Self-service Cloud Computing

Transcription

1 Self-service Cloud Computing Published in Proceedings of ACM CCS 12 Shakeel Butt Abhinav Srivastava H. Andres Lagar-Cavilla Vinod Ganapathy

2 By 2015, 90% of government agencies and large companies will use the cloud [Gartner, Market Trends: Application Development Software, Worldwide, , 2012] Many new companies & services rely exclusively on the cloud, e.g., Instagram, MIT/Harvard EdX [NYTimes, Active in Cloud, Amazon Reshapes Computing, Aug 28, 2012] 2

3 Virtualized cloud platforms Management (dom0) Work Work Work Hypervisor Hardware Examples: Amazon EC2, Microso= Azure, OpenStack, RackSpace HosDng 3

4 Embracing the cloud Lets do Cloud 4

5 Embracing the cloud Trust me with your code & data You have to trust us as well Client Cloud Provider Cloud operators Problem #1 Client code & data secrecy and integrity vulnerable to attack 5

6 Embracing the cloud Problem #1 Client code & data secrecy and integrity vulnerable to attack 6

7 Embracing the cloud I need customized malware detection and rollback For now just have checkpointing Client Cloud Provider Client Cloud Provider Problem #2 Clients must rely on provider to deploy customized services 7

8 Why do these problems arise? Management (dom0) Work Work Work Hypervisor Hardware 8

9 Example: Malware detection Client s Code Data 1 Management Checking daemon Process the page 2 3? Sec. Policy Hypervisor Resume guest Alert user [Example: Gibraltar - - Baliga, Ganapathy, I=ode, ACSAC 08] 9

10 Problem Clients must rely on provider to deploy customized services Client s Code Data 1 Management Checking daemon Process the page 2 3? Sec. Policy Hypervisor Resume guest Alert user 10

11 Problem Client code & data secrecy and integrity vulnerable to attack Client s Code Data Management Checking daemon Process the page 2 3? Sec. Policy 1 Hypervisor Malicious cloud operator Resume guest Alert user 11

12 Problem Client code & data secrecy and integrity vulnerable to attack Client s Code Hypervisor Data Management Checking daemon Process the page 2 Resume guest? Alert user Sec. Policy EXAMPLES: 3 CVE Xen guest root escapes to dom0 via pygrub CVE Integer overflows in libext2fs in e2fsprogs. CVE Directory traversal vulnerability in the shared folders feature for Ware. CVE Buffer overflow in the backend of XenSource Xen paravirtualized frame buffer. CVE Ware buffer overflows in VIX API let local users execute arbitrary code in host OS.. [AND MANY MORE] 12

13 Traditional cloud computing Management Client s s Hypervisor Hardware 13

14 SSC: Self-service cloud computing Management Client s s Hypervisor Hardware 14

15 Main contributions New hypervisor privilege model Enables four new cloud abstractions Udom0: Per-client management s Sdom0: System-wide management Service s Mutually-trusted service s Protocols for trustworthy startup Novel cloud-based services 15

16 Duties of the management Manages and mul;plexes hardware resources Manages client virtual machines Management (Dom0) 16

17 Main technique used by SSC Disaggregate the management Per- Client Mgmt. (UDom0) Manages client s s Allows clients to deploy new services Solves problem #2 System- wide Mgmt. (SDom0) Manages hardware No access to clients s Solves problem #1 17

18 An SSC platform SDom0 UDom0 Client s meta- domain Service Work Work SSC Hypervisor TPM Hardware Trusted Computing Base 18

19 1. Separation of Privilege 2. Least Privilege SDom0 UDom0 Service Work Work SSC Hypervisor Hardware 19

20 But providers want some control NO data leaks or corruption NO illegal activities or botnet hosting Client Cloud Provider Udom0 and service s put clients in control of their s Sdom0 cannot inspect these s Malicious clients can misuse privilege Mutually-trusted service s 16

21 Trustworthy regulatory compliance SDom0 UDom0 Mutually - trusted Service Work Work SSC Hypervisor Hardware 21

22 Traditional privilege model Privileged opera;on Hypervisor is request from Management? YES NO ALLOW DENY 22

23 SSC s privilege model Privileged opera;on Self-service hypervisor Is the request from client s Udom0? YES NO ALLOW Does requestor have privilege (e.g., client s service ) YES NO ALLOW DENY 23

24 Bootstrap: the Domain Builder SDom0 UDom0 Work Domain Builder Service SSC Hypervisor Hardware 24

25 Bootstrap: the Domain Builder Must SDom0 establish an encrypted communicadon channel Domain Builder UDom0 Work Service SSC Hypervisor Hardware 25

26 1 Udom0 image, Enc (, ) Udom0 Domain Builder SSC Hypervisor Hardware 26

27 2 DomB builds domain Udom0 UDom0 Domain Builder SSC Hypervisor Hardware 27

28 3 DomB installs key, nonce Enc (, ) UDom0 Domain Builder SSC Hypervisor Hardware 28

29 4 Client gets TPM hashes UDom0 Domain Builder SSC Hypervisor Hardware 29

30 5 Udom0 sends to client UDom0 Domain Builder SSC Hypervisor Hardware 30

31 6 Client sends Udom0 SSL key Enc ( ) UDom0 Domain Builder SSC Hypervisor Hardware 31

32 7 SSL handshake and secure channel establishment UDom0 Domain Builder SSC Hypervisor Hardware 32

33 8 Can boot other s securely UDom0 Work image Domain Builder SSC Hypervisor Hardware Service 33

34 Client meta-domains Udom0 Mutually- trusted Service s Regulatory compliance Service s Storage services Firewall and IDS ComputaDon Work Work Trustworthy metering Malware detecdon Work SSC hypervisor Hardware 34

35 Case studies: Service s Storage services: Encryption, Intrusion detection Security services: Kernel-level rootkit detection System-call-based intrusion detection Data anonymization service Checkpointing service Memory dedupication And compositions of these! 35

36 Goals Evaluation Measure overhead of SSC Dell PowerEdge R GB RAM 8 Xeon cores with dual threads (2.3 GHz) Each has 2 vcpus and 2 GB RAM Results shown only for 2 service s See our CCS 12 paper for more 36

37 Storage encryption service Sdom0 Storage encrypdon service Client s work Backend Block device Frontend Block device EncrypDon DecrypDon Backend Block device Frontend Block device Plaiorm Unencrypted (MB/s) Encrypted (MB/s) Xen- legacy Self- service

38 Checkpointing service Client s Checkpoint Checkpoint service service (EncrypDon) Storage Encrypted Storage service Storage Plaiorm Unencrypted (sec) Encrypted (sec) Xen- legacy Self- service

39 Related projects CloudVisor [SOSP 11] Protect client data from Dom0 using a thin, baremetal hypervisor Xen- Blanket [EuroSys 12] Allow clients to have their own Dom0s on commodity clouds using a thin shim Dom0 Client Nested Hypervisor Cloud Dom0 Client Dom0 Client XenBlanket CloudVisor Cloud Hypervisor 39

40 Current and future work Novel network services, e.g., trustworthy network traffic metering migration in an SSC-based cloud: Co-location of service s and work s. Without exposing details of cloud platform to clients Pricing and metering issues Cloud market model: Service s as cloud apps See Towards a Richer Model of Cloud App Markets, in ACM CCSW