
Publication


Featured research published by Anbang Ruan.


IEEE Transactions on Information Forensics and Security | 2013

Towards Trustworthy Resource Scheduling in Clouds

Imad M. Abbadi; Anbang Ruan

Managing the allocation of cloud virtual machines to physical resources is a key requirement for the success of clouds. Current implementations of cloud schedulers do not consider the entire cloud infrastructure, nor do they consider the overall user and infrastructure properties. This results in major security, privacy, and resilience concerns. In this paper, we propose a novel cloud scheduler which considers both user requirements and infrastructure properties. We focus on assuring users that their virtual resources are hosted on physical resources that match their requirements, without requiring users to understand the details of the cloud infrastructure. As a proof-of-concept, we present our prototype, which is built on OpenStack. The prototype implements the proposed cloud scheduler. It also provides an implementation of our previous work on cloud trust management, which supplies the scheduler with input about the trust status of the cloud infrastructure.


scalable trusted computing | 2011

RepCloud: achieving fine-grained cloud TCB attestation with reputation systems

Anbang Ruan; Andrew P. Martin

Security concerns for emerging cloud computing models have become the focus of much research, but little of this targets the underlying infrastructure. Trusted Cloud proposals generally assert that the Trusted Computing Base (TCB) of the cloud should be clearly defined and attested to. However, specific characteristics of trust in the cloud make such solutions difficult to implement in an effective and practical way. We present RepCloud, a reputation system for managing decentralised attestation metrics in the cloud. We observe that, being deterministic and tamper-proof, trust evidence generated by the TCG framework can be efficiently transmitted within the cloud. In a web of nodes with high connectivity and mutual-attestation frequency, corrupted nodes can be identified effectively. By modelling this web with RepCloud, we achieve a fine-grained cloud TCB attestation scheme with high confidence for trust. Cloud users can determine the security properties of the exact nodes that may affect the genuine functionalities of their applications, without obtaining much internal information about the cloud. Experiments showed that, besides achieving fine-grained attestation, RepCloud still incurred lower trust management overhead than existing trusted cloud proposals.


world congress on services | 2012

TMR: Towards a Trusted MapReduce Infrastructure

Anbang Ruan; Andrew P. Martin

MapReduce systems deployed over an open infrastructure such as a cloud have attracted much attention, due to the significant reductions in the costs entailed in satisfying both the computation and storage demands. However, in these systems, the integrity of MapReduce applications is subject to significant threats. Recent research mainly focuses on replication-based integrity verification schemes. However, inevitable critical deficiencies restrict their usage. In this paper, we propose a Trusted MapReduce (TMR) framework to integrate MapReduce systems with the TCG Trusted Computing infrastructure. TMR effectively uses remote attestations to achieve efficient and deterministic integrity verification. We propose a split and parallel attestation schema to reduce latency and eliminate scalability limitations when employing the Trusted Computing mechanisms. We implemented TMR on the Hadoop MapReduce system. Experiments showed that high-strength integrity assurance has been achieved, and the overheads can easily be managed to less than 1% for an industry-strength implementation.


international conference for young computer scientists | 2008

A Generalized Trusted Virtualized Platform Architecture

Anbang Ruan; Qingni Shen; Yuanyou Yin

Problems of overall safety management, appropriate load balance, and the need for ease of use emerge in an environment containing multiple trusted virtualized platforms. We propose the generalized trusted virtualized platform architecture, GTVP, which combines multiple physical platforms into a trusted union. GTVP first establishes trust relationships among all platforms, and then synchronizes their resource and security information for unified management. Moreover, GTVP supports fast and secure migration to resolve the overall load-balance issue. The host OS (as in Xen) of GTVP is divided into five control domains to minimize the TCB, and the guest OS of a given application (called a Lazy Box) is cut into components for rapid deployment and upgrade. As a result, administrators can manage multiple platforms in a similar way as a single platform and get the benefits of security, efficiency and ease of use while obtaining transparency and flexibility. Three scenarios are demonstrated to show their efficiency in the GTVP architecture.


international conference on cloud computing | 2016

OpenStack Security Modules: A Least-Invasive Access Control Framework for the Cloud

Yang Luo; Wu Luo; Tian Puyang; Qingni Shen; Anbang Ruan; Zhonghai Wu

The access control mechanisms of existing cloud systems, mainly OpenStack, fail to provide two key factors: i) centralized access mediation and ii) flexible policy customization. This situation prevents cloud administrators and end customers from enhancing their security. Furthermore, a variety of clouds have implemented their access control systems and policies in separate ways. This might confuse customers whose businesses are built on multiple clouds, as they have to make efforts to accommodate their policies for different platforms. The OpenStack Security Modules (OSM) project has developed a least-invasive access control framework for OpenStack to enable different access control models to be implemented as loadable modules. This framework can be a good replacement for the existing permission checks in OpenStack and other platforms. We also propose an integration mechanism for multiple policies to form a single decision. This paper presents the design and implementation of OSM, including a new service called patron and an attachment module called access endpoint middleware (AEM). Experiments on the tempest benchmark indicate that OSM has improved the flexibility and security of policy management without affecting other services. Meanwhile, the average performance overhead remains as low as 7.3%, which is acceptable for practical use.


international conference on web services | 2016

RestPL: Towards a Request-Oriented Policy Language for Arbitrary RESTful APIs

Yang Luo; Hongbo Zhou; Qingni Shen; Anbang Ruan; Zhonghai Wu

Recently an increasing number of web applications, especially cloud computing systems, utilize representational state transfer (REST) APIs to deploy their services for simplicity and clarity. Users can employ the same interface to invoke various applications from the Internet. For security purposes, service providers control access to the provided interface through policy enforcement. Yet the access control of REST interfaces lacks a uniform standard regarding the policy language and corresponding enforcement implementation, which brings two limitations: i) Users have to deal with totally different types of policies to accommodate certain systems. ii) Service providers have to design their own platform-specific authorization policy language and the related enforcement mechanisms. In this paper, we propose a REST Policy Language (RestPL) to express authorization policies especially for REST APIs. RestPL is ensured to be request-oriented, based on our definition of the standard request form. This means that a RestPL policy can be automatically generated from an actual request, which helps mitigate a user's pressure during policy design. Furthermore, we also provide a reference implementation for the enforcement code of RestPL based on regular expressions and deploy it on OpenStack Liberty to demonstrate its feasibility. The experimental results indicate the enforcement overhead of RestPL can be reduced to 80.6% compared with the original policy. In addition, we show that an end-user can also benefit from RestPL by reducing the learning effort by at least 41.6%.


international conference on trusted systems | 2014

NeuronVisor: Defining a Fine-Grained Cloud Root-of-Trust

Anbang Ruan; Andrew P. Martin

Security issues have become a significant barrier to the adoption of cloud computing services. Most existing security enhancements lack a well-defined Root-of-Trust (RoT). Models for Trusted Clouds have been proposed, which establish a RoT inside the cloud and vouch for the trustworthiness of the cloud services. However, these are often impractical due to the cloud's dynamics and complexity. In this paper, we present NeuronVisor, an abstract Cloud Root-of-Trust (cRoT) framework. NeuronVisor enforces decentralized attestations to capture trust dependency among interacting software components inside the cloud, and determines a single cRoT for each cloud application. This cRoT hides the cloud's internals by presenting a uniform interface for attesting to the trustworthiness of the entire cloud application and all its dependent services inside the cloud (the Cloud TCB). Our simulations show that, more than 98% of the time, one interrogation of the dynamically formed cRoT is able to identify the properties of more than 90% of the nodes hosting a cloud application and its cloud TCB. Meanwhile, NeuronVisor achieves a higher fault detection rate than the prevalent centralized cloud attestation scheme (CEN). It still achieves the same fault detection rate as CEN even when 90% of the NeuronVisors are constantly tampered with and maliciously collaborating with each other.


annual computer security applications conference | 2010

SCOBA: source code based attestation on custom software

Liang Gu; Yao Guo; Anbang Ruan; Qingni Shen; Hong Mei

Most existing attestation schemes deal with binaries and typically require an exhaustive list of known-good measurements beforehand in order to perform verification. However, many programs nowadays are custom-built: the end user is allowed to tailor, compile and build the source code into various versions, or even build everything from scratch. As a result, it is very difficult, if not impossible, for existing schemes to attest custom-built software with a theoretically unlimited number of valid binaries available. This paper introduces SCOBA, a new Source COde Based Attestation framework, to specifically deal with attestation of custom software. Instead of trying to obtain a known-good measurement list, SCOBA focuses on the source code and provides a trusted building process to attest the resulting binaries based on the source files and build configuration. SCOBA introduces a trusted verifier to certify the binary code of a custom-built program according to its source code and build configuration. For custom-built software based on open-source distributions, we implemented a fully automatic trusted building system prototype for SCOBA based on GCC and TPM. As a case study, we also applied SCOBA to Gentoo and its Portage, which is a source code based package management system. Experimental results show that remote attestation, one of the key TCG features, can be made practically available to the free software community.


IEEE Transactions on Services Computing | 2017

RepCloud: Attesting to Cloud Service Dependency

Anbang Ruan; Andrew P. Martin

Security enhancements to the emerging IaaS (Infrastructure as a Service) cloud computing systems have become the focus of much research, but little of this targets the underlying infrastructure. Trusted cloud systems are proposed to integrate trusted computing infrastructure with cloud systems. With remote attestations, cloud customers are able to determine the genuine behaviors of their applications’ hosts; and therefore they establish trust to the cloud. However, the current trusted clouds have difficulties in effectively attesting to the cloud service dependency for customers’ applications, due to the cloud’s complexity, heterogeneity and dynamism. In this paper, we present RepCloud, a decentralized cloud trust management framework, inspired by the reputation systems from the research in peer-to-peer systems. With RepCloud, cloud customers are able to determine the properties of the exact nodes that may affect the genuine functionalities of their applications, without obtaining much internal information of the cloud. Experiments showed that besides achieving fine-grained cloud service dependency attestation, RepCloud incurred lower trust management overhead than the existing trusted cloud systems.


trust, security and privacy in computing and communications | 2016

Partial Attestation: Towards Cost-Effective and Privacy-Preserving Remote Attestations

Wu Luo; Wei Liu; Yang Luo; Anbang Ruan; Qingni Shen; Zhonghai Wu

In recent years, the rapid development of virtualization and container technology has had an unprecedented impact on traditional IT architecture. Trusted Computing is devoted to providing a solution to protect the integrity of the target platform and introduces a virtual TPM to adapt to the challenges that virtualization brings. However, the traditional integrity measurement solution and remote attestation have limitations due to challenges such as the large measurement and attestation cost and overexposure of configuration details. In this paper, we propose the Partial Attestation Model. The basic idea of the Partial Attestation Model is to reconstruct the Chain of Trust by dividing it into several separate ones. Our model therefore enables the challenger to attest the specified security requirements of the target platform, instead of acquiring and verifying the complete detailed configuration. By ignoring components not related to the target requirements, our model reduces the attestation costs. In addition, we further implement an attestation protocol to prevent overexposure of the target platform's configuration details. We build a use case to illustrate the implementation of our model, and the evaluations on our prototype show that our model achieves better efficiency than the existing remote attestation scheme.
