Operating System Security

CamouflageFS: The Camouflage File System
The CamouflageFS is a prototype file system that extends Ext2 to provide a technique for gaining the protection of a longer effective keylength without the associated performance impact due to cryptographic operations.

One of the few quantitative metrics used in evaluating the security of a cryptographic filesystem is the key length of the encryption algorithm; larger key lengths correspond to higher resistance to brute force and other types of attacks. Since accepted cryptographic design principles dictate that larger key lengths also impose higher processing costs, increasing the security of a cryptographic filesystem seems to also increase the overhead of the underlying cipher.

We present a general approach that effectively extends the key length without imposing the concomitant processing overhead. Our scheme is to spread the ciphertext inside an artificially large file, seemingly filled with random bits, according to a key-driven spreading sequence. While CamouflageFS is implemented as a stand-alone file system, its primary mechanisms can easily be integrated into existing cryptographic file systems.


Michael E. Locasto, PhD student, Computer Science Department, Columbia University

Angelos D. Keromytis, Professor, Computer Science Department, Columbia University

The Paper

Michael Locasto and Angelos Keromytis. CamouflageFS: Increasing the Effective Key Length in Cryptographic Filesystems on the Cheap .

(under review)

file address space

One of the primary goals of a filesystem is to efficiently address the portions of a file by keeping track of where file data is on disk. A multi-level indexed allocation filesystem like Ext2 provides an efficient mechanism for finding individual disk blocks based on a byte's position in the file.

a regular file

Usually, a file does not use its entire available address space or the total number of disk blocks available to it. Most files are relatively small (on the order of a few kilobytes of information). The data is logically close in the address space -- it is clustered in the first few index blocks (although the data may be far apart on the physical disk).

spread the data

We create a virtual index by changing the mapping between a byte's position in the file and the index block it is mapped to. Note that we are not concerned with where the data is on disk. The data is now unpredictably spread throughout the available address space. Unix files have long supported an idea like this: file holes. File holes represent unallocated portions of a file index and return null ('\0') data.

fill the empty space with random data

Our technique combines the unpredictable spread of real file data with the dynamic replacement of consistent random data in place of the file holes created by the virtual index mapping. Random data is indistinguishable from encrypted data.

encrypt the real data

Finally, we encrypt the real file data, thus making it indistinguishable from the random 'camouflage' data in the file holes.

Code (Patch Against the Linux 2.4.19 kernel)
User Utilities
Download the utilities sources. There are 2 directories, src/ and binutils/

CamouflageFS Utilities
  • README -- minimal documentation, see the src
  • Makefile -- compile utilities from source
  • cmgfs.h -- header file for data types
  • cinfo.c -- debugging utility
  • cmark.c -- mark a file as camouflaged
  • test64.c -- test for 64-bit file support
  • readfile.c -- a utility like 'cat' to read a cmgfs file
  • writefile.c -- a utility like 'cp' to write a cmgfs file