Reflections on the Self-service Cloud Computing Project

  • Conference paper
Information Systems Security (ICISS 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9478)

Abstract

Modern cloud computing infrastructures use virtual machine monitors (VMMs) that often include a large and complex administrative domain with privileges to inspect client VM state. Attacks against or misuse of the administrative domain can compromise client security and privacy. Moreover, these VMMs provide clients inflexible control over their own VMs, as a result of which clients have to rely on the cloud provider to deploy useful services, such as VM introspection-based security tools.

This paper discusses the self-service cloud computing (SSC) project that addresses these two shortcomings. SSC splits administrative privileges between a system-wide domain and per-client administrative domains. Each client can manage and perform privileged system tasks on its own VMs, thereby providing flexibility. The system-wide administrative domain cannot inspect the code, data or computation of client VMs, thereby ensuring security and privacy. SSC also allows providers and clients to establish mutually trusted services that can check regulatory compliance while respecting client privacy. We have used a prototype implementation of SSC atop the Xen hypervisor to build user domains to perform privileged tasks such as memory introspection, storage intrusion detection, and anomaly detection.

Notes

  1. Note that a client cannot modify this stream without tampering with the code of the MTSD. The provider ensures that the MTSD was booted correctly (Fig. 3(c)), and SSC’s privilege model prevents the client from modifying a running MTSD.

Acknowledgments

This paper reports work that was done together with my Ph.D. student Shakeel Butt and collaborators Andres Lagar-Cavilla and Abhinav Srivastava. Portions of this work have appeared in ACM CCS 2012, ACM SOCC 2014, and in Shakeel Butt’s Ph.D. thesis. We are thankful to the NSF for their support of parts of this work via grants CNS-0831268, CNS-0915394, CNS-0952128 and CNS-1420815. We also thank Microsoft Research India for their research gift and Sriram Rajamani, Kapil Vaswani, Aditya Nori and Manuel Costa for discussions on SSC and the Intel SGX.

Author information

Correspondence to Vinod Ganapathy.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Ganapathy, V. (2015). Reflections on the Self-service Cloud Computing Project. In: Jajodia, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2015. Lecture Notes in Computer Science, vol 9478. Springer, Cham. https://doi.org/10.1007/978-3-319-26961-0_4

  • DOI: https://doi.org/10.1007/978-3-319-26961-0_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26960-3

  • Online ISBN: 978-3-319-26961-0

  • eBook Packages: Computer Science, Computer Science (R0)
