Sponsored by National Science Foundation
Cloud Verifier: Verifiable Auditing Service for IaaS Clouds
Visibility and control in the cloud
Cloud computing has revolutionized the way we consume computing resources.
Instead of maintaining a locally administered data center, businesses and individuals can simply purchase compute, storage, and network resources on demand from a public cloud utility.
While this new model has increased access to affordable resources, it comes with new and challenging security risks.
By using remotely administered systems, cloud customers are no longer able to maintain visibility and control over their computing infrastructure.
Without such visibility and control:
- Customers have little knowledge of how the underlying computing infrastructure (compute/network/API server) is configured.
A careless cloud administrator can leave the cloud in a vulnerable state (e.g. by using an unpatched hypervisor), which puts customers' VMs at great risk.
- Customers lack effective countermeasures against the threats posed by subjects with privileged access to the cloud infrastructure, often insiders.
An insider could corrupt a customer's computing environment with little effort, for example by directly modifying the running state of the customer's VM.
- Customers become less capable of addressing traditional threats (e.g. network attacks, malware).
Security mechanisms can only be placed within the VM and are thus susceptible to circumvention.
Little assurance can be obtained that the security settings they specify are properly enforced or that their instances are running unmolested.
Therefore, we proposed the Cloud Verifier (CV), a monitoring framework that provides a complete, correct, accurate and verifiable monitoring service to customers.
Customers can use this framework to obtain a correct view of the runtime state of their computing environment and react promptly to anomalies.
The CV leverages the cloud's hierarchical structure to build transitive trust from the cloud platform up to the instances themselves.
Platform states are monitored by a Cloud Verifier against the cloud administrator's specified criteria, thereby preventing maliciously modified systems from executing customer VMs.
From there, cloud customers specify their own requirements, represented by Integrity Criteria, to the CV, which distributes those requirements to an Integrity Verification Proxy (IVP) service on each VM host.
This IVP monitors each instance's state to detect changes on the VM or its host that violate those requirements.
If those requirements are violated, remediation is then performed for customers by cutting connections to the problematic instance or rolling it back to a known good state.
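To make the IVP's role concrete, the following added example (not the Cloud Verifier project's code) checks one instance's measurements against a customer's Integrity Criteria and selects a remediation. The hash-chained log format, the criteria dictionary and all names are assumptions made for illustration, and the trusted aggregate stands in for a value the verifier has already obtained from a source it trusts.

```python
import hashlib

# Added illustration. The log format, criteria layout and every name here are
# assumptions; none of them come from the Cloud Verifier project.

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def replay(log):
    """Recompute the hash-chain aggregate over ordered (path, digest) entries."""
    register = bytes(32)
    for _path, measured in log:
        register = digest(register + measured)
    return register

def evaluate(log, trusted_aggregate, criteria):
    """Return (verdict, offending_path, remediation) for one instance."""
    action = criteria["on_violation"]
    # Verifiability: a log that was edited, reordered or truncated no longer
    # replays to the aggregate the verifier trusts.
    if replay(log) != trusted_aggregate:
        return ("untrusted-log", None, action)
    for path, measured in log:
        allowed = criteria["allowed"].get(path, set())
        # Correctness: any measurement outside the customer's criteria is
        # reported at the first offending entry.
        if measured.hex() not in allowed:
            return ("violation", path, action)
    # Accuracy: an unmodified instance yields no report.
    return ("ok", None, None)

# Constructed sample data: a known-good log and criteria derived from it.
GOOD_LOG = [("/sbin/init", digest(b"init-v1")),
            ("/usr/sbin/sshd", digest(b"sshd-v1"))]
CRITERIA = {
    "allowed": {path: {d.hex()} for path, d in GOOD_LOG},
    "on_violation": "rollback",   # the page names rollback or disconnect
}
# The same instance after sshd is replaced at run time (constructed).
BAD_LOG = [GOOD_LOG[0], ("/usr/sbin/sshd", digest(b"sshd-modified"))]

if __name__ == "__main__":
    print(evaluate(GOOD_LOG, replay(GOOD_LOG), CRITERIA))
    print(evaluate(BAD_LOG, replay(BAD_LOG), CRITERIA))
    # Host reports the good log while the trusted aggregate reflects BAD_LOG.
    print(evaluate(GOOD_LOG, replay(BAD_LOG), CRITERIA))
```

The third call shows why the log must be bound to a trusted aggregate: a host that replays an old, clean log is still caught even though every entry in that log satisfies the criteria.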
The design of the monitoring framework is guided by the following goals:
- Completeness: The monitoring framework should be able to collect the evolving states of both the cloud platform and the instances across their lifecycles.
- Correctness: Consider a system variable that is under monitoring. Any change to such a variable should be captured by the monitoring framework without delay.
- Accuracy: If the monitored variable remains unmodified, the monitoring framework should not falsely report it as changed.
- Verifiability: Customers or third parties should be able to verify the monitoring framework for auditing purposes.
- Timely Control: Immediate remediation should be performed upon detection of anomalies. Services in an abnormal state should not serve any clients.
For how we achieved these goals, see the Publications section.
Publications
- Cloud Verifier: Verifiable Auditing Service for IaaS Clouds
by Joshua Schiffman, Yuqiong Sun, Hayawardh Vijayakumar, and Trent Jaeger.
Technical Report. NAS-TR-0163-2012
- Verifying System Integrity by Proxy
by Joshua Schiffman, Hayawardh Vijayakumar, and Trent Jaeger.
In 5th International Conference on Trust and Trustworthy Computing, 2012, pp. 179-201.
- Network-based Root of Trust for Installation
by Joshua Schiffman, Thomas Moyer, Trent Jaeger, and Patrick McDaniel.
IEEE Security & Privacy, Jan/Feb 2011.
- Seeding Clouds with Trust Anchors
by Joshua Schiffman, Thomas Moyer, Hayawardh Vijayakumar, Trent Jaeger, and Patrick McDaniel.
In CCSW '10: Proceedings of the 2010 ACM Workshop on Cloud Computing Security, 2010.
- Cloudy with a Chance of Security Challenges and Improvements
by Trent Jaeger and Joshua Schiffman.
IEEE Security & Privacy, Jan/Feb 2010.
- Justifying integrity using a Virtual Machine Verifier
by Joshua Schiffman, Thomas Moyer, Christopher Shal, Trent Jaeger, and Patrick McDaniel.
In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC '09), 2009.
- Establishing and Sustaining System Integrity via Root of Trust Installation
by Luke St. Clair, Joshua Schiffman, Trent Jaeger, and Patrick McDaniel.
In Proceedings of the 2007 Annual Computer Security Applications Conference, Dec. 2007, pp. 19-29.