tenantguard scalable runtime verification of cloud wide
play

TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level - PowerPoint PPT Presentation

Jan 01, 2023 •202 likes •747 views

TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Han Song SJTU May 24, 2017 Han Song TenantGuard: Scalable Runtime

  1. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Han Song SJTU May 24, 2017 Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 1 / 28

  2. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Outline 1 Background 2 Architecture and Data Structures 3 Verification 4 Experiments 5 Conclusion 6 Q & A Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 2 / 28

  3. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Isolation Breaches One of the Biggest Security Concerns in Cloud Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 3 / 28

  4. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Isolation Breaches One of the Biggest Security Concerns in Cloud Something went wrong and D is hacked! Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 4 / 28

  5. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Isolation Breaches One of the Biggest Security Concerns in Cloud OpenStack real world vulnerabilities Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 5 / 28

  6. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Isolation Breaches One of the Biggest Security Concerns in Cloud One possible solution is: network isolation verification Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 6 / 28

  7. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Network Isolation Verification Challenges Size of virtual networks: 150M+ VM pairs Diverse and distributed network functions Large data from heterogeneous sources Quickly invalidating verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 7 / 28

  8. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Network Isolation Verification Challenges Size of virtual networks: 150M+ VM pairs Diverse and distributed network functions Large data from heterogeneous sources Quickly invalidating verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 7 / 28

  9. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Network Isolation Verification Challenges Size of virtual networks: 150M+ VM pairs Diverse and distributed network functions Large data from heterogeneous sources Quickly invalidating verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 7 / 28

  10. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Network Isolation Verification Challenges Size of virtual networks: 150M+ VM pairs Diverse and distributed network functions Large data from heterogeneous sources Quickly invalidating verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 7 / 28

  11. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Existing Approaches Designed for physical networks Not suitable for VM-level pair-wise reachability Focus on small to medium virtual infrastructure Not designed for millions of VM pairs Can support VM-level reachability Taking minutes to hours for over 100 million pairs Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 8 / 28

  12. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Existing Approaches Designed for physical networks Not suitable for VM-level pair-wise reachability Focus on small to medium virtual infrastructure Not designed for millions of VM pairs Can support VM-level reachability Taking minutes to hours for over 100 million pairs Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 8 / 28

  13. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Existing Approaches Designed for physical networks Not suitable for VM-level pair-wise reachability Focus on small to medium virtual infrastructure Not designed for millions of VM pairs Can support VM-level reachability Taking minutes to hours for over 100 million pairs Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 8 / 28

  14. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Existing Approaches Designed for physical networks Not suitable for VM-level pair-wise reachability Focus on small to medium virtual infrastructure Not designed for millions of VM pairs Can support VM-level reachability Taking minutes to hours for over 100 million pairs Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 8 / 28

  15. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Existing Approaches Designed for physical networks Not suitable for VM-level pair-wise reachability Focus on small to medium virtual infrastructure Not designed for millions of VM pairs Can support VM-level reachability Taking minutes to hours for over 100 million pairs Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 8 / 28

  16. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Existing Approaches Designed for physical networks Not suitable for VM-level pair-wise reachability Focus on small to medium virtual infrastructure Not designed for millions of VM pairs Can support VM-level reachability Taking minutes to hours for over 100 million pairs Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 8 / 28

  17. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Assumptions Focused on: Verifying security properties specified by cloud tenants Not detecting any specific attack Relies on: The correctness of input data Existing solutions at other layers No sensitive information in the verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 9 / 28

  18. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Assumptions Focused on: Verifying security properties specified by cloud tenants Not detecting any specific attack Relies on: The correctness of input data Existing solutions at other layers No sensitive information in the verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 9 / 28

  19. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Assumptions Focused on: Verifying security properties specified by cloud tenants Not detecting any specific attack Relies on: The correctness of input data Existing solutions at other layers No sensitive information in the verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 9 / 28

  20. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Assumptions Focused on: Verifying security properties specified by cloud tenants Not detecting any specific attack Relies on: The correctness of input data Existing solutions at other layers No sensitive information in the verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 9 / 28

  21. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Assumptions Focused on: Verifying security properties specified by cloud tenants Not detecting any specific attack Relies on: The correctness of input data Existing solutions at other layers No sensitive information in the verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 9 / 28

  22. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Assumptions Focused on: Verifying security properties specified by cloud tenants Not detecting any specific attack Relies on: The correctness of input data Existing solutions at other layers No sensitive information in the verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 9 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Integration of Runtime Verification into Metamodeling F. Macias T. Scheffel M. Schmitz R. Wang

Integration of Runtime Verification into Metamodeling F. Macias T. Scheffel M. Schmitz R. Wang

Integration of Runtime Verification into Metamodeling F. Macias T. Scheffel M. Schmitz R. Wang M. Leucker A. Rutle V. Stolz 28th Nordic Workshop on Programming Theory (NWPT16), Denmark 1 / 23 Why Runtime Verification? DSML do not

1.43k views • 23 slides
Leveraging DTrace for runtime verification Carl Martin Rosenberg June 7th, 2016 Department of

Leveraging DTrace for runtime verification Carl Martin Rosenberg June 7th, 2016 Department of

Leveraging DTrace for runtime verification Carl Martin Rosenberg June 7th, 2016 Department of Informatics, University of Oslo Context: Runtime verification Desired properties Every request gets an answer System Buffers should never

656 views • 64 slides
Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29

Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29

Cloud Native Go 6/28/17, 11)02 AM Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29 file:///Users/kimberlyamaral/Desktop/cng-presentation/pres.html#1 Page 1 of 38 Cloud Native Go 6/28/17, 11)02 AM Agenda

566 views • 38 slides
Techniques for Evolution-Aware Runtime Verification Owolabi Legunsen, Yi Zhang, Milica

Techniques for Evolution-Aware Runtime Verification Owolabi Legunsen, Yi Zhang, Milica

Techniques for Evolution-Aware Runtime Verification Owolabi Legunsen, Yi Zhang, Milica Hadi-Tanovi, Grigore Rou, Darko Marinov ICST 2019 4/26/2019 CCF-1421503, CCF-1421575, CCF-1763788, CNS-1619275, CNS-1646305, CNS-1740916 Runtime

448 views • 30 slides
What is a Trace? A Runtime Verification Perspective Giles Reger 1 Klaus Havelund 2 1 University of

What is a Trace? A Runtime Verification Perspective Giles Reger 1 Klaus Havelund 2 1 University of

What is a Trace? A Runtime Verification Perspective Giles Reger 1 Klaus Havelund 2 1 University of Manchester, Manchester, UK 2 Jet Propulsion Laboratory, California Inst. of Technology, USA ISoLa 2016 Corfu, October 12, 2016 1/19 Runtime

421 views • 25 slides
PROGRAM YOUR OWN RV SYSTEM an exercise in DSL design Klaus Havelund Jet Propulsion Laboratory,

PROGRAM YOUR OWN RV SYSTEM an exercise in DSL design Klaus Havelund Jet Propulsion Laboratory,

PROGRAM YOUR OWN RV SYSTEM an exercise in DSL design Klaus Havelund Jet Propulsion Laboratory, USA Summer School on Cyber-Physical Systems July 7-10, 2014 Definition of Runtime Verification Definition (Runtime Verification) Runtime

1.23k views • 109 slides
Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko Yoshida Imperial College London 1 In collaboration with: Matthew Arrott (OOI) Gary Brown (Red Hat) Stephen Henrie (OOI) Bippin Makoond

1.38k views • 80 slides
Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko Yoshida Imperial College London 1 In collaboration with: Matthew Arrott (OOI) Gary Brown (Red Hat) Stephen Henrie (OOI) Bippin Makoond

1.38k views • 78 slides
Some Thoughts on Runtime Verification Oded Maler VERIMAG CNRS and the University of Grenoble

Some Thoughts on Runtime Verification Oded Maler VERIMAG CNRS and the University of Grenoble

Some Thoughts on Runtime Verification Oded Maler VERIMAG CNRS and the University of Grenoble (UGA) France RV, September 2016 Madrid Before Dinner Speech I like long and general introductions in my papers and talks Not everybody does:

544 views • 39 slides
Spack in Shared Environment 2018 Scalable Tools Workshop LANL Programming and Runtime

Spack in Shared Environment 2018 Scalable Tools Workshop LANL Programming and Runtime

Slide 1 Spack in Shared Environment 2018 Scalable Tools Workshop LANL Programming and Runtime Environments Team Paul Ferrell (LA-UR-18-26078) Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA Slide 2 The

527 views • 16 slides
Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Introduction Preliminaries Semantics of Runtime Control Semantics of Synthesis of Controlling Programs Expressiveness of Controlling Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics) Zhe Chen

558 views • 55 slides
Runtime Model Predictive Verification on Embedded Platforms 1 Pei Zhang, Jianwen Li, Joseph

Runtime Model Predictive Verification on Embedded Platforms 1 Pei Zhang, Jianwen Li, Joseph

Runtime Model Predictive Verification on Embedded Platforms 1 Pei Zhang, Jianwen Li, Joseph Zambreno, Phillip H. Jones, Kristin Yvonne Rozier Presenter: Pei Zhang Iowa State University peizhang@iastate.edu September 28, 2018 1 Work supported

487 views • 32 slides
Parallel Runtime Environments with Cloud Database: Performance Study for HMM with Adaptive

Parallel Runtime Environments with Cloud Database: Performance Study for HMM with Adaptive

Parallel Runtime Environments with Cloud Database: Performance Study for HMM with Adaptive Sampling D. Roehm, R. S. Pavel, T. C. Germann, A. L. McPherson and C. Junghans Los Alamos National Laboratory NM, USA May 8, 2015

581 views • 22 slides
Runtime Verification of P4 Switches with Reinforcement Learning Apoorv Shukla (TU Berlin) with

Runtime Verification of P4 Switches with Reinforcement Learning Apoorv Shukla (TU Berlin) with

Runtime Verification of P4 Switches with Reinforcement Learning Apoorv Shukla (TU Berlin) with Kevin Nico Hudemann (TU Berlin), Artur Hecker (Huawei), Stefan Schmid (Vienna Uni.) Apoorv Shukla| NetAI19 P4 [1] : Data plane Programming Language

644 views • 25 slides
Using BDDs to capture data in Runtime verification (RV) [HP18] Per Ove Ringdal November 29, 2019

Using BDDs to capture data in Runtime verification (RV) [HP18] Per Ove Ringdal November 29, 2019

Using BDDs to capture data in Runtime verification (RV) [HP18] Per Ove Ringdal November 29, 2019 Contents Motivation Syntax and semantics of QTL QTL Example An Efficient Algorithm Using BDDs Summary References Verifying file operations

622 views • 35 slides
A Scala API for Runtime Verification Klaus Havelund Jet Propulsion Laboratory Pasadena,

A Scala API for Runtime Verification Klaus Havelund Jet Propulsion Laboratory Pasadena,

A Scala API for Runtime Verification Klaus Havelund Jet Propulsion Laboratory Pasadena, California A Scala API for Runtime Verification DSL Klaus Havelund Jet Propulsion Laboratory Pasadena, California understanding complex systems by

469 views • 32 slides
Deriving Efficient Data Movement From Decoupled Access/Execute Specifications Lee W. Howes,

Deriving Efficient Data Movement From Decoupled Access/Execute Specifications Lee W. Howes,

The Queens Tower The Queens Tower Imperial College Imperial College London London South Kensington, South Kensington, SW7 SW7 Deriving Efficient Data Movement From Decoupled Access/Execute Specifications Lee W. Howes, Anton

791 views • 38 slides
PocketSphinx: Open-Source Speech Recognition for Hand-held and Embedded Devices David

PocketSphinx: Open-Source Speech Recognition for Hand-held and Embedded Devices David

PocketSphinx: Open-Source Speech Recognition for Hand-held and Embedded Devices David Huggins-Daines (dhuggins@cs.cmu.edu) Mohit Kumar (mohitkum@cs.cmu.edu) Arthur Chan (archan@cs.cmu.edu) Alan W Black (awb@cs.cmu.edu) Mosur Ravishankar

169 views • 14 slides
Weakly self-avoiding walk in dimension four Gordon Slade University of British Columbia

Weakly self-avoiding walk in dimension four Gordon Slade University of British Columbia

Weakly self-avoiding walk in dimension four Gordon Slade University of British Columbia Mathematical Statistical Physics Kyoto: July 29, 2013 Abstract We report on recent and ongoing work on the continuous-time weakly self- avoiding walk on

391 views • 25 slides
M obius transformations and Furstenbergs theorem Piotr Rutkowski BSc Wednesday 8 th April,

M obius transformations and Furstenbergs theorem Piotr Rutkowski BSc Wednesday 8 th April,

M obius transformations and Furstenbergs theorem Piotr Rutkowski BSc Wednesday 8 th April, 2020 M OBIUS TRANSFORMATIONS AND F URSTENBERG S THEOREM 1/29 Theorem 1 - discrete version Theorem Let F = { f 1 , . . . , f N ; p 1 , . . .

725 views • 29 slides
Physics and hard disk drives- an industrial career perspective Steven Lambert APS Industrial

Physics and hard disk drives- an industrial career perspective Steven Lambert APS Industrial

Physics and hard disk drives- an industrial career perspective Steven Lambert APS Industrial Physics Fellow George Washington University Colloquium February 12, 2015 1 Outline 1. Brief history- career milestones, my present job 2. Physics

556 views • 36 slides
Brady Corporation F16 Q4 Financial Results September 9, 2016 Forward-Looking Statements 2 In

Brady Corporation F16 Q4 Financial Results September 9, 2016 Forward-Looking Statements 2 In

Brady Corporation F16 Q4 Financial Results September 9, 2016 Forward-Looking Statements 2 In this presentation, statements that are not reported financial results or other historic information are forward -looking statements. These

569 views • 19 slides
$2 to $8 million 2 1 7/30/2013 M ANAGING RISK UNDER THE AIA $1.8 billion $1.5 billion

$2 to $8 million 2 1 7/30/2013 M ANAGING RISK UNDER THE AIA $1.8 billion $1.5 billion

7/30/2013 M ANAGING RISK UNDER THE AIA AMERICA INVENTS ACT MANAGING IP RISK IN THE NEW ERA OF POST GRANT PROCEEDINGS John B. Scherling Antony M. Novom Sughrue Mion, PLLC July 30, 2013 1 M ANAGING RISK UNDER THE AIA $2 to $8 million 2 1 7/30/2013

590 views • 20 slides
20 2018 Exp xper erimental imental of Ener ergy gy Conser nservati vation on Using ng Th

20 2018 Exp xper erimental imental of Ener ergy gy Conser nservati vation on Using ng Th

SC SCIE IENCE NCE ED EDUC UCATI TION ON AWARD RD 20 2018 Exp xper erimental imental of Ener ergy gy Conser nservati vation on Using ng Th The Concept ncept of Ma Magnetic netic and Solar ar Ener nergy gy Presented by:-

317 views • 10 slides

More recommend