
Numerous organizations outsource portions of their own IT infrastructure to clouds, even if only to serve intra-organization purposes while achieving the cost savings associated with cloud computing. We outline a number of ways in which cloud operators could assist tenants in managing the security of their outsourced infrastructure.

Side-channel defense

The basis for the dramatic cost savings enabled by clouds is the sharing of resources that they enable so effectively. This sharing, however, does not come without consequences. Research has shown that sharing hardware resources can cause the unintentional leakage of secret information across tenant boundaries in cloud contexts. These leakages, called side channels, arise from tenants' shared use of microarchitectural components on the computers they occupy together. Indeed, such side channels seem inevitable on current hardware platforms if left unchecked by other defenses.

As a result, in Silver we are leading the development of operator-supported defenses against side channels in cloud contexts, ranging from specialized defenses against side channels in processor caches [1],[2],[9] to more holistic defenses for wide ranges of side-channel attacks arising from co-residency (e.g., [3],[6],[7]). An example of a cache-specific defense is hypervisor scheduler modifications that ensure one virtual machine (VM) cannot preempt another at very fine granularity [2], since such preemption is an ingredient in known side-channel attacks leveraging per-core caches. Nomad [6] is an example of a more holistic defense that extends this idea via a provider-assisted service that limits cross-tenant information leakage by carefully coordinating the placement and migration of VMs. By focusing on the root cause of side channels (i.e., co-residency), Nomad is agnostic to the specific side-channel vector used.
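The placement idea described above, as an added illustration that is not part of the original page or of the Nomad code: the Python model below places VMs of different tenants onto shared hosts while bounding how many epochs any cross-tenant VM pair may co-reside within a sliding window, and migrates a VM only when the bound forces it. The window/limit semantics, the cost function, and the tenant and host names are assumptions made for the example.

```python
"""Co-residency-bounded VM placement: a simplified model of provider-assisted
migration against co-residency side channels.  Constructed example; the window
and limit semantics are assumptions, not the Nomad implementation."""
from collections import defaultdict
from itertools import combinations

INFINITE = float("inf")


class Placement:
    """Tracks VM-to-host placement and the per-VM-pair co-residency history."""

    def __init__(self, tenant_of, hosts, capacity, window, limit):
        self.tenant_of = dict(tenant_of)   # vm -> tenant (constructed ids)
        self.hosts = list(hosts)
        self.capacity = capacity           # VMs per host
        self.window = window               # sliding window length, in epochs
        self.limit = limit                 # max epochs a cross-tenant pair may share a host per window
        self.where = {}                    # vm -> host
        self.history = defaultdict(list)   # frozenset({x, y}) -> epochs in which x and y shared a host
        self.epoch = 0
        self.migrations = 0

    def coresidency(self, x, y):
        """Epochs during which VMs x and y shared a host."""
        return list(self.history[frozenset((x, y))])

    def _recent(self, x, y):
        """Co-resident epochs of the pair that still fall inside the current window."""
        cutoff = self.epoch - self.window
        return sum(1 for e in self.history[frozenset((x, y))] if e > cutoff)

    def _residents(self, host, exclude):
        return [v for v, h in self.where.items() if h == host and v != exclude]

    def _cost(self, vm, host):
        """Infinite if the host is full or any cross-tenant pair would exceed the
        limit; otherwise the number of cross-tenant neighbours plus a small
        penalty for migrating, so VMs stay put whenever the bound allows."""
        residents = self._residents(host, exclude=vm)
        if len(residents) >= self.capacity:
            return INFINITE
        cost = 0.0
        for other in residents:
            if self.tenant_of[other] == self.tenant_of[vm]:
                continue                   # same tenant: no cross-tenant leak
            if self._recent(vm, other) + 1 > self.limit:
                return INFINITE
            cost += 1
        if vm in self.where and self.where[vm] != host:
            cost += 0.5
        return cost

    def step(self):
        """Place every VM for the next epoch, then record who shared a host."""
        self.epoch += 1
        for vm in sorted(self.tenant_of):
            best = min(self.hosts, key=lambda h: self._cost(vm, h))
            if self._cost(vm, best) == INFINITE:
                raise RuntimeError(f"no host can take {vm} in epoch {self.epoch}")
            if vm in self.where and self.where[vm] != best:
                self.migrations += 1
            self.where[vm] = best
        by_host = defaultdict(list)
        for vm, host in self.where.items():
            by_host[host].append(vm)
        for vms in by_host.values():
            for x, y in combinations(sorted(vms), 2):
                if self.tenant_of[x] != self.tenant_of[y]:
                    self.history[frozenset((x, y))].append(self.epoch)
        return dict(self.where)

    def violations(self):
        """Cross-tenant pairs that exceeded the limit in some window (should be empty)."""
        bad = []
        for pair, epochs in self.history.items():
            for e in epochs:
                if sum(1 for f in epochs if e - self.window < f <= e) > self.limit:
                    bad.append(tuple(sorted(pair)))
                    break
        return bad


if __name__ == "__main__":
    # Three single-VM tenants on two dual-slot hosts: someone must always share.
    p = Placement({"a1": "A", "b1": "B", "c1": "C"}, ["h1", "h2"],
                  capacity=2, window=4, limit=2)
    for _ in range(8):
        print(p.epoch + 1, p.step())
    print("migrations:", p.migrations, "violations:", p.violations())
```

With the constructed scenario the planner rotates which pair of tenants shares a host every two epochs, so no pair co-resides for more than two epochs of any four-epoch window; the price is one migration every other epoch, which is the trade-off a provider-assisted service of this kind has to tune.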

Tenant networking

Many organizations today rely heavily on network functions (NFs) or middleboxes to implement sophisticated security functionality, including intrusion detection/prevention, monitoring, deep-packet inspection, firewalls, etc. Often, many of these functions are “chained”, with traffic flows routed along a sequence of these middleboxes so as to enforce key security policies. As these organizations move their compute infrastructures into public clouds it becomes important to realize equivalent functionality in these new settings. To facilitate this, our work is leveraging key properties of the cloud infrastructure, namely that it is virtualized and software-defined. We argue that this not only enables flexible realization of the above functionality, but also allows new functionality to be realized in the cloud context.

Specifically, we have developed three frameworks to illustrate these possibilities. The first, FlowTags [4], allows flexible routing of traffic across arbitrary chains of middleboxes, even as middleboxes alter the packet header information that routing traditionally relies on. FlowTags achieves this by inserting tags into end-to-end flows; the logic for computing tags resides at a logically central controller that uses high-level policy to determine how the tags encode the required end-to-end paths and any middlebox-internal actions taken along a route (e.g., content being served out of a cache). Middleboxes can consume the tags to learn the processing context a flow has received so far (e.g., that it traversed a specific set of middleboxes). This allows end-to-end traffic steering policies to be implemented for specific sets of flows.
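An added example of tag-based steering in the spirit of the FlowTags design just described; it is not the FlowTags code and the policy, addresses, class names and controller API are assumptions. A NAT rewrites the source address, so after it two origin groups look identical in the headers; the tag assigned at ingress and advanced by each middlebox still steers one group through the IDS and the other straight out, and lets the IDS learn the flow's origin and prior processing.

```python
"""Tag-based steering of flows through a middlebox chain (constructed example,
not the FlowTags implementation; policy, addresses and API are assumptions)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    tag: Optional[int] = None
    trace: List[str] = field(default_factory=list)   # hops taken, for inspection


class Controller:
    """Logically central: maps (origin group, chain position) to a tag and answers
    tag-based forwarding and context queries."""

    def __init__(self, policy):
        # policy: origin subnet -> ordered middlebox chain its flows must traverse
        self.policy = {ipaddress.ip_network(n): list(c) for n, c in policy.items()}
        self.tag_of = {}   # (net, pos) -> tag
        self.meta_of = {}  # tag -> (net, pos); pos = index of last middlebox traversed

    def _tag(self, net, pos):
        if (net, pos) not in self.tag_of:
            tag = len(self.tag_of) + 1
            self.tag_of[(net, pos)], self.meta_of[tag] = tag, (net, pos)
        return self.tag_of[(net, pos)]

    def ingress_tag(self, src):
        """The ingress switch still sees the original source and can classify the flow."""
        addr = ipaddress.ip_address(src)
        for net in self.policy:
            if addr in net:
                return self._tag(net, -1)
        raise ValueError(f"no policy for source {src}")

    def next_hop(self, tag):
        """Switch rule: the tag, not the (possibly rewritten) header, picks the next hop."""
        net, pos = self.meta_of[tag]
        chain = self.policy[net]
        return chain[pos + 1] if pos + 1 < len(chain) else "egress"

    def advance(self, tag, box):
        """Re-tag a flow after middlebox `box` processed it; refuse out-of-order traversal."""
        net, pos = self.meta_of[tag]
        if self.policy[net][pos + 1] != box:
            raise RuntimeError(f"{box} received a flow it should not see (tag {tag})")
        return self._tag(net, pos + 1)

    def context(self, tag):
        """What a tag consumer learns: origin group and middleboxes traversed so far."""
        net, pos = self.meta_of[tag]
        return str(net), tuple(self.policy[net][:pos + 1])


class Middlebox:
    name = "box"

    def __init__(self, ctl):
        self.ctl = ctl

    def process(self, pkt):
        self.handle(pkt)
        pkt.tag = self.ctl.advance(pkt.tag, self.name)   # consume the tag, emit the next one


class NAT(Middlebox):
    """Rewrites the source address, so headers alone no longer reveal the origin."""
    name = "nat"

    def __init__(self, ctl, public_ip):
        super().__init__(ctl)
        self.public_ip = public_ip

    def handle(self, pkt):
        pkt.src = self.public_ip


class IDS(Middlebox):
    """Tag consumer: records the origin group and prior processing of each flow."""
    name = "ids"

    def __init__(self, ctl):
        super().__init__(ctl)
        self.seen = []

    def handle(self, pkt):
        origin, traversed = self.ctl.context(pkt.tag)
        self.seen.append((pkt.src, origin, traversed))


class Network:
    """Ingress switch tags the packet; later switches route on the tag.  Real switches
    would hold installed tag->port rules; here they query the controller inline."""

    def __init__(self, ctl, middleboxes):
        self.ctl = ctl
        self.boxes = {m.name: m for m in middleboxes}

    def forward(self, pkt):
        pkt.tag = self.ctl.ingress_tag(pkt.src)
        while True:
            hop = self.ctl.next_hop(pkt.tag)
            pkt.trace.append(hop)
            if hop == "egress":
                return pkt
            self.boxes[hop].process(pkt)


if __name__ == "__main__":
    ctl = Controller({"10.0.1.0/24": ["nat", "ids"], "10.0.2.0/24": ["nat"]})  # constructed
    ids = IDS(ctl)
    net = Network(ctl, [NAT(ctl, "203.0.113.5"), ids])
    for src in ("10.0.1.7", "10.0.2.9"):
        pkt = net.forward(Packet(src, "198.51.100.20"))
        print(src, "->", pkt.src, "via", pkt.trace)
    print("IDS context:", ids.seen)
```

The `advance` check is the part a defender cares about: a middlebox that receives a flow whose tag says it should not be there is a policy violation, and surfacing it at the controller is cheaper than discovering it from the traffic later.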

The second system, OpenNF [5], is complementary to FlowTags and is designed specifically to support distributed processing across multiple middlebox instances. While virtualization of middleboxes allows easy deployment and teardown of instances in a cloud setting, reallocation of processing across middlebox instances must be coordinated with reallocation of the internal state that middleboxes maintain for the traffic they are processing. OpenNF allows such state reallocation to be synchronized with traffic reallocation decisions and to take place in a safe and consistent fashion. This capability enables novel security applications, e.g., a security application whose capabilities can be dynamically enhanced to detect sophisticated attacks. That is, an on-site middlebox (e.g., a deep-packet inspection engine) employs simple, local processing to identify suspicious traffic access patterns. When such patterns are observed, deeper analysis of those patterns is seamlessly migrated (along with the state created so far by the local instance's processing) to a more capable, cloud-resident appliance.
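The hand-off just described, as an added example that is not the OpenNF code: a toy DPI function keeps per-flow state (the tail of the bytes seen so far) so it can match a signature split across packets. Moving a flow from an on-site instance to a cloud-resident one while a packet is in flight loses the detection if forwarding is repointed before the state arrives; parking the flow's packets, moving the state, and only then repointing and replaying keeps it. The signature, flow identifier and instance names are constructed for the example.

```python
"""Moving per-flow middlebox state together with its traffic (constructed example
in the spirit of the OpenNF capability; not the OpenNF code)."""

SIGNATURE = b"EVIL-SIG"                          # constructed multi-packet signature
FLOW = ("10.0.0.5", "198.51.100.9", 443)         # constructed flow identifier


class DPIInstance:
    """Tiny DPI-style network function whose per-flow state is the tail of the bytes
    seen so far, so a signature split across packets can still be matched."""

    def __init__(self, name):
        self.name = name
        self.state = {}        # flow -> last len(SIGNATURE)-1 bytes of that flow
        self.alerts = []

    def process(self, flow, payload):
        window = self.state.get(flow, b"") + payload
        if SIGNATURE in window:
            self.alerts.append((flow, self.name))
        self.state[flow] = window[-(len(SIGNATURE) - 1):]

    def export_state(self, flows):
        """Move (not copy) the state of the given flows out of this instance."""
        return {f: self.state.pop(f) for f in flows if f in self.state}

    def import_state(self, chunk):
        self.state.update(chunk)


class Switch:
    """Forwards each flow to one instance; can park a flow's packets while it moves."""

    def __init__(self):
        self.route = {}        # flow -> instance
        self.parked = {}       # flow -> packets held back during migration

    def send(self, flow, payload):
        if flow in self.parked:
            self.parked[flow].append(payload)
        else:
            self.route[flow].process(flow, payload)

    def hold(self, flow):
        self.parked[flow] = []

    def release(self, flow):
        """Deliver parked packets, in arrival order, to the flow's current instance."""
        for payload in self.parked.pop(flow):
            self.route[flow].process(flow, payload)


def migrate(switch, flows, src, dst, in_flight, coordinated):
    """Move `flows` from src to dst while `in_flight` packets arrive mid-migration.
    coordinated=True is the loss-free ordering; coordinated=False reroutes first."""
    if coordinated:
        for f in flows:
            switch.hold(f)                           # 1. park the flow's packets
        for f, payload in in_flight:
            switch.send(f, payload)                  #    arrivals are buffered, not processed
        dst.import_state(src.export_state(flows))    # 2. move per-flow state
        for f in flows:
            switch.route[f] = dst                    # 3. repoint forwarding
            switch.release(f)                        # 4. replay parked packets at dst
    else:
        for f in flows:
            switch.route[f] = dst                    # reroute first ...
        for f, payload in in_flight:
            switch.send(f, payload)                  # ... packets reach dst with no state
        dst.import_state(src.export_state(flows))    # state arrives too late


def run_scenario(coordinated):
    """First half of the signature is seen on site; the second half arrives while
    the flow is being handed to the cloud-resident instance."""
    onsite, cloud = DPIInstance("onsite-dpi"), DPIInstance("cloud-dpi")
    sw = Switch()
    sw.route[FLOW] = onsite
    sw.send(FLOW, b"GET /index EVIL-")
    migrate(sw, [FLOW], onsite, cloud, [(FLOW, b"SIG HTTP/1.1")], coordinated)
    return onsite.alerts + cloud.alerts


if __name__ == "__main__":
    print("coordinated:", run_scenario(True))
    print("naive:      ", run_scenario(False))
```

Export is a move rather than a copy here, so at no point do two instances both believe they own the flow's state; the parked-packet buffer is what gives the "no packet is processed against stale or missing state" guarantee.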

The third system, PGA [8], offers a capability to effectively utilize the other two. In many organizations, policies are independently specified by different actors; e.g., administrators of a department may wish to restrict access to servers they own to users with specific credentials, while an enterprise-wide policy may impose general constraints on who can access what resources. It is important to ensure that such independently specified policies are composed and implemented in a consistent fashion in the underlying infrastructure. PGA provides operators a simple graphical interface to specify complex policies among different sets of end-points, including policies on middlebox traversal and elastic scaling. Each policy can be supported individually using FlowTags and OpenNF. Crucially, the PGA run-time analyzes multiple such policies for potential conflicts, and if no such conflicts exist, quickly computes a routing configuration that ensures consistent policy enforcement.
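An added example of composing independently written policies and detecting conflicts, in the spirit of the PGA description above; it is not the PGA implementation. The model is an assumption made for the example: endpoint groups are sets of label predicates, every policy is a whitelist of edges carrying a middlebox chain, two edges from different policies overlap when their groups can share members and their ports intersect, and overlapping chains are merged into one order consistent with both, or reported as a conflict when the orders contradict.

```python
"""Composing whitelist policy graphs and detecting chain-order conflicts
(constructed example; label model, merge rule and sample policies are assumptions)."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Tuple


@dataclass
class Edge:
    """One whitelist rule: src group may reach dst group on ports via the chain."""
    src: Dict[str, str]        # endpoint group as label predicates, e.g. {"dept": "eng"}
    dst: Dict[str, str]
    ports: FrozenSet[int]
    chain: Tuple[str, ...]     # ordered middleboxes the traffic must traverse


def groups_overlap(g, h):
    """Label-defined groups can share endpoints unless some label would need two values."""
    return all(g[k] == h[k] for k in g.keys() & h.keys())


def merge_chains(c1, c2):
    """A middlebox order consistent with both chains, or None if they contradict."""
    boxes = list(dict.fromkeys(c1 + c2))         # union, first-seen order
    before = {b: set() for b in boxes}            # b -> boxes that must precede b
    for chain in (c1, c2):
        for i, b in enumerate(chain):
            before[b].update(chain[:i])
    merged = []
    while len(merged) < len(boxes):
        ready = [b for b in boxes if b not in merged and before[b] <= set(merged)]
        if not ready:
            return None                           # ordering cycle: the policies disagree
        merged.append(ready[0])
    return tuple(merged)


def compose(policies):
    """Union of every policy's edges plus one refined edge per overlap between edges
    of different policies; overlaps whose chains cannot be ordered are conflicts."""
    tagged = [(name, e) for name, edges in policies.items() for e in edges]
    composed = [e for _, e in tagged]
    conflicts = []
    for (n1, e1), (n2, e2) in combinations(tagged, 2):
        if n1 == n2:
            continue                              # one author's edges are taken as consistent
        overlap = (groups_overlap(e1.src, e2.src) and groups_overlap(e1.dst, e2.dst)
                   and e1.ports & e2.ports)
        if not overlap:
            continue
        chain = merge_chains(e1.chain, e2.chain)
        if chain is None:
            conflicts.append((n1, n2, e1.chain, e2.chain))
        else:
            composed.append(Edge({**e1.src, **e2.src}, {**e1.dst, **e2.dst},
                                 e1.ports & e2.ports, chain))
    return composed, conflicts


# Constructed sample policies: a department and two enterprise-wide variants.
DEPARTMENT = [Edge({"dept": "eng", "role": "user"}, {"dept": "eng", "role": "server"},
                   frozenset({22, 443}), ("fw", "ids"))]
ENTERPRISE = [Edge({"role": "user"}, {"role": "server"}, frozenset({443}), ("fw",))]
ENTERPRISE_REVERSED = [Edge({"role": "user"}, {"role": "server"}, frozenset({443}),
                            ("ids", "fw"))]

if __name__ == "__main__":
    for label, ent in (("compatible", ENTERPRISE), ("contradictory", ENTERPRISE_REVERSED)):
        composed, conflicts = compose({"department": DEPARTMENT, "enterprise": ent})
        print(label, "-> edges:", len(composed), "conflicts:", conflicts)
```

The department's `fw, ids` chain and the enterprise's `fw` chain merge into `fw, ids` for the overlapping eng-user-to-eng-server traffic on port 443, whereas an enterprise chain of `ids, fw` cannot be reconciled with it and is reported before anything is installed; that is the check that keeps a per-department policy from silently overriding, or being overridden by, the enterprise-wide one.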

Publications

  1. Düppel: Retrofitting commodity operating systems to mitigate cache side channels in the cloud
    Y. Zhang and M. K. Reiter
    In 20th ACM Conference on Computer and Communications Security, pages 827–837, November 2013.
  2. Scheduler-based defenses against cross-VM side-channels
    V. Varadarajan, T. Ristenpart, and M. Swift
    In 23rd USENIX Security Symposium, August 2014.
  3. StopWatch: A cloud architecture for timing channel mitigation
    P. Li, D. Gao, and M. K. Reiter
    ACM Transactions on Information and System Security 17(2), November 2014.
  4. Enforcing network-wide policies in the presence of dynamic middlebox actions using FlowTags
    S. Fayazbakhsh, L. Chiang, V. Sekar, M. Yu, and J. Mogul
    In 11th USENIX Symposium on Networked Systems Design and Implementation, April 2014.
  5. OpenNF: Enabling innovation in network function control
    A. Gember, R. Vishwanathan, C. Prakash, R. Grandl, J. Khalid, S. Das, and A. Akella
    In ACM SIGCOMM 2014 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pages 163–174, August 2014.
  6. A placement vulnerability study in multi-tenant public clouds
    V. Varadarajan, Y. Zhang, T. Ristenpart, and M. Swift
    In 24th USENIX Security Symposium, August 2015.
  7. Nomad: Mitigating arbitrary cloud side channels via provider-assisted migration
    S.-J. Moon, V. Sekar, and M. K. Reiter
    In 22nd ACM Conference on Computer and Communications Security, October 2015.
  8. Leakage-abuse attacks against searchable encryption
    D. Cash, P. Grubbs, J. Perry, and T. Ristenpart
    In 22nd ACM Conference on Computer and Communications Security, October 2015.
  9. Model inversion attacks that exploit confidence information and basic countermeasures
    M. Fredrikson, S. Jha, and T. Ristenpart
    In 22nd ACM Conference on Computer and Communications Security, October 2015.
  10. Mitigating storage side channels using statistical privacy mechanisms
    Q. Xiao, M. K. Reiter, and Y. Zhang
    In 22nd ACM Conference on Computer and Communications Security, October 2015.
  11. PGA: Using graphs to express and automatically reconcile network policies
    C. Prakash, J. Lee, Y. Turner, J.-M. Kang, A. Akella, S. Banerjee, C. Clark, Y. Ma, P. Sharma, and Y. Zhang
    In ACM SIGCOMM 2015 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, August 2015.
  12. Simplifying software-defined network optimization applications using SOL
    V. Heorhiadi, M. K. Reiter, and V. Sekar
    In 13th USENIX Symposium on Networked Systems Design and Implementation, March 2016.
  13. Privacy is dead, long live privacy: Protecting social norms as confidentiality wanes
    J.-P. Hubaux and A. Juels
    Communications of the ACM (CACM), 59(6): 39–41, June 2016.
  14. Fast control plane analysis using an abstract representation
    A. Gember-Jacobson, R. Viswanathan, A. Akella, and R. Mahajan
    In ACM SIGCOMM 2016 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, August 2016.
  15. AC/DC TCP: Virtual switch-based congestion control enforcement for datacenter networks
    K. He, E. Rozner, K. Agarwal, Y. Gu, W. Felter, J. Carter, and A. Akella
    In ACM SIGCOMM 2016 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, August 2016.
  16. One sketch to rule them all: Rethinking network flow monitoring with UnivMon
    Z. Liu, A. Manousis, G. Vorsanger, V. Sekar, V. Braverman
    In ACM SIGCOMM 2016 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, August 2016.
  17. A software approach to defeating side channels in last-level caches
    Z. Zhou, M. K. Reiter, and Y. Zhang
    In 23rd ACM Conference on Computer and Communications Security, October 2016.
  18. Breaking web applications built on top of encrypted data
    P. Grubbs, R. McPherson, M. Naveed, T. Ristenpart, and V. Shmatikov
    In 23rd ACM Conference on Computer and Communications Security, October 2016.
  19. Efficient network reachability analysis using a succinct control plane representation
    S. K. Fayaz, T. Sharma, A. Fogel, R. Mahajan, T. Millstein, V. Sekar, and G. Varghese
    In 12th USENIX Conference on Operating Systems Design and Implementation, November 2016.
  20. Reassembling our digital selves
    D. Estrin and A. Juels
    Journal of the American Academy of Arts & Sciences, 145(1): 43–53, Winter 2016.
  21. Genesis: Data plane synthesis in multi-tenant networks
    K. Subramanian, L. Antoni, and A. Akella
    In 44th ACM SIGPLAN Symposium on Principles of Programming Languages, January 2017.
  22. Sealed-glass proofs: Using transparent enclaves to prove and sell knowledge
    F. Tramèr, F. Zhang, H. Lin, J.-P. Hubaux, A. Juels, and E. Shi
    In IEEE European Symposium on Security and Privacy, April 2017.
  23. P5: Policy-driven optimization of P4 pipeline
    A. Abhashkumar, J. Lee, J. Tourrilhes, S. Banerjee, W. Wu, J. Kang and A. Akella
    In ACM Symposium on SDN Research, April 2017.
  24. On-demand time blurring to support side-channel defense
    W. Liu, D. Gao, and M. K. Reiter
    In 22nd European Symposium on Research in Computer Security (ESORICS), September 2017.
  25. PivotWall: SDN-based information flow control
    T. OConnor, W. Enck, W. Petullo, and A. Verma
    In ACM Symposium on SDN Research (SOSR), March 2018.
  26. Static evaluation of noninterference using approximate model counting
    Z. Zhou, Z. Qian, M. K. Reiter, and Y. Zhang
    In 39th IEEE Symposium on Security and Privacy, May 2018.
  27. Peeking behind the curtains of serverless platforms
    L. Wang, M. Li, Y. Zhang, T. Ristenpart, and M. Swift
    In USENIX Annual Technical Conference (ATC), July 2018.

Code

  • SOL: A framework for writing network optimization applications on top of SDN controllers
  • OpenNF: Enabling innovation in network function control
  • Tetris: Multi-resource packing for cluster schedulers
  • MPA: Analytics toolkit for minimizing network outages (e.g., due to bugs, misconfigurations, or failures)
  • ARC: Network analysis and verification of safety invariants for cloud data centers