TY - GEN
T1 - Pileus
T2 - 32nd Annual Computer Security Applications Conference, ACSAC 2016
AU - Sun, Yuqiong
AU - Petracca, Giuseppe
AU - Ge, Xinyang
AU - Jaeger, Trent
N1 - Publisher Copyright:
© 2016 ACM.
Copyright:
Copyright 2017 Elsevier B.V., All rights reserved.
PY - 2016/12/5
Y1 - 2016/12/5
N2 - Cloud computing platforms are now constructed as distributed, modular systems of cloud services, which enable cloud users to manage their cloud resources. However, in current cloud platforms, cloud services fully trust each other, so a malicious user may exploit a vulnerability in a cloud service to obtain unauthorized access to another user's data. To date, over 150 vulnerabilities have been reported in cloud services in the OpenStack cloud. Research efforts in cloud security have focused primarily on attacks originating from user VMs or compromised operating systems rather than threats caused by the compromise of distributed cloud services, leaving cloud users open to attacks from these vulnerable cloud services. In this paper, we propose the Pileus cloud service architecture, which isolates each user's cloud operations to prevent vulnerabilities in cloud services from enabling malicious users to gain unauthorized access. Pileus deploys stateless cloud services "on demand" to service each user's cloud operations, limiting cloud services to the permissions of individual users. Pileus leverages the decentralized information flow control (DIFC) model for permission management, but the Pileus design addresses special challenges in the cloud environment to: (1) restrict how cloud services may be allowed to make security decisions; (2) select trustworthy nodes for access enforcement in a dynamic, distributed environment; and (3) limit the set of nodes a user must trust to service each operation. We have ported the OpenStack cloud platform to Pileus, finding that we can systematically prevent compromised cloud services from attacking other users' cloud operations with less than 3% additional latency for the operation. Application of the Pileus architecture to OpenStack shows that confined cloud services can service users' cloud operations effectively for a modest overhead.
AB - Cloud computing platforms are now constructed as distributed, modular systems of cloud services, which enable cloud users to manage their cloud resources. However, in current cloud platforms, cloud services fully trust each other, so a malicious user may exploit a vulnerability in a cloud service to obtain unauthorized access to another user's data. To date, over 150 vulnerabilities have been reported in cloud services in the OpenStack cloud. Research efforts in cloud security have focused primarily on attacks originating from user VMs or compromised operating systems rather than threats caused by the compromise of distributed cloud services, leaving cloud users open to attacks from these vulnerable cloud services. In this paper, we propose the Pileus cloud service architecture, which isolates each user's cloud operations to prevent vulnerabilities in cloud services from enabling malicious users to gain unauthorized access. Pileus deploys stateless cloud services "on demand" to service each user's cloud operations, limiting cloud services to the permissions of individual users. Pileus leverages the decentralized information flow control (DIFC) model for permission management, but the Pileus design addresses special challenges in the cloud environment to: (1) restrict how cloud services may be allowed to make security decisions; (2) select trustworthy nodes for access enforcement in a dynamic, distributed environment; and (3) limit the set of nodes a user must trust to service each operation. We have ported the OpenStack cloud platform to Pileus, finding that we can systematically prevent compromised cloud services from attacking other users' cloud operations with less than 3% additional latency for the operation. Application of the Pileus architecture to OpenStack shows that confined cloud services can service users' cloud operations effectively for a modest overhead.
UR - http://www.scopus.com/inward/record.url?scp=85007595674&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85007595674&partnerID=8YFLogxK
U2 - 10.1145/2991079.2991109
DO - 10.1145/2991079.2991109
M3 - Conference contribution
AN - SCOPUS:85007595674
T3 - ACM International Conference Proceeding Series
SP - 52
EP - 64
BT - Proceedings - 32nd Annual Computer Security Applications Conference, ACSAC 2016
PB - Association for Computing Machinery
Y2 - 5 December 2016 through 9 December 2016
ER -