CapNet: Security and Least Authority in a Capability-Enabled Cloud (PowerPoint PPT presentation)


SLIDE 1

CapNet: Security and Least Authority in a Capability-Enabled Cloud

Anton Burtsev, University of California, Irvine
David Johnson, Josh Kunz, Eric Eide, Jacobus Van der Merwe, University of Utah

SLIDE 2

Modern clouds are vulnerable

SLIDE 3

Endpoints are inherently vulnerable

[Chart: Linux Kernel Vulnerabilities by Year, 2009 to 2017; y-axis 50 to 400]

SLIDE 4

Endpoint

SLIDE 5

Broad network authority

Cloud network is the main attack amplifier

SLIDE 6

Legacy network-isolation primitives

  • Global tenant-wide access control rules
  • E.g., security groups
  • Lack of mutual isolation
  • Lack of decentralized access control
  • Need to trust a third party

Ambient authority

SLIDE 7

Capability-enabled network

SLIDE 8

CapNet Architecture

SLIDE 9

Threat model

  • We trust
    • Cloud provider infrastructure
    • Network switches
    • SDN controller
    • Hypervisors
    • Cloud software stack
  • Hosts are malicious
    • Virtual and physical hosts on the network
    • Providers of third-party cloud services

SLIDE 10

CapNet Architecture

  • Software defined network (SDN)
  • CapNet runs as an SDN controller application
  • Tracks resources of the network
  • By default nodes are completely isolated
  • No flows are allowed

SLIDE 11

Objects and capabilities

SLIDE 12

CapNet Architecture

  • On the host, capabilities are just 64-bit numbers
  • Have no meaning outside of the host
  • CapNet associates a Node object with each host on the network
  • Unique {switch, port} pair
  • Capabilities are resolved through the Node’s CSpace into pointers to other objects

SLIDE 13

CapNet Objects

[Figure: Physical resources mapped to the Capability graph]

SLIDE 14

Nodes

  • A Node is "born" with one special capability, rp0, connecting it to its creator

SLIDE 15

RendezvousPoints

  • RendezvousPoints allow Nodes to exchange capabilities
  • Capability derivation trees (CDT)

SLIDE 16

Flows

  • A unidirectional communication channel
  • The ability to send packets to a particular network endpoint

SLIDE 17

Grant

invoke(cap c, method m, args)
Grant.grant(cap c)

  • Support for legacy capability-oblivious hosts
  • Passive administration

SLIDE 18

Grant

invoke(cap c, m, args)
Grant.grant(cap c)
Grant.take(capability_id cap_id)

SLIDE 19

Grant

invoke(cap c, m, args)
Grant.grant(cap c)
Grant.take(capability_id cap_id)
grant.create(Flow)

SLIDE 20

Convenient network programming

  • Example: connecting two nodes A and B
    1. connect (cap grantA, cap grantB)
    2. flowA = grantA.create(Flow)
    3. flowB = grantB.create(Flow)
    4. grantA.grant(flowB)
    5. grantA.grant(flowA)

SLIDE 21

Decentralized Authority and Collaboration

SLIDE 22

Reset

  • Reset the node to a clean, isolated state irrespective of its prior state and ownership

SLIDE 23

Reset

  • Tracking and cleaning authority of the node
SLIDE 24

Reset preserves ownership
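To make the object model of slides 10 to 24 concrete, here is an added toy simulation in Python. It is not CapNet's code and not from the authors: only the object names (Node, Grant, Flow, CSpace, rp0), the operations invoke, Grant.create(Flow) and Grant.grant, the five-step connect of slide 20 and reset follow the slides. The controller's data structures, the packet_allowed check, and modelling rp0 as a Grant held by the creator are assumptions made for this example. It also assumes that the fifth connect step hands flowA to B's Grant (the slide text reads grantA.grant(flowA)), since that is what makes the channel bidirectional.

```python
# Toy model of the CapNet capability semantics on slides 10-24. Added
# illustration, not CapNet's code: names follow the slides, the rest is assumed.
import secrets


class Node:
    """A host on the network, identified by its {switch, port} pair (slide 12)."""
    def __init__(self, switch, port):
        self.endpoint = (switch, port)


class Flow:
    """Unidirectional right to send packets to one endpoint (slide 16)."""
    def __init__(self, dst):
        self.dst = dst


class Grant:
    """Handle on a node letting its holder act on the node's behalf (slide 17)."""
    def __init__(self, node):
        self.node = node


class Controller:
    """SDN controller app tracking the capability graph; nodes start isolated (slide 10)."""
    def __init__(self):
        self.cspaces = {}  # Node -> CSpace, a dict {64-bit cap number: object}

    def new_node(self, creator, switch, port):
        """Create a node; the creator gets its one initial cap (rp0, modelled as a Grant)."""
        node = Node(switch, port)
        self.cspaces[node] = {}
        return self.mint(creator, Grant(node))

    def mint(self, holder, obj):
        """Install obj in holder's CSpace under a fresh 64-bit number (slide 12)."""
        cap = secrets.randbits(64)
        self.cspaces[holder][cap] = obj
        return cap

    def holds(self, holder, cap):
        """A cap number is meaningful only inside the CSpace that issued it."""
        return cap in self.cspaces[holder]

    def resolve(self, holder, cap):
        """Turn a cap number into an object through holder's CSpace."""
        if not self.holds(holder, cap):
            raise PermissionError("capability not in caller's CSpace")
        return self.cspaces[holder][cap]

    def invoke(self, caller, cap, method, *args):
        """Slide 17: invoke(cap c, method m, args), dispatched on the object behind c."""
        obj = self.resolve(caller, cap)
        if isinstance(obj, Grant) and method == "create" and args == (Flow,):
            # Grant.create(Flow): a new flow toward the node, held by the caller
            return self.mint(caller, Flow(dst=obj.node))
        if isinstance(obj, Grant) and method == "grant":
            # Grant.grant(cap c): copy the object behind c into the node's CSpace
            return self.mint(obj.node, self.resolve(caller, args[0]))
        raise ValueError(f"unsupported invocation {method} on {type(obj).__name__}")

    def packet_allowed(self, src, dst):
        """Default deny: src may send to dst only if it holds a Flow to dst."""
        return any(isinstance(o, Flow) and o.dst is dst
                   for o in self.cspaces[src].values())

    def reset(self, caller, grant_cap):
        """Slides 22-24: empty the node's CSpace; the creator keeps its Grant (ownership)."""
        self.cspaces[self.resolve(caller, grant_cap).node].clear()


def connect(ctl, admin, grant_a, grant_b):
    """Slide 20's connect(cap grantA, cap grantB), carried out step by step."""
    flow_a = ctl.invoke(admin, grant_a, "create", Flow)  # 2. flowA = grantA.create(Flow)
    flow_b = ctl.invoke(admin, grant_b, "create", Flow)  # 3. flowB = grantB.create(Flow)
    ctl.invoke(admin, grant_a, "grant", flow_b)          # 4. grantA.grant(flowB): A -> B
    ctl.invoke(admin, grant_b, "grant", flow_a)          # 5. assumed grantB.grant(flowA): B -> A
    return flow_a, flow_b


def demo():
    """Isolation by default, connect, foreign-number rejection, then reset."""
    ctl = Controller()
    admin = Node(0, 0)  # the creator; its CSpace holds the two Grants
    ctl.cspaces[admin] = {}
    grant_a = ctl.new_node(admin, switch=1, port=1)
    grant_b = ctl.new_node(admin, switch=1, port=2)
    a, b = ctl.resolve(admin, grant_a).node, ctl.resolve(admin, grant_b).node

    isolated = not ctl.packet_allowed(a, b) and not ctl.packet_allowed(b, a)
    flow_a, _ = connect(ctl, admin, grant_a, grant_b)
    connected = ctl.packet_allowed(a, b) and ctl.packet_allowed(b, a)
    foreign_rejected = not ctl.holds(b, flow_a)  # admin's number for flowA means nothing to B
    ctl.reset(admin, grant_a)
    reset_isolated = not ctl.packet_allowed(a, b)
    still_owned = isinstance(ctl.resolve(admin, grant_a), Grant)
    return isolated, connected, foreign_rejected, reset_isolated, still_owned


if __name__ == "__main__":
    print(demo())  # (True, True, True, True, True)
```

Running the script prints five booleans: the two nodes cannot talk until connect runs, the admin's capability number for flowA is rejected when presented from B's CSpace (slide 12's "no meaning outside of the host"), and after reset node A is isolated again while the admin still resolves its Grant on A, which is the sense in which reset preserves ownership. The packet_allowed check is the toy stand-in for the controller installing flow rules only where a Flow capability exists; RendezvousPoints, Grant.take and capability derivation trees are not modelled.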

SLIDE 25

Recursive isolation of capability graphs

SLIDES 26 to 29

Membranes

SLIDE 30

SealerUnsealers

FAIL!

SLIDE 31

SealerUnsealers go through membranes

SLIDE 32

Protocols of Secure Collaboration

SLIDE 33

Secure provider protocol

SLIDE 34

Recursion

SLIDE 35

Trees and general graphs

  • Membranes and reset allow the construction of trees in capability graphs

SLIDE 36

Trees and general graphs

  • SealerUnsealers enable cloud topologies that are general graphs

SLIDE 37

Joint computation protocol

SLIDE 38

CapNet in OpenStack

SLIDE 39

Thank you!

Anton Burtsev, aburtsev@uci.edu
Paper: SoCC’17
Source: https://gitlab.flux.utah.edu/tcloud/capnet
Test drive in CloudLab: https://www.cloudlab.us/p/TCloud/OpenStack-Capnet

SLIDE 40

Backup slides

SLIDE 41

SLIDE 42

CapNet Objects

  • Node – hosts on the network
  • RendezvousPoint – exchange of capabilities
  • Flow – network flows
  • Grant – support for unmodified hosts
  • Membrane – transitive isolation of capability graphs
  • SealerUnsealer – secure transport of capabilities

[Figure: Physical resources mapped to the Capability graph]