Publications

Featured research published by Chris I. Dalton.


IEEE Computer | 2004

SoftUDC: a software-based data center for utility computing

Mahesh Kallahalla; Mustafa Uysal; Ram Swaminathan; David E. Lowell; Mike Wray; Tom Christian; Nigel Edwards; Chris I. Dalton; Frederic Gittler

Utility computing aims to aggregate server, network, and storage systems into a single, centrally managed pool of resources. SoftUDC, a virtual machine monitor, lets applications and administrative domains share physical resources while maintaining full functional isolation.


ACM Special Interest Group on Data Communication (SIGCOMM) | 1994

User-space protocols deliver high performance to applications on a low-cost Gb/s LAN

Aled Edwards; Greg Watson; John William Lumley; David Banks; Costas Calamvokis; Chris I. Dalton

Two important questions in high-speed networking are firstly, how to provide Gbit/s networking at low cost and secondly, how to provide a flexible low-level network interface so that applications can control their data from the instant it arrives. We describe some work that addresses both of these questions. The Jetstream Gbit/s LAN is an experimental, low-cost network interface that provides the services required by delay-sensitive traffic as well as meeting the performance needs of current applications. Jetstream is a combination of traditional shared-medium LAN technology and more recent ATM cell- and switch-based technology. Jetstream frames contain a channel identifier so that the network driver can immediately associate an incoming frame with its application. We have developed such a driver that enables applications to control how their data should be managed without the need to first move the data into the application's address space. Consequently, applications can elect to read just a part of a frame and then instruct the driver to move the remainder directly to its destination. Individual channels can elect to receive frames that have failed their CRC, while applications can specify frame-drop policies on a per-channel basis. Measured results show that both kernel- and user-space protocols can achieve very good throughput: applications using both TCP and our own reliable byte-stream protocol have demonstrated throughputs in excess of 200 Mbit/s. The benefits of running protocols in user-space are well known; the drawback has often been a severe penalty in the performance achieved. In this paper we show that it is possible to have the best of both worlds.


Computer and Communications Security | 2007

Towards automated provisioning of secure virtualized networks

Serdar Cabuk; Chris I. Dalton; HariGovind V. Ramasamy; Matthias Schunter

We describe a secure network virtualization framework that helps realize the abstraction of Trusted Virtual Domains (TVDs), a security-enhanced variant of virtualized network zones. The framework allows groups of related virtual machines running on separate physical machines to be connected together as though they were on their own separate network fabric and, at the same time, helps enforce cross-group security requirements such as isolation, confidentiality, security, and information flow control. The framework uses existing network virtualization technologies, such as Ethernet encapsulation, VLAN tagging, and VPNs, and combines and orchestrates them appropriately to implement TVDs. Our framework aims at automating the instantiation and deployment of the appropriate security mechanism and network virtualization technologies based on an input security model that specifies the required level of isolation and permitted network flows. We have implemented a prototype of the framework based on the Xen hypervisor. Experimental evaluation of the prototype shows that the performance of our virtual networking extensions is comparable to that of the standard Xen configuration.


IEEE Network | 1993

Afterburner (network-independent card for protocols)

Chris I. Dalton; Greg Watson; David Banks; Costas Calamvokis; Aled Edwards; John William Lumley

Many current implementations of protocols such as the Transmission Control Protocol/Internet Protocol (TCP/IP) are inefficient because data are often accessed more frequently than necessary. Three techniques that reduce the need for memory bandwidth are proposed. The techniques are copy-on-write, page remapping, and single-copy. Afterburner, a network-independent card that provides the services that are necessary for a single-copy protocol stack, is described. The card has 1 MByte of local buffers and provides a simple interface to a variety of network link adapters, including HIPPI and asynchronous transfer mode (ATM). Afterburner can support transfers to and from the link adapter card at rates up to 1 Gbit/s. An implementation of TCP/IP that uses the features provided by Afterburner to reduce the movement of data to a single copy is discussed. Measurements of the end-to-end performance of Afterburner and the single-copy implementation of TCP/IP are presented.


Computer Networks and ISDN Systems | 1997

Applying military grade security to the Internet

Chris I. Dalton; Jonathan Griffin

The explosive growth witnessed in the Internet over the last few years has encouraged companies to connect to it and to offer services to their customers over it. Concerns about security are holding them back from all but the most restrictive connectivity. This paper explores the use of a military development, the Compartmented Mode Workstation (CMW), in a commercial setting, as a platform that is secure enough to implement services that are accessed over the Internet. Two applications have been investigated in detail, a firewalled Domain Name System and a World Wide Web service with enhanced authentication. Finally, there is discussion of how other Internet-based services might benefit from the application of CMW technology.


Journal of Computer Security | 2010

Towards automated security policy enforcement in multi-tenant virtual data centers

Serdar Cabuk; Chris I. Dalton; Konrad Eriksson; Dirk Kuhlmann; HariGovind V. Ramasamy; Gianluca Ramunno; Ahmad-Reza Sadeghi; Matthias Schunter; Christian Stüble

Affiliations: Hewlett-Packard Labs, Bristol, UK (Serdar Cabuk, Chris I. Dalton, Dirk Kuhlmann); IBM Zurich Research Laboratory, Rüschlikon, Switzerland (Konrad Eriksson, Matthias Schunter); IBM T. J. Watson Research Center, Hawthorne, NY, USA (HariGovind V. Ramasamy); Politecnico di Torino, Turin, Italy (Gianluca Ramunno); Ruhr-University Bochum, Germany (Ahmad-Reza Sadeghi); Sirrix AG Security Technologies, Bochum, Germany (Christian Stüble).


Communications of The ACM | 2001

An operating system approach to securing e-services

Chris I. Dalton; Tse Huong Choo

As more and more services turn electronic and are exposed to the public world of the Internet, many will become attractive and lucrative targets to would-be attackers. A large number of Internet security breaches take place via compromising the applications forming the electronic services. The applications forming e-services are in general sophisticated and contain many lines of code. It is not surprising that there are bugs in some of this code. Indeed, with such large applications it is difficult to guarantee otherwise. Offering a service over the Internet means exposing it to a large population of attackers capable of probing the service for vulnerabilities. It is not unlikely, and has been shown to be the case in the past, that some of these bugs can and will be exploited, leading to security violations. Increasingly, single machines are being used to host multiple services concurrently (ISP, ASP, xSP service provision). It is becoming critically important that not only is the security of the host platform protected from application compromise attacks but also the applications are adequately protected from each other in the face of attack. This article looks at some of the problems surrounding application compromise in more detail and puts forward our approach to solving these problems. We do not attempt to guarantee that the application services are bug-free (a difficult problem). Instead, we have found that the effects of this type of attack, and quite a few others, can be usefully mitigated by adding specific properties to the OSs used to host those applications. Specifically, we look at Trusted Linux, HP Laboratories’ implementation of a secure version of Linux, which we believe is an ideal platform for e-service application hosting.


Operating Systems Review | 2009

Trusted virtual platforms: a key enabler for converged client devices

Chris I. Dalton; David Plaquin; Wolfgang Weidner; Dirk Kuhlmann; Boris Balacheff; Richard Brown

This paper introduces our work around combining machine virtualization technology with Trusted Computing Group technology. We first describe our architecture for reducing and containing the privileged code of the Xen Hypervisor. Secondly we describe our Trusted Virtual Platform architecture. This is aimed at supporting the strong enforcement of integrity and security policy controls over a virtual entity where a virtual entity can be either a full guest operating system or virtual appliance running on a virtualized platform. The architecture includes a virtualization-specific integrity measurement and reporting framework. This is designed to reflect all the dependencies of the virtual environment of a guest operating system. The work is a core enabling component of our research around converged devices -- client platforms such as notebooks or desktop PCs that can safely host multiple virtual operating systems and virtual appliances concurrently and report accurately on the trustworthiness of the individually executing entities.


Enterprise Distributed Object Computing | 2012

A Framework for Detecting Malware in Cloud by Identifying Symptoms

Keith Alexander Harrison; Behzad Bordbar; Syed T. T. Ali; Chris I. Dalton; Andrew Patrick Norman

Security is seen as one of the major challenges of Cloud computing. Recent malware are not only becoming more sophisticated, but have also demonstrated a trend to make use of components which can easily be distributed through the Internet to develop newer and better malware. As a result, the key problem facing Cloud security is to cope with identifying diverse sets of malware. This paper presents a method of detecting malware by identifying the symptoms of malicious behaviour as opposed to looking for the malware itself. This can be compared to the use of symptoms in human pathology, in which the study of symptoms directs physicians to the diagnosis of a disease or possible causes of illnesses. The main advantage of shifting the attention to the symptoms is that a wide range of malicious behaviour can result in the same set of symptoms. We propose the creation of Forensic Virtual Machines (FVMs), which are mini Virtual Machines (VMs) that can monitor other VMs to discover the symptoms. In this paper, we shall present a framework to support the FVMs so that they collaborate with each other in identifying symptoms by exchanging messages via secure channels. The FVMs report to a Command & Control module that collects and correlates the information so that suitable remedial actions can take place in real time. The Command & Control can be compared to the physician who infers the possibility of an illness from the occurring symptoms. In addition, as FVMs make use of the computational resources of the system, we will present an algorithm for sharing the FVMs so that they can be guided to search for the symptoms in the VMs with higher priority.


New Security Paradigms Workshop | 2003

Dynamic label binding at run-time

Yolanta Beres; Chris I. Dalton

Information flow control allows enforcement of end-to-end confidentiality policies but has been difficult to put into practice. This paper introduces a pragmatic new approach for tracking information flow while the process is running, at the same time applying dynamic label binding. The underlying implementation mechanism uses machine code instruction stream modification to track individual data movements and manipulations within the address space of an application. This gives the ability to precisely determine all information-flow-causing operations and apply controls that do not overly restrict what computations can be performed.
