Self-service Cloud Computing Published in Proceedings of ACM CCS 12 Shakeel Butt shakeelb@cs.rutgers.edu Abhinav Srivastava abhinav@research.att.com H. Andres Lagar-Cavilla andres@lagarcavilla.org Vinod Ganapathy vinodg@cs.rutgers.edu
By 2015, 90% of government agencies and large companies will use the cloud [Gartner, Market Trends: Application Development Software, Worldwide, 2012-2016, 2012] Many new companies & services rely exclusively on the cloud, e.g., Instagram, MIT/Harvard EdX [NYTimes, Active in Cloud, Amazon Reshapes Computing, Aug 28, 2012] 2
Virtualized cloud platforms Management (dom0) Work Work Work Hypervisor Hardware Examples: Amazon EC2, Microsoft Azure, OpenStack, RackSpace Hosting 3
Embracing the cloud Let's do Cloud 4
Embracing the cloud Trust me with your code & data You have to trust us as well Client Cloud Provider Cloud operators Problem #1 Client code & data secrecy and integrity vulnerable to attack 5
Embracing the cloud Problem #1 Client code & data secrecy and integrity vulnerable to attack 6
Embracing the cloud I need customized malware detection and rollback For now just have checkpointing Client Cloud Provider Client Cloud Provider Problem #2 Clients must rely on provider to deploy customized services 7
Why do these problems arise? Management (dom0) Work Work Work Hypervisor Hardware 8
Example: Malware detection Client's VM Code Data 1 Management VM Checking daemon Process the page 2 3? Sec. Policy Hypervisor Resume guest Alert user [Example: Gibraltar -- Baliga, Ganapathy, Iftode, ACSAC 08] 9
Problem Clients must rely on provider to deploy customized services Client's VM Code Data 1 Management VM Checking daemon Process the page 2 3? Sec. Policy Hypervisor Resume guest Alert user 10
Problem Client code & data secrecy and integrity vulnerable to attack Client's VM Code Data Management VM Checking daemon Process the page 2 3? Sec. Policy 1 Hypervisor Malicious cloud operator Resume guest Alert user 11
Problem Client code & data secrecy and integrity vulnerable to attack Client's VM Code Data 1 Management VM Checking daemon Process the page 2 3? Sec. Policy Hypervisor Resume guest Alert user
EXAMPLES:
- CVE-2007-4993. Xen guest root escapes to dom0 via pygrub.
- CVE-2007-5497. Integer overflows in libext2fs in e2fsprogs.
- CVE-2008-0923. Directory traversal vulnerability in the shared folders feature for VMware.
- CVE-2008-1943. Buffer overflow in the backend of XenSource Xen paravirtualized frame buffer.
- CVE-2008-2100. VMware buffer overflows in VIX API let local users execute arbitrary code in host OS.
[AND MANY MORE] 12
Traditional cloud computing Management VM Client's VMs Hypervisor Hardware 13
SSC: Self-service cloud computing Management VM Client's VMs Hypervisor Hardware 14
Main contributions
- New hypervisor privilege model
- Enables four new cloud abstractions: Udom0 (per-client management VMs), Sdom0 (system-wide management VM), Service VMs, Mutually-trusted service VMs
- Protocols for trustworthy VM startup
- Novel cloud-based services
15
Duties of the management VM: Manages and multiplexes hardware resources. Manages client virtual machines. Management VM (Dom0) 16
Main technique used by SSC: Disaggregate the management VM
- Per-Client Mgmt. VM (UDom0): Manages client's VMs. Allows clients to deploy new services. Solves problem #2.
- System-wide Mgmt. VM (SDom0): Manages hardware. No access to client's VMs. Solves problem #1.
17
An SSC platform SDom0 UDom0 Client's meta-domain Service VM Work VM Work VM SSC Hypervisor TPM Hardware Trusted Computing Base 18
1. Separation of Privilege 2. Least Privilege SDom0 UDom0 Service Work Work SSC Hypervisor Hardware 19
But providers want some control: NO data leaks or corruption. NO illegal activities or botnet hosting. Client Cloud Provider. Udom0 and service VMs put clients in control of their VMs. Sdom0 cannot inspect these VMs. Malicious clients can misuse privilege. Mutually-trusted service VMs. 16
Trustworthy regulatory compliance SDom0 UDom0 Mutually - trusted Service Work Work SSC Hypervisor Hardware 21
Traditional privilege model. Privileged operation. Hypervisor: is request from Management VM? YES: ALLOW. NO: DENY. 22
SSC's privilege model. Privileged operation. Self-service hypervisor: Is the request from client's Udom0? YES: ALLOW. NO: Does requestor have privilege (e.g., client's service VM)? YES: ALLOW. NO: DENY. 23
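The two decision flows on slides 22 and 23, written out as an added C example (not code from the SSC authors or from Xen). The struct fields, the per-client scoping check and the `priv_target` delegation field are assumptions made for illustration; the sample domains are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Roles named after the slides; the types and fields are hypothetical. */
enum role { SDOM0, UDOM0, SERVICE_VM, WORK_VM };

struct domain {
    enum role role;
    int id;
    int client;       /* owning client meta-domain, -1 for the provider's Sdom0 */
    int priv_target;  /* id of the VM this domain holds privilege over, -1 if none */
};

/* Traditional model: allow iff the request comes from the management VM. */
bool traditional_allows(const struct domain *req, const struct domain *target)
{
    (void)target;               /* dom0 may operate on any client's VM */
    return req->role == SDOM0;  /* SDOM0 stands in for the single dom0 here */
}

/* SSC model: the client's own Udom0, or a VM holding delegated privilege. */
bool ssc_allows(const struct domain *req, const struct domain *target)
{
    if (req->client != target->client)
        return false;           /* never across meta-domains, so Sdom0 is out */
    if (req->role == UDOM0)
        return true;
    return req->priv_target == target->id;  /* e.g. the client's service VM */
}

/* Constructed sample domains: the provider plus clients 0 and 1. */
const struct domain sdom0   = { SDOM0,      0, -1, -1 };
const struct domain udom0_a = { UDOM0,      1,  0, -1 };
const struct domain svc_a   = { SERVICE_VM, 2,  0,  3 };
const struct domain work_a  = { WORK_VM,    3,  0, -1 };
const struct domain work_a2 = { WORK_VM,    4,  0, -1 };
const struct domain udom0_b = { UDOM0,      5,  1, -1 };

int main(void)
{
    printf("mgmt VM -> work_a: traditional=%d ssc=%d\n",
           traditional_allows(&sdom0, &work_a), ssc_allows(&sdom0, &work_a));
    printf("svc_a -> work_a: ssc=%d, svc_a -> work_a2: ssc=%d\n",
           ssc_allows(&svc_a, &work_a), ssc_allows(&svc_a, &work_a2));
    printf("udom0_b -> work_a: ssc=%d\n", ssc_allows(&udom0_b, &work_a));
    return 0;
}
```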
Bootstrap: the Domain Builder SDom0 UDom0 Work Domain Builder Service SSC Hypervisor Hardware 24
Bootstrap: the Domain Builder. Must establish an encrypted communication channel. SDom0 Domain Builder UDom0 Work VM Service VM SSC Hypervisor Hardware 25
1 Udom0 image, Enc (, ) Udom0 Domain Builder SSC Hypervisor Hardware 26
2 DomB builds domain Udom0 UDom0 Domain Builder SSC Hypervisor Hardware 27
3 DomB installs key, nonce Enc (, ) UDom0 Domain Builder SSC Hypervisor Hardware 28
4 Client gets TPM hashes UDom0 Domain Builder SSC Hypervisor Hardware 29
5 Udom0 sends to client UDom0 Domain Builder SSC Hypervisor Hardware 30
6 Client sends Udom0 SSL key Enc ( ) UDom0 Domain Builder SSC Hypervisor Hardware 31
7 SSL handshake and secure channel establishment UDom0 Domain Builder SSC Hypervisor Hardware 32
8 Can boot other VMs securely UDom0 Work VM image Domain Builder SSC Hypervisor Hardware Service VM 33
Client meta-domains Udom0 Mutually-trusted Service VMs Regulatory compliance Service VMs Storage services Firewall and IDS Computation Work VM Work VM Trustworthy metering Malware detection Work VM SSC hypervisor Hardware 34
Case studies: Service VMs
- Storage services: Encryption, Intrusion detection
- Security services: Kernel-level rootkit detection, System-call-based intrusion detection
- Data anonymization service
- Checkpointing service
- Memory deduplication
- And compositions of these!
35
Evaluation
- Goals: Measure overhead of SSC
- Dell PowerEdge R610, 24 GB RAM, 8 Xeon cores with dual threads (2.3 GHz)
- Each VM has 2 vcpus and 2 GB RAM
- Results shown only for 2 service VMs
- See our CCS 12 paper for more
36
Storage encryption service. Sdom0 Storage encryption service VM Client's work VM Backend Block device Frontend Block device Encryption Decryption Backend Block device Frontend Block device
Platform        Unencrypted (MB/s)   Encrypted (MB/s)
Xen-legacy      81.72                71.90
Self-service    75.88                70.64
37
Checkpointing service. Client's VM Checkpoint service Checkpoint service (Encryption) Storage Encrypted Storage service Storage
Platform        Unencrypted (sec)    Encrypted (sec)
Xen-legacy      1.840                11.419
Self-service    1.936                11.329
38
Related projects
- CloudVisor [SOSP 11]: Protect client VM data from Dom0 using a thin, bare-metal hypervisor
- Xen-Blanket [EuroSys 12]: Allow clients to have their own Dom0s on commodity clouds using a thin shim
Figure labels: Dom0 Client VM Nested Hypervisor Cloud Dom0 Client Dom0 Client VM XenBlanket CloudVisor Cloud Hypervisor
39
Current and future work
- Novel network services, e.g., trustworthy network traffic metering
- VM migration in an SSC-based cloud: Co-location of service VMs and work VMs, without exposing details of cloud platform to clients
- Pricing and metering issues
- Cloud market model: Service VMs as cloud apps. See Towards a Richer Model of Cloud App Markets, in ACM CCSW 2012.
40