Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shakeel Butt-Rutgers University & NVidia Vinod Ganapathy-Rutgers University Abhinav Srivastava-AT&T Labs Research On the Control Plane of a Self-service.

Published byKristin Wood Modified over 9 years ago

Similar presentations

Presentation on theme: "Shakeel Butt-Rutgers University & NVidia Vinod Ganapathy-Rutgers University Abhinav Srivastava-AT&T Labs Research On the Control Plane of a Self-service."— Presentation transcript:

1 Shakeel Butt-Rutgers University & NVidia Vinod Ganapathy-Rutgers University Abhinav Srivastava-AT&T Labs Research On the Control Plane of a Self-service Cloud Platform

2 Client security on cloud platforms Cloud providers and administrators are all powerful. Clients have little choice but to trust them. 2

3 Client data exposed to attack Implications – Attacks Malicious attacks perpetrated by employees: –“Insider” attacks by cloud provider’s employees –Cited as important concern in [Gartner 2008] Exploits against cloud admin interfaces: –Plethora of examples: CVE-2007-4993, CVE- 2007-5497, CVE-2008-0923, CVE-2008-1943, CVE-2008-2100, … 3

4 Implications – Deploying services Cloud clients largely restricted to in-VM security tools Deployment and configuration of powerful security tools entrusted to cloud provider: –VM introspection tools –Network-level middleboxes 4 Clients have limited flexibility

5 Self-service Cloud Computing Our Solution – SSC [ACM CCS 2012] De-privilege cloud admins Transfer privilege to clients Main ideas: –Privilege separation –Least privilege Implemented via hypervisor modifications 5

6 Contributions of this paper Control plane for a cloud platform consisting of SSC hypervisors 6 Client’s PerspectiveProvider’s Perspective Deploying custom network middleboxes Unified administrative interface Specifying VM dependencies VM dependency-aware migration

7 Traditional cloud platforms Hardware Hypervisor Provider’s Management VM (dom0) Client VM 7

8 Privilege allocation Hardware Hypervisor Provider’s Management VM (dom0) Client VM 8

9 Hypervisor Client’s VM Management VM Code Data Checking daemon Sec. Policy Resume guest 1 1 2 2 3 3 Process the page Alert user Example: Malware detection 9 ? ?

10 Hypervisor Client’s VM Management VM Code Data Checking daemon Sec. Policy Resume guest 1 1 2 2 3 3 Process the page Alert user 10 ? ? Flexibility Problem Clients rely on provider/admins to deploy the service

11 Hypervisor Client’s VM Management VM Code Data Checking daemon Sec. Policy Resume guest 1 1 2 2 3 3 Process the page Alert user 11 ? ? Security Problem Client code & data secrecy and integrity vulnerable to attack Malicious cloud operator

12 Privilege allocation in SSC Hardware SSC Hypervisor Provider’s Management VM 12 Client Mgmt. VM Client VM

13 Duties of the management VM Manages and multiplexes hardware resourcesManages client virtual machines 13 Management VM (Dom0)

14 System-wide Mgmt. VM (one per physical host) Per-Client Mgmt. VM Main technique used by SSC Disaggregate the management VM SDom0 Manages hardware No access to client VMs UDom0 Manages client’s VMs Allows clients to deploy new services 14

15 An SSC platform Hardware SSC Hypervisor 15 SDom0 Trusted Computing Base Work VM UDom0 Work VM UDom0 Work VM Security VM UDom0

16 Cloud control plane 16 Client’s interface to the cloud Cloud Controller Node controller (in Sdom0) Udom0 Node controller (in Sdom0) Udom0 Dom0 Hypervisor Node Controller Client VM Client VM images

17 Cloud control plane From the client’s perspective: –Interfaces with the client to get VM images –Is the client’s administrative interface From the cloud provider’s perspective: –Manages VM placement and migration –Abstracts away platform details, hiding them from the client’s view 17

18 Need for an SSC control plane Traditional control plane software unaware of SSC abstractions Two implications: 1.Poor flexibility: –Client cannot specify VM dependencies –Client cannot specify middlebox placement 2.Poor security: –Udom0s on individual platforms may expose cloud provider topology to malicious clients 18

19 SSC-aware control plane Enhanced dashboard interface to abstract details of individual Udom0s Allows specification of: –VM dependency constraints –Middlebox placement topologies Transparently handles VM migration and placement –Please see paper for details on our VM migration protocol 19

20 SSC-aware control plane 20 Client’s interface to the cloud Cloud Controller Node controller (in Sdom0) Udom0 Node controller (in Sdom0) Udom0 Sdom0 SSC Hypervisor Node Controller Client VMUDom0 Client VM images Client switches

21 Client interface 21 Client’s interface to the cloud Cloud Controller Node controller (in Sdom0) Udom0 Node controller (in Sdom0) Udom0 Sdom0 SSC Hypervisor Node Controller Client VMUDom0 Client VM images Client switches 1 1

22 Example scenario 22 Web Server (web_vm)

23 Example scenario 23 Web Server (web_vm) VMI tool (vmi_vm) MUST_COLOCATE

24 Example scenario 24 Web Server (web_vm) VMI tool (vmi_vm) SSL Proxy (ssl_vm) MUST_COLOCATE

25 Example scenario 25 Web Server (web_vm) VMI tool (vmi_vm) SSL Proxy (ssl_vm) Firewall (firewall_vm) MUST_COLOCATE MAY_COLOCATE

26 VM dependency constraints VM web_vm; // Client’s Web server VM vmi_vm; // VMI-based Memory introspection tool VM ssl_vm; // SSL proxy for the Web server VM firewall_vm; // VM running the Snort NIDS web_vm.name = “MyWeb”; web_vm.image = Apache.img; vmi_vm.name =...; vmi_vm.image =...; ssl_vm.name =...; ssl_vm.image =...; firewall_vm.name =...; firewall_vm.image =...; Grant_Privilege (vmi_vm, web_vm, Kern_Mem); Set_Backend (ssl_vm, web_vm, NET, MUST_COLOCATE); Set_Backend (firewall_vm, ssl_vm, NET, MAY_COLOCATE); 26

27 Cloud controller 27 Client’s interface to the cloud Cloud Controller Node controller (in Sdom0) Udom0 Node controller (in Sdom0) Udom0 Sdom0 SSC Hypervisor Node Controller Client VMUDom0 Client VM images Client switches 2 2

28 Cloud controller’s tasks Solves a constraint-satisfaction problem –All MUST_COLOCATE constraints satisfied –Output is a set of VM placements Communicates VM placements to individual node controllers –Sends network switch configurations for backend VMs (Set_Backend) –Also sends permission requirements for VMs (Grant_Privilege) 28 2

29 Udom0 and switches 29 Client’s interface to the cloud Cloud Controller Node controller (in Sdom0) Udom0 Node controller (in Sdom0) Udom0 Sdom0 SSC Hypervisor Node Controller Client VMUDom0 Client VM images Client switches 3 3

30 Udom0 and switches Each physical host that runs a client VM has a Udom0 and software switches –We use Open vSwitch for switches Udom0 handles Grant_Privilege requests, and enables system services Software switches configured to handle Set_Backend requests and accommodate middleboxes 30 3

31 Example of middlebox placement 31 Host A Host B Inbound traffic firewall_vm Open vSwitch VM ssl_vm Open vSwitch VM web_vm Traffic scanned by firewall_vm

32 Evaluation Goals –Measure overhead of control plane components Dell PowerEdge R610 running Xen-4.3 –24 GB RAM –8 Xeon cores with dual threads (2.3 GHz) –Each VM has 2 vCPUs and 2 GB RAM Results shown only for one case study –See our paper for more 32

33 Baseline overhead for middleboxes 33 SAMEHOST Ping requests Client VM Middlebox Measurement host DIFFHOST Client VM Open vSwitch Measurement host Middlebox Open vSwitch

34 Baseline overhead for middleboxes SetupThroughput (Mbps)RTT (ms) Traditional925.4 ± 0.50.38 SSC924 ± 1.20.62 (1.6x) 34 SetupThroughput (Mbps)RTT (ms) Traditional848.4 ± 11.20.69 SSC425.8 ± 5.51.6 (2.3x) SAMEHOST DIFFHOST

35 Example: Network metering 35 Client VM Open vSwitch Metering Open vSwitch Client VM Open vSwitch Client VM Open vSwitch

36 Network metering overhead SetupThroughput (Mbps) Traditional924.8 ± 1.1 SSC924 ± 0.4 36 SetupThroughput (Mbps) Traditional845.4 ± 11.1 SSC424.3 ± 3.1 SAMEHOST DIFFHOST

37 See paper for more Network intrusion detection Network access control Host+network (hybrid) intrusion detection Evaluation of VM migration overheads 37

38 Related work Client security: –CloudVisor [SOSP’11], Xoar [SOSP’11], Intel SGX, Haven [OSDI’14], Overshadow [ASPLOS’08] Client flexibility with nested VMs: –XenBlanket [EuroSys’12] Client-controlled middleboxes with SDN: –SIMPLE [SIGCOMM’13], FlowTags [NSDI’14], CloudNaaS [SOCC’11] 38

39 Shakeel Butt-shakeelb@cs.rutgers.edu Vinod Ganapathy-vinodg@cs.rutgers.edu Abhinav Srivastava-abhinav@research.att.com Thank You.

40 BACKUP SLIDES 40

41 SSC versus Haven/Intel SGX SGX allows clients to create enclaves, which are opaque to cloud providers Benefits of Intel SGX over SSC: –Cloud provider is untrusted –Ability to defend against memory snooping –Strong, cryptographic security guarantees Benefits of SSC over Intel SGX: –Mutually-trusted domains allow provider to monitor client –Mimics cloud setting of VMs over hypervisors 41

42 Cloudvisor and XenBlanket CloudVisor [SOSP’11]Xen-Blanket [EuroSys’12] 42 Protect client VM data from Dom0 using a thin, bare- metal hypervisor Allow clients to have their own Dom0s on commodity clouds using a thin shim Nested Hypervisor Client VM Dom0 CloudVisor Cloud Hypervisor Client VM Client Dom0 XenBlanket Cloud Dom0

43 Cloud ProviderClient Providers want some control Udom0 and service VMs put clients in control of their VMs Sdom0 cannot inspect these VMs Malicious clients can misuse privilege Mutually-trusted service VMs 16 NO data leaks or corruption NO illegal activities or botnet hosting

44 Traditional privilege model Privileged operation Hypervisor is request from Management VM? YES ALLOW NO DENY 44

45 SSC’s privilege model Privileged operation Self-service hypervisor Is the request from client’s Udom0? NO YES ALLOW Does requestor have privilege (e.g., client’s service VM) DENY NO YES ALLOW 45

Download ppt "Shakeel Butt-Rutgers University & NVidia Vinod Ganapathy-Rutgers University Abhinav Srivastava-AT&T Labs Research On the Control Plane of a Self-service."

Similar presentations

Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha.

Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha.
Self-service Cloud Computing Vinod Ganapathy Department of Computer Science Rutgers University.

Self-service Cloud Computing Vinod Ganapathy Department of Computer Science Rutgers University.
Shakeel Butt H. Andres Lagar-Cavilla Abhinav Srivastava Vinod Ganapathy

Shakeel Butt H. Andres Lagar-Cavilla Abhinav Srivastava Vinod Ganapathy
Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)

Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)
High Availability Deep Dive What’s New in vSphere 5 David Lane, Virtualization Engineer High Point Solutions.

High Availability Deep Dive What’s New in vSphere 5 David Lane, Virtualization Engineer High Point Solutions.
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
The Case for Enterprise Ready Virtual Private Clouds Timothy Wood, Alexandre Gerber *, K.K. Ramakrishnan *, Jacobus van der Merwe *, and Prashant Shenoy.

The Case for Enterprise Ready Virtual Private Clouds Timothy Wood, Alexandre Gerber *, K.K. Ramakrishnan *, Jacobus van der Merwe *, and Prashant Shenoy.
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.

Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.

An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.
 Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.

 Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.
Towards High-Availability for IP Telephony using Virtual Machines Devdutt Patnaik, Ashish Bijlani and Vishal K Singh.

Towards High-Availability for IP Telephony using Virtual Machines Devdutt Patnaik, Ashish Bijlani and Vishal K Singh.
An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.

An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.
Data Center Virtualization: Open vSwitch Hakim Weatherspoon Assistant Professor, Dept of Computer Science CS 5413: High Performance Systems and Networking.

Data Center Virtualization: Open vSwitch Hakim Weatherspoon Assistant Professor, Dept of Computer Science CS 5413: High Performance Systems and Networking.
Virtual Machine approach to Security Gautam Prasad and Sudeep Pradhan 10/05/2010 CS 239 UCLA.

Virtual Machine approach to Security Gautam Prasad and Sudeep Pradhan 10/05/2010 CS 239 UCLA.
Authors: Thomas Ristenpart, et at.

Authors: Thomas Ristenpart, et at.
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Virtualization for Cloud Computing

Virtualization for Cloud Computing
Jennifer Rexford Princeton University MW 11:00am-12:20pm SDN Software Stack COS 597E: Software Defined Networking.

Jennifer Rexford Princeton University MW 11:00am-12:20pm SDN Software Stack COS 597E: Software Defined Networking.

Similar presentations

Ads by Google