Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
skip to main content
10.1145/3339252.3339262acmotherconferencesArticle/Chapter ViewAbstractPublication PagesaresConference Proceedingsconference-collections
research-article

Strong Tenant Separation in Cloud Computing Platforms

Published: 26 August 2019 Publication History

Abstract

Cloud computing, with its large, homogeneous infrastructures, has a high sensitivity to security incidents due to the multitude of affected services and tenants. To contain a potential attacker within a compromised subsystem, a strict separation between individual resources, e.g. virtual servers and networks, must be established. However, this separation usually relies on the integrity of the entire cloud platform. Due to the considerable size and complexity of the software powering these platforms and recently found attacks on hardware components, i.e. Spectre and Meltdown, this may not always represent a reasonable assumption.
Thus, we propose a novel concept that enforces a strong separation by transparently combining different methods. Where possible, we isolate components at the network level, a principle that is both well understood and proven in practice for several decades. Yet, specific attention is paid to maintain a high level of resource pooling, which is regarded as one of the main advantages of cloud computing. The approach shows a significant reduction of the Trusted Computing Base of the predominant state-of-the-art cloud platform OpenStack, without sacrificing functionality or performance experienced by the tenants. A simulation based on a real cloud workload shows that the overhead falls below ten percent in large platforms.

References

[1]
David G Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, and Scott Shenker. 2007. Holding the Internet Accountable. In Proceedings of the 6th ACM SIGCOMM Workshop on Hot Topics in Networks.
[2]
Guoxing Chen, Sanchuan Chen, Yuan Xiao, Yinqian Zhang, Zhiqiang Lin, and Ten H. Lai. 2018. SgxPectre Attacks: Leaking Enclave Secrets via Speculative Execution. http://arxiv.org/abs/1802.09085
[3]
Catalin Cimpanu. 2018. Cisco removed its seventh backdoor account this year, and that's a good thing. https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing/
[4]
Byron Cook, Kareem Khazem, Daniel Kroening, Serdar Tasiran, Michael Tautschnig, and Mark R. Tuttle. 2018. Model Checking Boot Code from AWS Data Centers. In Computer Aided Verification. 467--486.
[5]
Nelson Elhage. 2011. Virtunoid: A KVM Guest→Host privilege escalation exploit. https://media.blackhat.com/bh-us-11/Elhage/BH_US_11_Elhage_Virtunoid_WP.pdf
[6]
Amazon Web Services Incorporated. 2019. Amazon EC2 Instance Types. https://aws.amazon.com/ec2/instance-types/
[7]
Pramod Jamkhedkar, Jakub Szefer, Diego Perez-Botero, Tianwei Zhang, Gina Triolo, and Ruby B. Lee. 2013. A Framework for Realizing Security on Demand in Cloud Computing. In 5th IEEE International Conference on Cloud Computing Technology and Science Proceedings. 371--378.
[8]
Seongwook Jin, Jeongseob Ahn, Jinho Seol, Sanghoon Cha, Jaehyuk Huh, and Seungryoul Maeng. 2015. H-SVM: Hardware-Assisted Secure Virtual Machines under a Vulnerable Hypervisor. IEEE Trans. Comput. 64, 10 (2015), 2833--2846.
[9]
Shahin Kamali. 2015. Efficient Bin Packing Algorithms for Resource Provisioning in the Cloud. In ALGOCLOUD 2015 Revised Selected Papers of the First International Workshop on Algorithmic Aspects of Cloud Computing, Vol. 9511. 84--98.
[10]
Eric Keller, Jakub Szefer, Jennifer Rexford, and Ruby B. Lee. 2010. NoHype: Virtualized Cloud Infrastructure without the Virtualization. In ISCA '10 Proceedings of the 37th annual international symposium on Computer architecture. 350--361.
[11]
Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. 2018. Spectre attacks: Exploiting speculative execution. (2018). http://arxiv.org/abs/1801.01203
[12]
Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, et al. 2018. Meltdown: Reading kernel memory from user space. In 27th USENIX Security Symposium. 973--990.
[13]
Peter Mell and Tim Grance. 2011. The NIST Definition of Cloud Computing.
[14]
Tiago Rosado and Jorge Bernardino. 2014. An Overview of Openstack Architecture. In Proceedings of the 18th International Database Engineering & Applications Symposium (IDEAS '14). 366--367.
[15]
Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues. 2009. Towards Trusted Cloud Computing. In Proceedings of the conference on Hot topics in cloud computing.
[16]
William Stallings. 2015. Foundations of Modern Networking (1 ed.). Addison-Wesley.
[17]
Jakub Szefer and Ruby B. Lee. 2011. A Case for Hardware Protection of Guest VMs from Compromised Hypervisors in Cloud Computing. In 31st International Conference on Distributed Computing Systems Workshops. 248--252.
[18]
Jakub Szefer and Ruby B. Lee. 2012. Architectural Support for Hypervisor-Secure Virtualization. In ASPLOS XVII Proceedings of the seventeenth international conference on Architectural Support for Programming Languages and Operating Systems. 437--450.
[19]
Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F Wenisch, Yuval Yarom, and Raoul Strackx. 2018. Foreshadow: Extracting the Keys to the Intel {SGX} Kingdom with Transient Out-of-Order Execution. In 27th USENIX Security Symposium. 991--1008.
[20]
Jo Van Bulck, Frank Piessens, and Raoul Strackx. 2017. SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control. In 2nd Workshop on System Software for Trusted Execution (SysTEX'17).
[21]
Rafal Wojtczuk. 2008. Adventures with a certain Xen vulnerability (in the PVFB backend). https://invisiblethingslab.com/resources/misc08/xenfb-adventures-10.pdf

Cited By

View all
  • (2023)Ausgangssituation und technische GrundlagenIndustrielle Datenanalyse10.1007/978-3-658-42779-5_3(21-39)Online publication date: 23-Dec-2023
  • (2021)Demo: Leveraging SDN in Critical Infrastructures2021 24th Conference on Innovation in Clouds, Internet and Networks and Workshops (ICIN)10.1109/ICIN51074.2021.9385545(86-88)Online publication date: 1-Mar-2021

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences
ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security
August 2019
979 pages
ISBN:9781450371643
DOI:10.1145/3339252
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 26 August 2019

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. OpenStack
  2. cloud platforms
  3. isolation
  4. tenant separation

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES '19

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)15
  • Downloads (Last 6 weeks)3
Reflects downloads up to 21 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2023)Ausgangssituation und technische GrundlagenIndustrielle Datenanalyse10.1007/978-3-658-42779-5_3(21-39)Online publication date: 23-Dec-2023
  • (2021)Demo: Leveraging SDN in Critical Infrastructures2021 24th Conference on Innovation in Clouds, Internet and Networks and Workshops (ICIN)10.1109/ICIN51074.2021.9385545(86-88)Online publication date: 1-Mar-2021

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media