Hardening OpenStack cloud platforms against compute node compromises

ASIA CCS 2016 - Proceedings of the 11th ACM Asia Conference on Computer and Communications Security

Volumn , Issue , 2016, Pages 341-352

  Sze, Wai Kit ^a   Srivastava, Abhinav ^b   Sekar, R ^a  

^a STONY BROOK UNIVERSITY   (United States)

^b AT AND T LABS RESEARCH   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ACCESS CONTROL; HARDENING; SALES; SYSTEMS ENGINEERING; TRUSTED COMPUTING;

CLOUD INFRASTRUCTURES; CLOUD PLATFORMS; CRITICAL SERVICE; EFFECTIVE CONFINEMENTS; MANDATORY ACCESS CONTROL; NODE COMPROMISE; SECURITY POLICY; VIRTUAL MACHINES;

INFRASTRUCTURE AS A SERVICE (IAAS);

EID: 84979653181     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2897845.2897851     Document Type: Conference Paper

References (32)

1. Openstack-security mailing list, http://lists.openstack. org/cgi-bin/mailman/listinfo/openstack-security.
2. Bleikertz, S., Bugiel, S., Ideler, H., Nürnberger, S., and Sadeghi, A.-R. Client-controlled Cryptography-as-a-service in the Cloud. In ACNS (2013).
3. Brown, A., and Chase, J. S. Trusted Platform-as-a-service: A Foundation for Trustworthy Cloud-hosted Applications. In CCSW (2011).
4. Butt, S., Lagar-Cavilla, H. A., Srivastava, A., and Ganapathy, V. Self-service Cloud Computing. In CCS (2012).
5. Farley, B., Juels, A., Varadarajan, V., Ristenpart, T., Bowers, K. D., and Swift, M. M. More for Your Money: Exploiting Performance Heterogeneity in Public Clouds. In SoCC (2012).
6. Foundation, O. Rally - OpenStack, , https://wiki.openstack.org/wiki/Rally.
7. Giffin, J. T., Dagon, D., Jha, S., Lee, W., and Miller, B. P. Environment-Sensitive Intrusion Detection. In RAID (2006).
8. Hardy, N. The Confused Deputy: (or Why Capabilities Might Have Been Invented). SIGOPS Oper. Syst. Rev. 22, 4 (Oct. 1988).
9. Le, M., Stavrou, A., and Kang, B. B. Doubleguard: Detecting Intrusions in Multitier Web Applications. In TDSC (2012).
10. Loscocco, P., and Smalley, S. Meeting Critical Security Objectives with Security-Enhanced Linux. In Ottawa Linux symposium (2001).
11. Luft, M. Analysis of Hypervisor Breakouts, http://www.insinuator.net/2013/05/ analysis-of-hypervisor-breakouts/. Online; accessed November 13, 2014.
12. OpenStack Foundation. MessageSecurity - OpenStack, https://wiki.openstack.org/wiki/MessageSecurity. Online; accessed November 13, 2014.
13. OpenStack Foundation. OpenStack Havana Release - OpenStack Open Source Cloud Computing Software, http://www.openstack.org/software/havana/. Online; accessed November 13, 2014.
14. OpenStack Foundation. OpenStack Icehouse Release - OpenStack Open Source Cloud Computing Software, http://www.openstack.org/software/icehouse/. Online; accessed November 13, 2014.
15. OpenStack Foundation. OpenStack Juno Release - OpenStack Open Source Cloud Computing Software, http://www.openstack.org/software/juno/. Online; accessed February 29, 2016.
16. OpenStack Foundation. OpenStack Networking (neutron), http://docs.openstack.org/icehouse/install-guide/ install/apt/content/basics-networking-neutron.html. Online; accessed November 13, 2014.
17. OpenStack Foundation. OpenStack Open Source Cloud Computing Software, http://www.openstack.org/. Online; accessed November 13, 2014.
18. OpenStack Foundation. OpenStack Security Guide, http://docs.openstack.org/security-guide/ security-guide.pdf. Online; accessed August 4, 2014.
19. OpenStack Foundation. Tempest Testing Project, http://docs.openstack.org/developer/tempest/. Online; accessed November 13, 2014.
20. Ristenpart, T., Tromer, E., Shacham, H., and Savage, S. Hey, You, Get off of My Cloud: Exploring Information Leakage in Third-party Compute Clouds. In CCS (2009).
21. Schiffman, J., Sun, Y., Vijayakumar, H., and Jaeger, T. Cloud Verifier: Verifiable Auditing Service for IaaS Clouds. In SERVICES (2013).
22. Sekar, R. An Efficient Black-box Technique for Defeating Web Application Attacks. In NDSS (2009).
23. Sekar, R., Bendre, M., Dhurjati, D., and Bollineni, P. A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. In S&P (2001).
24. SELinux Project. SVirt - SELinux Wiki, http://selinuxproject.org/page/SVirt. Online; accessed November 6, 2014.
25. Srivastava, A., and Ganapathy, V. Towards a Richer Model of Cloud App Markets. In CCSW (2012).
26. Srivastava, A., Raj, H., Giffin, J., and England, P. Trusted VM Snapshots in Untrusted Cloud Infrastructures. In RAID (2012).
27. Sun, Y., Petracca, G., and Jaeger, T. Inevitable Failure: The Flawed Trust Assumption in the Cloud. In CCSW (2014).
28. Varadarajan, V., Kooburat, T., Farley, B., Ristenpart, T., and Swift, M. M. Resource-freeing Attacks: Improve Your Cloud Performance (at Your Neighbor's Expense). In CCS (2012).
29. Wagner, D., and Soto, P. Mimicry Attacks on Host-Based Intrusion Detection Systems. In CCS (2002).
30. Yun Mao. Understanding nova-conductor in OpenStack Nova, http://cloudystuffhappens.blogspot. com/2013/04/understanding-nova-conductor-in.html. Online; accessed May 13, 2015.
31. Zhang, Y., Juels, A., Oprea, A., and Reiter, M. K. HomeAlone: Co-residency Detection in the Cloud via Side-Channel Analysis. In S&P (2011).
32. Zhang, Y., Juels, A., Reiter, M. K., and Ristenpart, T. Cross-VM Side Channels and Their Use to Extract Private Keys. In CCS (2012).