Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shakeel Butt H. Andres Lagar-Cavilla Abhinav Srivastava Vinod Ganapathy

Similar presentations


Presentation on theme: "Shakeel Butt H. Andres Lagar-Cavilla Abhinav Srivastava Vinod Ganapathy"— Presentation transcript:

1 Shakeel Butt H. Andres Lagar-Cavilla Abhinav Srivastava Vinod Ganapathy Self-service Cloud Computing Published in Proceedings of ACM CCS12

2 2 By 2015, 90% of government agencies and large companies will use the cloud [Gartner, Market Trends: Application Development Software, Worldwide, , 2012] Many new companies & services rely exclusively on the cloud, e.g., Instagram, MIT/Harvard EdX [NYTimes, Active in Cloud, Amazon Reshapes Computing, Aug 28, 2012]

3 Virtualized cloud platforms Hardware Hypervisor Management VM (dom0) Work VM Examples: Amazon EC2, Microsoft Azure, OpenStack, RackSpace Hosting 3

4 Embracing the cloud Lets do Cloud 4

5 Embracing the cloud Trust me with your code & data Cloud ProviderClient You have to trust us as well Cloud operators Problem #1 Client code & data secrecy and integrity vulnerable to attack 5

6 Embracing the cloud Problem #1 Client code & data secrecy and integrity vulnerable to attack 6

7 Embracing the cloud Problem #2 Clients must rely on provider to deploy customized services I need customized malware detection and VM rollback Cloud ProviderClient For now just have checkpointing … Cloud ProviderClient 7

8 Why do these problems arise? Hardware Hypervisor Management VM (dom0) Work VM 8

9 Hypervisor Clients VM Management VM Code Data Checking daemon Sec. Policy Resume guest Process the page Alert user Example: Malware detection 9 ? ? [Example: Gibraltar -- Baliga, Ganapathy, Iftode, ACSAC08]

10 Hypervisor Clients VM Management VM Code Data Checking daemon Sec. Policy Resume guest Process the page Alert user 10 ? ? Problem Clients must rely on provider to deploy customized services

11 Hypervisor Clients VM Management VM Code Data Checking daemon Sec. Policy Resume guest Process the page Alert user 11 ? ? Problem Client code & data secrecy and integrity vulnerable to attack Malicious cloud operator

12 Hypervisor Clients VM Management VM Code Data Checking daemon Sec. Policy Resume guest Process the page Alert user 12 ? ? Problem Client code & data secrecy and integrity vulnerable to attack EXAMPLES: CVE Xen guest root escapes to dom0 via pygrub CVE Integer overflows in libext2fs in e2fsprogs. CVE Directory traversal vulnerability in the shared folders feature for VMWare. CVE Buffer overflow in the backend of XenSource Xen paravirtualized frame buffer. CVE VMWare buffer overflows in VIX API let local users execute arbitrary code in host OS. …. [AND MANY MORE]

13 Hardware Hypervisor Management VM Clients VMs 13 Traditional cloud computing

14 SSC: Self-service cloud computing Hardware Hypervisor Management VM Clients VMs 14

15 Main contributions New hypervisor privilege model Enables four new cloud abstractions –Udom0: Per-client management VMs –Sdom0: System-wide management VM –Service VMs –Mutually-trusted service VMs Protocols for trustworthy VM startup Novel cloud-based services 15

16 Duties of the management VM Manages and multiplexes hardware resourcesManages client virtual machines 16 Management VM (Dom0)

17 System-wide Mgmt. VM (SDom0) Per-Client Mgmt. VM (UDom0) Main technique used by SSC Disaggregate the management VM Manages hardware No access to clients VMs Solves problem #1 Manages clients VMs Allows clients to deploy new services Solves problem #2 17

18 An SSC platform Hardware SSC Hypervisor 18 SDom0 Work VM UDom0 Clients meta-domain Service VM Equipped with a Trusted Platform Module (TPM) chip Trusted Computing Base

19 Hardware SSC Hypervisor 19 SDom0 Work VM UDom0 Service VM 2. Least Privilege 1. Separation of Privilege

20 Cloud ProviderClient But providers want some control Udom0 and service VMs put clients in control of their VMs Sdom0 cannot inspect these VMs Malicious clients can misuse privilege Mutually-trusted service VMs 16 NO data leaks or corruption NO illegal activities or botnet hosting

21 Trustworthy regulatory compliance Hardware SSC Hypervisor 21 SDom0 Work VM UDom0 Mutually -trusted Service VM

22 Traditional privilege model Privileged operation Hypervisor is request from Management VM? YES ALLOW NO DENY 22

23 SSCs privilege model Privileged operation Self-service hypervisor Is the request from clients Udom0? NO YES ALLOW Does requestor have privilege (e.g., clients service VM) DENY NO YES ALLOW 23

24 Hardware SSC Hypervisor 24 SDom0 Bootstrap: the Domain Builder Domain Builder UDom0 Work VM Service VM

25 Hardware SSC Hypervisor 25 SDom0 Bootstrap: the Domain Builder Domain Builder UDom0 Work VM Service VM Must establish an encrypted communication channel

26 1 Hardware SSC Hypervisor 26 Domain Builder Udom0 image, Enc (, ) Udom0

27 Hardware SSC Hypervisor 27 Domain Builder UDom0 DomB builds domain 2 Udom0

28 Enc (, ) Hardware SSC Hypervisor 28 Domain Builder UDom0 DomB installs key, nonce 3

29 Hardware SSC Hypervisor 29 Domain Builder UDom0 Client gets TPM hashes 4

30 Hardware SSC Hypervisor 30 Domain Builder UDom0 Udom0 sends to client 5

31 UDom0 Hardware SSC Hypervisor 31 Domain Builder Client sends Udom0 SSL key 6 Enc ( )

32 Hardware SSC Hypervisor 32 Domain Builder UDom0 SSL handshake and secure channel establishment 7

33 Hardware SSC Hypervisor 33 Domain Builder UDom0 Can boot other VMs securely Work VM Service VM 8 VM image

34 Client meta-domains Hardware Malware detection Firewall and IDS Storage services Service VMs SSC hypervisor Computation Work VM Work VM Work VM Udom0 Trustworthy metering Regulatory compliance Mutually- trusted Service VMs 34

35 Case studies: Service VMs Storage services: Encryption, Intrusion detection Security services: –Kernel-level rootkit detection –System-call-based intrusion detection Data anonymization service Checkpointing service Memory dedupication And compositions of these! 35

36 Evaluation Goals –Measure overhead of SSC Dell PowerEdge R610 –24 GB RAM –8 XEON cores with dual threads (2.3 GHz) –Each VM has 2 vCPUs and 2 GB RAM Results shown only for 2 service VMs –See our CCS12 paper for more 36

37 Storage encryption service VM Sdom0 Storage encryption service VM Clients work VM Backend Block device Frontend Block device Backend Block device Encryption Decryption PlatformUnencrypted (MB/s)Encrypted (MB/s) Xen-legacy Self-service

38 Checkpointing service VM Clients VM Checkpoint service Encrypted Storage service Storage Checkpoint service (Encryption) PlatformUnencrypted (sec)Encrypted (sec) Xen-legacy Self-service

39 Related projects CloudVisor [SOSP11] Xen-Blanket [EuroSys12] 39 Protect client VM data from Dom0 using a thin, bare- metal hypervisor Allow clients to have their own Dom0s on commodity clouds using a thin shim Nested Hypervisor Client VM Dom0 CloudVisor Cloud Hypervisor Client VM Client Dom0 XenBlanket Cloud Dom0

40 Current and future work Novel network services, e.g., trustworthy network traffic metering VM migration in an SSC-based cloud: –Co-location of service VMs and work VMs. –Without exposing details of cloud platform to clients –Pricing and metering issues Cloud market model: Service VMs as cloud apps 40


Download ppt "Shakeel Butt H. Andres Lagar-Cavilla Abhinav Srivastava Vinod Ganapathy"

Similar presentations


Ads by Google