Transparent Security for Cloud ∗

Flavio Lombardi

Roberto Di Pietro

Consiglio Nazionale delle Ricerche Sistemi Informativi Piazzale Aldo Moro 7, 00185 Rome, Italy

UNESCO Chair in Data Privacy Universitat Rovira i Virgili Tarragona, Spain


ABSTRACT


Large distributed systems such as clouds are increasingly becoming targets of attacks. Virtualization can be leveraged to increase the security of such systems by protecting the integrity of guest components. This paper discusses the integrity protection problem in the clouds and sketches a novel architecture, Transparent Cloud Protection System (TCPS) for increased security of cloud resources. TCPS can be tailored to different cloud flavors to monitor the integrity of guests and infrastructure components while remaining transparent to virtual machines.

Figure 1: Cloud layers and examples (extended). [Figure not reproduced. Layers shown, top to bottom: SaaS (Google Apps, Salesforce.com), PaaS (Google AppEngine), IaaS (Amazon EC2, Eucalyptus, Enomalism), dSaaS (Amazon S3, Cleversafe dsNet), Virtualization (Xen, VMware, KVM), TCPS, Kernel (Linux, Win), Hardware.]

Categories and Subject Descriptors

D.4.6 [Software]: Operating Systems—Security and Protection; K.6.5 [Security and Protection]: Unauthorized access—Management of Computing and Information Systems

General Terms

Security

Keywords

Security, Cloud Computing, Threat Handling, Virtual Machine Monitor

1. INTRODUCTION

Cloud computing is growing in popularity and analysts predict its further diffusion, but security and privacy concerns might slow down its adoption and success. Clouds are inherently more vulnerable to attacks given their size and management complexity. As a consequence, increased protection of such systems is a challenging task. It becomes crucial to know the possible threats and to establish security processes to protect services and hosting platforms from attacks.

Virtualization is already leveraged in clouds. It allows better use of resources via server consolidation and better load balancing via migration of virtual machines (VMs). Virtualization can also be used as a security component, e.g. to provide monitoring of VMs, allowing easier security management of complex clusters, server farms and cloud computing infrastructure. However, it can also create new potential concerns with respect to security. Based on KvmSec [1], a security extension to the Linux Kernel Virtual Machine, we present TCPS, a protection system for clouds aimed at transparently monitoring the integrity of cloud components.

While privacy issues in clouds have been discussed in detail by Pearson in [2], security issues in clouds are less discussed in the literature [4]. A work of interest for our research is [3], where it is shown to be possible to instantiate many guest VMs until one is placed co-resident with the target VM. Once co-residence is achieved, attacks can theoretically extract information from a target VM on the same machine. Furthermore, by exploiting cloud auto-scaling systems an attacker might also trigger new victim instances.

∗Also with Dipartimento di Matematica, Università di Roma Tre.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SAC'10 March 22-26, 2010, Sierre, Switzerland. Copyright 2010 ACM 978-1-60558-638-0/10/03 ...$10.00.

2. REQUIREMENTS

The core set of requirements to be met by a security monitoring system for clouds is the following (see [1]):

RQ1 Effectiveness: the system should be able to detect most kinds of attacks.

RQ2 Guest Maintenance Tolerance: the system should be able to (ideally) avoid false positives; that is, mistakenly detecting malware attacks where authorized activities are taking place.

RQ3 Transparency: the system should minimize visibility from VMs; that is, potential intruders should not be able to detect the presence of the monitoring system.

RQ4 Immunity to attacks from the Guest: the host system and the sibling guests should be protected from attacks proceeding from a compromised guest.

RQ5 Deployability: the system should be installable on the vast majority of available middleware.

RQ6 Dynamic Reaction: the system should detect an intrusion attempt over a guest and, if required by the security policy, take appropriate actions against the attempt or against the compromised guest and/or notify remote middleware security-management components.

3. THE TRANSPARENT CLOUD PROTECTION SYSTEM (TCPS)

The proposed Transparent Cloud Protection System (TCPS), a middleware whose core is located between the Kernel and the virtualization layer (see Figure 1), is intended to protect the integrity of guest VMs and of the distributed computing middleware by allowing the host to monitor guest VMs and infrastructure components (RQ5). Our proposal extends the KvmSec [1] approach in order to protect monitored components against intruders and attacks such as worms and viruses. TCPS is a pure host-side architecture, and this allows deploying unmodified guest virtual appliances.

In order to protect VMs and cloud infrastructure we plan to monitor key components that would be affected by attacks. By either actively or passively monitoring such key kernel and cloud components we are able to detect any possible modification to kernel data and code, thus guaranteeing that kernel and cloud middleware integrity has not been compromised and consequently that no attacker has made its way into the system (RQ1, RQ6). Furthermore, to monitor accesses to cloud entry points we can check the integrity of cloud components via periodic checksums.

The high-level TCPS architecture is depicted in Figure 2, where potentially dangerous data flows are depicted in continuous lines and monitoring data flows are depicted in dashed lines. All TCPS modules reside on the Host, and Qemu is leveraged to access the guest. Suspicious guest activities can be noticed by the Interceptor and are recorded by the Warning Recorder into the Warning Queue, where the potential alteration will be evaluated by the Detector component. TCPS can locally react to security breaches or notify the distributed computing security components of such an occurrence. In order to avoid false positives (RQ2) as much as possible, an administrator can notify TCPS of the new components' checksum.

Figure 2: TCPS Architecture. [Figure not reproduced. Labels shown: Hosting Platform, Guest VM, User Space, Kernel Space, Malicious Application, TCPS Warning Recorder, WQ, Detector (Daemon), Middleware Integrity Monitor, Hasher, Checksum DB, Qemu, Kvm, Kernel Code, Selected Kernel Data, Interceptor.]

TCPS is significantly different from the security monitoring system presented in KvmSec [1]. Some of the main differences between KvmSec and TCPS are shown in Table 1. Most importantly, TCPS is entirely located on the host machine (RQ3). TCPS is transparent to guest machines: it is hard to attack even from a compromised or untrusted VM and can inspect guest status and data. It is worth noting that in TCPS, as in KvmSec, each VM uses its own private memory area, so it is totally independent from other VMs (RQ4).

Table 1: TCPS vs KvmSec

Feature            KvmSec    TCPS
Semantic View      N         Y
Guest Component    Y         N
Transparency       Partial   Full

4. CONCLUSION

We have introduced the integrity protection problem in the clouds and proposed a novel architecture, Transparent Cloud Protection System (TCPS), for increased security of cloud resources. TCPS can be tailored to different cloud middleware implementations and can monitor the integrity of cloud components. This allows increased protection from most kinds of attacks in a way that is completely transparent to guest VMs. As for further research directions, we aim to implement effective protection mechanisms in order to detect the largest possible number of threats.
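The periodic checksum check on cloud components described in Section 3 (Hasher, Checksum DB, Warning Queue, Detector, and the administrator notifying the monitor of a new checksum for RQ2), as an added sketch that is not code from the paper or from TCPS. It assumes monitored components are files readable from the host and uses SHA-256, which the paper does not specify; the names `IntegrityMonitor`, `register`, `scan` and `detect` are hypothetical, and the files in `demo()` are constructed.

```python
import hashlib, os, tempfile
from pathlib import Path

class IntegrityMonitor:
    """Host-side periodic checksum check; names mirror the roles in Section 3."""
    def __init__(self):
        self.checksum_db = {}         # Checksum DB: path -> trusted SHA-256
        self.warning_queue = []       # Warning Queue (WQ)

    @staticmethod
    def hash_file(path):              # Hasher: stream, do not load whole file
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def register(self, path):         # admin supplies a new trusted checksum (RQ2)
        self.checksum_db[path] = self.hash_file(path)

    def scan(self):                   # Warning Recorder: one periodic pass
        for path, trusted in self.checksum_db.items():
            try:
                current = self.hash_file(path)
            except OSError:           # component removed or unreadable
                self.warning_queue.append((path, "missing", None))
                continue
            if current != trusted:
                self.warning_queue.append((path, "modified", current))

    def detect(self):                 # Detector: evaluate queued warnings
        pending, self.warning_queue = self.warning_queue, []
        # Drop warnings whose digest the administrator approved after queueing.
        return [(os.path.basename(p), kind) for p, kind, digest in pending
                if not (kind == "modified" and self.checksum_db.get(p) == digest)]

def demo():
    """Constructed scenario: two files change, only one change is approved."""
    with tempfile.TemporaryDirectory() as d:
        mon = IntegrityMonitor()
        a, b = (os.path.join(d, n) for n in ("middleware.bin", "node.conf"))
        for p in (a, b):
            Path(p).write_bytes(b"v1")
            mon.register(p)
        mon.scan()
        clean = mon.detect()
        for p in (a, b):
            Path(p).write_bytes(b"v2")
        mon.scan()
        mon.register(b)               # administrator approves node.conf
        return clean, mon.detect()
```

Keeping the queued digest with each warning is what lets the Detector discard an alert for a change the administrator approved between the scan and the evaluation, while still reporting the unapproved change to the other file.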

5. REFERENCES

[1] F. Lombardi and R. Di Pietro. Kvmsec: a security extension for linux kernel virtual machines. In SAC '09: Proceedings of the 2009 ACM symposium on Applied Computing, pages 2029–2034, New York, NY, USA, 2009. ACM.

[2] S. Pearson. Taking account of privacy when designing cloud computing services. In CLOUD '09: Proceedings of the 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing, pages 44–52, Washington, DC, USA, 2009. IEEE Computer Society.

[3] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In CCS '09: Proceedings of the 14th ACM conference on Computer and communications security, pages 103–115, New York, NY, USA, 2009. ACM.

[4] F. Siebenlist. Challenges and opportunities for virtualized security in the clouds. In SACMAT '09: Proceedings of the 14th ACM symposium on Access control models and technologies, pages 1–2, New York, NY, USA, 2009. ACM.