Thursday, October 15 • 9:50am - 10:50am
Towards Addressing the Flawed Trust Assumption in IaaS Cloud Platforms

IaaS cloud has revolutionized the way we consume computing resources. Instead of maintaining a locally administered data center, businesses and individuals can simply purchase compute, storage, and network resources on demand from a public IaaS cloud utility. While this new model has increased access to affordable resources, it comes with challenging security risks. Specifically, IaaS cloud platforms comprise a variety of cloud services running on many cloud nodes. Current cloud platforms often assume a Trusted Computing Base (TCB) that includes each and every cloud service and all the cloud nodes. Consequently, the compromise of a single cloud service or node may lead to the compromise of the entire cloud. This is evidenced by the increasing number of vulnerabilities found in cloud services and the new types of attacks found in cloud platforms, some of which we will discuss in this talk in order to draw the community's attention to the security of IaaS cloud platforms.

In this talk, we explore methods that address the flawed trust assumption in IaaS cloud platforms. We will present two systems we built at Penn State: Pileus, a mandatory access control system for cloud platforms that confines the trust placed in individual cloud services and nodes, and CloudArmor, a system framework that detects and blocks abnormal behaviors of cloud platforms.

Pileus adopts a least-privilege model for cloud services in which a chain of cloud services is dynamically spawned and destroyed according to the cloud operations performed by cloud customers. Each cloud service runs with specific labels that represent the privileges the cloud customer has designated for it. Based on these labels, Pileus mediates the resource accesses performed by cloud services as well as the communication between cloud services and nodes. Consequently, even if one cloud service or node falls under the control of an adversary, Pileus still confines the cloud resources it can access and its effect on other cloud services and nodes. The CloudArmor framework complements Pileus by detecting abnormal behaviors of cloud services. It models and enforces the system calls (i.e., system call order and arguments) issued by cloud services when performing a cloud operation. Consequently, if a cloud service deviates from its normal behavior (e.g., because it is controlled by an adversary), CloudArmor aborts the cloud operation to prevent the damage that the cloud service could otherwise do to cloud resources.
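A minimal version of the kind of behavior check the abstract attributes to CloudArmor, as an added Python illustration rather than the authors' code: a per-operation model of expected system calls (order plus argument constraints) is checked against a recorded trace, and the first deviation aborts the operation. The "create VM disk" operation, its syscall list, the argument constraints and the trace values are all assumptions constructed for this example.

```python
# Added illustration (not the CloudArmor implementation): a behavior model for one
# hypothetical cloud operation is a list of expected (syscall, argument-constraint)
# steps. A trace is checked for both order and arguments; the first deviation
# yields an abort reason. All syscall names, constraints and traces are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Syscall = Tuple[str, Dict]           # (syscall name, arguments)
Constraint = Callable[[Dict], bool]  # predicate over the argument dict


@dataclass
class Step:
    name: str          # expected syscall at this position in the operation
    check: Constraint  # argument constraint learned/specified for this step


def build_model(vm_root: str) -> List[Step]:
    """Expected syscall sequence for an assumed 'create VM disk' operation:
    create a file under the customer's VM directory, write to it, close it."""
    return [
        Step("openat", lambda a: a["path"].startswith(vm_root)
             and a["flags"] == "O_WRONLY|O_CREAT"),
        Step("write", lambda a: a["fd"] >= 0 and a["count"] <= 10 * 1024 ** 3),
        Step("close", lambda a: a["fd"] >= 0),
    ]


def check_trace(model: List[Step], trace: List[Syscall]) -> Optional[str]:
    """Return None if the trace matches the model step by step; otherwise a
    human-readable reason that would cause the operation to be aborted."""
    if len(trace) != len(model):
        return f"expected {len(model)} syscalls, saw {len(trace)}"
    for i, (step, (name, args)) in enumerate(zip(model, trace)):
        if name != step.name:  # order deviation
            return f"step {i}: expected {step.name}, saw {name}"
        if not step.check(args):  # argument deviation
            return f"step {i}: {name} arguments {args} violate the model"
    return None


# Constructed traces: one conforming, one with a reordered syscall, one whose
# openat targets a path outside the service's designated VM directory.
VM_ROOT = "/var/lib/vms/"
GOOD = [("openat", {"path": VM_ROOT + "disk.img", "flags": "O_WRONLY|O_CREAT"}),
        ("write", {"fd": 3, "count": 4096}),
        ("close", {"fd": 3})]
BAD_ORDER = [GOOD[1], GOOD[0], GOOD[2]]
BAD_ARGS = [("openat", {"path": "/var/lib/other-tenant/disk.img",
                        "flags": "O_WRONLY|O_CREAT"}), GOOD[1], GOOD[2]]
```

Running `check_trace(build_model(VM_ROOT), t)` over the three traces gives `None` for `GOOD` and an abort reason naming step 0 for the other two.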


Yuqiong Sun

Yuqiong Sun is a 5th year PhD student in the Department of Computer Science and Engineering at Penn State University, advised by Dr. Trent Jaeger. He is now a member of the Systems and Internet Infrastructure Security lab at Penn State, and his current research focuses on security issues in cloud computing, virtualization, and operating systems as well as distributed systems. Yuqiong has been involved in several research projects related...

Thursday October 15, 2015 9:50am - 10:50am
Presidents Hall 2 The Penn Stater Conference Center Hotel