Slide 1: Protection Mechanisms for Application Service Hosting Platforms
Xuxian Jiang, Dongyan Xu, Rudolf Eigenmann
Department of Computer Sciences, Center for Education and Research in Information Assurance and Security (CERIAS), and School of Electrical and Computer Engineering at Purdue University
Slide 2: Outline
- Motivations and Goals
- SODA: a Service-On-Demand Architecture
  - Two-level application service hosting platform
- Security Protection
  - Controlled communication
  - Kernort
  - Untamperable logging
- Evaluation
- Related Work
- Conclusion
Slide 3: Motivations
- Why application service hosting?
  - Reflection of the vision of Utility Computing
  - Outsourcing
  - CDN services
- What is challenging?
  - Private house vs. apartment building
  - Openness
  - Sharing
  - Mutual isolation, confinement, and protection
Slide 4: Goals
- To build a value-added secure application service hosting platform based on a shared infrastructure, achieving:
  - On-demand creation and provisioning
  - Isolation
  - Protection
  - Accountability
  - Privacy
Slide 6: SODA
- Service-On-Demand Architecture
  - On-demand creation and provisioning
  - Isolation
- Two-level application service hosting platform
- Key technique: Virtualization
Slide 7: SODA Architecture
(figure: application services (ASes) hosted on a physical SODA host)
Slide 8: Virtualization: Key Technique
- Two-level OS structure
  - Host OS
  - Guest OS
- Strong isolation
  - Administration isolation
  - Installation isolation
  - Fault/attack isolation
- Recovery, migration, and forensics
Slide 9: For detailed information about SODA
- Xuxian Jiang, Dongyan Xu, "SODA: a Service-On-Demand Architecture for Application Service Hosting Utility Platforms", Proceedings of the 12th IEEE International Symposium on High Performance Distributed Computing (HPDC-12), Seattle, WA, June 2003.
Slide 11: Security and Protection
- Controlled communication
- IDS in guest OS kernel
- Untamperable logging (blackbox-ing)
Slide 12: Controlled Communication
(figure: each virtual machine has its own IP address; the SODA host itself is invisible on the Internet)
Slide 13: Kernort: IDS in Guest OS Kernel (figure not extracted)
Slide 14: Kernort: IDS in Guest OS Kernel (2)
- VM-based IDS deployed in each VM
- Inside the guest OS kernel: a unique vantage point
  - Customizable without affecting the host OS
  - Clearer view
  - Untamperable logging (saved to the SODA host)
  - Fail-close instead of fail-open
Slide 15: Kernort: IDS in Guest OS Kernel (3)
- Kernort sensor
  - Renewable signature set
  - Event-driven (system call and packet reception)
- Kernort blackbox
  - Untamperable logging
  - Privacy preservation of ASes
- Analyzer
  - Exhaustive signature matching
  - Detection of complex attack patterns
  - Session replay
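As an added illustration of the sensor / blackbox / analyzer split on slides 14 and 15 (this is not the authors' Kernort code; it assumes the two kernel hook points are modelled as Python calls, the blackbox as a hash-chained list kept by the host, and a constructed signature set and event stream): events are matched against a renewable signature set, every event is appended to a log that lives on the SODA host rather than inside the guest, loss of the host channel makes the sensor fail-close, and the analyzer replays a session from that log.

```python
import hashlib
import json
from collections import namedtuple
# Constructed signature set: name -> (hook point, substring to match).
SIGNATURES = {"shell-exec": ("syscall", "execve /bin/sh"),
              "passwd-read": ("packet", "/etc/passwd")}
# kind is "syscall" or "packet", the two Kernort hook points; session is a
# constructed id used for replay; detail is the decoded syscall or request.
Event = namedtuple("Event", "session kind detail")

class HostBlackbox:
    """Hash-chained, append-only log held on the SODA host, outside the VM."""
    def __init__(self):
        self.records, self.available = [], True
    def append(self, record):
        if not self.available:                     # channel to the host is down
            raise ConnectionError("SODA host unreachable")
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.records.append({"prev": prev, "body": body, "hash": digest})
    def verify(self):
        """Any rewritten or deleted record breaks the chain."""
        prev = "0" * 64
        for r in self.records:
            if r["prev"] != prev or r["hash"] != hashlib.sha256(
                    (prev + r["body"]).encode()).hexdigest():
                return False
            prev = r["hash"]
        return True

class KernortSensor:
    def __init__(self, signatures, blackbox):
        self.signatures, self.blackbox = dict(signatures), blackbox
    def renew(self, signatures):                   # renewable set, host OS untouched
        self.signatures = dict(signatures)
    def observe(self, ev):
        """Called at each hook; returns (decision, matched signature names)."""
        hits = sorted(n for n, (k, needle) in self.signatures.items()
                      if k == ev.kind and needle in ev.detail)
        try:   # every event is recorded so the analyzer can replay the session
            self.blackbox.append({"session": ev.session, "kind": ev.kind,
                                  "detail": ev.detail, "sigs": hits})
        except ConnectionError:
            return "deny", []                      # fail-close: no log, no progress
        return "allow", hits

def replay(blackbox, session):   # analyzer side: one session, in order, from the host log
    return [json.loads(r["body"])["detail"] for r in blackbox.records
            if json.loads(r["body"])["session"] == session]
```

Because the chain is held by the host, a guest that is later compromised can neither rewrite earlier records unnoticed nor keep running once it loses the ability to log.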
Slide 16: Kernort: IDS in Guest OS Kernel (4) (figure not extracted)
Slide 18: System Performance Overhead (figure not extracted)
Slide 19: Network Throughput / Latency Slowdown (figure not extracted)
Slide 20: Real-Time Alert (figure not extracted)
Slide 21: Session Replay (figure not extracted)
Slide 23: Related Work
- Utility computing architectures
  - IBM Oceano, HP UDC
- Grid platforms
  - Computation: Globus, Condor, Legion, NetSolve, Harness, Cactus
  - Storage and data: SRB, NeST, Data Grid, OceanStore
- Shared infrastructure
  - PlanetLab, Emulab
Slide 24: Related Work
- Intrusion detection systems
  - Snort, VMM-based, retrospection
- Virtualization technologies
  - Virtual supercomputer (aggregation): NOW, HPVM
  - Virtual OS, isolation kernel (slicing): VMWare, Xen (Cambridge), Denali (UW), UML, UMLinux, Virtual Private Server (Ensim)
  - Grid computing on VM: Virtuoso (Northwestern), Entropia
  - Virtual cluster: Cluster-on-Demand (Duke)
- Resource isolation
  - GARA, QLinux (UMass), Virtual service (UMich), Resource Container, Cluster Reserves (Rice)
Slide 25: Conclusion
- New challenges in application service hosting platform
  - Openness, sharing, mutual isolation, confinement, and protection
- Two-level architecture for service provisioning
- Efficient security protection mechanisms for ASHP
  - Virtual switching and firewalling
  - Kernort
  - Untamperable logging
Slide 26: Thank you.
For more information: jiangx,dxu_at_cs.purdue.edu
http://www.cs.purdue.edu/jiangx/soda
Slide 27: Backup Slides
Slide 28: Kernort vs. conventional IDS
- Problems with traditional IDS
  - Encrypted traffic (e.g. ssh) makes NIDS less effective
  - App-level IDS process will be killed once a machine is compromised
  - Log may be tampered with
  - Fail-open
- Inside the guest OS kernel: a unique vantage point
  - Customizable without affecting the host OS
  - Clearer view
  - Untamperable logging (saved to the SODA host)
  - Fail-close instead of fail-open