This work has been supported by the National Science Foundation under grant No. CNS-1117692. Additional support has been provided by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation here on.
By using remotely administered cloud platforms, cloud users are no longer in able to maintain visibility and control over their computing infrastructure. Without such visibility and control, 1) users have little knowledge over how the underlying computing infrastructure (compute/network/api server) is configured. Consequently, a careless cloud administrator can result in a vulnerable cloud state (e.g. using an unpatched hypervisor) which puts customers's VM at great risk; 2) users lack effective countermeasures to address the threats posed by subjects with privileged access to the cloud infrastructure, often insiders. Thus, an insider could corrupt users' computing environment with little effort such as directly modifying users' VM running state; and 3) users become less capable of addressing traditional threats (e.g. network attacks, malware). Since security mechanisms can only be placed within VM thus susceptible to circumvention. Little assurance can be obtained that the security settings they specify are properly enforced or that their instances are running unmolested.
Therefore, we proposed the Cloud Verifier, a monitoring framework that provide complete, correct, accurate and verifiable monitoring service to customers. Customers can leverage such framework to obtain a correct view of the runtime state of their computing environment and perform responsive reaction upon anomalies. The CV leverages the cloud's hierarchical structure to build transitive trust starting in the cloud platform up to the instances themselves. Platform states are monitored by a Cloud Verifier against the cloud administrator's specified criteria, thereby preventing maliciously modified systems from executing customer VMs. From there, cloud customers specify their own requirements, represented by Integrity Criteria, to the CV, which distributes those requirements to an Integrity Verification Proxy (IVP) service on each VM host. This IVP monitors each instance's state to detect changes on the VM or its host that violate those requirements. If those requirements are violated, remediation is then performed for customers by cutting connections to the problematic instance or rolling it back to a known good state.
IaaS clouds offer customers on-demand computing resources such as virtual machine, network and storage. To provision and manage these resources, cloud users must rely on a variety of cloud services. However, a wide range of vulnerabilities have been identiﬁed in these cloud services that may enable an adversary to compromise customers’ computations or even the cloud platform itself. Using the motivation for adding mandatory access to commercial operating systems, we argue for the development of a secure cloud operating system (SCOS) to enforce mandatory access control (MAC) over cloud services and customer instances. To better understand the concrete challenges of building a SCOS, we examine the OpenStack cloud platform from two perspectives: (1) how attacks propagate across cloud services and (2) how adversaries leverage vulnerabilities in cloud services to attack hosts. Using this information, we review the application of three MAC approaches employed by "secure" commercial systems to evaluate their practical effectiveness for controlling cloud services. While MAC enforcement can improve security for cloud services, several threats remain unchecked. We outline a set of additional security policy goals that a SCOS must enforce to control threats from potentially compromised cloud services comprehensively. While we do not actually construct a SCOS in this paper, we hope that this study will initiate discussions that may lead to practical designs.
IaaS clouds can be viewed as distributed systems of cloud services that are entrusted to execute users’ cloud commands to provision and manage clouds computing resources (e.g., VM). However, recent vulnerabilities found in cloud services show that this trust is often misplaced. By exploiting a vulnerability in a cloud service, an adversary can hijack or forge commands to modify user VMs, exﬁltrate sensitive information, and even modify other service hosts. This paper introduces CloudArmor, a system that detects and blocks the tampering of user commands without the need for modiﬁcations to cloud services. Our insight is that we can construct state machine models to limit the system call sequences executed by cloud services. By applying constraints over system call arguments, we can restrict the way user commands are executed, blocking unauthorized operations from compromised cloud services. We implemented a prototype CloudArmor system for OpenStack, a widely adopted open source cloud platform. Results show that CloudArmor can greatly limit attack options available for adversaries while imposing less than 1% overhead for user VMs.
Cloud computing platforms are now constructed as distributed, modular systems of cloud services, which enable cloud users to manage their cloud resources. However, in current cloud platforms, cloud services fully trust each other, so a malicious user may exploit a vulnerability in a cloud service to obtain unauthorized access to another user’s data. To date, over 150 vulnerabilities have been reported in cloud services in the OpenStack cloud. Research efforts in cloud security have focused primarily on attacks originating from user VMs or compromised operating systems rather than threats caused by the compromise of distributed cloud services, leaving cloud users open to attacks from these vulnerable cloud services. In this paper, we propose the Pileus cloud service architecture, which isolates each user’s cloud operations to prevent vulnerabilities in cloud services from enabling malicious users to gain unauthorized access. Pileus deploys stateless cloud services “on demand” to service each user’s cloud operations, limiting cloud services to the permissions of individual users. Pileus leverages the decentralized information ﬂow control (DIFC) model for permission management, but the Pileus design addresses special challenges in the cloud environment to: (1) restrict how cloud services may be allowed to make security decisions; (2) select trustworthy nodes for access enforcement in a dynamic, distributed environment; and (3) limit the set of nodes a user must trust to service each operation. We have ported the OpenStack cloud platform to Pileus, ﬁnding that we can systematically prevent compromised cloud services from attacking other users’ cloud operations with less than 3% additional latency for the operation. Application of the Pileus architecture to OpenStack shows that conﬁned cloud services can service users’ cloud operations effectively for a modest overhead.