Hazel: Secure and Efficient Disaggregated Storage
Marcin Chrapek, Meni Orenbach, Ahmad Atamli, Marcin Copik, Mikhail Khalilov, Fritz Alder, Torsten Hoefler

TL;DR
Hazel is a novel storage management system that enhances disaggregated NVMe-oF storage with strong security guarantees and high performance, utilizing innovative control and data path optimizations including counter-leasing and a new Merkle Tree structure.
Contribution
Hazel extends NVMe-oF with a security-aware control plane and optimized data path, introducing counter-leasing and a disaggregated Merkle Tree for secure, efficient storage management.
Findings
Incurs 1-2% performance degradation in various workloads
Provides strong confidentiality, integrity, and freshness guarantees
Supports offloading to CC-capable smart NICs
Abstract
Disaggregated storage with NVMe-over-Fabrics (NVMe-oF) has emerged as the standard solution in modern supercomputers and data center clusters, achieving superior performance, resource utilization, and power efficiency. Simultaneously, confidential computing (CC) is becoming the de facto security paradigm, enforcing stronger isolation and protection for sensitive workloads. However, securing state-of-the-art storage with traditional CC methods struggles to scale and compromises performance or security. To address these issues, we introduce Hazel, a storage management system that extends the NVMe-oF protocol capabilities and adheres to the CC threat model, providing confidentiality, integrity, and freshness guarantees. Hazel offers an appropriate control path with novel concepts such as counter-leasing. Hazel also optimizes data path performance by leveraging NVMe metadata and introducing…
Taxonomy
Topics: Advanced Data Storage Technologies · Cloud Data Security Solutions · Security and Verification in Computing
