Cloud Armor: Protecting Cloud Commands from Compromised Cloud Services

Yuqiong Sun, Giuseppe Petracca, Trent Jaeger, Hayawardh Vijayakumar, Joshua Schiffman

Research output: Chapter in Book/Report/Conference proceedingConference contribution

7 Scopus citations

Abstract

Infrastructure-as-a-Service (IaaS) clouds can be viewed as distributed systems of cloud services that are entrusted to execute users' cloud commands to provision and manage clouds computing resources (e.g., VM). However, recent vulnerabilities found in cloud services show that this trust is often misplaced. By exploiting a vulnerability in a cloud service, an adversary can hijack or forge commands to modify user VMs, exfiltrate sensitive information, and even modify other service hosts. This paper introduces Cloud Armor, a system that detects and blocks the tampering of user commands without the need for modifications to cloud services. Our insight is that we can construct state machine models to limit the system call sequences executed by cloud services. By applying constraints over system call arguments, we can restrict the way user commands are executed, blocking unauthorized operations from compromised cloud services. We implemented a prototype Cloud Armor system for Open Stack, a widely adopted open source cloud platform. Results show that Cloud Armor can greatly limit attack options available for adversaries while imposing less than 1% overhead for user VMs. As a result, cloud users can leverage Cloud Armor to execute user commands safely even in presence of compromised cloud services.

Original languageEnglish (US)
Title of host publicationProceedings - 2015 IEEE 8th International Conference on Cloud Computing, CLOUD 2015
EditorsCalton Pu, Ajay Mohindra
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages253-260
Number of pages8
ISBN (Electronic)9781467372879
DOIs
StatePublished - Aug 19 2015
Event8th IEEE International Conference on Cloud Computing, CLOUD 2015 - New York, United States
Duration: Jun 27 2015Jul 2 2015

Publication series

NameProceedings - 2015 IEEE 8th International Conference on Cloud Computing, CLOUD 2015

Other

Other8th IEEE International Conference on Cloud Computing, CLOUD 2015
Country/TerritoryUnited States
CityNew York
Period6/27/157/2/15

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Cloud Armor: Protecting Cloud Commands from Compromised Cloud Services'. Together they form a unique fingerprint.

Cite this