Auditing Cloud Administrators Using Information Flow Tracking

Afshar Ganjali, David Lie

ACM Scalable Trusted Computing Workshop, Raleigh, North Carolina, October 2012


Cloud Computing Is Not Trusted

2011 – 2012

70% Security

Admins at Infrastructure-as-a-Service (IaaS) Providers

[Figure: VMM, Management Stack, User VM, User VM]

Restricting Admins Is Not the Solution

[Figure: VMM, Management Stack, User VM, User VM]

I cannot:
• Install commodity applications I want.
• Change system configurations.
• Write my own scripts in Perl or Python.
• Monitor resource usage.
• See the logs for troubleshooting.

H-one Provides Logs for Auditing

• We propose auditing. H-one performs no access control.
• Auditing has been used in other domains.
• Auditing deters misbehavior.
• Helps to assign liability for events.
• No unnecessary restrictions for admins.
• Auditing has 2 stages:
  • Generating logs
  • Inspecting the logs

What are the logging challenges in H-one?

GOALS

• Complete: Data: From VMs to Admins, From Admins to VMs
• Efficient: Minimal Storage Costs
• Privacy Preserving: Logs related to different customers should be separate.

To achieve these goals H-one uses Information Flow Tracking

Example 1: Benign Admin Tasks: VM Backup

[Figure: VMM, User VM, Management Stack, Disk, Kernel, User Disk Image, H-one Module]

Example 2: Benign Admin Tasks: Backup for 2 VMs

[Figure: VMM, User VM 1, User VM 2, Management Stack, Disk, Kernel, Disk 1, Disk 2, H-one Module]

Example 3: Adversarial Admin

[Figure: VMM, User VM, Management Stack, Disk, Kernel, data bits 01011, User Disk Image, H-one Module]

Using Information Flow Tracking

GOALS

• Complete: H-one tracks any data flow inside the management stack.
• Efficient: By following information flows, only the required data gets logged, at the appropriate points.
• Privacy Preserving: Tracking flows lets us know which user the leaked data belongs to.

We use the Xen hypervisor for our prototype.

We use a customized LSM module for:

• labeling and tracking information flows

• protecting the integrity of the H-one logging system

We use the concept of “exporter” processes, similar to the DStar paper, for tracking network communications.

N. Zeldovich, S. Boyd-Wickizer, and D. Mazières, “Securing Distributed Systems with Information Flow Control,” in Proceedings of the USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2008, pp. 293–308.

Implementation

Information flow tracking reduces the logging cost.

Our filtering daemon can further reduce the log size in specific scenarios, based on the context.

The filtering daemon understands the legitimate flows of information and filters out the corresponding logs.
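
The label tracking and log filtering described on these slides can be sketched as a small model. This is an added example, not H-one's code: the FlowTracker class, the object names (disk1.img, backupd, scp) and the choice to generate a record only when labeled data leaves the management stack are assumptions made for illustration.

```python
from collections import defaultdict


class FlowTracker:
    """Toy model (assumed, not H-one's implementation) of label tracking."""

    def __init__(self, legitimate_flows=()):
        self.labels = defaultdict(set)   # object name -> customer labels it carries
        self.logs = defaultdict(list)    # customer -> audit records, kept separate
        self.legitimate = set(legitimate_flows)  # (process, destination) pairs

    def tag(self, obj, customer):
        """Attach a customer's label to an object such as a VM disk image."""
        self.labels[obj].add(customer)

    def flow(self, src, dst):
        """Data moves inside the stack: dst inherits src's labels, nothing is logged."""
        self.labels[dst] |= self.labels[src]

    def export(self, process, destination):
        """Data leaves the stack: one record per customer label on the process."""
        if (process, destination) in self.legitimate:
            return []                    # filtering step: known-good flow, no record
        tainted = sorted(self.labels[process])
        for customer in tainted:
            self.logs[customer].append((process, destination))
        return tainted


def run_scenarios():
    """Constructed scenarios loosely following the three examples on the slides."""
    t = FlowTracker(legitimate_flows={("backupd", "backup-server")})
    t.tag("disk1.img", "customer-1")
    t.tag("disk2.img", "customer-2")
    # Benign backup of two VMs: labeled data, but a flow the filter knows.
    t.flow("disk1.img", "backupd")
    t.flow("disk2.img", "backupd")
    t.export("backupd", "backup-server")
    # Admin work that never touched customer data: unlabeled, so no record.
    t.flow("config.txt", "admin-shell")
    t.export("admin-shell", "remote-host")
    # Adversarial admin: disk data copied through intermediates keeps its label.
    t.flow("disk1.img", "admin-shell")
    t.flow("admin-shell", "/tmp/copy")
    t.flow("/tmp/copy", "scp")
    t.export("scp", "remote-host")
    return dict(t.logs)


if __name__ == "__main__":
    print(run_scenarios())
```

Only customer-1 ends up with an audit record, and it names the process that carried the label out, even though the data passed through two intermediates first.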

Realtime Filtering of Logs

Questions?! Discussion?!

Label Propagation
