Pileus: protecting user resources from vulnerable cloud services

Cloud computing platforms are now constructed as distributed, modular systems of cloud services, which enable cloud users to manage their cloud resources. However, in current cloud platforms, cloud services fully trust each other, so a malicious user may exploit a vulnerability in a cloud service to obtain unauthorized access to another user's data. To date, over 150 vulnerabilities have been reported in cloud services in the OpenStack cloud. Research efforts in cloud security have focused primarily on attacks originating from user VMs or compromised operating systems rather than threats caused by the compromise of distributed cloud services, leaving cloud users open to attacks from these vulnerable cloud services. In this paper, we propose the Pileus cloud service architecture, which isolates each user's cloud operations to prevent vulnerabilities in cloud services from enabling malicious users to gain unauthorized access. Pileus deploys stateless cloud services "on demand" to service each user's cloud operations, limiting cloud services to the permissions of individual users. Pileus leverages the decentralized information flow control (DIFC) model for permission management, but the Pileus design addresses special challenges in the cloud environment to: (1) restrict how cloud services may be allowed to make security decisions; (2) select trustworthy nodes for access enforcement in a dynamic, distributed environment; and (3) limit the set of nodes a user must trust to service each operation. We have ported the OpenStack cloud platform to Pileus, finding that we can systematically prevent compromised cloud services from attacking other users' cloud operations with less than 3% additional latency for the operation. Application of the Pileus architecture to OpenStack shows that confined cloud services can service users' cloud operations effectively for a modest overhead.
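The contrast the abstract draws, between a long-lived service that every user's operation passes through and a stateless per-user instance that holds only that user's permissions, can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the Pileus paper or from OpenStack. The secrecy/integrity label rules, the `ServiceInstance`, `LegacyCloud` and `ConfinedCloud` classes, the `privileged` flag and the sample users and volume are all assumptions chosen for illustration, since the abstract does not state Pileus's actual label semantics or interfaces.

```python
"""Added example (not from the paper): a toy model of the isolation idea in
the abstract.  Current platforms run one long-lived, fully trusted service
instance for everyone; the Pileus design instead spawns a stateless instance
per user operation that holds only that user's permissions.  The label rules
below are a minimal secrecy/integrity DIFC check and are an assumption: the
abstract does not give Pileus's real label model or API.
"""
from dataclasses import dataclass, field


class FlowDenied(Exception):
    """Raised when a label check forbids the requested information flow."""


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str    # the user whose tag labels this resource
    data: str


@dataclass
class ServiceInstance:
    """A cloud service instance carrying DIFC labels.

    secrecy / integrity: sets of user tags the instance currently holds.
    privileged: True models today's fully trusted service, for which no
    label check is applied at all.
    """
    service: str
    secrecy: frozenset
    integrity: frozenset
    privileged: bool = False
    cache: dict = field(default_factory=dict)   # per-instance state

    def read(self, res: Resource) -> str:
        # Data may flow from res to this instance only if the resource is no
        # more secret than the instance and the instance claims no more
        # integrity than the resource provides.
        if not self.privileged and not (
            {res.owner} <= self.secrecy and self.integrity <= {res.owner}
        ):
            raise FlowDenied(f"{self.service}{sorted(self.secrecy)} may not read {res.name}")
        self.cache[res.name] = res.data   # the instance now holds the data
        return res.data

    def write(self, res: Resource, value: str) -> Resource:
        # Data may flow from the instance to res only if the instance is no
        # more secret than the resource and is at least as trusted as it.
        if not self.privileged and not (
            self.secrecy <= {res.owner} and {res.owner} <= self.integrity
        ):
            raise FlowDenied(f"{self.service}{sorted(self.secrecy)} may not write {res.name}")
        return Resource(res.name, res.owner, value)


class LegacyCloud:
    """Current model: every user's operation is served by one trusted instance."""

    def __init__(self):
        self.shared = ServiceInstance("volume-svc", frozenset(), frozenset(), privileged=True)

    def instance_for(self, user: str) -> ServiceInstance:
        return self.shared   # the caller's identity does not confine the service


class ConfinedCloud:
    """Pileus-style model: a fresh instance per operation, labelled with the
    requesting user's tag only and discarded afterwards (stateless)."""

    def instance_for(self, user: str) -> ServiceInstance:
        tag = frozenset({user})
        return ServiceInstance("volume-svc", secrecy=tag, integrity=tag)


def run_scenario(cloud) -> dict:
    """Drive a cloud model through the same requests; sample data is constructed."""
    alice_vol = Resource("vol-alice", "alice", "alice's secret data")
    out = {}
    # 1. Legitimate: alice reads her own volume.
    out["alice_reads_own"] = cloud.instance_for("alice").read(alice_vol)
    # 2. A request made under mallory's identity names alice's volume: the
    #    cross-user access a compromised service would enable.
    try:
        out["mallory_reads_alice"] = cloud.instance_for("mallory").read(alice_vol)
    except FlowDenied:
        out["mallory_reads_alice"] = "denied"
    try:
        cloud.instance_for("mallory").write(alice_vol, "tampered")
        out["mallory_writes_alice"] = "allowed"
    except FlowDenied:
        out["mallory_writes_alice"] = "denied"
    # 3. Residual state: does the instance serving mallory still hold data it
    #    read for alice?  A stateless per-user instance never does.
    out["leftover_state"] = "vol-alice" in cloud.instance_for("mallory").cache
    return out


if __name__ == "__main__":
    for name, cloud in [("legacy", LegacyCloud()), ("confined", ConfinedCloud())]:
        print(name, run_scenario(cloud))
```

Running the script prints one result line per model: the legacy instance returns alice's data to the request made under mallory's identity, accepts the write, and still carries alice's data in its cache when it later serves mallory; the confined model denies both cross-user flows and, because a fresh instance is created per operation, carries no state from alice's operation into mallory's. The design point worth noting is that the confined model needs no per-request authorization logic inside the service itself: the label assigned at instance creation already bounds what the service can touch, which is what limits the damage a service vulnerability can do.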
