Inevitable Failure: The Flawed Trust Assumption in the Cloud

IaaS clouds offer customers on-demand computing resources such as virtual machines, networks and storage. To provision and manage these resources, cloud users must rely on a variety of cloud services. However, a wide range of vulnerabilities have been identified in these cloud services that may enable an adversary to compromise customers' computations or even the cloud platform itself. Drawing on the same motivation that led to adding mandatory access control to commercial operating systems, we argue for the development of a secure cloud operating system (SCOS) to enforce mandatory access control (MAC) over cloud services and customer instances. To better understand the concrete challenges of building a SCOS, we examine the OpenStack cloud platform from two perspectives: (1) how attacks propagate across cloud services and (2) how adversaries leverage vulnerabilities in cloud services to attack hosts. Using this information, we review the application of three MAC approaches employed by "secure" commercial systems to evaluate their practical effectiveness for controlling cloud services. While MAC enforcement can improve security for cloud services, several threats remain unchecked. We outline a set of additional security policy goals that a SCOS must enforce to comprehensively control threats from potentially compromised cloud services. While we do not actually construct a SCOS in this paper, we hope that this study will initiate discussions that may lead to practical designs.
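The two perspectives above (attack propagation across services, and services as a path to hosts) can be made concrete with a small reachability analysis. The following is an added example, not code or data from the paper: it models a constructed, hypothetical service layout loosely shaped like an OpenStack deployment, where each service runs in its own MAC domain, shared resources carry types, and a policy is the set of (domain, type) pairs a domain may write. The conservative assumption is that any service can be exploited through attacker-written input, so a write permission on a type that another service reads is a propagation edge. All service, domain and type names are invented for illustration.

```python
"""Attack-propagation analysis over a constructed cloud service graph.

Hypothetical model (not the paper's): services run in MAC domains,
shared resources have types, and a policy lists which domains may write
which types. Compromising a service grants the attacker that domain's
write permissions; writing a type that another service consumes as
input is assumed to compromise that consumer (worst-case assumption).
"""
from collections import deque

# Constructed example layout: service name -> MAC domain it runs in.
SERVICES = {
    "api": "api_t",
    "scheduler": "sched_t",
    "compute": "compute_t",
    "image": "image_t",
    "hostagent": "host_t",  # privileged agent on the physical host
}

# Types each service consumes as input (constructed).
READS = {
    "api": set(),
    "scheduler": {"queue_t"},
    "compute": {"queue_t", "vmimage_t"},
    "image": {"imagestore_t"},
    "hostagent": {"compute_cfg_t"},
}

# Types that live on the physical host; writing them means "attacking the host".
HOST_TYPES = {"compute_cfg_t", "host_disk_t"}

ALL_TYPES = {"queue_t", "vmimage_t", "imagestore_t", "compute_cfg_t", "host_disk_t"}

# Policy 1: the flawed trust assumption. Every cloud service is trusted,
# so every service domain may write every shared type.
PERMISSIVE = {(dom, typ) for dom in SERVICES.values() for typ in ALL_TYPES}

# Policy 2: least-privilege MAC. Each domain may write only the types its
# legitimate function requires (hypothetical rules).
MAC = {
    ("api_t", "queue_t"),          # API enqueues requests
    ("sched_t", "queue_t"),        # scheduler forwards placement decisions
    ("compute_t", "compute_cfg_t"),  # compute configures the host agent
    ("image_t", "vmimage_t"),      # image service publishes VM images
    ("host_t", "host_disk_t"),     # host agent writes host storage
}


def propagate(start, policy):
    """BFS over write-then-read edges from a compromised start service.

    Returns (compromised services, types the attacker can write,
    path) where path[victim] = (attacking service, type written).
    """
    compromised = {start}
    writable = set()
    path = {}
    frontier = deque([start])
    while frontier:
        svc = frontier.popleft()
        dom = SERVICES[svc]
        for rule_dom, typ in policy:
            if rule_dom != dom:
                continue
            writable.add(typ)
            for victim, inputs in READS.items():
                if typ in inputs and victim not in compromised:
                    compromised.add(victim)
                    path[victim] = (svc, typ)
                    frontier.append(victim)
    return compromised, writable, path


def host_exposed(start, policy):
    """Sorted list of host-resident types the attacker can write."""
    _, writable, _ = propagate(start, policy)
    return sorted(writable & HOST_TYPES)


def attack_chain(start, target, policy):
    """Service hops from start to target under policy, or None if unreachable."""
    compromised, _, path = propagate(start, policy)
    if target not in compromised:
        return None
    chain = [target]
    while chain[-1] != start:
        chain.append(path[chain[-1]][0])
    return list(reversed(chain))


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("mac", MAC)):
        compromised, _, _ = propagate("api", policy)
        print(name, "compromised:", sorted(compromised))
        print(name, "host types exposed:", host_exposed("api", policy))
        print(name, "chain to host agent:", attack_chain("api", "hostagent", policy))
```

Under the permissive policy a compromised API service reaches every other service. Under the MAC policy the image service is cut off, but the host agent is still reachable through the compute service, because the compute domain legitimately needs to write the host agent's configuration. That residual path is the kind of threat the abstract says MAC enforcement alone leaves unchecked, and it motivates the additional policy goals (for instance, constraining what a compromised compute service may do with that channel) rather than more write restrictions.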
