1 / 60

Self-service Cloud Computing

Self-service Cloud Computing. Vinod Ganapathy vinodg@cs.rutgers.edu Department of Computer Science Rutgers University. The modern computing spectrum. Web browsers a nd other apps. Smartphones and tablets. The Cloud. Security concerns are everywhere!. Can I trust Gmail with my

brigette-abdiel
Download Presentation

Self-service Cloud Computing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Self-service Cloud Computing VinodGanapathy vinodg@cs.rutgers.edu Department of Computer Science Rutgers University

  2. The modern computing spectrum Web browsers and other apps Smartphones and tablets The Cloud

  3. Security concerns are everywhere! Can I trust Gmail with my personal conversations? Can I trust my browser with my saved passwords? Is that gaming app compromising my privacy?

  4. Today’s talk Web browsers and other apps Smartphones and tablets The Cloud

  5. Self-service Cloud Computing

  6. What is the Cloud? A distributed computing infrastructure, managed by 3rd-parties, with which we entrust our code and data.

  7. What is the Cloud? A distributed computing infrastructure, managed by 3rd-parties, with which we entrust our code and data. • Comes in many flavours: *-aaS • Infrastructure-aaS, Platform-aaS, Software-aaS, Database-aaS, Storage-aaS, Security-aaS, Desktop-aaS, API-aaS, etc. • Many economic benefits • No hardware acquisition/maintainence costs • Elasticity of resources • Very affordable: a few ¢/hour

  8. By 2015, 90% of government agencies and large companies will use the cloud [Gartner, “Market Trends: Application Development Software, Worldwide, 2012-2016,” 2012] • Many new companies & services rely exclusively on the cloud, e.g., Instagram, MIT/Harvard EdX[NYTimes, “Active in Cloud, Amazon Reshapes Computing,” Aug 28, 2012]

  9. Virtualized cloud platforms Management VM (dom0) Work VM Work VM Work VM Hypervisor Hardware Examples: Amazon EC2, Microsoft Azure, OpenStack, RackSpace Hosting

  10. Embracing the cloud Lets do Cloud

  11. Embracing the cloud Trust me with your code & data Client Cloud Provider Problem #1 Client code & data secrecy and integrity vulnerable to attack You have to trust us as well Cloud operators

  12. Embracing the cloud Problem #1 Client code & data secrecy and integrity vulnerable to attack

  13. Embracing the cloud I need customized malware detection and VM rollback For now just have checkpointing … Client Client Cloud Provider Cloud Provider Problem #2 Clients must rely on provider to deploy customized services

  14. Why do these problems arise? Management VM (dom0) Work VM Work VM Work VM Hypervisor Hardware

  15. Example: Malware detection Management VM Client’s VM Checking daemon Data Code 2 Process the page Sec. Policy ? 3 1 Resume guest Alert user Hypervisor [Example: Gibraltar -- Baliga, Ganapathy, Iftode, ACSAC’08]

  16. Management VM Client’s VM Checking daemon Data Code 2 Process the page Sec. Policy ? 3 1 Problem Clients must rely on provider to deploy customized services Resume guest Alert user Hypervisor

  17. Management VM Client’s VM Checking daemon Data Code 2 Process the page Sec. Policy ? 3 1 Problem Client code & data secrecy and integrity vulnerable to attack Malicious cloud operator Resume guest Alert user Hypervisor

  18. Management VM Client’s VM Checking daemon Data Code 2 Process the page Sec. Policy ? • EXAMPLES: • CVE-2007-4993. Xen guest root escapes to dom0 via pygrub • CVE-2007-5497. Integer overflows in libext2fs in e2fsprogs. • CVE-2008-0923. Directory traversal vulnerability in the shared folders feature for VMWare. • CVE-2008-1943. Buffer overflow in the backend of XenSourceXenparavirtualized frame buffer. • CVE-2008-2100. VMWare buffer overflows in VIX API let local users execute arbitrary code in host OS. • …. [AND MANY MORE] 3 1 Problem Client code & data secrecy and integrity vulnerable to attack Resume guest Alert user Hypervisor

  19. Our solution SSC: Self-service cloud computing Management VM Client’s VMs Hypervisor Hardware

  20. Outline • Disaggregation and new privilege model • Technical challenges: • Balancing provider’s and client’s goals • Secure bootstrap of client’s VMs • Experimental evaluation • Future directions and other projects

  21. Duties of the management VM Manages and multiplexes hardware resources Manages client virtual machines Management VM (Dom0)

  22. Main technique used by SSC Disaggregate the management VM Per-Client Mgmt. VM (UDom0) • Manages client’s VMs • Allows clients to deploy new services Solves problem #2 • Manages hardware • No access to clients VMs System-wide Mgmt. VM (SDom0) Solves problem #1

  23. Embracing first principles Principle of separation of privilege Per-Client Mgmt. VM (UDom0) System-wide Mgmt. VM (SDom0)

  24. Embracing first principles Principle of least privilege Per-Client Mgmt. VM (UDom0) System-wide Mgmt. VM (SDom0)

  25. An SSC platform Client’s meta-domain SDom0 Work VM Service VM UDom0 Work VM SSC Hypervisor Hardware Equipped with a Trusted Platform Module (TPM) chip

  26. SSC’s privilege model Privileged operation Self-service hypervisor Is the request from client’s Udom0? NO NO YES YES Does requestor have privilege (e.g., client’s service VM) ALLOW ALLOW DENY

  27. Key technical challenges • Providers want some control • To enforce regulatory compliance (SLAs, etc.) • Solution: Mutually-trusted service VMs • Building domains in a trustworthy fashion • Sdom0 is not trusted • Solution: the Domain Builder • Establishing secure channel with client • Sdom0 controls all the hardware! • Solution: Secure bootstrap protocol

  28. Providers want some control NO data leaksor corruption NO illegal activitiesor botnet hosting • Udom0 and service VMs put clients in control of their VMs • Sdom0 cannot inspect these VMs • Malicious clients can misuse privilege • Mutually-trusted service VMs Client Cloud Provider

  29. Trustworthy regulatory compliance SDom0 Work VM Mutually-trusted Service VM UDom0 Work VM SSC Hypervisor Hardware

  30. Bootstrap: the Domain Builder SDom0 Work VM UDom0 Domain Builder Service VM SSC Hypervisor Hardware

  31. Bootstrap: the Domain Builder Must establish an encrypted communicationchannel SDom0 Work VM UDom0 Domain Builder Service VM SSC Hypervisor Hardware

  32. Secure bootstrap protocol • Goal: Build Udom0, and establish an SSL channel with client • Challenge: Sdom0 controls the network! • Implication: Evil twin attack

  33. An evil twin attack SDom0 UDom0 Domain Builder Udom0 SSC Hypervisor Hardware

  34. Udom0 image, Enc ( , ) 1 Domain Builder Udom0 SSC Hypervisor Hardware

  35. DomB builds domain 2 UDom0 Udom0 Domain Builder SSC Hypervisor Hardware

  36. DomB installs key, nonce 3 Enc ( , ) UDom0 Domain Builder SSC Hypervisor Hardware

  37. Client gets TPM hashes 4 UDom0 Domain Builder SSC Hypervisor Hardware

  38. Udom0 sends to client 5 UDom0 Domain Builder SSC Hypervisor Hardware

  39. Client sends Udom0 SSL key 6 UDom0 Enc ( ) Domain Builder SSC Hypervisor Hardware

  40. SSL handshake and secure channel establishment 7 UDom0 Domain Builder SSC Hypervisor Hardware

  41. Can boot other VMs securely 8 Work VM UDom0 Domain Builder Service VM VM image SSC Hypervisor Hardware

  42. Client meta-domains Service VMs Mutually-trusted Service VMs Computation Storage services Work VM Udom0 Regulatory compliance Firewall and IDS Work VM Malware detection Work VM Trustworthy metering SSC hypervisor Hardware

  43. Case studies: Service VMs • Storage services: Encryption, Intrusion detection • Security services: • Kernel-level rootkit detection • System-call-based intrusion detection • Data anonymization service • Checkpointing service • Memory deduplication • And compositions of these!

  44. Evaluation • Goals • Measure overhead of SSC • Dell PowerEdge R610 • 24 GB RAM • 8 XEON cores with dual threads (2.3 GHz) • Each VM has 2 vCPUs and 2 GB RAM • Results shown only for 2 service VMs • Our ACM CCS’12 paper presents many more

  45. Storage encryption service VM Sdom0 Client’s work VM Backend Block device Frontend Block device

  46. Storage encryption service VM Sdom0 Storage encryption service VM Client’s work VM Encryption Backend Block device Frontend Block device Backend Block device Frontend Block device Decryption

  47. Checkpointing service VM Client’s VM Checkpoint service Storage

  48. Checkpointing service VM Client’s VM Checkpoint service (Encryption) Storage Encrypted Storage service

  49. Related projects Protect client VM data from Dom0 using a thin, bare-metal hypervisor Allow clients to have their own Dom0s on commodity clouds using a thin shim Dom0 Client VM CloudDom0 Client Dom0 Client VM Nested Hypervisor XenBlanket CloudVisor Cloud Hypervisor

  50. SSC is a cloud model that … … Improves security and privacy of client code and data … Enhances client control over their VMs … Imposes low runtime performance overheads …Provides me with a rich source of problems for future work 

More Related