Protection Mechanisms for Application Service Hosting Platforms
Xuxian Jiang, Dongyan Xu, Rudolf Eigenmann
Department of Computer Sciences, Center for Education and Research in Information Assurance and Security (CERIAS), and School of Electrical and Computer Engineering, Purdue University
Outline
–Motivations and Goals
–SODA: a Service-On-Demand Architecture (two-level application service hosting platform)
–Security & Protection: controlled communication, Kernort, untamperable logging
–Evaluation
–Related Work
–Conclusion
Motivations
Why application service hosting?
–Reflection of the vision of Utility Computing
–Outsourcing
–CDN services
What is challenging?
–Private house vs. apartment building: a shared building needs locks between tenants
–Openness
–Sharing
–Mutual isolation, confinement, and protection
Goals
To build a value-added secure application service hosting platform on a shared infrastructure, achieving:
–On-demand creation and provisioning
–Isolation
–Protection
–Accountability
–Privacy
SODA: Service-On-Demand Architecture
–On-demand creation and provisioning
–Isolation
Two-level application service hosting platform
–Key technique: virtualization
SODA Architecture
(figure: a physical SODA host carrying application services AS and AS')
Virtualization: Key Technique
Two-level OS structure
–Host OS
–Guest OS (one per application service)
Strong isolation
–Administration isolation
–Installation isolation
–Fault / attack isolation
–Recovery, migration, and forensics
(figure: one SODA host running the host OS, with guest OSes for AS 1 … AS n)
For detailed information about SODA:
–Xuxian Jiang, Dongyan Xu, "SODA: a Service-On-Demand Architecture for Application Service Hosting Utility Platforms", Proceedings of the 12th IEEE International Symposium on High Performance Distributed Computing (HPDC-12), Seattle, WA, June 2003.
Security and Protection
–Controlled communication
–IDS in guest OS kernel
–Untamperable logging ('blackbox'-ing)
(figure: host OS with guest OSes for AS 1 … AS n)
Controlled Communication
(figure: each virtual machine has its own IP address; the SODA host itself is invisible on the Internet)
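The slide gives only the picture: guests are the visible endpoints, the host is not, and the host's virtual switch and firewall sit between them. The following is an added illustration of that policy, not code from the SODA project: a packet-level decision function for a constructed two-VM host (addresses, VM names, interface names and exposed services are all made up), plus the equivalent Linux iptables FORWARD rules so the model can be compared with what a host would actually install.

```python
"""Constructed model of SODA's controlled communication: every guest VM
owns a routable address, the SODA host is not reachable from the
network, and a host-side virtual switch/firewall decides what passes.
All addresses, names and services here are invented for the example."""
from dataclasses import dataclass

HOST_MGMT_IP = "10.0.0.1"            # host's own address, never exposed
VM_IPS = {"as1": "192.0.2.10", "as2": "192.0.2.11"}
VNIC = {"as1": "vnet-as1", "as2": "vnet-as2"}   # assumed host-side vNIC names
# Services each VM chooses to expose to the Internet: (proto, dport).
EXPOSED = {"as1": {("tcp", 80), ("tcp", 443)}, "as2": {("tcp", 22)}}
IP_TO_VM = {ip: vm for vm, ip in VM_IPS.items()}


@dataclass(frozen=True)
class Packet:
    ingress: str    # "net" (physical NIC) or the name of the VM whose vNIC sent it
    src: str
    dst: str
    proto: str
    dport: int


def decide(pkt):
    """Return (verdict, reason) for one packet seen by the host's virtual switch."""
    # Anti-spoofing: the vNIC a frame arrives on fixes the source it may claim.
    if pkt.ingress in VM_IPS and pkt.src != VM_IPS[pkt.ingress]:
        return "DROP", "spoofed source from %s" % pkt.ingress
    if pkt.ingress == "net" and pkt.src in IP_TO_VM:
        return "DROP", "VM address arriving from the physical NIC"
    # The host is invisible: nothing is delivered to its own address.
    if pkt.dst == HOST_MGMT_IP:
        return "DROP", "host is not a reachable endpoint"
    src_vm, dst_vm = IP_TO_VM.get(pkt.src), IP_TO_VM.get(pkt.dst)
    # Mutual isolation: the switch does not forward VM-to-VM frames.
    if src_vm and dst_vm:
        return "DROP", "inter-VM traffic is not switched"
    # Inbound to a VM only on the services that VM exposes.
    if dst_vm:
        if (pkt.proto, pkt.dport) in EXPOSED[dst_vm]:
            return "ACCEPT", "exposed service on %s" % dst_vm
        return "DROP", "port not exposed by %s" % dst_vm
    # Outbound from a VM to the Internet; replies are admitted by
    # connection tracking in a real deployment (assumption).
    if src_vm:
        return "ACCEPT", "outbound from %s" % src_vm
    return "DROP", "default deny"


def render_iptables():
    """Emit the same policy as Linux iptables FORWARD-chain rules (text only;
    nothing is applied). Rule order matters: drops precede the accepts."""
    rules = ["-P FORWARD DROP",
             "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
             "-A FORWARD -d %s -j DROP" % HOST_MGMT_IP]
    for vm, ip in VM_IPS.items():
        rules.append("-A FORWARD -i %s ! -s %s -j DROP" % (VNIC[vm], ip))   # anti-spoof
        for other in VM_IPS.values():
            if other != ip:
                rules.append("-A FORWARD -s %s -d %s -j DROP" % (ip, other))  # isolation
    for vm, ip in VM_IPS.items():
        for proto, port in sorted(EXPOSED[vm]):
            rules.append("-A FORWARD -d %s -p %s --dport %d -j ACCEPT" % (ip, proto, port))
        rules.append("-A FORWARD -i %s -s %s -j ACCEPT" % (VNIC[vm], ip))   # outbound
    return rules
```

The anti-spoofing rule is the one most often forgotten when VMs are given their own public addresses: without it a compromised guest can emit frames carrying another tenant's source address and the isolation rule that follows is meaningless.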
Kernort: IDS in Guest OS Kernel
(figure: Kernort placed inside the guest OS kernel)
Kernort: IDS in Guest OS Kernel (2)
VM-based IDS: deployed in each VM
Inside the guest OS kernel: a unique vantage point
–Customizable per guest without affecting the host OS
–Clearer view (sees system calls and packets after decryption, not just wire traffic)
–Untamperable logging (saved to the SODA host, out of the guest's reach)
–Fail-close instead of fail-open
Kernort: IDS in Guest OS Kernel (3)
Kernort sensor
–Renewable signature set
–Event-driven (system call and packet reception)
Kernort blackbox
–Untamperable logging
–Privacy preservation of ASes
Analyzer
–Exhaustive signature matching
–Detection of complex attack patterns
–Session replay
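The three Kernort components above (and the fail-close and tamper-resistance arguments on the "Kernort vs. conventional IDS" backup slide) are easier to reason about with a concrete model. The following is an added, userspace illustration written for this page, not the authors' kernel code: a sensor that is called on system-call and packet events and matches a swappable signature set, a blackbox that stands in for the log kept on the SODA host and is hash-chained so edits are detectable, fail-close behaviour when that host channel is unavailable, and an analyzer that replays one session and detects a two-step pattern. The signatures, the event stream, the privacy rule (only a digest of raw data is logged unless a signature fires) and the session identifiers are all constructed assumptions.

```python
"""Constructed userspace model of Kernort: event-driven sensor, renewable
signatures, host-side hash-chained blackbox, fail-close, session replay.
Illustration only; patterns and events below are invented."""
import hashlib
import json
import re

# Renewable signature set (constructed). Each entry names the event kind
# it applies to and a byte regex matched against the event data.
SIGNATURES = [
    {"name": "shell-string payload", "event": "packet", "re": rb"/bin/sh"},
    {"name": "interactive shell spawned", "event": "syscall", "re": rb"execve\(/bin/sh"},
]


def renew_signatures(new_set):
    """Replace the live signature set in place; no sensor restart needed."""
    SIGNATURES[:] = list(new_set)


class HostBlackbox:
    """Append-only log kept outside the guest (on the SODA host in the
    design). Records are hash-chained so any later edit breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self, channel_up=True):
        self.records = []
        self.channel_up = channel_up      # simulate the host channel failing

    def append(self, rec):
        if not self.channel_up:
            raise IOError("blackbox channel to host unavailable")
        prev = self.records[-1]["h"] if self.records else self.GENESIS
        body = json.dumps(rec, sort_keys=True)
        h = hashlib.sha256((prev + body).encode()).hexdigest()
        self.records.append({"prev": prev, "body": body, "h": h})

    def verify(self):
        prev = self.GENESIS
        for r in self.records:
            expect = hashlib.sha256((prev + r["body"]).encode()).hexdigest()
            if r["prev"] != prev or r["h"] != expect:
                return False
            prev = r["h"]
        return True


class KernortSensor:
    def __init__(self, blackbox):
        self.bb = blackbox

    def on_event(self, session, kind, data):
        """Hook called at syscall entry or packet reception.
        Returns (action, matched_signature_names). Privacy: only a digest
        of the raw data is logged unless a signature fires (assumption)."""
        hits = [s["name"] for s in SIGNATURES
                if s["event"] == kind and re.search(s["re"], data)]
        rec = {"session": session, "kind": kind,
               "digest": hashlib.sha256(data).hexdigest(), "hits": hits}
        if hits:
            rec["excerpt"] = data[:32].decode("latin-1")
        try:
            self.bb.append(rec)
        except IOError:
            return "DENY", hits          # fail-close: unlogged events do not proceed
        return "ALLOW", hits


def replay_session(bb, session):
    """Session replay: the logged events of one session, in order."""
    events = [json.loads(r["body"]) for r in bb.records]
    return [e for e in events if e["session"] == session]


def detect_shell_after_payload(bb, session):
    """Complex pattern across events: a shell-string payload is received,
    then a shell is exec'd in the same session (constructed two-step rule)."""
    armed = False
    for ev in replay_session(bb, session):
        if ev["kind"] == "packet" and "shell-string payload" in ev["hits"]:
            armed = True
        elif armed and ev["kind"] == "syscall" and "interactive shell spawned" in ev["hits"]:
            return True
    return False


def demo():
    """Run a constructed event stream through the sensor; returns (blackbox, actions)."""
    bb = HostBlackbox()
    sensor = KernortSensor(bb)
    stream = [                              # constructed; "s1" is the compromised session
        ("s1", "packet", b"GET /index.html HTTP/1.0\r\n"),
        ("s1", "packet", b"\x90\x90\x90\x90/bin/sh\x00"),
        ("s1", "syscall", b"execve(/bin/sh, [sh, -i])"),
        ("s2", "packet", b"GET /about HTTP/1.0\r\n"),
    ]
    return bb, [sensor.on_event(*e) for e in stream]
```

Two points the model makes that the bullets only state: the analyzer never needs the guest's cooperation, because it reads the host-side chain, and fail-close is a property of the sensor's error path, not of the signatures; with the host channel down every event is denied regardless of whether it matches anything.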
Kernort: IDS in Guest OS Kernel (4)
System Performance Overhead
Network Throughput & Latency Slowdown
Real-Time Alert
Session Re-play
Related Work
Utility computing architectures
–IBM Oceano, HP UDC
Grid platforms
–Computation: Globus, Condor, Legion, NetSolve, Harness, Cactus
–Storage and data: SRB, NeST, Data Grid, OceanStore
Shared infrastructure
–PlanetLab, Emulab
Related Work (2)
Intrusion detection systems
–Snort, VMM-based IDS, retrospection
Virtualization technologies
–Virtual supercomputer (aggregation): NOW, HPVM
–Virtual OS, isolation kernel (slicing): VMware, Xen (Cambridge), Denali (UW), UML, UMLinux, Virtual Private Server (Ensim)
–Grid computing on VMs: Virtuoso (Northwestern), Entropia
–Virtual cluster: Cluster-on-Demand (Duke)
Resource isolation
–GARA, QLinux (UMass), Virtual Service (UMich), Resource Containers, Cluster Reserves (Rice)
Conclusion
New challenges in application service hosting platforms (ASHP)
–Openness, sharing, mutual isolation, confinement, and protection
Two-level architecture for service provisioning
Efficient security & protection mechanisms for ASHP
–Virtual switching and firewalling
–Kernort
–Untamperable logging
Thank you. For more information:
Backup Slides
Kernort vs. conventional IDS
Problems with traditional IDS
–Encrypted traffic (e.g. ssh) makes a NIDS less effective
–An application-level IDS process will be "killed" once the machine is compromised
–Logs kept on the monitored machine may be tampered with
–Fail-open: when the IDS dies, traffic keeps flowing unobserved
Inside the guest OS kernel: a unique vantage point
–Customizable per guest without affecting the host OS
–Clearer view (events seen after decryption, at the system-call and packet level)
–Untamperable logging (saved to the SODA host, out of the guest's reach)
–Fail-close instead of fail-open