Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012); pages 253-264; Raleigh, North Carolina; October 16-18, 2012.
Modern cloud computing infrastructures use virtual machine monitors (VMMs) that often include a large and complex administrative domain with privileges to inspect client VM state. Attacks against or misuse of the administrative domain can compromise client security and privacy. Moreover, these VMMs provide clients inflexible control over their own VMs, as a result of which clients have to rely on the cloud provider to deploy useful services, such as VM introspection-based security tools.
We introduce a new self-service cloud (SSC) computing model that addresses these two shortcomings. SSC splits administrative privileges between a system-wide domain and per-client administrative domains. Each client can manage and perform privileged system tasks on its own VMs, thereby providing flexibility. The system-wide administrative domain cannot inspect the code, data or computation of client VMs, thereby ensuring security and privacy. SSC also allows providers and clients to establish mutually trusted services that can check regulatory compliance while respecting client privacy. We have implemented SSC by modifying the Xen hypervisor. We demonstrate its utility by building user domains to perform privileged tasks such as memory introspection, storage intrusion detection, and anomaly detection.
Slides: [ PDF | PowerPoint ]
Code: [ SSC on Xen ] (Please contact me if you intend to use this code for non-academic purposes)
DOI: [ 10.1145/2382196.2382226 ]
Companion paper in CCSW'12: A companion paper focusing on the SD app store model enabled by SSC (see Section 5.3 of the CCS'12 paper) appears in Proceedings of CCSW'12: the 4th ACM Cloud Computing Security Workshop as "Towards a Richer Model of Cloud App Markets".