Publication


Featured research published by Fangfei Zhou.


Journal of Computer Security | 2013

Scheduler vulnerabilities and coordinated attacks in cloud computing

Fangfei Zhou; Manish Goel; Peter Desnoyers; Ravi Sundaram

In hardware virtualization a hypervisor provides multiple Virtual Machines (VMs) on a single physical system, each executing a separate operating system instance. The hypervisor schedules execution of these VMs much as the scheduler in an operating system does, balancing factors such as fairness and I/O performance. As in an operating system, the scheduler may be vulnerable to malicious behavior on the part of users seeking to deny service to others or maximize their own resource usage. Recently, publicly available cloud computing services such as Amazon EC2 have used virtualization to provide customers with virtual machines running on the provider's hardware, typically charging by wall clock time rather than resources consumed. Under this business model, manipulation of the scheduler may allow theft of service at the expense of other customers, rather than merely re-allocating resources within the same administrative domain. We describe a flaw in the Xen scheduler allowing virtual machines to consume almost all CPU time, in preference to other users, and demonstrate kernel-based and user-space versions of the attack. We show results demonstrating the vulnerability in the lab, consuming as much as 98% of CPU time regardless of fair share, as well as on Amazon EC2, where Xen modifications protect other users but still allow theft of service. Following the responsible disclosure model, we have reported this vulnerability to Amazon; they have since implemented a fix that we have tested and verified. We provide a novel analysis of the necessary conditions for such attacks, and describe scheduler modifications to eliminate the vulnerability. We present experimental results demonstrating the effectiveness of these defenses while imposing negligible overhead. Also, cloud providers such as Amazon's EC2 do not explicitly reveal the mapping of virtual machines to physical hosts [in: ACM CCS, 2009].
Our attack itself provides a mechanism for detecting the co-placement of VMs, which in conjunction with appropriate algorithms can be utilized to reveal this mapping. Other cloud computing attacks may use this mapping algorithm to detect the placement of victims.


European Conference on Computer Systems | 2013

Maygh: building a CDN from client web browsers

Liang Zhang; Fangfei Zhou; Alan Mislove; Ravi Sundaram

Over the past two decades, the web has provided dramatic improvements in the ease of sharing content. Unfortunately, the costs of distributing this content are largely incurred by web site operators; popular web sites are required to make substantial monetary investments in serving infrastructure or cloud computing resources---or must pay other organizations (e.g., content distribution networks)---to help serve content. Previous approaches to offloading some of the distribution costs onto end users have relied on client-side software or web browser plug-ins, providing poor user incentives and dramatically limiting their scope in practice. In this paper, we present Maygh, a system that builds a content distribution network from client web browsers, without the need for additional plug-ins or client-side software. The result is an organically scalable system that distributes the cost of serving web content across the users of a web site. Through simulations based on real-world access logs from Etsy (a large e-commerce web site that is the 50th most popular web site in the U.S.), microbenchmarks, and a small-scale deployment, we demonstrate that Maygh provides substantial savings to site operators, imposes only modest costs on clients, and can be deployed on the web sites and browsers of today. In fact, if Maygh was deployed to Etsy, it would reduce network bandwidth due to static content by 75% and require only a single coordinating server.


Network Computing and Applications | 2011

Scheduler Vulnerabilities and Coordinated Attacks in Cloud Computing

Fangfei Zhou; Manish Goel; Peter Desnoyers; Ravi Sundaram

Recently, cloud computing services such as Amazon EC2 have used virtualization to provide customers with virtual machines running on the provider's hardware, typically charging by wall clock time rather than resources consumed. Under this business model, manipulation of the scheduler may allow theft-of-service at the expense of other customers. We have discovered and implemented an attack scenario which, when implemented on Amazon EC2, allowed virtual machines to consume more CPU time regardless of fair share. We provide a novel analysis of the necessary conditions for such attacks, and describe scheduler modifications to eliminate the vulnerability. We present experimental results demonstrating the effectiveness of these defenses while imposing negligible overhead. Cloud providers such as Amazon's EC2 do not explicitly provide the mapping of VMs to physical hosts. Our attack itself provides a mechanism for detecting the co-placement of VMs, which in conjunction with appropriate algorithms can be utilized to reveal this mapping. We abstract mapping discovery as a problem of finding an unknown partition (i.e. of VMs among physical hosts) using a minimum number of co-location queries. We present an algorithm that is provably optimal when the maximum partition size is bounded. In the unbounded case we show upper and lower bounds using the probabilistic method in conjunction with a sieving technique. Our work has implications beyond this attack, for other cases of system and network topology inference from limited data.


Military Communications Conference | 2010

HARD-DNS: Highly-Available Redundantly-Distributed DNS

Carlos Gutiérrez; Rajesh Krishnan; Ravi Sundaram; Fangfei Zhou

The DNS or Domain Name System is a critical piece of the Internet infrastructure. In recent times there have been numerous attacks on DNS, the Kaminsky attack being one of the more insidious ones. Current solutions to the problem involve patching the DNS software (Bind) and/or using DNSSEC. Unfortunately, these are forklift upgrades of the DNS infrastructure and are not always feasible especially in sensitive and critical installations. We propose and develop the architecture for HARD-DNS - a turn-key bolt-on solution with no client-side change. We utilize a separate distributed network, HARD-DNS, which is architected for greater resilience to DDoS (Distributed Denial of Service) attacks. We employ quorum techniques to increase tolerance to cache poisoning and we protect the connection between the resolvers and HARD-DNS by a technique we call IP-cloaking. We present theoretical analysis and experimental evaluation to validate the feasibility of our approach.


Computer Communications | 2015

SamaritanCloud: Secure infrastructure for scalable location-based services

Abhishek Samanta; Fangfei Zhou; Ravi Sundaram

With the maturation of online social networks (OSNs), people have begun to form online communities and look for assistance at a particular place and time from people they only know virtually. However, seeking such help on existing OSN infrastructures has some disadvantages including loss of privacy (in terms of both location as well as the nature of the help sought) and high response times. In this paper we propose SamaritanCloud, a scalable infrastructure that enables a group of mobile and geographically-dispersed personal computing devices to form a cloud for the purpose of privately sharing relevant locality-specific information. From a technical standpoint our main contribution is to show that only additive homomorphic encryption is sufficient to compute nearness in a cryptographically secure and scalable way in a distributed setting. This allows us to harness the benefit of linear match time while guaranteeing the locational privacy of the clients. In terms of performance our system compares favorably with simpler publish/subscribe schemes that support only equality match. We demonstrate the practical feasibility of SamaritanCloud with experimental evaluations.


Military Communications Conference | 2010

Optimization of directional antenna network topology in Airborne Networks

Gregory Hadynski; S. B. Lee; G. Rajappan; Ravi Sundaram; X. Wang; Fangfei Zhou

Future IP-based Airborne Networks, important components in net-centric military communications, are envisioned to consist of a persistent backbone core network and dynamic tactical edge networks. The backbone would consist of quasi-stable platforms equipped with multiple high-capacity directional wireless links. The tactical edge networks would consist of highly dynamic platforms such as fighter jets equipped with omni-directional wireless links, and these would be interconnected by the backbone core network. Maintaining optimal backbone topology is an important problem with significant operational impact. Factors such as non-uniform link capacities, the number of traffic sources and sinks, and connectivity complicate the problem. The solution consists of making optimal selection of the link directionality and the possible insertion of communication relay nodes. We approach the solution by abstracting the network as a template from which to select the optimal combination of edges (transmitter-receiver pairs) and nodes (relays). Through innovative graph and flow-theoretic reductions we show that the single sink (or alternatively single source) case can be solved in polynomial time for uniform backbone link capacities. In contrast, we prove not only that the problem is NP-complete for non-uniform backbone link capacities but that the non-uniform case of the problem is hard to approximate to within even a logarithmic factor. Nevertheless we present a scheme based on iterative rounding that scales well in practice. Simulations demonstrate that our algorithm achieves a performance within a factor 2 of the theoretical best. This allows us to conclude that the use of algorithmic techniques in configuring backbone networks can contribute significantly in improving network performance.


Network Computing and Applications | 2012

WebCloud: Recruiting Social Network Users to Assist in Content Distribution

Fangfei Zhou; Liang Zhang; Eric Franco; Alan Mislove; Richard Revis; Ravi Sundaram


arXiv: Distributed, Parallel, and Cluster Computing | 2011

Scheduler Vulnerabilities and Attacks in Cloud Computing

Fangfei Zhou; Manish Goel; Peter Desnoyers; Ravi Sundaram


2013 IFIP Networking Conference | 2013

SamaritanCloud: Secure and scalable infrastructure for enabling location-based services

Abhishek Samanta; Fangfei Zhou; Ravi Sundaram


Archive | 2012

New cloud architectures for the next generation internet

Ravi Sundaram; Fangfei Zhou

Collaboration


Top Co-Authors

Alan Mislove

Northeastern University

Liang Zhang

Northeastern University

Manish Goel

Northeastern University

Gregory Hadynski

Air Force Research Laboratory
