Daoli Web: DaoliTrustedCloudInfrastructure (07 Aug 2009, Main.Admininistrator)

Daoli Trusted Cloud Infrastructure

Overview

[Image: daoli_poster.jpg (Daoli project poster)]

As industry aims to provide services developed under a utility computing model, we work on the indispensable ingredients of trust and security. Without loss of generality, we focus on adding trust to cloud computing. Our goal is to strengthen cloud security by adding "behavior conformity": an assurance that every principal joining a cloud computation acts in conformity with the rules and policy of the collaborative computation. We apply Trusted Computing technologies as our means of achieving behavior conformity, and we do so by working on virtualization in two layers of the software stack: the OS layer and the middleware layer. "Daoli" is the name of the research project that EMC Research China (ERC) is conducting with the participation of four ChinaGrid universities: Fudan University (Fudan), Huazhong University of Science and Technology (HUST), Wuhan University (WuDa) and Tsinghua University.

Problem Statement

Figure 1: A cloud computing scenario (Daoli_Figure_1.JPG)

Fig. 1 illustrates a typical cloud computing scenario comprising one user (whose platform is on the left), brokerage servers (Portal, Domain Manager, Information Center and Resource Manager in the middle) and a back-end server farm (resources on the right). The model depicts the typical steps by which user applications are submitted and executed. The following enumeration corresponds to the numbered steps in Fig. 1:

1) The user begins by logging onto the Portal. Independently, principals who are willing to lease out computing/storage resources register those resources with the Information Center, which plays the role of a resource broker.

2) The Domain Manager verifies the user's legitimacy to use the cloud services. The verification can be based on a prearranged relationship between these two principals (e.g., a user credential based on a shared secret) or on a trusted third party's certification (e.g., a user credential based on a public-key certificate). The Domain Manager thus occupies the position of a security server.

3) The user, having logged onto the Portal, can query the Information Center for service state and match the returned state information against the requirements of his/her applications.

4) After obtaining satisfactory service state information, the user submits his application to the broker.

5) The broker cooperates with the Information Center to obtain the addresses of the resources that can satisfy the application's requirements.

A cloud can be regarded as a pool of unbounded computational and storage capacity, formed by pooling heterogeneous resources from real organizations (lessors), which yields a service-oriented architecture (SOA). A characteristic feature of the SOA is a high degree of dependability, which covers the desirable service properties of reliability, availability, privacy and scalability collectively. It is a multi-tenancy environment in two senses: (i) a lessee is a tenant of multiple lessors for many applications, and (ii) each lessor can host multiple lessees. Ideally, commercial organizations, in particular financial institutions whose resources are under-utilized, should "go for cloud" and become lessors. However, such multi-tenancy clouds have not yet seen commercial adoption. What are the hurdles that keep commercial organizations from becoming lessors?

  • Behavior Conformity: Security Requirement for Multitenancy Computing

In the general setting of a cloud, principals are distributed across different trust and management domains, which can span governmental, industrial and academic organizations. These principals are also related to one another in an ad hoc manner, because the cloud is dynamic: it comes into being, grows, diminishes or terminates in a manner that is not predetermined.

Despite these ad hoc and dynamic properties, cloud computing needs strong security services. Beyond the usual security services of conventional distributed computing, which mainly protect owned or organizationally controlled assets against external adversaries, a principal in cloud computing also has an interest in a platform that is outside its ownership or organizational control, and the protection it needs is often against the very owner of that platform. For cloud security we call this the "partner-and-adversary" model: cloud participants are collaboration partners as well as potential adversaries to one another. What, then, is the security service we need for a computing environment with a partner-and-adversary threat model?

We think an important security service is behavior conformity: a lessee must not cause damage to the lessor or to other tenants, and conversely, the lessor must not compromise the proprietary code/data of the lessee. Behavior conformity must hold in such a way that even a privileged user, such as a system administrator at a host, cannot violate the security policy. Existing cloud security practice has little means to enforce behavior conformity and consequently falls short of satisfactory solutions to a number of problems.

Ensuring behavior conformity poses at least two challenges: conforming to the cloud security policy and hardening the OS. Principals forming a cloud must each act in conformity with the rules and policy of the collaborative computation. Furthermore, the confidentiality of a principal's code and data running on a host platform must be protected from tampering (or even disclosure) by any other party, including the owner of the host platform. How can OS behavior be made to conform, preserving software privacy even if the OS is hostile or untrusted? And how can a tenant's single cloud code for remote policy enforcement run across a heterogeneous environment? We will meet these challenges.

In cloud infrastructure, we say a principal can be trusted if it always behaves in the expected manner for the intended purpose. Behavior conformity is therefore the indispensable ingredient of establishing trust in grid infrastructure, and we attempt to achieve a trusted grid infrastructure by ensuring the behavior conformity of each principal in a cloud.

Feature

A characteristic feature of the SOA is a high degree of dependability, which covers the desirable service properties of reliability, availability, scalability, privacy and security collectively. Once a user has submitted jobs, they should be processed without requiring any further intervention by the user. Moreover, continued execution of the jobs should not depend on the continued serviceability of any single component of the cloud.

Globus Toolkit Version 4 (GT4) is the leading grid architecture realizing this property, but it does so through a trade-off: it works with a weakened notion of trust, even though a strong notion of trust is needed among cloud computing participants in order to build a large scale summit. The goal of the Daoli work is therefore to retain the high dependability of the leading cloud architecture while strengthening trustworthiness. To strengthen cloud security by adding behavior conformity, we apply Trusted Computing technology as our means of achieving behavior conformity, working on virtualization in two layers of the software stack.

Daoli merges multiple technologies: grid computing, trusted computing and virtualization. EMC Research China (ERC) is conducting the Daoli project with several top Chinese universities, each with prominent achievements in a related research field: virtualization (Fudan University), cloud computing (HUST), trusted computing (Wuhan University) and storage (Tsinghua University). The partners are integrating these strengths to achieve our goal. The work of the Daoli partners is as follows:

  • Fudan University works on process isolation with the Xen virtual machine monitor. It strengthens system-level security by enforcing behavior conformity with a Measured Virtual Machine Monitor (MVMM). The technical component that Fudan offers to Daoli is called CHAOS (Conformity and High Assurance within OSes).

  • Wuhan University is responsible for trusted computing technologies, focusing on platform measurement, attestation and credential migration. It will implement integrity measurement of the VMM and of the SOA container (e.g. the grid middleware).

  • HUST develops the middleware that lets a single piece of user software run everywhere with policy enforcement. It will implement middleware that virtualizes the software/hardware platforms, so that the cloud needs only one application to achieve policy enforcement by delegation. This is a very important virtualization step.

  • Tsinghua University will work on use cases for the Daoli platform, covering testing of the platform, storage-as-a-service and applications such as "genome sequence match".

  • ERC is in charge of the problem proposal, technology discussion and working out the architecture.

Daoli Architecture

Figure 2: Daoli architecture (Daoli-arch-001.jpg)

The architecture is still under discussion; the draft we have reached so far is presented below.

Daoli intends to implement a computational or storage grid with policy enforcement. When the user submits software through the web portal, he can specify any policy on security and privacy protection. Daoli will make sure that the policy is enforced wherever the software runs.

Currently we build the grid on top of the virtual machine monitor Xen. Figure 2 depicts the architecture. Trusted computing technologies are used to measure and attest Xen and the other hardware and software platform components. Process isolation ensures that user software is protected by Xen even when the OS is malicious, so user privacy is protected at any time and anywhere. The only assumption is that Xen is trusted.

The grid middleware will also be implemented in a novel way. We use a trusted third party to store a large number of images, each a specific execution environment that can run on top of Xen. The grid middleware consists of a frontend and a backend. The frontend, which consists of the VM factory service and the VM control service, maintains a pool of backend nodes. After the user submits a request to a frontend node, the VM factory service is called to find an image suitable for the user software according to its policy. The service then finds a trusted backend node by attestation and launches a virtual machine with the chosen image. Finally, the grid middleware deploys the user software to the virtual machine and launches it. The process isolation and trusted computing technologies discussed above protect the privacy of the user software.

Whenever the backend no longer has the capacity to continue running the task, the task is migrated to another trusted backend node. The migration must be secure, and we do it in two steps. The first step is credential migration, performed with the TPM (or TCM) and related trusted computing technologies. Then the user software is encrypted and migrated to the target node. The target node decrypts the software with the migrated credential and launches a new virtual machine to continue running it.
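The secure-migration flow just described, as an added illustration that is not Daoli's own code: a frontend refuses to migrate to a backend whose VMM measurement fails attestation, the credential is handed to the attested target first, and only then is the encrypted, integrity-protected software shipped and decrypted there. Node names, the allow-list digest and the HMAC-based stream cipher are constructed stand-ins for TPM/TCM-backed measurement and real encryption.

```python
import hashlib
import hmac
import secrets

# Constructed allow-list of acceptable VMM measurements (stand-in for TPM/TCM values).
TRUSTED_VMM_DIGESTS = {hashlib.sha256(b"xen-trusted-build").hexdigest()}


class BackendNode:
    """Hypothetical backend node: a measured VMM plus a migratable credential."""

    def __init__(self, name, vmm_image):
        self.name = name
        self.vmm_measurement = hashlib.sha256(vmm_image).hexdigest()  # PCR-like value
        self.credential = None  # key held by this node's TPM after credential migration

    def attest(self):
        return self.vmm_measurement


def keystream_xor(key, nonce, data):
    """HMAC-SHA256 counter keystream XOR; illustrative only, not a vetted cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def migrate(dst, software, credential):
    """Attest the target, migrate the credential, then ship the encrypted software."""
    if dst.attest() not in TRUSTED_VMM_DIGESTS:
        raise PermissionError(f"{dst.name}: VMM measurement not trusted, refusing migration")
    dst.credential = credential  # step 1: TPM-to-TPM credential migration, modelled as a handoff
    nonce = secrets.token_bytes(16)  # step 2: encrypt and authenticate the software
    ciphertext = keystream_xor(credential, nonce, software)
    tag = hmac.new(credential, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def launch(dst, nonce, ciphertext, tag):
    """Target checks integrity, decrypts with the migrated credential, returns the software to run."""
    expected = hmac.new(dst.credential, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("software modified in transit; not launching")
    return keystream_xor(dst.credential, nonce, ciphertext)


if __name__ == "__main__":
    cred = secrets.token_bytes(32)
    trusted = BackendNode("backend-A", b"xen-trusted-build")
    rogue = BackendNode("backend-B", b"xen-modified-by-host-admin")
    print(launch(trusted, *migrate(trusted, b"tenant VO code", cred)))
    try:
        migrate(rogue, b"tenant VO code", cred)
    except PermissionError as err:
        print(err)
```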

--> More info about Daoli Architecture

Our Approaches

Project Daoli attempts to strengthen grid security by adding behavior conformity to it. We apply Trusted Computing technology as our means of achieving behavior conformity, working on virtualization in two layers of the software stack. In the OS layer, a highly privileged hypervisor for memory arbitration is measured by a Trusted Platform Module (TPM) (or TCM) to achieve isolation between processes of different tenants. Above the OSes, a grid middleware virtualizes hardware platforms and commodity OSes so that a tenant's single VO code for remote policy enforcement can run across a heterogeneous environment. VO code and/or data that need confidentiality and/or integrity protection are secured by cryptographic credentials. By calling the standard credential migration function of the TPM (or TCM), a VO's credentials can be migrated from one TPM (or TCM) to another along the chain of leased platforms.

The following links describe four important elements in our approach:

Partners

Topic revision: r6 - 07 Aug 2009 - 09:16:04 - Main.Admininistrator
Daoli.DaoliTrustedCloudInfrastructure moved from Daoli.DaoliTrustedGridInfrastructure on 04 Aug 2009 - 09:22 by Main.Admininistrator