Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shakeel Butt H. Andres Lagar-Cavilla Abhinav Srivastava Vinod Ganapathy

Published byJake Darby Modified over 10 years ago

Similar presentations

Presentation on theme: "Shakeel Butt H. Andres Lagar-Cavilla Abhinav Srivastava Vinod Ganapathy"— Presentation transcript:

1 Shakeel Butt shakeelb@cs.rutgers.edu H. Andres Lagar-Cavilla andres@lagarcavilla.org Abhinav Srivastava abhinav@research.att.com Vinod Ganapathy vinodg@cs.rutgers.edu Self-service Cloud Computing Published in Proceedings of ACM CCS12

2 2 By 2015, 90% of government agencies and large companies will use the cloud [Gartner, Market Trends: Application Development Software, Worldwide, 2012-2016, 2012] Many new companies & services rely exclusively on the cloud, e.g., Instagram, MIT/Harvard EdX [NYTimes, Active in Cloud, Amazon Reshapes Computing, Aug 28, 2012]

3 Virtualized cloud platforms Hardware Hypervisor Management VM (dom0) Work VM Examples: Amazon EC2, Microsoft Azure, OpenStack, RackSpace Hosting 3

4 Embracing the cloud Lets do Cloud 4

5 Embracing the cloud Trust me with your code & data Cloud ProviderClient You have to trust us as well Cloud operators Problem #1 Client code & data secrecy and integrity vulnerable to attack 5

6 Embracing the cloud Problem #1 Client code & data secrecy and integrity vulnerable to attack 6

7 Embracing the cloud Problem #2 Clients must rely on provider to deploy customized services I need customized malware detection and VM rollback Cloud ProviderClient For now just have checkpointing … Cloud ProviderClient 7

8 Why do these problems arise? Hardware Hypervisor Management VM (dom0) Work VM 8

9 Hypervisor Clients VM Management VM Code Data Checking daemon Sec. Policy Resume guest 1 1 2 2 3 3 Process the page Alert user Example: Malware detection 9 ? ? [Example: Gibraltar -- Baliga, Ganapathy, Iftode, ACSAC08]

10 Hypervisor Clients VM Management VM Code Data Checking daemon Sec. Policy Resume guest 1 1 2 2 3 3 Process the page Alert user 10 ? ? Problem Clients must rely on provider to deploy customized services

11 Hypervisor Clients VM Management VM Code Data Checking daemon Sec. Policy Resume guest 1 1 2 2 3 3 Process the page Alert user 11 ? ? Problem Client code & data secrecy and integrity vulnerable to attack Malicious cloud operator

12 Hypervisor Clients VM Management VM Code Data Checking daemon Sec. Policy Resume guest 1 1 2 2 3 3 Process the page Alert user 12 ? ? Problem Client code & data secrecy and integrity vulnerable to attack EXAMPLES: CVE-2007-4993. Xen guest root escapes to dom0 via pygrub CVE-2007-5497. Integer overflows in libext2fs in e2fsprogs. CVE-2008-0923. Directory traversal vulnerability in the shared folders feature for VMWare. CVE-2008-1943. Buffer overflow in the backend of XenSource Xen paravirtualized frame buffer. CVE-2008-2100. VMWare buffer overflows in VIX API let local users execute arbitrary code in host OS. …. [AND MANY MORE]

13 Hardware Hypervisor Management VM Clients VMs 13 Traditional cloud computing

14 SSC: Self-service cloud computing Hardware Hypervisor Management VM Clients VMs 14

15 Main contributions New hypervisor privilege model Enables four new cloud abstractions –Udom0: Per-client management VMs –Sdom0: System-wide management VM –Service VMs –Mutually-trusted service VMs Protocols for trustworthy VM startup Novel cloud-based services 15

16 Duties of the management VM Manages and multiplexes hardware resourcesManages client virtual machines 16 Management VM (Dom0)

17 System-wide Mgmt. VM (SDom0) Per-Client Mgmt. VM (UDom0) Main technique used by SSC Disaggregate the management VM Manages hardware No access to clients VMs Solves problem #1 Manages clients VMs Allows clients to deploy new services Solves problem #2 17

18 An SSC platform Hardware SSC Hypervisor 18 SDom0 Work VM UDom0 Clients meta-domain Service VM Equipped with a Trusted Platform Module (TPM) chip Trusted Computing Base

19 Hardware SSC Hypervisor 19 SDom0 Work VM UDom0 Service VM 2. Least Privilege 1. Separation of Privilege

20 Cloud ProviderClient But providers want some control Udom0 and service VMs put clients in control of their VMs Sdom0 cannot inspect these VMs Malicious clients can misuse privilege Mutually-trusted service VMs 16 NO data leaks or corruption NO illegal activities or botnet hosting

21 Trustworthy regulatory compliance Hardware SSC Hypervisor 21 SDom0 Work VM UDom0 Mutually -trusted Service VM

22 Traditional privilege model Privileged operation Hypervisor is request from Management VM? YES ALLOW NO DENY 22

23 SSCs privilege model Privileged operation Self-service hypervisor Is the request from clients Udom0? NO YES ALLOW Does requestor have privilege (e.g., clients service VM) DENY NO YES ALLOW 23

24 Hardware SSC Hypervisor 24 SDom0 Bootstrap: the Domain Builder Domain Builder UDom0 Work VM Service VM

25 Hardware SSC Hypervisor 25 SDom0 Bootstrap: the Domain Builder Domain Builder UDom0 Work VM Service VM Must establish an encrypted communication channel

26 1 Hardware SSC Hypervisor 26 Domain Builder Udom0 image, Enc (, ) Udom0

27 Hardware SSC Hypervisor 27 Domain Builder UDom0 DomB builds domain 2 Udom0

28 Enc (, ) Hardware SSC Hypervisor 28 Domain Builder UDom0 DomB installs key, nonce 3

29 Hardware SSC Hypervisor 29 Domain Builder UDom0 Client gets TPM hashes 4

30 Hardware SSC Hypervisor 30 Domain Builder UDom0 Udom0 sends to client 5

31 UDom0 Hardware SSC Hypervisor 31 Domain Builder Client sends Udom0 SSL key 6 Enc ( )

32 Hardware SSC Hypervisor 32 Domain Builder UDom0 SSL handshake and secure channel establishment 7

33 Hardware SSC Hypervisor 33 Domain Builder UDom0 Can boot other VMs securely Work VM Service VM 8 VM image

34 Client meta-domains Hardware Malware detection Firewall and IDS Storage services Service VMs SSC hypervisor Computation Work VM Work VM Work VM Udom0 Trustworthy metering Regulatory compliance Mutually- trusted Service VMs 34

35 Case studies: Service VMs Storage services: Encryption, Intrusion detection Security services: –Kernel-level rootkit detection –System-call-based intrusion detection Data anonymization service Checkpointing service Memory dedupication And compositions of these! 35

36 Evaluation Goals –Measure overhead of SSC Dell PowerEdge R610 –24 GB RAM –8 XEON cores with dual threads (2.3 GHz) –Each VM has 2 vCPUs and 2 GB RAM Results shown only for 2 service VMs –See our CCS12 paper for more 36

37 Storage encryption service VM Sdom0 Storage encryption service VM Clients work VM Backend Block device Frontend Block device Backend Block device Encryption Decryption PlatformUnencrypted (MB/s)Encrypted (MB/s) Xen-legacy81.7271.90 Self-service75.8870.64 37

38 Checkpointing service VM Clients VM Checkpoint service Encrypted Storage service Storage Checkpoint service (Encryption) PlatformUnencrypted (sec)Encrypted (sec) Xen-legacy1.84011.419 Self-service1.93611.329 38

39 Related projects CloudVisor [SOSP11] Xen-Blanket [EuroSys12] 39 Protect client VM data from Dom0 using a thin, bare- metal hypervisor Allow clients to have their own Dom0s on commodity clouds using a thin shim Nested Hypervisor Client VM Dom0 CloudVisor Cloud Hypervisor Client VM Client Dom0 XenBlanket Cloud Dom0

40 Current and future work Novel network services, e.g., trustworthy network traffic metering VM migration in an SSC-based cloud: –Co-location of service VMs and work VMs. –Without exposing details of cloud platform to clients –Pricing and metering issues Cloud market model: Service VMs as cloud apps 40

Download ppt "Shakeel Butt H. Andres Lagar-Cavilla Abhinav Srivastava Vinod Ganapathy"

Similar presentations

1

1
© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.

© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2003 Chapter 3 Data Transmission.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2003 Chapter 3 Data Transmission.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.
Processes and Operating Systems

Processes and Operating Systems
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.

Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
UNITED NATIONS Shipment Details Report – January 2006.

UNITED NATIONS Shipment Details Report – January 2006.
RXQ.11.4.1 Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) Customer Supplier Customer authorizes Enrollment (11.3.2.1)

RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) Customer Supplier Customer authorizes Enrollment ( )
Document #07-2I RXQ.11.4.1 Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) (mod 7/25 & clean-up 8/20) Customer Supplier.

Document #07-2I RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) (mod 7/25 & clean-up 8/20) Customer Supplier.
What causes the commodity price boom? AGRI Green Team Seminar on the Health Check May 15, 2008 AGRI-G1 Agricultural Policy Analysis and Perspectives DG.

What causes the commodity price boom? AGRI Green Team Seminar on the Health Check May 15, 2008 AGRI-G1 Agricultural Policy Analysis and Perspectives DG.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.

1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×

Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×
Create an Application Title 1A - Adult Chapter 3.

Create an Application Title 1A - Adult Chapter 3.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.

FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Year 6 mental test 10 second questions

Year 6 mental test 10 second questions

Similar presentations

Ads by Google