Exploring infrastructure support for app-based services on cloud platforms

Abstract

Major infrastructure-as-a-service (IaaS) providers have recently been building marketplaces of "cloud apps," which are virtual machines (VMs) pre-installed with a variety of software stacks. Cloud clients use such markets by downloading and instantiating the apps that best suit their computing needs, saving the effort of configuring and building VMs from scratch. We posit that the notion of a cloud app as defined by these marketplaces is nascent and does not allow apps to leverage the benefits of the VM introspection technology developed over the past decade. We envision a marketplace of apps that can interact with client VMs in a rich set of ways to provide services that are currently offered only by cloud providers. This allows clients to deploy services such as VM introspection-based security tools and network middleboxes on their work VMs without requiring the cloud provider to deploy these services on their behalf. This paper presents models to support such a marketplace of expressive cloud apps. We study the design space of these models to understand their performance and deployment tradeoffs. We also consider the design of a permissions-based framework to contain untrusted third-party cloud apps. Finally, we demonstrate the utility of our models by building and evaluating a number of security tools implemented as cloud apps.