1. Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 10 09/15/2011 Security and Privacy in Cloud Computing

2. Securing Cloud Computations 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan2 Goal: Learn about techniques for verifying computations outsourced to a cloud Review Assignment #5 Du et al., RunTest: Assuring Integrity of Dataflow Processing in Cloud Computing Infrastructures, AsiaCCS 2010

3. Outsourcing Computations Goal? – Outsource a computation by sending the following to a cloud A computation (e.g., a (sequence of operations)) Input data – Get back the final result data set 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan3

4. Outsourcing Computations: Examples Send a large scale image processing job to a cloud Analyzing a large scale data set 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan4

5. Outsourcing Computations: Model Dataflow computing is the dominant model Declares how things connect (unlike imperative programming, which focuses on how things happen) Data objects flow from one node to another, Each node applies a specific function to data inputs to produce output data 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan5

6. Verifying Dataflow Computations in a Cloud 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan6 Scenario User sends her data processing job to the cloud. Clouds provide dataflow operation as a service (e.g., MapReduce, Hadoop etc.) Problem: Users have no way of evaluating the correctness of results

7. Threat Model Assets: – Confidentiality of Input data Output data Intermediate data Functions – Integrity of computations 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan7

8. Threat Model Attacker: – The cloud provider, or an intruder who controls part of the cloud – The attacker can (selectively) modify code running on the inputs, create invalid outputs etc. 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan8

9. Map Reduce Most popular dataflow computing system Invented by Google and at one time widely used for indexing webpages and pageranks Allows large scale reliable computation 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan9

10. MapReduce Overview … Reduce Phase DFS … Map Phase Master M2 R1 Input P1... … Pr B2 … Bn B1 M1 Local Write Read from DFS P1 … Pr P1 … Pr Assign MapTask Assign ReduceTask Remote Read Output 1 Output r Write to DFS … Intermediate Result DFS 10/32 Rr ReducerMapper Mn 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan10

11. MapReduce: The Map Step v k kv kv map v k v k … kv Input key-value pairs Intermediate key-value pairs … kv 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan11

12. MapReduce: The Reduce Step kv … kv kv kv Intermediate key-value pairs group reduce kvkvkv … kv … kv kvv vv Key-value groups Output key-value pairs 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan12

13. Word Count using MapReduce map(key, value): // key: document name; value: text of document for each word w in value: emit(w, 1) reduce(key, values): // key: a word; value: an iterator over counts result = 0 for each count v in values: result += v emit(result)

14. MapReduce – WordCount Application Hello World, Bye World! Hello MapReduce, Goodbye to MapReduce. Welcome to ACSAC, Goodbye to ACSAC. Reduce Phase DFS Map Phase Intermediate Result DFS M1M2M3 (Hello, 1) (Bye, 1) (World, 1) (Welcome, 1) (to, 1) (ACSAC, 1) (Goodbye, 1) (ACSAC, 1) (Hello, 1) (to, 1) (MapReduce, 1) (Goodbye, 1) (MapReduce, 1) R1 R2 (Hello, 2) (Bye, 1) (Welcome, 1) (to, 3) (World, 2) (ACSAC, 2) (Goodbye, 2) (MapReduce, 2) 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan14

15. Verification in Clouds Problem Given just the inputs to each node, how to verify the computation done in a cloud Possible approaches? Re-computation Sampling Replication Auditing Attestation Trusted computing 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan15

16. Re-computation Key idea: – Re-do the computation Advantages: – 100% guarantee that any mistakes will always be detected Disadvantages: – Worst case cost (a check requires equal time and same computation cost as the original computation) 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan16

17. Sampling Key idea: – Feed known values in the inputs, check for known outcomes in the corresponding outputs Advantages – Efficient Disadvantages: – A clever attacker can figure out the test inputs and be honest for that cycle 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan17

18. Replication Key idea: – Replicate the same computation using multiple set of nodes – Use majority voting to verify correctness Advantages: – Computationally faster (same speed since all computations can run in parallel) Disadvantages: – Costly, since multiple copies of same computations need to be run – Can be defeated by a clever adversary 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan18

19. Auditing Key idea: – Have each node sign inputs, what it has done, and outputs – Later, an auditor can check for correct computation Advantages: – Provides non-repudiation – Allows forensic investigation Disadvantages: – Adds to computation time due to the crypto – Expensive audits 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan19

20. Attestation Key idea: – Verify a code or path of a computation Advantages: – Can ensure that the correct code was run on the data Disadvantages: – Expensive to compute 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan20

21. Trusted Computing Key idea: – Ensure that the cloud nodes are using trustworthy configuration and software Advantages Disadvantages 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan21

22. Summary Verifying computations is difficult Provably secure approaches are often very computation-intensive, and therefore not practical 09/20/2011Fall 2011 Lecture 10 | UAB | Ragib Hasan22