Cloud Computing ResearchRoy H. Campbell

Director of Assured Cloud CenterUniversity of Illinois at Urbana-Champaign

August 8th 2012 Chicago, IL

Security at UIUCITI – Information Trust Institute• 100+ faculty/students/staff• Areas

• Cloud (Air Force)• Power grid (DOE)• Health IT (SHARPS DHHS)• Data Science• Evaluation• Systems and Networking (Boeing)• Science of Security (NSA)• Education (ICSSP – NSF, NSA)

• iti.illinois.edu

Outline

Assured Cloud Center (Air Force)Cloud ComputingCurrent Research ChallengesFuture challenges

Assured Cloud Center (Air Force) – UCoE@UIUCGoal:

Undertake core research and development to address challenges for emerging architectures, algorithms, and techniques to achieve secure and reliable cloud infrastructures and applications

Research focus:

1. New algorithms and techniques to provide reliability and security2. Formal analysis and reasoning about system configurations3. Design and experimental evaluation of prototypes4. Workforce development including education, and technology exchange

Assured Cloud Center – UCoE@UIUCOrganization structure:

Outline

Assured Cloud CenterCloud ComputingCurrent Research ChallengesFuture challenges

What is cloud computing?5th generation of computing

Monolithic Client-Server Web SOA Cloud Services

1970s 1980s 1990s 2000s 2009+

Pros and Cons

Providing a higher level of reliability and availability is one of the biggest challenges of Cloud computing

Growing interest in cloud computingIncreasing number of outages

Google Insight for Search: Cloud Computing

AmazonMicrosoftGoogle

Outage in:

Jul 08: Amazon S3 down 8.5h due to

one single bit flip in Gossip message

Oct 09: MS Azure down 22h due to malfunction in the hypervisor Feb 11: 40K Gmail

Account down 4 days due to a bug

in a storage software update

Apr 11: Amazon EC2 US East down 4 days

due to Network problem and

replicas algorithm

2007 2008 2009 2010 2011

Incidents with Cloud Computing- Providers:• “I discovered that several systems on the Amazon EC2 network were

preforming brute force attacks, against our VoIP servers.”[1]• “Complaints of rampant SIP Brute Force Attacks coming from servers with

Amazon EC2 IP Addresses cause many admins to simply drop all Amazon EC2 traffic.”[2]

• No guarantee that providers will financially survive. What will happen if your provider liquidates? “Cassatt, the San Jose, Calif.-based provider of cloud computing environments, has sold its assets to public IT management firm CA for an undisclosed sum. ” [3]

- Attacks:• BitBucket, DDoS’s Off The Air. “Starting Friday evening, our network

storage became virtually unavailable to us, and the site crawled to a halt.” [4]

Incidents with Cloud Computing- Maintenance:• Maintenance Induced Cascading Failures. “Gmail's web interface had a

widespread outage earlier today, lasting about 100 minutes” [5]- Storage:• T-Mobile: we probably lost all your Sidekick data “Well, this is shaping up to

be one of the biggest disasters in the history of cloud computing, and certainly the largest blow to Danger and the Sidekick platform: T-Mobile's now reporting that personal data stored on Sidekicks has "almost certainly has been lost as a result of a server failure at Microsoft/Danger."” [6]

- Power:• Lightning Strike Triggers Amazon EC2 Outage “Some customers of

Amazon’s EC2 cloud computing service were offline for more than four hours Wednesday night after an electrical storm damaged power equipment at one of the company’s data centers[7]

Magnitude and complexity in Cloud ComputingFive-Minute Snapshot of In-and-Out Traffic within NCSA

Outline

Assured Cloud Center Cloud ComputingCurrent Research ChallengesFuture challenges

Current Research Challenges- Can we trust a virtual machine infrastructure?- Can clouds be real-time?- How do we asses trust in clouds?- Can we monitor the security properties of a cloud?- How do we assess End to End issues?- How do we build resilient virtual machines?- How do we verify assuredness in clouds?- What are the likely attacks?- Are there any legal and privacy concerns?- How do we educate an appropriate workforce?

Can we trust a virtual machine infrastructure?Verifying Trustworthiness of Virtual Appliances Based on Software Whitelists (Rakesh Bobba)

Current Research Challenges- Can we trust a virtual machine infrastructure?- Can clouds be real-time?- How do we asses trust in clouds?- Can we monitor the security properties of a cloud?- How do we assess End to End issues?- How do we build resilient virtual machines?- How do we verify assuredness in clouds?- What are the likely attacks?- Are there any legal and privacy concerns?- How do we educate an appropriate workforce?

Can clouds be real-time?Design of Algorithms and Techniques for Real-time Assuredness in Cloud Computing (Indranil Gupta, Brian Cho)

Current Research Challenges- Can we trust a virtual machine infrastructure?- Can clouds be real-time?- How do we asses trust in clouds?- Can we monitor the security properties of a cloud?- How do we assess End to End issues?- How do we build resilient virtual machines?- How do we verify assuredness in clouds?- What are the likely attacks?- Are there any legal and privacy concerns?- How do we educate an appropriate workforce?

How do we assess trust in clouds?Trust Calculus for assured Cloud Computing (David Nicol, Jingwei Huang)

Current Research Challenges- Can we trust a virtual machine infrastructure?- Can clouds be real-time?- How do we asses trust in clouds?- Can we monitor the security properties of a cloud?- How do we assess End to End issues?- How do we build resilient virtual machines?- How do we verify assuredness in clouds?- What are the likely attacks?- Are there any legal and privacy concerns?- How do we educate an appropriate workforce?

Can we monitor the security properties of a cloud?Cyber Infrastructure Security: Dynamic Policy Monitoring with inference in clouds (Roy Campbell)

Current Research Challenges- Can we trust a virtual machine infrastructure?- Can clouds be real-time?- How do we asses trust in clouds?- Can we monitor the security properties of a cloud?- How do we assess End to End issues?- How do we build resilient virtual machines?- How do we verify assuredness in clouds?- What are the likely attacks?- Are there any legal and privacy concerns?- How do we educate an appropriate workforce?

How do we assess End to End issues?ACC-UCoE: Application-aware Checking for Dependable and Secure Applications: Information Flow Signatures K-Y (Tseng, V. Sidea, R. Iyer, Z. Kalbarczyk)

Current Research Challenges- Can we trust a virtual machine infrastructure?- Can clouds be real-time?- How do we asses trust in clouds?- Can we monitor the security properties of a cloud?- How do we assess End to End issues?- How do we build resilient virtual machines?- How do we verify assuredness in clouds?- What are the likely attacks?- Are there any legal and privacy concerns?- How do we educate an appropriate workforce?

How do we build resilient virtual machines?ACC-UCoE: Building Resilient Virtual Machines: Protection Against Failures and Attacks (C. Pham, P. Cao, R. Iyer, Z. Kalbarczyk)

Current Research Challenges- Can we trust a virtual machine infrastructure?- Can clouds be real-time?- How do we asses trust in clouds?- Can we monitor the security properties of a cloud?- How do we assess End to End issues?- How do we build resilient virtual machines?- How do we verify assuredness in clouds?- What are the likely attacks?- Are there any legal and privacy concerns?- How do we educate an appropriate workforce?

How do we verify assuredness in clouds?Formal Analysis of Cloud Systems (José Meseguer)

How do we verify assuredness in clouds?Coordination and Probabilistic Consistency (Gul Agha)

Current Research Challenges- Can we trust a virtual machine infrastructure?- Can clouds be real-time?- How do we asses trust in clouds?- Can we monitor the security properties of a cloud?- How do we assess End to End issues?- How do we build resilient virtual machines?- How do we verify assuredness in clouds?- What are the likely attacks?- Are there any legal and privacy concerns?- How do we educate an appropriate workforce?

What are the likely attacks?What Incidents Data Tell us About Attackers? R. Bonilla, H. Lin, Z. Kalbarczyk, R. Iyer

Current Research Challenges- Can we trust a virtual machine infrastructure?- Can clouds be real-time?- How do we asses trust in clouds?- Can we monitor the security properties of a cloud?- How do we assess End to End issues?- How do we build resilient virtual machines?- How do we verify assuredness in clouds?- What are the likely attacks?- Are there any legal and privacy concerns?- How do we educate an appropriate workforce?

Are there any legal and privacy concerns?Cloud computing Privacy and Legal Aspects (Masooda Bashir)

Current Research Challenges- Can we trust a virtual machine infrastructure?- Can clouds be real-time?- How do we asses trust in clouds?- Can we monitor the security properties of a cloud?- How do we assess End to End issues?- How do we build resilient virtual machines?- How do we verify assuredness in clouds?- What are the likely attacks?- Are there any legal and privacy concerns?- How do we educate an appropriate workforce?

How do we educate an appropriate workforce?Educational initiatives (Masooda Bashir)

Outline

Assured Cloud Center Cloud Computing Current Research ChallengesFuture challenges

Future challengesHow can we offer Security as a Service in the cloud?

Cloud InfrastructureIaaS

PaaS

SaaS

Infrastructure as a Service (IaaS) Architectures

Platform as a Service (PaaS)Architectures

Software as a Service (SaaS)

Architectures

Cloud Infrastructure

SaaS

Cloud Infrastructure

PaaS

SaaS

Cloud InfrastructureIaaS

PaaS

Cloud Infrastructure

PaaS

Cloud InfrastructureIaaS

Cloud Infrastructure

IaaS

PaaS

SaaSSSaaS

Software Security as a Service(SSaaS)

Architectures

Technology Transfer: Scott Pickard 217-333-3437 spickard@illinois.edu

Commercialization Startups from ITI

Thank you for your attentionContact information:

Roy H. Campbell rhc@illinois.edu http://assured-cloud-computing.illinois.edu http://srg.cs.illinois.edu

References1. http://www.stuartsheldon.org/blog/2010/04/sip-brute-force-attack-originating-from-amazon-ec2-hosts2. http://www.voiptechchat.com/voip/457/amazon-ec2-sip-brute-force-attacks-on-rise3. http://venturebeat.com/2009/06/04/cloud-provider-cassatt-sells-out-to-ca-to-avoid-bankruptcy4. http://blog.bitbucket.org/2009/10/04/on-our-extended-downtime-amazon-and-whats-coming5. http://gmailblog.blogspot.com/2009/09/more-on-todays-gmail-issue.html6. http://www.engadget.com/2009/10/10/t-mobile-we-probably-lost-all-your-sidekick-data7. http://www.datacenterknowledge.com/archives/2009/06/11/lightning-strike-triggers-amazon-ec2-outage

Cloud Computing ResearchRoy H. Campbell

Director of Assured Cloud CenterUniversity of Illinois at Urbana-Champaign

August 8th 2012 Chicago, IL