Project Infinite: A rootkit or an amazing Cloud-based feature?

Many people love Dropbox, but all those files that we store still have a footprint on our systems. With Project Infinite, though, Dropbox is moving towards placeholder files, where files are stored in the Cloud but not locally. The local footprint will just be the metadata of the file.

This shows that users trust the Cloud, and that we are increasingly moving to an always-on Internet connection. Previously OneDrive supported this feature, but, in Windows 10, it took a step backwards to only support the current Dropbox method. It is thought that Microsoft removed the feature because users found the setup confusing and ran into incompatibility problems, including problems with accessing Cloud-based files from the command prompt.

Dropbox, though, seems to have solved both these problems. The new Dropbox feature will still show a green check mark on the file if it is stored locally, but a cloud icon for files that are only stored in the Cloud. When the files are opened, they will be downloaded onto the local computer.

Dropbox's thinking is that they can catch file operations better within the kernel, and intervene there. In this way Dropbox almost becomes a core part of the operating system, and will identify whether a file is stored locally (with the green tick) or within the Cloud (with the grey cloud icon).

Users will then have the option to store a file locally.

Why kernel level access?

Some, though, are now questioning the effect that this Dropbox integration will have on a computer, especially given its access into the kernel and its potential to be a backdoor into the machine. Any flaw in the software could open up the whole computer to an intruder. Very few programs, such as virus scanners, are allowed kernel-level access to a computer, and their code must thus be rigorously checked to identify any potential flaws.

Dropbox say the kernel part was required because they tried to implement a user-space equivalent on Mac OS X, but its performance was poor. For this they initially used FUSE (Filesystem in Userspace) for their prototypes. With FUSE, a non-privileged user can implement a file system in user space without changing the kernel.

In Unix-like systems FUSE is part of the kernel, and Mac OS X can be updated to support it, but its downside is that programs must have the libfuse library linked in. The Dropbox team found that many operations occur when using FUSE, each crossing between kernel and user space, and that this significantly degraded performance.

But it was the security of FUSE that worried Dropbox most, and it was this worry, together with the performance one, that drove them to write a kernel-level integration.

Fixing flaws in the Dropbox concept

A core driver for the kernel integration is possibly to overcome a major weakness in the Dropbox concept: the owners of files have little control over what other users do with their files. For example, a project team might share sensitive documents with the rest of the team, but one of the users could simply copy the folder to another place on their system.

The Dropbox concept is thus that we can share files across many users, but there is little protection against those users creating copies of the files in another folder, as the files are actually resident on their computers. This is because Dropbox cannot control these copy operations. If Dropbox gains access at the kernel level, just like a virus scanner, they can intervene and stop files from being copied, renamed or deleted. This would give Dropbox the same level of control over file rights as the operating system has. The local rights of users would thus be reduced, and overruled by Cloud-based permissions.
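As an added example, and not Dropbox's own code, here is a small user-space Python model of the two mechanisms discussed above: placeholder files (a metadata-only local footprint, content downloaded on first open, a "store locally" option) and an operation hook that lets the owner of a shared file stop others from copying, renaming or deleting it. The Cloud store, the file paths and user names, the hash check on download and the audit log are all constructed assumptions for the illustration; a real client would do the interception in the kernel rather than in a Python class.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed stand-in for the Cloud store (not a real Dropbox API):
# path -> file content. The local client never holds these bytes until a
# file is opened or pinned.
CLOUD: Dict[str, bytes] = {
    "/team/plan.txt": b"Q3 plan: ship placeholder files\n",
    "/team/budget.csv": b"item,cost\nlaptops,12000\n",
}


def cloud_fetch(path: str) -> bytes:
    """Download a file's content on demand (simulated network fetch)."""
    return CLOUD[path]


def cloud_metadata(path: str) -> dict:
    """What the client keeps locally for a placeholder: size and hash only."""
    data = CLOUD[path]
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


class IntegrityError(Exception):
    """Fetched content does not match the hash recorded in the placeholder."""


@dataclass
class Placeholder:
    path: str
    size: int
    sha256: str                      # recorded when the placeholder was created
    owner: str
    shared_with: Set[str]
    pinned: bool = False             # user chose "store locally"
    content: Optional[bytes] = None  # None means only metadata is on disk

    @property
    def icon(self) -> str:
        return "green-tick" if self.content is not None else "grey-cloud"


class PlaceholderFS:
    """User-space model of a placeholder-file client with an operation hook."""

    def __init__(self, fetch: Callable[[str], bytes] = cloud_fetch):
        self.fetch = fetch
        self.files: Dict[str, Placeholder] = {}
        self.audit: List[str] = []   # hook decisions, kept for detection/review

    def register(self, path: str, owner: str, shared_with: Set[str]) -> Placeholder:
        """Create a placeholder from Cloud metadata without downloading content."""
        meta = cloud_metadata(path)
        ph = Placeholder(path, meta["size"], meta["sha256"], owner, set(shared_with))
        self.files[path] = ph
        return ph

    def local_bytes(self) -> int:
        """Disk footprint of file content (metadata is not counted)."""
        return sum(len(ph.content) for ph in self.files.values() if ph.content)

    def stat(self, path: str) -> dict:
        """Directory listing view: size and icon come from metadata alone."""
        ph = self.files[path]
        return {"size": ph.size, "icon": ph.icon}

    def open(self, path: str) -> bytes:
        """Hydrate on first open and verify the bytes against the recorded hash."""
        ph = self.files[path]
        if ph.content is None:
            data = self.fetch(path)
            if hashlib.sha256(data).hexdigest() != ph.sha256:
                raise IntegrityError(path)
            ph.content = data
        return ph.content

    def pin(self, path: str) -> None:
        """'Store locally': hydrate and keep the content resident."""
        self.open(path)
        self.files[path].pinned = True

    def evict(self, path: str) -> bool:
        """Drop local content to reclaim space; pinned files stay resident."""
        ph = self.files[path]
        if ph.pinned or ph.content is None:
            return False
        ph.content = None
        return True

    def operate(self, op: str, path: str, user: str) -> bool:
        """Hook on copy/rename/delete: only the owner may do these to a shared file."""
        if op not in ("copy", "rename", "delete"):
            raise ValueError(f"unsupported operation: {op}")
        ph = self.files[path]
        allowed = user == ph.owner
        self.audit.append(f"{op} {path} by {user}: {'allowed' if allowed else 'denied'}")
        return allowed
```

The hash recorded at registration time is the check a practitioner would want on any lazily fetched file: a placeholder that hydrates without verifying what came back would silently accept altered content. The audit list models the minimum a kernel hook should emit so that denied operations are visible to monitoring.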

Kernel level - the best place for trust

The performance side will extensively scale up Dropbox's scope, and it will thus have a significant effect on the system, so the only way to reduce the overheads is to dive into the kernel and view the file operations at their lowest level. If you are interested, this is exactly what Dr Jamie Graves, now CEO at Zonefox, did many years ago.

Conclusions

As someone who fills any size of disk that I get, I love this new feature, and can't wait for it to be implemented. Often I "unsync" files so as not to store them locally, but then I can't see them unless I go to the Web client. So the new Dropbox feature will make it feel like the files are there and, hopefully, let me access them from the command line. It's another step towards us living completely in the Cloud.

On the security side, it's a big risk for any company to integrate with the kernel, and their coding and testing have to be at the highest level possible. Any flaw could open up billions of computers around the world, and be responsible for a large-scale data leak. On performance, the FUSE approach has proven to carry too much overhead, and to be too open to security problems. So Dropbox are hoping that their coders and pen testers have done their job, and that there will be 0% flaws.

Statement from Dropbox

Here is the statement from Dropbox on questions related to their Infinite project:

We wanted to address some comments about Project Infinite and the kernel. It’s important to understand that many pieces of everyday software load components in the kernel, from simple device drivers for your mouse to highly complex anti-virus programs. We approach the kernel with extreme caution and respect. Because the kernel connects applications to the physical memory, CPU, and external devices, any bug introduced to the kernel can adversely affect the whole machine. We’ve been running this kernel extension internally at Dropbox for almost a year and have battle-tested its stability and integrity. 

File systems exist in the kernel, so if you are going to extend the file system itself, you need to interface with the kernel. In order to innovate on the user’s experience of the file system, as we are with Project Infinite, we need to catch file operation events on Dropbox files before other applications try to act on those files. After careful design and consideration, we concluded that this kernel extension is the smallest and therefore most secure surface through which we can deliver Project Infinite. By focusing exclusively on Dropbox file actions in the kernel, we can ensure the best combination of privacy and usability.

We understand the concerns around this type of implementation, and our solution takes into consideration the security and stability of our users’ experience, while providing what we believe will be a really useful feature.
