Shakeel Butt-Rutgers University & NVidia Vinod Ganapathy-Rutgers University Abhinav Srivastava-AT&T Labs Research On the Control Plane of a Self-service.

Slides:

Advertisements

Similar presentations

Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha.

Advertisements

Self-service Cloud Computing Vinod Ganapathy Department of Computer Science Rutgers University.

Shakeel Butt H. Andres Lagar-Cavilla Abhinav Srivastava Vinod Ganapathy

Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)

High Availability Deep Dive What’s New in vSphere 5 David Lane, Virtualization Engineer High Point Solutions.

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.

The Case for Enterprise Ready Virtual Private Clouds Timothy Wood, Alexandre Gerber *, K.K. Ramakrishnan *, Jacobus van der Merwe *, and Prashant Shenoy.

Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.

An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.

 Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.

Towards High-Availability for IP Telephony using Virtual Machines Devdutt Patnaik, Ashish Bijlani and Vishal K Singh.

An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.

Data Center Virtualization: Open vSwitch Hakim Weatherspoon Assistant Professor, Dept of Computer Science CS 5413: High Performance Systems and Networking.

Virtual Machine approach to Security Gautam Prasad and Sudeep Pradhan 10/05/2010 CS 239 UCLA.

Authors: Thomas Ristenpart, et at.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Virtualization for Cloud Computing

Jennifer Rexford Princeton University MW 11:00am-12:20pm SDN Software Stack COS 597E: Software Defined Networking.

5205 – IT Service Delivery and Support

1 Enabling Secure Internet Access with ISA Server.

Self-service Cloud Computing Shakeel Butt Department of Computer Science Rutgers University.

Additional SugarCRM details for complete, functional, and portable deployment.

Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Enabling Innovation Inside the Network Jennifer Rexford Princeton University

Microkernels, virtualization, exokernels Tutorial 1 – CSC469.

HyperSpector: Virtual Distributed Monitoring Environments for Secure Intrusion Detection Kenichi Kourai Shigeru Chiba Tokyo Institute of Technology.

Auditing Cloud Administrators Using Information Flow Tracking Afshar David ACM Scalable Trusted Computing.

Data Center Virtualization: Xen and Xen-blanket

Benefits: Increased server utilization Reduced IT TCO Improved IT agility.

Secure Out-of-band Remote Management Using Encrypted Virtual Serial Consoles in IaaS Clouds Kenichi Kourai Tatsuya Kajiwara Kyushu Institute of Technology.

Improving Network I/O Virtualization for Cloud Computing.

Virtual Machine Security Systems Presented by Long Song 08/01/2013 Xin Zhao, Kevin Borders, Atul Prakash.

SDN based Network Security Monitoring in Dynamic Cloud Networks Xiuzhen CHEN School of Information Security Engineering Shanghai Jiao Tong University,

FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.

The Open Source Virtual Lab: a Case Study Authors: E. Damiani, F. Frati, D. Rebeccani, M. Anisetti, V. Bellandi and U. Raimondi University of Milan Department.

Zero-copy Migration for Lightweight Software Rejuvenation of Virtualized Systems Kenichi Kourai Hiroki Ooba Kyushu Institute of Technology.

Politecnico di Torino Dipartimento di Automatica ed Informatica TORSEC Group Performance of Xen’s Secured Virtual Networks Emanuele Cesena Paolo Carlo.

COMS E Cloud Computing and Data Center Networking Sambit Sahu

High Performance Computing on Virtualized Environments Ganesh Thiagarajan Fall 2014 Instructor: Yuzhe(Richard) Tang Syracuse University.

HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.

Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.

Self-service Cloud Computing Presented by: Yu Bai (ybai181) Butt, S., Lagar-Cavilla, H. A., Srivastava, A., & Ganapathy, V. (2012, October). Self-service.

Virtual Workspaces Kate Keahey Argonne National Laboratory.

 Virtual machine systems: simulators for multiple copies of a machine on itself.  Virtual machine (VM): the simulated machine.  Virtual machine monitor.

The xCloud and Design Alternatives Presented by Lavone Rodolph.

Bart Miller – October 22 nd,  TCB & Threat Model  Xen Platform  Xoar Architecture Overview  Xoar Components  Design Goals  Results  Security.

Self-service Cloud Computing by Jack Luo Shakeel Butt (Rugtgers University) H.Andres Lagar-Cavilla (GridCentric Inc.) Abhinav Srivastava (AT&T Labs-Research)

Improving Xen Security through Disaggregation Derek MurrayGrzegorz MilosSteven Hand.

Operating Systems Security

Security Vulnerabilities in A Virtual Environment

System Center Lesson 4: Overview of System Center 2012 Components System Center 2012 Private Cloud Components VMM Overview App Controller Overview.

Full and Para Virtualization

Web Technologies Lecture 13 Introduction to cloud computing.

Slide 1/20 "PerfSight: Performance Diagnosis for Software Dataplanes." Wu, Wenfei, Keqiang He, and Aditya Akella ACM ICM, Presented by: Ayush Patwari.

This courseware is copyrighted © 2016 gtslearning. No part of this courseware or any training material supplied by gtslearning International Limited to.

Secure Offloading of Legacy IDSes Using Remote VM Introspection in Semi-trusted IaaS Clouds Kenichi Kourai Kazuki Juda Kyushu Institute of Technology.

The Big Picture Trust in cloud infrastructure

Chapter 6: Securing the Cloud

Breaking Up is Hard to Do

CIS 332 Course Experience Tradition / snaptutorial.com

Shohei Miyama Kenichi Kourai Kyushu Institute of Technology, Japan

Northbound API Dan Shmidt | January 2017

Concept of VLAN (Virtual LAN) and Benefits

I'm Kenichi Kourai from Kyushu Institute of Technology.

Sai Krishna Deepak Maram, CS 6410

SCONE: Secure Linux Containers Environments with Intel SGX

Shielding applications from an untrusted cloud with Haven

Presentation transcript:

Shakeel Butt-Rutgers University & NVidia Vinod Ganapathy-Rutgers University Abhinav Srivastava-AT&T Labs Research On the Control Plane of a Self-service Cloud Platform

Client security on cloud platforms Cloud providers and administrators are all powerful. Clients have little choice but to trust them. 2

Client data exposed to attack Implications – Attacks Malicious attacks perpetrated by employees: –“Insider” attacks by cloud provider’s employees –Cited as important concern in [Gartner 2008] Exploits against cloud admin interfaces: –Plethora of examples: CVE , CVE , CVE , CVE , CVE , … 3

Implications – Deploying services Cloud clients largely restricted to in-VM security tools Deployment and configuration of powerful security tools entrusted to cloud provider: –VM introspection tools –Network-level middleboxes 4 Clients have limited flexibility

Self-service Cloud Computing Our Solution – SSC [ACM CCS 2012] De-privilege cloud admins Transfer privilege to clients Main ideas: –Privilege separation –Least privilege Implemented via hypervisor modifications 5

Contributions of this paper Control plane for a cloud platform consisting of SSC hypervisors 6 Client’s PerspectiveProvider’s Perspective Deploying custom network middleboxes Unified administrative interface Specifying VM dependencies VM dependency-aware migration

Traditional cloud platforms Hardware Hypervisor Provider’s Management VM (dom0) Client VM 7

Privilege allocation Hardware Hypervisor Provider’s Management VM (dom0) Client VM 8

Hypervisor Client’s VM Management VM Code Data Checking daemon Sec. Policy Resume guest Process the page Alert user Example: Malware detection 9 ? ?

Hypervisor Client’s VM Management VM Code Data Checking daemon Sec. Policy Resume guest Process the page Alert user 10 ? ? Flexibility Problem Clients rely on provider/admins to deploy the service

Hypervisor Client’s VM Management VM Code Data Checking daemon Sec. Policy Resume guest Process the page Alert user 11 ? ? Security Problem Client code & data secrecy and integrity vulnerable to attack Malicious cloud operator

Privilege allocation in SSC Hardware SSC Hypervisor Provider’s Management VM 12 Client Mgmt. VM Client VM

Duties of the management VM Manages and multiplexes hardware resourcesManages client virtual machines 13 Management VM (Dom0)

System-wide Mgmt. VM (one per physical host) Per-Client Mgmt. VM Main technique used by SSC Disaggregate the management VM SDom0 Manages hardware No access to client VMs UDom0 Manages client’s VMs Allows clients to deploy new services 14

An SSC platform Hardware SSC Hypervisor 15 SDom0 Trusted Computing Base Work VM UDom0 Work VM UDom0 Work VM Security VM UDom0

Cloud control plane 16 Client’s interface to the cloud Cloud Controller Node controller (in Sdom0) Udom0 Node controller (in Sdom0) Udom0 Dom0 Hypervisor Node Controller Client VM Client VM images

Cloud control plane From the client’s perspective: –Interfaces with the client to get VM images –Is the client’s administrative interface From the cloud provider’s perspective: –Manages VM placement and migration –Abstracts away platform details, hiding them from the client’s view 17

Need for an SSC control plane Traditional control plane software unaware of SSC abstractions Two implications: 1.Poor flexibility: –Client cannot specify VM dependencies –Client cannot specify middlebox placement 2.Poor security: –Udom0s on individual platforms may expose cloud provider topology to malicious clients 18

SSC-aware control plane Enhanced dashboard interface to abstract details of individual Udom0s Allows specification of: –VM dependency constraints –Middlebox placement topologies Transparently handles VM migration and placement –Please see paper for details on our VM migration protocol 19

SSC-aware control plane 20 Client’s interface to the cloud Cloud Controller Node controller (in Sdom0) Udom0 Node controller (in Sdom0) Udom0 Sdom0 SSC Hypervisor Node Controller Client VMUDom0 Client VM images Client switches

Client interface 21 Client’s interface to the cloud Cloud Controller Node controller (in Sdom0) Udom0 Node controller (in Sdom0) Udom0 Sdom0 SSC Hypervisor Node Controller Client VMUDom0 Client VM images Client switches 1 1

Example scenario 22 Web Server (web_vm)

Example scenario 23 Web Server (web_vm) VMI tool (vmi_vm) MUST_COLOCATE

Example scenario 24 Web Server (web_vm) VMI tool (vmi_vm) SSL Proxy (ssl_vm) MUST_COLOCATE

Example scenario 25 Web Server (web_vm) VMI tool (vmi_vm) SSL Proxy (ssl_vm) Firewall (firewall_vm) MUST_COLOCATE MAY_COLOCATE

VM dependency constraints VM web_vm; // Client’s Web server VM vmi_vm; // VMI-based Memory introspection tool VM ssl_vm; // SSL proxy for the Web server VM firewall_vm; // VM running the Snort NIDS web_vm.name = “MyWeb”; web_vm.image = Apache.img; vmi_vm.name =...; vmi_vm.image =...; ssl_vm.name =...; ssl_vm.image =...; firewall_vm.name =...; firewall_vm.image =...; Grant_Privilege (vmi_vm, web_vm, Kern_Mem); Set_Backend (ssl_vm, web_vm, NET, MUST_COLOCATE); Set_Backend (firewall_vm, ssl_vm, NET, MAY_COLOCATE); 26

Cloud controller 27 Client’s interface to the cloud Cloud Controller Node controller (in Sdom0) Udom0 Node controller (in Sdom0) Udom0 Sdom0 SSC Hypervisor Node Controller Client VMUDom0 Client VM images Client switches 2 2

Cloud controller’s tasks Solves a constraint-satisfaction problem –All MUST_COLOCATE constraints satisfied –Output is a set of VM placements Communicates VM placements to individual node controllers –Sends network switch configurations for backend VMs (Set_Backend) –Also sends permission requirements for VMs (Grant_Privilege) 28 2

Udom0 and switches 29 Client’s interface to the cloud Cloud Controller Node controller (in Sdom0) Udom0 Node controller (in Sdom0) Udom0 Sdom0 SSC Hypervisor Node Controller Client VMUDom0 Client VM images Client switches 3 3

Udom0 and switches Each physical host that runs a client VM has a Udom0 and software switches –We use Open vSwitch for switches Udom0 handles Grant_Privilege requests, and enables system services Software switches configured to handle Set_Backend requests and accommodate middleboxes 30 3

Example of middlebox placement 31 Host A Host B Inbound traffic firewall_vm Open vSwitch VM ssl_vm Open vSwitch VM web_vm Traffic scanned by firewall_vm

Evaluation Goals –Measure overhead of control plane components Dell PowerEdge R610 running Xen-4.3 –24 GB RAM –8 Xeon cores with dual threads (2.3 GHz) –Each VM has 2 vCPUs and 2 GB RAM Results shown only for one case study –See our paper for more 32

Baseline overhead for middleboxes 33 SAMEHOST Ping requests Client VM Middlebox Measurement host DIFFHOST Client VM Open vSwitch Measurement host Middlebox Open vSwitch

Baseline overhead for middleboxes SetupThroughput (Mbps)RTT (ms) Traditional925.4 ± SSC924 ± (1.6x) 34 SetupThroughput (Mbps)RTT (ms) Traditional848.4 ± SSC425.8 ± (2.3x) SAMEHOST DIFFHOST

Example: Network metering 35 Client VM Open vSwitch Metering Open vSwitch Client VM Open vSwitch Client VM Open vSwitch

Network metering overhead SetupThroughput (Mbps) Traditional924.8 ± 1.1 SSC924 ± SetupThroughput (Mbps) Traditional845.4 ± 11.1 SSC424.3 ± 3.1 SAMEHOST DIFFHOST

See paper for more Network intrusion detection Network access control Host+network (hybrid) intrusion detection Evaluation of VM migration overheads 37

Related work Client security: –CloudVisor [SOSP’11], Xoar [SOSP’11], Intel SGX, Haven [OSDI’14], Overshadow [ASPLOS’08] Client flexibility with nested VMs: –XenBlanket [EuroSys’12] Client-controlled middleboxes with SDN: –SIMPLE [SIGCOMM’13], FlowTags [NSDI’14], CloudNaaS [SOCC’11] 38

Shakeel Vinod Abhinav Thank You.

BACKUP SLIDES 40

SSC versus Haven/Intel SGX SGX allows clients to create enclaves, which are opaque to cloud providers Benefits of Intel SGX over SSC: –Cloud provider is untrusted –Ability to defend against memory snooping –Strong, cryptographic security guarantees Benefits of SSC over Intel SGX: –Mutually-trusted domains allow provider to monitor client –Mimics cloud setting of VMs over hypervisors 41

Cloudvisor and XenBlanket CloudVisor [SOSP’11]Xen-Blanket [EuroSys’12] 42 Protect client VM data from Dom0 using a thin, bare- metal hypervisor Allow clients to have their own Dom0s on commodity clouds using a thin shim Nested Hypervisor Client VM Dom0 CloudVisor Cloud Hypervisor Client VM Client Dom0 XenBlanket Cloud Dom0

Cloud ProviderClient Providers want some control Udom0 and service VMs put clients in control of their VMs Sdom0 cannot inspect these VMs Malicious clients can misuse privilege Mutually-trusted service VMs 16 NO data leaks or corruption NO illegal activities or botnet hosting

Traditional privilege model Privileged operation Hypervisor is request from Management VM? YES ALLOW NO DENY 44

SSC’s privilege model Privileged operation Self-service hypervisor Is the request from client’s Udom0? NO YES ALLOW Does requestor have privilege (e.g., client’s service VM) DENY NO YES ALLOW 45