Auditing Cloud Administrators Using Information Flow Tracking Afshar Ganjali [email protected] David Lie [email protected] ACM Scalable Trusted Computing Workshop Raleigh, North Carolina October 2012
Dec 27, 2015
Auditing Cloud Administrators Using Information Flow Tracking
Afshar Ganjali [email protected] Lie [email protected]
ACM Scalable Trusted Computing Workshop
Raleigh, North Carolina
October 2012
Admins at Infrastructure-as-a-Service (IaaS) Providers
3
VMM
User VM User VMManageme
nt StackManageme
nt Stack
Restricting Admins Is Not the Solution
4
VMM
User VM User VMManageme
nt Stack
• I cannot:• Install commodity applications I want.• Change system configurations.• Write my own scripts in Perl or Python.• Monitor resource usages.• See the logs for troubleshooting.
H-one Provides Logs for Auditing
5
• We propose auditing. H-one performs no access control.
• Auditing has been used in other domains.
• Auditing deters misbehaving.• Helps to assign liability of events.• No unnecessary restrictions for admins.• Auditing has 2 stages:
Generating logs Inspecting the logs
What are the logging challenges in H-one?
6
GOALS
Complete
Efficient
PrivacyPreserving
Data: From VMs to
Admins From Admins to
VMs
Minimal Storage Costs
Logs related to different customers should be separate.
To achieve these goals H-one uses Information Flow Tracking
Example 1: Benign Admin Task s: VM Backup
7
VMM
User VMManagement Stack
Disk
Kernel
User Disk Imag
e
H-one Module
Example 2: Benign Admin Task s: Backup for 2 VMs
8
VMM
User VM 2User VM 1Management Stack
Disk
Kernel
Disk 1
Disk 2
H-one Module
Example 3: Adversarial Admin
9
VMM
User VMManagement Stack
Disk
Kernel
01011
01011
User Disk Imag
e
H-one Module
Using Information Flow Tracking
10
GOALS
Complete
Efficient
PrivacyPreserving
H-one tracks any data flow inside management stack.
By following information flows, just the required data at appropriate points get logged.
Tracking flows lets us know leaked data belong to which user.
We use Xen hypervisor for our prototype.
We use a customized LSM module for
• labeling and tracking information flows
• protecting the integrity of the H-one logging system
We use the concept of the “exporter” processes similar to DStar paper for tracking networking communications.
N. Zeldovich, S. Boyd-Wickizer, and D. Mazieres, “Securing Distributed Systems with Information Flow Control,” in Proceedings of the USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2008, pp. 293–308.
Implementation
11
Information Flow Tracking reduces the logging cost.
Our filtering daemon can further reduce the log size in specific scenarios based on the context.
Filtering daemon understands the legitimate flows of information and filters the corresponding logs.
Realtime Filtering of Logs
12