for a device
  383. \end{itemize}
  384. \section{Argus block device}
  385. \begin{itemize}[label={\Square}]
  386. \item Requires enough RAM space to store its metadata for access
  387. \item Reading data is $O(1)$
  388. \item Uses record $x$ and $y$ as $iv$ and/or $nonce$
  389. \item Uses stream position as position
  390. \item Can list multiple keys and ciphers in its header, applied in sequential order
  391. \item Support transactional access
  392. \end{itemize}
  393. \section{Izaro file system}
  394. Let $n$ be the number of files in the file system. Let $m$ be the size of a given file.
  395. \begin{itemize}[label={\Square}]
  396. \item All directory changes are transactional and atomic
  397. \item Opening a file is $O(log~n)$ or better
  398. \item Reading a block from an open file is $O(log~m)$ or better
  399. \item Writing a block from an open file is $O(log~m)$ or better
  400. \item Changing file attributes is atomic
  401. \item Uses record $x$, $y$, and UUID as $iv$ and/or $nonce$
  402. \item Uses file position as position inside files
  403. \item Uses position in block as position inside non-files elements
  404. \item[] On clients implementing a POSIX interface
  405. \begin{itemize}[label={\Square}]
  406. \item Append is atomic if possible
  407. \item Advisory locking is implemented on a file by file basis
  408. \end{itemize}
  409. \item POSIX permissions are implemented
  410. \begin{itemize}[label={\Square}]
  411. \item An association file only modifiable by user 0 (root) maps UIDs to user names
  412. \item Permissions are handled by the client only
  413. \item User 0 (root) can alter any permission
  414. \end{itemize}
  415. \item NT permissions may not be implemented
  416. \begin{itemize}[label={\Square}]
  417. \item NT clients may not perform ACL checks
  418. \item Any NT user can alter file data
  419. \item NT users can not alter file permissions
  420. \item Items created by NT users are created with the permission of their parent item
  421. \end{itemize}
  422. \end{itemize}
  423. \chapter{Front-end capabilities}
  424. \section{Web interface}
  425. \begin{itemize}[label={}]
  426. \item Account management
  427. \begin{itemize}[label={\Square}]
  428. \item Can create an account
  429. \item Can share a 2FA secret
  430. \item Can delete an account
  431. \item Can confirm a payment
  432. \item Can inform of payment lateness
  433. \item Can self-wipe account
  434. \end{itemize}
  435. \item Authentication
  436. \begin{itemize}[label={\Square}]
  437. \item Can generate a token from a connection request
  438. \item Can confirm a token with a 2FA subtoken
  439. \item Can invalidate a token
  440. \item Can generate a shared secret to handle UDP connections
  441. \item Can regenerate a password block from an older password block
  442. \end{itemize}
  443. \item Provides a payment link
  444. \item Provides a link to this document
  445. \item Provides all personal information stored on our side for the logged in user
  446. \item Provide a link to our company balance
  447. \end{itemize}
  448. \section{Heavy-clients}
  449. \begin{itemize}[label={\Square\Square}]
  450. \item[{TD}]
  451. \item Can obtain a shared secret from the data interface
  452. \item Can obtain a token from a connection
  453. \item Can obtain a token from user input
  454. \item Can synchronize a supported filesystem
  455. \item Can display usage statistics
  456. \item Can detect a block device and mount it
  457. \item Can mount IzaroFS using FUSE on systems that support it
  458. \item Can mount IzaroFS in slow mode on other systems
  459. \end{itemize}
  460. \subsection{Command-line interface client}
  461. \begin{itemize}[label={\Square}]
  462. \item Can be called with automated tools
  463. \item Supports callback scripts
  464. \end{itemize}
  465. \subsubsection{General options}
  466. \textit{Any option marked with a * must be order independent provided it is following the command that defines it.}
  467. \begin{itemize}[label={\Square}]
  468. \item \texttt{----help}*: provides a list of commands and of all the general options, if used with a command, display the help page of that command.
  469. \item \texttt{----verbose}*: trips a flag that makes any operations to output their information in \texttt{stderr}
  470. \item \texttt{----out-info}*: trips a flag that makes any operations to output more information in a computer readable format on \texttt{stdout}
  471. \end{itemize}
  472. \subsubsection{Commands}
  473. \begin{itemize}[label={\Square}]
  474. \item \texttt{help}: same as the similar option.
  475. \item \texttt{list}: enter into list mode for the next command, if no further arguments, display a list of all accessible roots and their types if they are known.
  476. \begin{itemize}[label={\Square}]
  477. \item \texttt{help}: provide help on the subcommands
  478. \item \texttt{mountable}: Display all accessible roots that are mountable as file systems.
  479. \item \texttt{in-use}: Display roots that are currently in use.
  480. \item \texttt{connections}: Display all registered connections in a \texttt{csv} format with headers as in \autoref{fig:connection_csv_columns}.
  481. \item \texttt{endpoints}: Display all registered endpoints in a \texttt{csv} format with headers as in \autoref{fig:endpoints_csv_columns}.
  482. \end{itemize}
  483. \item \texttt{mount}: Mount a mountable file system, the identifier of the file system must be provided as next argument. Outputs \texttt{OK} on success and \texttt{KO} on failure.
  484. \begin{itemize}[label={\Square}]
  485. \item \texttt{help}: provide help on the subcommands
  486. \item \texttt{----read-only}*: set up the read only flag of the file system
  487. \end{itemize}
  488. \item \texttt{login}: performs an interactive login sequence, no information is stored on disk.
  489. \begin{itemize}[label={\Square}]
  490. \item \texttt{help}: provide help on the subcommands
  491. \item \texttt{----persistent}*: trips the system into persistent login, with the key stored on the system in a configuration file. If the \texttt{----unsafe} flag is not activated, does nothing.
  492. \item \texttt{----unsafe}*: allows unsafe behaviours.
  493. \end{itemize}
  494. \item \texttt{logout}: performs a logout of the selected user, will also remove persistent logout information. Outputs \texttt{OK} on success and \texttt{KO} on failure.
  495. \item \texttt{umount}: performs the unmounting of the provided filesystem. Outputs \texttt{OK} on success and \texttt{KO} on failure.
  496. \begin{itemize}[label={\Square}]
  497. \item \texttt{help}: provide help on the subcommands
  498. \item \texttt{----NOW}*: forces the unmounting to happen even if unterminated operations are pending.
  499. \end{itemize}
  500. \item \texttt{enable}: enables a storage registered as block device storage. Outputs \texttt{OK} on success and \texttt{KO} on failure.
  501. \begin{itemize}[label={\Square}]
  502. \item \texttt{help}: provide help on the subcommands
  503. \item \texttt{----read-only}*: set up the read only flag of the device and prohibits its use for write operations.
  504. \end{itemize}
  505. \item \texttt{disable}: disables a storage registered as block device storage. Outputs \texttt{OK} on success and \texttt{KO} on failure.
  506. \begin{itemize}[label={\Square}]
  507. \item \texttt{help}: provide help on the subcommands
  508. \item \texttt{----NOW}*: stops the device immediately, ignoring any currently executing operations.
  509. \end{itemize}
  510. \end{itemize}
  511. Computer readable output format should be a subset of JSON, hence readable by any JSON parser, with the values shown in \autoref{fig:computer_readable_output}.
  512. \begin{figure}[h]
  513. \begin{center}
  514. \begin{minipage}[c]{0.9\textwidth}
  515. \begin{itemize}
  516. \item \texttt{status}: \texttt{"OK"} if the command is a success, \texttt{"KO"} if the command failed.
  517. \item \texttt{error\_{}code}: an integer representing the error as a hash of the line of code that failed.
  518. \end{itemize}
  519. \end{minipage}
  520. \end{center}
  521. \caption{Computer readable output contents}
  522. \label{fig:computer_readable_output}
  523. \end{figure}
  524. Multiple types of data are provided as CSV with the separator ``\texttt{|}'' and the first line always being a header.
  525. \begin{figure}[h]
  526. \begin{center}
  527. \begin{minipage}[c]{0.9\textwidth}
  528. \begin{itemize}
  529. \item \texttt{user}: the email address of the user
  530. \item \texttt{token}: the token as an hexadecimal string
  531. \item \texttt{"connected since"}: Unix timestamp in seconds since the connection got opened.
  532. \item \texttt{"server time offset"}: The estimated offset of time between the server and client in microseconds.
  533. \item \texttt{persistent}: \texttt{true} if the connection is stored on disk, \texttt{false} if it is stored only in memory.
  534. \end{itemize}
  535. \end{minipage}
  536. \end{center}
  537. \caption{Connection information}
  538. \label{fig:connection_csv_columns}
  539. \end{figure}
  540. \begin{figure}[h]
  541. \begin{center}
  542. \begin{minipage}[c]{0.9\textwidth}
  543. \begin{itemize}
  544. \item \texttt{user}: the email address of the user that owns the connection used
  545. \item \texttt{"unix user"}: UID of the user that mounted the endpoint
  546. \item \texttt{"endpoint file"}: the file where the endpoint is mounted if applicable, may be a device on NT systems
  547. \item \texttt{"root id"}: the identifier of the root
  548. \end{itemize}
  549. \end{minipage}
  550. \end{center}
  551. \caption{Active endpoint data}
  552. \label{fig:endpoints_csv_columns}
  553. \end{figure}
  554. \subsection{Desktop client}
  555. \textit{Only set to support the core subset of features for heavy-clients.}
  556. The desktop application is expected to work on at least Windows and Linux entirely, and to also work on any system with FUSE for the IzaroFS part.
  557. Any cosmetic shaders should for that reason be made with OpenGL, and at that with a very compatible version. Development of those shaders will be left to some professional specially trained in making shaders.
  558. Those cosmetic items must have a textual fallback accessible by hovering their element. If they represent performance statistics, any visual may be clickable and print the statistics in a file.
  559. \begin{figure}[H]
  560. \centering
  561. \includegraphics[width=0.9\columnwidth]{Pictures/desktopmain}
  562. \caption{Desktop application main view mockup}
  563. \label{fig:mockup-desktopmain}
  564. \end{figure}
  565. On \autoref{fig:mockup-desktopmain}, the circle and pie will actually be replaced by a render graphic whose inner part will spin if and only if time synchronization is happening normally, the outer part will grow brighter if elements of progress are made on the selected file system, and the inner part with transition between green and red through yellow showing data congestion.
  566. Other render elements could be added to the application for aesthetic purposes, at the sole condition they provide a visually appealing way to understand the status of the system.
  567. \begin{figure}[H]
  568. \centering
  569. \includegraphics[width=0.9\columnwidth]{Pictures/loginpage}
  570. \caption{Desktop application login and register page mockup}
  571. \label{fig:mockup-loginpage}
  572. \end{figure}
  573. Behaviour of the login part of the page is expected to be identical to the behaviour of the login command.
  574. \begin{figure}[H]
  575. \centering
  576. \includegraphics[height=0.4\textheight,width=0.9\columnwidth,keepaspectratio]{Pictures/confirmregister}
  577. \caption{Desktop application registration confirmation page mockup}
  578. \label{fig:mockup-confirmregister}
  579. \end{figure}
  580. \begin{figure}[H]
  581. \centering
  582. \includegraphics[height=0.4\textheight,width=0.9\columnwidth,keepaspectratio]{Pictures/newdevice}
  583. \caption{Desktop application block device creation page mockup}
  584. \label{fig:mockup-newdevice}
  585. \end{figure}
  586. \begin{figure}[H]
  587. \centering
  588. \includegraphics[height=0.4\textheight,width=0.9\columnwidth,keepaspectratio]{Pictures/newfs}
  589. \caption{Desktop application Izaro filesystem creation page mockup}
  590. \label{fig:mockup-newfs}
  591. \end{figure}
  592. \section{Data interface}
  593. \begin{itemize}[label={\Square}]
  594. \item[] Supports actions
  595. \begin{itemize}[label={\Square}]
  596. \item Read
  597. \item Write
  598. \item Update
  599. \item Allocate
  600. \item Allocate and push
  601. \item Read and push
  602. \item Pop and write
  603. \item Delete
  604. \item "Delete" and push
  605. \item Assert timestamp
  606. \item Commit
  607. \end{itemize}
  608. \item Can execute a chain of actions
  609. \item Can confirm a chain of actions
  610. \item Can clear unconfirmed actions
  611. \item Can execute a single action and confirm it
  612. \item Can read usage statistics
  613. \item[] Shared systems
  614. \begin{itemize}[label={\Square}]
  615. \item Can lock and unlock a named mutex
  616. \item Can compare and swap a semaphore
  617. \end{itemize}
  618. \item[] Administration
  619. \begin{itemize}[label={\Square}]
  620. \item Can read global statistics
  621. \item Can read list of UUIDs
  622. \item Can list users
  623. \item Can list connections
  624. \item Can wipe account
  625. \item Can register a backend
  626. \end{itemize}
  627. \item[] Automation
  628. \begin{itemize}[label={\Square}]
  629. \item Can replace a dead server
  630. \item Will duplicate if spares available, preferring $A \rightarrow B \rightarrow AB$
  631. \end{itemize}
  632. \end{itemize}
  633. \chapter{Back-end capabilities}
  634. \section{GoJ Database}
  635. \begin{itemize}[label={\Square}]
  636. \item[] Data
  637. \begin{itemize}[label={\Square}]
  638. \item Can read a record
  639. \item Can write a record
  640. \item Can confirm a record
  641. \item Can remove a record
  642. \item Can test existence of a record
  643. \item Can allocate a record
  644. \item Can read a record metadata
  645. \end{itemize}
  646. \item[] Stats
  647. \begin{itemize}[label={\Square}]
  648. \item Can provide stats given the stats format
  649. \item Can alert in case of suspicious stats
  650. \end{itemize}
  651. \item Can stream a list of all records, then stream all transformations that happened since the streaming started
  652. \end{itemize}
  653. \section{Performance requirements}
  654. \begin{itemize}[label={\Square}]
  655. \item Less than 20\% below the server disk performance in terms of latency
  656. \item Assumes available RAM to be at least 0.4\% of the disk capacity
  657. \end{itemize}
  658. \part{Technical specification}
  659. \chapter{Storage layer}
  660. \section{\texttt{izaro-storage}}
  661. \section{\texttt{db\_{}stats}}
  662. \chapter{Coordination layer}
  663. \section{Client to \texttt{izaro-coordinate}}
  664. \section{\texttt{izaro-coordinate} to \texttt{izaro-storage}}
  665. \chapter{Time synchronization}
  666. \section{Steadiness requirement}
  667. \section{Storage side requirement}
  668. \chapter{Client side}
  669. \section{Key blocks and system root layout}
  670. \section{Command line user interface}
  671. \section{Graphical user interface}
  672. \chapter{Block storage system}
  673. \chapter{Native file system}
  674. \appendix
  675. \part{Annexes}
  676. %\setcounter{chapter}{1}
  677. %\renewcommand\thechapter{\Alph{chapter}}
  678. \chapter{Encryption popularized}
  679. \label{annex:encryption_popularized}
  680. \textbf{Encryption: }The act to transform a message into a random looking cipher-text. The original message is often named the plain-text.
  681. \hspace{-1.4em}\textbf{Cipher: }The mathematical function that transforms a plain-text into a cipher-text
  682. \vspace{1.5em}\hspace{-1.4em}Encrypting data can be done in various ways. Each way have its properties and its resistances to certain types of attacks. All modern cryptography is key-based cryptography. It means that the way we encrypt data is not secret, what is secret is a value, named the key, that is used to encrypt the data.
  683. \section{Properties of encryption}
  684. We will here explain some of the properties a cipher can hold.
  685. \subsection{Resistance}
  686. A cipher generally have its resistance expressed as a power of two (e.g.: $2^{103}$) or as a number of bits of entropy (e.g.: $103~bits$). It is to be noted that this scale is not linear: it is exponential.
  687. This means that a cipher that have $104~bits$ of entropy is 2 times harder to break than one with a resistance of $103~bits$ of the same family. Comparing resistance between different families is not relevant.
  688. \subsection{Compactness}
  689. Compactness of a cipher means that if you encrypt a message of side $n$ you will obtain a cipher-text of the same size. Conversely, If a cipher can generates a longer cipher-text than its message, it is said to be not compact.
  690. for example, let's consider a simple cipher: for a message $A$, read it as a number and multiply it with a value that will be the key.
  691. If your message is for example 8 digits, like $00005555$ and the key is $12345678$, the cipher-text will be equal to $5555 \times 12345678 = 68580241290$ which make a 11 digits cipher-text from a 8 digit message.
  692. \subsection{Homomorphism}
  693. Homomorphism means that for a message $A$ and an operation $f : x$ (for example, if $f : x \rightarrow x \times 2$ means the operation of multiplying by 2), if you apply a cipher to $A$ and get a cipher-text $B$, there exist a way to apply $f : x$ to $B$ in such a way that decryption of $B$ gives you the result of applying $f : x$ to $A$.
  694. Expressed more simply, it means the you can execute operations on encrypted data without requiring to decipher it or understand it. Very few encryption mechanisms are fully homomorphic and those are mostly in research\autocite{Gentry:2009:FHE:1834954}.
  695. \section{Types of encryption}
  696. Encryption can express itself in different forms regarding to its way to handle the cryptographic key. Some have only one key, that must be known for encrypting and decrypting the data, we call those symmetrical ciphers; some have two keys, one for encrypting and one for decrypting, we call those asymmetrical ciphers.
  697. \subsection{Symmetrical encryption}
  698. \begin{figure}[h]
  699. \begin{center}
  700. \begin{itemize}
  701. \item AES
  702. \item Chacha20
  703. \item Blowfish
  704. \item Serpent
  705. \item Twofish
  706. \item CAST5
  707. \item RC4
  708. \item DES
  709. \item 3DES
  710. \item Skipjack
  711. \item IDEA
  712. \end{itemize}
  713. \end{center}
  714. \caption{List of symmetrical ciphers}
  715. \label{fig:sym_ciphers}
  716. \end{figure}
  717. \subsection{Asymmetrical encryption}
  718. \begin{figure}[h]
  719. \begin{center}
  720. \begin{itemize}
  721. \item Prime numbers based (RSA)
  722. \item Elliptic curve based (ECDSA)
  723. \item Paillier crypto system
  724. \item Lattice based (NTRU, BLISS\autocite{Gentry:2009:FHE:1834954})
  725. \end{itemize}
  726. \end{center}
  727. \caption{List of asymmetrical ciphers}
  728. \label{fig:asym_ciphers}
  729. \end{figure}
  730. \chapter{Protocols}
  731. \section{\texttt{izaro-storage} queries}
  732. \begin{figure}[h!]
  733. \centering
  734. \begin{bytefield}[bitwidth=1.06em, bitformatting={\tiny\ttfamily}]{32}
  735. \bitheader{0-31} \\
  736. \bitbox{14}{\texttt{unused}}
  737. \bitbox{1}{\texttt{\footnotesize 2S}}
  738. \bitbox{1}{\texttt{\footnotesize B}}
  739. \bitbox{16}{\texttt{operation code (big endian)}} \\
  740. \wordbox{2}{\texttt{request identifier}} \\
  741. \wordbox{1}{\textit{optional\ldots{}} \texttt{continuation}}
  742. \end{bytefield}
  743. \begin{itemize}
  744. \item[] \texttt{2S}: the operation is two-stepped (requires a confirmation to be applied) if set
  745. \item[] \texttt{B}: the operation is a bulk operation if set
  746. \end{itemize}
  747. \caption{Common request format (storage)}
  748. \label{fig:common_format_storage}
  749. \end{figure}
  750. \begin{figure}
  751. \centering
  752. \begin{bytefield}[bitwidth=1.06em]{32}
  753. \bitheader{0-31} \\
  754. \wordbox{1}{$x$ (Big endian integer)} \\
  755. \wordbox{1}{$y$ (Big endian integer)} \\
  756. \wordbox{4}{\texttt{UUID}}
  757. \end{bytefield}
  758. \begin{itemize}
  759. \item[] a zeroed UUID means the record is invalid
  760. \end{itemize}
  761. \caption{Record identifier format}
  762. \label{fig:record_identifier}
  763. \end{figure}
  764. \begin{figure}
  765. \centering
  766. \begin{bytefield}[bitwidth=0.48em, bitformatting={\tiny\ttfamily}]{64}
  767. \bitheader{0,31,63} \\
  768. \wordbox{2}{\texttt{Common request format (storage)}} \\
  769. \wordbox{3}{\texttt{Record identifier}} \\
  770. \wordbox{1}{\textit{optional\ldots{}} \texttt{Timestamp (Big endian integer)}} \\
  771. \end{bytefield}
  772. \begin{itemize}
  773. \item[] Timestamp of 0 or absent means latest valid value
  774. \end{itemize}
  775. \caption{Request format for read (storage)}
  776. \label{fig:read_format_storage}
  777. \end{figure}
  778. \begin{figure}
  779. \centering
  780. \begin{bytefield}[bitwidth=0.46em, bitformatting={\tiny\ttfamily}]{64}
  781. \bitheader{0,31,63} \\
  782. \wordbox{2}{\texttt{Common request format (storage)}} \\
  783. \wordbox{3}{\texttt{Record identifier}} \\
  784. \begin{rightwordgroup}{$16Kio$}
  785. \wordbox[lrt]{1}{\texttt{Database page}} \\
  786. \skippedwords \\\wordbox[lrb]{1}{}
  787. \end{rightwordgroup} \\
  788. \wordbox{1}{\textit{optional\ldots{}} \texttt{Timestamp (Big endian integer)}}
  789. \end{bytefield}
  790. \begin{itemize}
  791. \item[] Timestamp of 0, absent, of maxed as of \footnotesize{\texttt{std::numeric\_limits<uint64\_t>::max()}} means server time should be used
  792. \end{itemize}
  793. \caption{Request format for write (storage)}
  794. \label{fig:write_format_storage}
  795. \end{figure}
  796. \begin{figure}
  797. \centering
  798. \begin{bytefield}[bitwidth=0.48em, bitformatting={\tiny\ttfamily}]{64}
  799. \bitheader{0,31,63} \\
  800. \wordbox{2}{\texttt{Common request format (storage)}} \\
  801. \wordbox{3}{\texttt{Record identifier}} \\
  802. \wordbox{1}{\texttt{Timestamp (Big endian integer)}} \\
  803. \end{bytefield}
  804. \begin{itemize}
  805. \item[] An invalid timestamp does nothing
  806. \end{itemize}
  807. \caption{Request format for confirm (storage)}
  808. \label{fig:confirm_format_storage}
  809. \end{figure}
  810. \begin{figure}
  811. \centering
  812. \begin{bytefield}[bitwidth=0.48em, bitformatting={\tiny\ttfamily}]{64}
  813. \bitheader{0,31,63} \\
  814. \wordbox{2}{\texttt{Common request format (storage)}} \\
  815. \wordbox{3}{\texttt{Record identifier}} \\
  816. \wordbox{1}{\texttt{Timestamp (Big endian integer)}} \\
  817. \end{bytefield}
  818. \begin{itemize}
  819. \item[] An invalid timestamp does nothing, a zeroed timestamp or absent timestamp means remove all, a specific value removes the target value.
  820. \end{itemize}
  821. \caption{Request format for remove (storage)}
  822. \label{fig:remove_format_storage}
  823. \end{figure}
  824. \begin{figure}
  825. \centering
  826. \begin{bytefield}[bitwidth=1.06em, bitformatting={\tiny\ttfamily}]{32}
  827. \bitheader{0,31} \\
  828. \wordbox{4}{\texttt{Common request format (storage)}} \\
  829. \bitbox{32}{\texttt{Size}} \\
  830. \begin{rightwordgroup}{Repeats \\ \texttt{Size} times}
  831. \wordbox{6}{\texttt{Record identifier}} \\
  832. \wordbox{2}{\texttt{Timestamp (Big endian integer)}}
  833. \end{rightwordgroup} \\
  834. \end{bytefield}
  835. \begin{itemize}
  836. \item[] Timestamps are to be interpreted as in the read operation, with the exception they cannot be omitted
  837. \end{itemize}
  838. \caption{Request format for bulk read (storage)}
  839. \label{fig:bulk_read_format_storage}
  840. \end{figure}
  841. \section{\texttt{izaro-storage} replies}
  842. \begin{figure}[h!]
  843. \centering
  844. \begin{bytefield}[bitwidth=0.48em, bitformatting={\tiny\ttfamily}]{64}
  845. \bitheader{0,31,63} \\
  846. \wordbox{3}{\texttt{Record identifier}} \\
  847. \bitbox{64}{\texttt{Timestamp}} \\
  848. \bitbox{64}{\texttt{Offset}} \\
  849. \bitbox{30}{\texttt{Unused}}
  850. \bitbox{1}{\texttt{\tiny R}}
  851. \bitbox{1}{\texttt{\tiny C}}
  852. \end{bytefield}
  853. \begin{itemize}
  854. \item[] \texttt{R}: is set if the record is removed (not eligible for cleanup)
  855. \item[] \texttt{C}: is set if the record is confirmed
  856. \end{itemize}
  857. \caption{Record format (storage)}
  858. \label{fig:record_storage}
  859. \end{figure}
  860. \begin{figure}[h]
  861. \centering
  862. \begin{bytefield}[bitwidth=0.48em, bitformatting={\tiny\ttfamily}]{64}
  863. \bitheader{0,31,63} \\
  864. \bitbox{64}{\texttt{request identifier}} \\
  865. \wordbox[lrt]{5}{\texttt{record information}} \\
  866. \begin{rightwordgroup}{$16Kio$}
  867. \bitbox[lrb]{32}{}
  868. \bitbox[lrt]{32}{} \\
  869. \wordbox[lr]{1}{\vspace{0.96em}\texttt{Database page}} \\
  870. \skippedwords \\\wordbox[lrb]{1}{}
  871. \end{rightwordgroup} \\
  872. \end{bytefield}
  873. \begin{itemize}
  874. \item[-] the request identifier must be equal to the request identifier from the query
  875. \item[-] in case of a write request or confirm request, the database page may be omitted or contain invalid information
  876. \end{itemize}
  877. \caption{Common reply format (storage)}
  878. \label{fig:common_format_reply_storage}
  879. \end{figure}
  880. \begin{figure}[h!]
  881. \centering
  882. \begin{bytefield}[bitwidth=0.48em, bitformatting={\tiny\ttfamily}]{64}
  883. \bitheader{0,31,63} \\
  884. \bitbox{64}{\texttt{request identifier}} \\
  885. \begin{rightwordgroup}{$48o$}
  886. \bitbox[lrt]{64}{} \\
  887. \wordbox[lr]{1}{\vspace{0.96em}\texttt{unused}} \\
  888. \skippedwords \\\wordbox[lrb]{1}{}
  889. \end{rightwordgroup} \\
  890. \bitbox{64}{\texttt{number of unused pages}} \\
  891. \bitbox{64}{\texttt{number of number of free pages due to deletions}} \\
  892. \bitbox{64}{\texttt{number of pages}} \\
  893. \bitbox{64}{\texttt{total size of the record table}} \\
  894. \bitbox{64}{\texttt{total size of the delete table}} \\
  895. \bitbox{64}{\texttt{unreclaimable pages}} \\
  896. \bitbox{64}{\texttt{available records in the table}} \\
  897. \bitbox{64}{\texttt{configured synchronization rate}} \\
  898. \bitbox{64}{\texttt{duration of the last synchronization}} \\
  899. \bitbox{64}{\texttt{longest duration of synchronization}} \\
  900. \bitbox{64}{\texttt{average duration of synchronizations}} \\
  901. \end{bytefield}
  902. \begin{itemize}
  903. \item[-] all values are big endian
  904. \item[-] all times are in \si{\micro\second}
  905. \end{itemize}
  906. \caption{Stats reply format (storage)}
  907. \label{fig:stats_format_reply_storage}
  908. \end{figure}
  909. \section{\texttt{izaro-coordinate} queries}
  910. \begin{figure}[h]
  911. \centering
  912. \begin{bytefield}[bitwidth=0.48em]{64}
  913. \bitheader{0,31,63} \\
  914. \wordbox{1}{\texttt{operation}} \\
  915. \wordbox{2}{\texttt{UUID}} \\
  916. \wordbox{2}{\texttt{token}} \\
  917. \begin{rightwordgroup}{nonce}
  918. \wordbox{1}{\texttt{request identifier}} \\
  919. \wordbox{1}{\texttt{}}
  920. \end{rightwordgroup} \\
  921. \bitbox[lrt]{64}{} \\
  922. \wordbox[lr]{1}{\vspace{0.96em}\texttt{payload}} \\
  923. \skippedwords \\\wordbox[lrb]{1}{}
  924. \end{bytefield}
  925. \begin{itemize}
  926. \item[] a zeroed UUID means administration packet
  927. \end{itemize}
  928. \caption{Data packet}
  929. \label{fig:data_packet}
  930. \end{figure}
  931. \subsection{User payloads}
  932. \begin{figure}[h]
  933. \centering
  934. \begin{bytefield}[bitwidth=0.48em]{64}
  935. \bitheader{0,31,63} \\
  936. \wordbox{3}{\texttt{record identifier}} \\
  937. \wordbox{1}{\texttt{timestamp}} \\
  938. \end{bytefield}
  939. \begin{itemize}
  940. \item[] the data fetched is the last before the timestamp
  941. \item[] the timestamp is aligned on the coordinator's timestamping
  942. \item[] if the timestamp is omitted the last confirmed page is read
  943. \end{itemize}
  944. \caption{Read request}
  945. \label{fig:read_request}
  946. \end{figure}
  947. \begin{figure}[h]
  948. \centering
  949. \begin{bytefield}[bitwidth=0.48em]{64}
  950. \bitheader{0,31,63} \\
  951. \begin{rightwordgroup}{$32Kio$}
  952. \bitbox[lrt]{64}{} \\
  953. \wordbox[lr]{1}{\vspace{0.96em}\texttt{file page}} \\
  954. \skippedwords \\\wordbox[lrb]{1}{}
  955. \end{rightwordgroup} \\
  956. \end{bytefield}
  957. \begin{itemize}
  958. \item[] the data will be stored on the time of the server
  959. \end{itemize}
  960. \caption{Allocate$+$Write request}
  961. \label{fig:allocate_write_request}
  962. \end{figure}
  963. \subsection{Root user payloads}
  964. \section{\texttt{izaro-coordinate} replies}
  965. \begin{figure}[h]
  966. \centering
  967. \begin{bytefield}[bitwidth=0.48em]{64}
  968. \bitheader{0,31,63} \\
  969. \wordbox{1}{\texttt{page count}} \\
  970. \wordbox{3}{\texttt{page max}} \\
  971. \wordbox{3}{\texttt{record identifier}} \\
  972. \end{bytefield}
  973. \begin{itemize}
  974. \item[] the data will be stored on the time of the server
  975. \end{itemize}
  976. \caption{Userdata reply}
  977. \label{fig:userdata_reply}
  978. \end{figure}
  979. \section{\texttt{izaro-coordinate} timing protocol and consensus}
  980. \begin{figure}[h]
  981. \centering
  982. \begin{sequencediagram}
  983. \newthread{a}{: Client}
  984. \newinst[7]{b}{: Server}
  985. \mess[1]{a}{$t_{client}$}{b}
  986. \mess[1]{b}{$t_{client},t_{server}$}{a}
  987. \end{sequencediagram}
  988. \caption{Izaro time synchronization}
  989. \label{fig:time_proto}
  990. \end{figure}
  991. \begin{figure}[h]
  992. \centering
  993. \begin{sequencediagram}
  994. \newthread{a}{: Client \#1}
  995. \newinst[7]{b}{: Server}
  996. \mess[1]{a}{$t_{1}$ data write}{b}
  997. \mess[1]{b}{unconfirmed record}{a}
  998. \begin{callself}{a}{wait $t_{sync}$}{return $t_{2}$}
  999. \end{callself}
  1000. \mess[1]{a}{$t_{1} - t_{sync} < x < t_{2}$ unconfirmed read}{b}
  1001. \mess[1]{b}{same unconfirmed record}{a}
  1002. \mess[1]{a}{confirm record}{b}
  1003. \mess[1]{b}{confirmed record}{a}
  1004. \end{sequencediagram}
  1005. \caption{Izaro single user write confirmation}
  1006. \label{fig:confirmation_proto}
  1007. \end{figure}
  1008. \begin{figure}[h]
  1009. \centering
  1010. \begin{footnotesize}
  1011. \begin{sequencediagram}
  1012. \newinst{da}{: Client \#1}
  1013. \newinst[4]{dc}{: Server}
  1014. \newinst[4]{db}{: Client \#2}
  1015. \mess[1]{da}{$t_{1}$ data write}{dc}
  1016. \mess[1]{dc}{unconfirmed record $A$}{da}
  1017. \begin{callself}{da}{wait $t_{sync}$}{return $t_{2}$}
  1018. \postlevel\postlevel
  1019. \postlevel\postlevel
  1020. \end{callself}
  1021. \mess[1]{da}{$t_{1} - t_{sync} < x < t_{2}$ unconfirmed read}{dc}
  1022. \mess[1]{dc}{self unconfirmed record is first}{da}
  1023. \postlevel
  1024. \mess[1]{da}{confirm record}{dc}
  1025. \mess[1]{dc}{confirmed record}{da}
  1026. \prelevel\prelevel
  1027. \prelevel\prelevel
  1028. \prelevel\prelevel
  1029. \prelevel\prelevel
  1030. \prelevel\prelevel
  1031. \prelevel\prelevel
  1032. \prelevel\prelevel
  1033. \prelevel\prelevel
  1034. \prelevel\prelevel
  1035. \mess[1]{db}{$t_{1}'$ data write}{dc}
  1036. \mess[1]{dc}{unconfirmed record $B$}{db}
  1037. \begin{callself}{db}{wait $t_{sync}$}{return $t_{2}'$}
  1038. \postlevel\postlevel
  1039. \postlevel\postlevel
  1040. \end{callself}
  1041. \mess[1]{db}{$t_{1}'-t_{sync} < x < t_{2}'$ unconfirmed read}{dc}
  1042. \mess[1]{dc}{self unconfirmed record is not first}{db}
  1043. \begin{callself}{db}{retry}{}
  1044. \end{callself}
  1045. \end{sequencediagram}
  1046. \end{footnotesize}
  1047. \caption{Izaro dual user write confirmation and cancellation}
  1048. \label{fig:2user_confirmation_proto}
  1049. \end{figure}
  1050. \backmatter
  1051. %----------------------------------------------------------------------------------------
  1052. % BIBLIOGRAPHY
  1053. %----------------------------------------------------------------------------------------
  1054. \chapter*{Bibliography}
  1055. \addcontentsline{toc}{chapter}{\textcolor{ocre}{Bibliography}} % Add a Bibliography heading to the table of contents
  1056. %------------------------------------------------
  1057. %\section*{Books}
  1058. %\addcontentsline{toc}{section}{Books}
  1059. \printbibliography[heading=bibempty]
  1060. \printglossary
  1061. %------------------------------------------------
  1062. \listoftables
  1063. %------------------------------------------------
  1064. \listoffigures
  1065. %------------------------------------------------
  1066. %\section*{Books}
  1067. %\addcontentsline{toc}{section}{Books}
  1068. %\printbibliography[heading=bibempty,type=book]
  1069. %----------------------------------------------------------------------------------------
  1070. % INDEX
  1071. %----------------------------------------------------------------------------------------
  1072. \cleardoublepage % Make sure the index starts on an odd (right side) page
  1073. \phantomsection
  1074. \setlength{\columnsep}{0.75cm} % Space between the 2 columns of the index
  1075. \addcontentsline{toc}{chapter}{\textcolor{ocre}{Index}} % Add an Index heading to the table of contents
  1076. \printindex % Output the index
  1077. \end{document}