Presentation is loading. Please wait.

Presentation is loading. Please wait.

Auditing Cloud Administrators Using Information Flow Tracking Afshar David ACM Scalable Trusted Computing.

Published byGary Long Modified over 9 years ago

Similar presentations

Presentation on theme: "Auditing Cloud Administrators Using Information Flow Tracking Afshar David ACM Scalable Trusted Computing."— Presentation transcript:

1 Auditing Cloud Administrators Using Information Flow Tracking Afshar Ganjalia.ganjali@utoronto.ca David Lielie@eecg.utoronto.ca ACM Scalable Trusted Computing Workshop Raleigh, North Carolina October 2012

2 Cloud Computing Is Not Trusted 2

3 Admins at Infrastructure-as-a-Service (IaaS) Providers 3 VMM User VM Management Stack

4 Restricting Admins Is Not the Solution 4 VMM User VM Management Stack I cannot: Install commodity applications I want. Change system configurations. Write my own scripts in Perl or Python. Monitor resource usages. See the logs for troubleshooting.

5 H-one Provides Logs for Auditing 5 We propose auditing.  H-one performs no access control. Auditing has been used in other domains. Auditing deters misbehaving. Helps to assign liability of events. No unnecessary restrictions for admins. Auditing has 2 stages:  Generating logs  Inspecting the logs

6 What are the logging challenges in H-one? 6 GOALS Complete Effici ent Privacy Preserving Data: From VMs to Admins From Admins to VMs Minimal Storage Costs Logs related to different customers should be separate. To achieve these goals H-one uses Information Flow Tracking

7 Example 1: Benign Admin Tasks: VM Backup 7 VMM User VMManagement Stack Disk Kernel User Disk Image H-one Module

8 Example 2: Benign Admin Tasks: Backup for 2 VMs 8 VMM User VM 2User VM 1Management Stack Disk Kernel Disk 1 Disk 2 H-one Module

9 Example 3: Adversarial Admin 9 VMM User VMManagement Stack Disk Kernel 01011 User Disk Image H-one Module

10 Using Information Flow Tracking 10 GOALS Complete Effici ent Privacy Preserving H-one tracks any data flow inside management stack. By following information flows, just the required data at appropriate points get logged. Tracking flows lets us know leaked data belong to which user.

11  We use Xen hypervisor for our prototype.  We use a customized LSM module for labeling and tracking information flows protecting the integrity of the H-one logging system  We use the concept of the “exporter” processes similar to DStar paper for tracking networking communications. N. Zeldovich, S. Boyd-Wickizer, and D. Mazieres, “Securing Distributed Systems with Information Flow Control,” in Proceedings of the USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2008, pp. 293–308. Implementation 11

12  Information Flow Tracking reduces the logging cost.  Our filtering daemon can further reduce the log size in specific scenarios based on the context.  Filtering daemon understands the legitimate flows of information and filters the corresponding logs. Realtime Filtering of Logs 12

13 13 Questions ?! Discussion ?!

14 Label Propagation 14

15 15 Questions ?! Discussion ?!

Download ppt "Auditing Cloud Administrators Using Information Flow Tracking Afshar David ACM Scalable Trusted Computing."

Similar presentations

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.
Managing NymBoxes for Identity and Tracking Protection David Wolinsky, Daniel Jackowitz, and Bryan Ford Yale University.

Managing NymBoxes for Identity and Tracking Protection David Wolinsky, Daniel Jackowitz, and Bryan Ford Yale University.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Strategies in Linux Platforms and.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.
© 2011 VMware Inc. All rights reserved Confidential VMware’s Journey to the Cloud: Leveraging Hyperic for Portal Infrastructure Monitoring March 2012.

© 2011 VMware Inc. All rights reserved Confidential VMware’s Journey to the Cloud: Leveraging Hyperic for Portal Infrastructure Monitoring March 2012.
Xen , Linux Vserver , Planet Lab

Xen , Linux Vserver , Planet Lab
An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.

An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.
 Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.

 Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.
WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.

WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 14: Troubleshooting Windows Server 2003 Networks.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 14: Troubleshooting Windows Server 2003 Networks.
Virtualization for Cloud Computing

Virtualization for Cloud Computing
Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.

Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
5205 – IT Service Delivery and Support

5205 – IT Service Delivery and Support
N. GSU Slide 1 Chapter 04 Cloud Computing Systems N. Xiong Georgia State University.

N. GSU Slide 1 Chapter 04 Cloud Computing Systems N. Xiong Georgia State University.
Module 8: Implementing Administrative Templates and Audit Policy.

Module 8: Implementing Administrative Templates and Audit Policy.
Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.

Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.
Minerva Infrastructure Meeting – October 04, 2011.

Minerva Infrastructure Meeting – October 04, 2011.
11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.

11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.

Similar presentations

Ads by Google