Control Plane Security in Self-service Cloud Platforms

Slide Note
Embed
Share

Exploring the risks and implications of client security on cloud platforms, this content discusses potential attacks, limitations in deploying services, and a proposed solution called SSC. The paper highlights the need for privilege separation and least privilege principles to enhance cloud security.

aki_enc
aki_enc Follow

Uploaded on Oct 10, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. On the Control Plane of a Self-service Cloud Platform Shakeel Butt - Rutgers University & NVidia Vinod Ganapathy - Rutgers University Abhinav Srivastava - AT&T Labs Research

  2. Client security on cloud platforms Cloud providers and administrators are all powerful. Clients have little choice but to trust them. 2

  3. Implications Attacks Client data exposed to attack Malicious attacks perpetrated by employees: Insider attacks by cloud provider s employees Cited as important concern in [Gartner 2008] Exploits against cloud admin interfaces: Plethora of examples: CVE-2007-4993, CVE- 2007-5497, CVE-2008-0923, CVE-2008-1943, CVE-2008-2100, 3

  4. Implications Deploying services Clients have limited flexibility Cloud clients largely restricted to in-VM security tools Deployment and configuration of powerful security tools entrusted to cloud provider: VM introspection tools Network-level middleboxes 4

  5. Our Solution SSC [ACM CCS 2012] Self-service Cloud Computing De-privilege cloud admins Transfer privilege to clients Main ideas: Privilege separation Least privilege Implemented via hypervisor modifications 5

  6. Contributions of this paper Control plane for a cloud platform consisting of SSC hypervisors Client s Perspective Provider s Perspective Deploying custom network middleboxes Unified administrative interface Specifying VM dependencies VM dependency-aware migration 6

  7. Traditional cloud platforms Provider s Management VM (dom0) Client VM Client VM Client VM Hypervisor Hardware 7

  8. Privilege allocation Provider s Management VM (dom0) Client VM Client VM Client VM Hypervisor Hardware 8

  9. Example: Malware detection Management VM Client s VM Checking daemon Data Code 2 Process the page Sec. Policy ? 3 1 Resume guest Alert user Hypervisor 9

  10. Flexibility Problem Clients rely on provider/admins to deploy the service Management VM Client s VM Checking daemon Data Code 2 Process the page Sec. Policy ? 3 1 Resume guest Alert user Hypervisor 10

  11. Security Problem Client code & data secrecy and integrity vulnerable to attack Management VM Client s VM Checking daemon Data Code 2 Process the page Sec. Policy ? 3 1 Malicious cloud operator Resume guest Alert user Hypervisor 11

  12. Privilege allocation in SSC Provider s Management VM Client Mgmt. VM Client VM Client VM SSC Hypervisor Hardware 12

  13. Duties of the management VM Manages and multiplexes hardware resources Manages client virtual machines Management VM (Dom0) 13

  14. Main technique used by SSC Disaggregate the management VM SDom0 UDom0 Manages hardware No access to client VMs Manages client s VMs Allows clients to deploy new services System-wide Mgmt. VM (one per physical host) Per-Client Mgmt. VM 14

  15. An SSC platform SDom0 Work VM VM VM Work UDom0 UDom0 UDom0 Security Work VM VM Work VM Work SSC Hypervisor Hardware Trusted Computing Base 15

  16. Cloud control plane Node controller (in Sdom0) Node controller (in Sdom0) Controller Node Client VM Client VM Cloud Controller Dom0 Udom0 Udom0 Hypervisor Client s interface to the cloud Client VM images 16

  17. Cloud control plane From the client s perspective: Interfaces with the client to get VM images Is the client s administrative interface From the cloud provider s perspective: Manages VM placement and migration Abstracts away platform details, hiding them from the client s view 17

  18. Need for an SSC control plane Traditional control plane software unaware of SSC abstractions Two implications: 1. Poor flexibility: Client cannot specify VM dependencies Client cannot specify middlebox placement 2. Poor security: Udom0s on individual platforms may expose cloud provider topology to malicious clients 18

  19. SSC-aware control plane Enhanced dashboard interface to abstract details of individual Udom0s Allows specification of: VM dependency constraints Middlebox placement topologies Transparently handles VM migration and placement Please see paper for details on our VM migration protocol 19

  20. SSC-aware control plane Node controller (in Sdom0) Node controller (in Sdom0) Controller Node Client VM switches UDom0 Client Cloud Controller Sdom0 Udom0 Udom0 SSC Hypervisor Client s interface to the cloud Client VM images 20

  21. Client interface 1 Node controller (in Sdom0) Node controller (in Sdom0) Controller Node Client VM switches UDom0 Client Cloud Controller Sdom0 Udom0 Udom0 SSC Hypervisor 1 Client s interface to the cloud Client VM images 21

  22. Example scenario Web Server (web_vm) 22

  23. Example scenario MUST_COLOCATE MUST_COLOCATE VMI tool (vmi_vm) Web Server (web_vm) 23

  24. Example scenario MUST_COLOCATE MUST_COLOCATE MUST_COLOCATE MUST_COLOCATE SSL Proxy (ssl_vm) VMI tool (vmi_vm) Web Server (web_vm) 24

  25. Example scenario MUST_COLOCATE MUST_COLOCATE MUST_COLOCATE MUST_COLOCATE SSL Proxy (ssl_vm) VMI tool (vmi_vm) Web Server (web_vm) MAY_COLOCATE MAY_COLOCATE Firewall (firewall_vm) 25

  26. VM dependency constraints VM web_vm; // Client s Web server VM vmi_vm; // VMI-based Memory introspection tool VM ssl_vm; // SSL proxy for the Web server VM firewall_vm; // VM running the Snort NIDS web_vm.name = MyWeb ; web_vm.image = Apache.img; vmi_vm.name = ...; vmi_vm.image = ...; ssl_vm.name = ...; ssl_vm.image = ...; firewall_vm.name = ...; firewall_vm.image = ...; Grant_Privilege (vmi_vm, web_vm, Kern_Mem); Set_Backend (ssl_vm, web_vm, NET, MUST_COLOCATE); Set_Backend (firewall_vm, ssl_vm, NET, MAY_COLOCATE); 26

  27. Cloud controller 2 2 Node controller (in Sdom0) Node controller (in Sdom0) Controller Node Client VM switches UDom0 Client Cloud Controller Sdom0 Udom0 Udom0 SSC Hypervisor Client s interface to the cloud Client VM images 27

  28. Cloud controllers tasks 2 Solves a constraint-satisfaction problem All MUST_COLOCATE constraints satisfied Output is a set of VM placements Communicates VM placements to individual node controllers Sends network switch configurations for backend VMs (Set_Backend) Also sends permission requirements for VMs (Grant_Privilege) 28

  29. Udom0 and switches 3 switches3 Node controller (in Sdom0) Node controller (in Sdom0) Controller Node Client VM UDom0 Client Cloud Controller Sdom0 Udom0 Udom0 SSC Hypervisor Client s interface to the cloud Client VM images 29

  30. Udom0 and switches 3 Each physical host that runs a client VM has a Udom0 and software switches We use Open vSwitch for switches Udom0 handles Grant_Privilege requests, and enables system services Software switches configured to handle Set_Backend requests and accommodate middleboxes 30

  31. Example of middlebox placement Host B Host A Inbound traffic Open vSwitch VM Open vSwitch VM ssl_vm firewall_vm web_vm Traffic scanned by firewall_vm 31

  32. Evaluation Goals Measure overhead of control plane components Dell PowerEdge R610 running Xen-4.3 24 GB RAM 8 Xeon cores with dual threads (2.3 GHz) Each VM has 2 vCPUs and 2 GB RAM Results shown only for one case study See our paper for more 32

  33. Baseline overhead for middleboxes SAMEHOST Ping requests Measurement host Middlebox Client VM DIFFHOST Open vSwitch Open vSwitch Measurement host Client VM Middlebox 33

  34. Baseline overhead for middleboxes SAMEHOST Setup Traditional SSC Throughput (Mbps) 925.4 0.5 924 1.2 RTT (ms) 0.38 0.62 (1.6x) DIFFHOST Setup Traditional SSC Throughput (Mbps) 848.4 11.2 425.8 5.5 RTT (ms) 0.69 1.6 (2.3x) 34

  35. Example: Network metering Open vSwitch Open vSwitch Open vSwitch Open vSwitch Metering Client VM Client VM Client VM 35

  36. Network metering overhead SAMEHOST Setup Traditional SSC Throughput (Mbps) 924.8 1.1 924 0.4 DIFFHOST Setup Traditional SSC Throughput (Mbps) 845.4 11.1 424.3 3.1 36

  37. See paper for more Network intrusion detection Network access control Host+network (hybrid) intrusion detection Evaluation of VM migration overheads 37

  38. Related work Client security: CloudVisor [SOSP 11], Xoar [SOSP 11], Intel SGX, Haven [OSDI 14], Overshadow [ASPLOS 08] Client flexibility with nested VMs: XenBlanket [EuroSys 12] Client-controlled middleboxes with SDN: SIMPLE [SIGCOMM 13], FlowTags [NSDI 14], CloudNaaS [SOCC 11] 38

  39. Thank You. Shakeel Butt - shakeelb@cs.rutgers.edu Vinod Ganapathy - vinodg@cs.rutgers.edu Abhinav Srivastava - abhinav@research.att.com

  40. BACKUP SLIDES 40

  41. SSC versus Haven/Intel SGX SGX allows clients to create enclaves, which are opaque to cloud providers Benefits of Intel SGX over SSC: Cloud provider is untrusted Ability to defend against memory snooping Strong, cryptographic security guarantees Benefits of SSC over Intel SGX: Mutually-trusted domains allow provider to monitor client Mimics cloud setting of VMs over hypervisors 41

  42. Cloudvisor and XenBlanket CloudVisor [SOSP 11] Xen-Blanket [EuroSys 12] Protect client VM data from Dom0 using a thin, bare- metal hypervisor Allow clients to have their own Dom0s on commodity clouds using a thin shim Client VM Client Dom0 Client VM Dom0 Cloud Dom0 XenBlanket Nested Hypervisor CloudVisor Cloud Hypervisor 42

  43. Providers want some control NO NO data leaks or corruption illegal activities or botnet hosting Client Cloud Provider Udom0 and service VMs put clients in control of their VMs Sdom0 cannot inspect these VMs Malicious clients can misuse privilege Mutually-trusted service VMs 16

  44. Traditional privilege model Privileged operation Hypervisor is request from Management VM? YES NO ALLOW DENY 44

  45. SSCs privilege model Privileged operation Self-service hypervisor Is the request from client s Udom0? YES NO Does requestor have privilege (e.g., client s service VM) NO YES ALLOW ALLOW DENY 45

Related


State-of-the-art Analysis of VM-based Cloud Management Platforms

State-of-the-art Analysis of VM-based Cloud Management Platforms

kolb_926
Integrated Verification and Repair in Control Plane

Integrated Verification and Repair in Control Plane

buddy
Understanding General Plane Waves in Electromagnetic Theory

Understanding General Plane Waves in Electromagnetic Theory

philippa
Secure Cloud Applications with Intel SGX - OSDI 2014 Presentation Summary

Secure Cloud Applications with Intel SGX - OSDI 2014 Presentation Summary

albritton_a
Enhancing Mobile-Cloud Computing with Autonomous Agents Framework

Enhancing Mobile-Cloud Computing with Autonomous Agents Framework

yjay
Online Procurement Auctions for Resource Pooling in Client-Assisted Cloud Storage Systems

Online Procurement Auctions for Resource Pooling in Client-Assisted Cloud Storage Systems

addingt
Simplify Label Design with Label.Cloud

Simplify Label Design with Label.Cloud

urso_rz
Integrating Cloud Service and Security Management Systems

Integrating Cloud Service and Security Management Systems

tong654
Chi: A Scalable and Programmable Control Plane for Distributed Stream Processing

Chi: A Scalable and Programmable Control Plane for Distributed Stream Processing

mcrib
Cloud-Optimized HDF5 Files Overview

Cloud-Optimized HDF5 Files Overview

gianni
Overview of 5G System Architecture and User Plane Functionality

Overview of 5G System Architecture and User Plane Functionality

bel_del
Secure State Migration in the Data Plane Overview

Secure State Migration in the Data Plane Overview

arran
Progress in Cloud Communications Strategy for Canadians and Employees

Progress in Cloud Communications Strategy for Canadians and Employees

boho_an
Paper Plane Design and Flight Test

Paper Plane Design and Flight Test

hiro
Comparison of Erector Spinae Plane Block vs Serratus Anterior Plane Block in Thoracic Surgery Recovery

Comparison of Erector Spinae Plane Block vs Serratus Anterior Plane Block in Thoracic Surgery Recovery

jones
Introduction to Plane Table Surveying in Civil Engineering

Introduction to Plane Table Surveying in Civil Engineering

riley-james
Plane Sweep Algorithms in Computational Geometry

Plane Sweep Algorithms in Computational Geometry

gnid
Understanding Cloud Security Threats and Vulnerabilities

Understanding Cloud Security Threats and Vulnerabilities

mesa_i
Optimal VM Dimensioning for Data Plane VNFs in Telco Cloud Environments

Optimal VM Dimensioning for Data Plane VNFs in Telco Cloud Environments

ade_fr
Overview of Cloud Standard APIs and Contextualization Methods

Overview of Cloud Standard APIs and Contextualization Methods

dcar
Understanding Cloud Federation and Identity Management

Understanding Cloud Federation and Identity Management

islarose
Emerging Trends in Cloud Databases: Challenges and Opportunities

Emerging Trends in Cloud Databases: Challenges and Opportunities

phuong_o
Cloud_cci: Comprehensive Overview of Available Data and Evaluation

Cloud_cci: Comprehensive Overview of Available Data and Evaluation

ksned
Overview of VIIRS Cloud Properties Products and Requirements

Overview of VIIRS Cloud Properties Products and Requirements

alexande

More Related Content

Cloud Adoption and Organizational Change Management Program Overview
Cloud Adoption and Organizational Change Management Program Overview
Achieving Secure and Scalable Data Access Control in Cloud Computing
Achieving Secure and Scalable Data Access Control in Cloud Computing
Characterization of 3G Control-Plane Signaling Overhead
Characterization of 3G Control-Plane Signaling Overhead
Arrakis: The Operating System is the Control Plane
Arrakis: The Operating System is the Control Plane
Ensuring Cloud Security: Strategies for a Safe Transition
Ensuring Cloud Security: Strategies for a Safe Transition
Challenges and Solutions in Elastic Cloud Security
Challenges and Solutions in Elastic Cloud Security
Exploring Cloud Cryptography for Secure Data Processing
Exploring Cloud Cryptography for Secure Data Processing
Overview of Cloud Computing: Benefits, Models, and Platforms
Overview of Cloud Computing: Benefits, Models, and Platforms
Understanding Marketing Control and Its Importance in Business
Understanding Marketing Control and Its Importance in Business
Role-based Access Control Policies and Security Properties Overview
Role-based Access Control Policies and Security Properties Overview
Avoco's Cloud-Based Information Card Selector: Enhancing Usability and Security
Avoco's Cloud-Based Information Card Selector: Enhancing Usability and Security
Comprehensive Cloud Security Measures and Solutions
Comprehensive Cloud Security Measures and Solutions
Oblivious RAM: Enhancing Data Privacy in Cloud Computing
Oblivious RAM: Enhancing Data Privacy in Cloud Computing
EGI Federated Cloud Infrastructure Overview
EGI Federated Cloud Infrastructure Overview
Introduction to Database Security and Countermeasures
Introduction to Database Security and Countermeasures
Database Security Measures and Controls
Database Security Measures and Controls
United States Coast Guard Cloud Strategy Overview
United States Coast Guard Cloud Strategy Overview
Overview of Cloud Computing Technologies and Business Implications
Overview of Cloud Computing Technologies and Business Implications
Understanding Cloud Computing Cost Comparison
Understanding Cloud Computing Cost Comparison
Cloud VR Network Requirements and Development Strategy in July 2022
Cloud VR Network Requirements and Development Strategy in July 2022
Understanding Cloud Computing: Benefits and Risks
Understanding Cloud Computing: Benefits and Risks
Cloud Load Balancing Overview and Requirements
Cloud Load Balancing Overview and Requirements
GOES-16 Cloud Mask and Top Properties Update in AWIPS-2 NWS/OBS
GOES-16 Cloud Mask and Top Properties Update in AWIPS-2 NWS/OBS
NESDIS Cloud Framework: Revolutionizing Data-Agnostic Cloud Computing
NESDIS Cloud Framework: Revolutionizing Data-Agnostic Cloud Computing