Assuring Integrity of Dataflow Processing in Large-Scale Cloud Systems

1. Assuring Integrity of Dataflow Processing in Large-Scale Cloud Systems Juan Du Co-advised by: Dr. Xiaohui (Helen) Gu, Dr. Douglas Reeves Department of Computer Science North Carolina State University

2. Outline • Background • Multi-tenant cloud systems • Service integrity attack • Service Integrity Assurance • RunTest [ASIACCS’10] • Conclusion and Ongoing Work 2

3. Multi-Tenant Cloud Systems Platform for Software as a Service (SaaS) • f2 • f3 • f3 • f2 • f1 • P1 • P2 • …,f1(di),… • …,f2(f1(di)),… • …,f3(f2(f1(di))),… • f1 • f4 • P3 • P2 • P3 • …di,… • P1 • P3 • …di,… • …,f3(f2(f1(di))),… • User • Portal 3

4. Service Integrity Attack • f2 • f3 • P1 • P2 • f2 • f3 • f1 • …,f0(f1(di)),… • …,f1(di),… • P3 • …,f3(f0(f1(di))),… • f1 • P2 • f4 • P3 • …di,… • P1 • P3 • …di,… • …,f3(f0(f1(di))),… • User • Portal • Service providers come from different security domains • Not all data processing components are trustworthy 4

5. Previous Work • Distributed dataflow processing • focuses on resource and performance management issues. • usually assumes that all data processing components are trustworthy. • Trust management in distributed systems • Distributed messaging systems [Haeberlen, et al. SOSP 2007] • Pub-sub overlay [Srivatsa, et al., CCS 2005] • Virtualized datacenters [Berger, et al., SIGOPS 2008] • None of them addressed secure and scalable dataflow processing in multi-tenant cloud systems 5

6. Previous Work (cont.) • Byzantine fault-tolerance • in Wide area networks [Amir, et al., DSN 2006] • Generally has scalability issues. • Security in SOA • WS-Security v1.1 [Oasis, 2006] • Focuses on integrity and confidentiality of web service messages through encryption and authentication. • Attacks can go beyond messaging security. 6

7. RunTest RunTest: Assuring Integrity of Dataflow Processing in Cloud Computing Infrastructures. Juan Du, Wei Wei, Xiaohui Gu, Ting Yu. ACM Symposium on Information, Computer and Communications Security (ASIACCS), Beijing, China, April, 2010. Detect integrity attack Randomized data attestation Attestation Graph Pinpoint malicious nodes 7

8. Integrity Attestation Graph Randomized data attestation Capture consistency/inconsistency relationships between pairs of components • f1 • f2 • f1 • f2 • f1(d2’) • s4 • f2(f1(d2’)) • s1 • f1(d1) • f2(f1(d1)) • d1 • d2’ • s1 • s4 • d2 • d1 • s5 • s2 • f1(d1’) • f2(f1(d1’)) • d1’ • Portal • 1 • 0.3 • 1 • 0.6 • d2 • f2(f1(d2)) • f1(d1)=f1(d1’) • Portal • s6 • s3 • f1(d2) • s2 • s3 • s5 • 0.6 • s6 • f2(f1(d1))=f2(f1(d1’)) • 0.3 • f1(d2) != f1(d2’) 8

9. Pinpoint Malicious Service Providers • clique P1 Proposition 1: All good nodes form a consistency clique. 1 P5 P2 1 Assume: Good nodes take majority in each service function. P3 P4 9

10. Identify Attack Patterns • clique • clique • clique • Number of cliques • Weights on the edges 10

11. Experimental Evaluation • Implementation • On top of IBM System S • Experiment setup • Tested on NCSU virtual computing lab (VCL) • Use about 10 blade servers • Each host run CentOS 5.2 64-bit with Xen 3.0.3 11

12. Detection Rate Can achieve 100% detection rate under different attack patterns 12

13. Comparison Full Time Majority Voting (pu = 1, r = 5) Immediate detection Not scalable RunTest Scalable, small pu and r => less attestation traffic A short delay in detection, small pu and r => takes longer to detect 13

14. Conclusion • The first attempt to address service integrity of dataflow processing applications in multi-tenant cloud systems • Scalable runtime service attestation • Light-weight • Randomized data attestation • Black-box approach • Application-level input replay and result consistency check • Effective • High detection rate and no false alarm 14

15. Ongoing Work • Support stateful service functions • Relax the assumptions for malicious service providers • can take majority in service functions • Must be minority in overall system 15

16. Thank you! Questions? 16