Computer Science

Assuring Integrity of Dataflow Processing in Large-Scale Cloud Systems

Juan DuCo-advised by:

Dr. Xiaohui (Helen) Gu, Dr. Douglas ReevesDepartment of Computer Science

North Carolina State University

Computer Science

Outline• Background

– Multi-tenant cloud systems– Service integrity attack

• Service Integrity Assurance – RunTest [ASIACCS’10]

• Conclusion and Ongoing Work

2

Computer Science

Multi-Tenant Cloud Systems

• Platform for Software as a Service (SaaS)

•P3

•P1

•P1

•P2

•P2

•P3

•P3

VM

VM

VM VM

VM

VMVMc2

c1

c3c4

c5 c6

c7

•Portal•User

•f2

•f2

•f3

•f3•f1

•f1 •f4

•…di,…

•…,f 1

(d i),… •…,f2(f1(di)),…

•…,f 3

(f 2(f 1

(d i))),…

•…d

i ,…•…,f3(f2(f1(di))),…

3

Computer Science

Service Integrity Attack

4

•P3

•P1

•P1

•P2

•P2

•P3

•P3

c1

c3c4

c5 c6

c7

•Portal•User

•f2

•f2

•f3

•f3•f1

•f1 •f4

•…di,…

•…,f 1

(d i),… •…,f0(f1(di)),…

•…,f 3

(f 0(f 1(d i))

),…

•…,f3(f0(f1(di))),…

•…d

i ,…

c2

• Service providers come from different security domains• Not all data processing components are trustworthy

Computer Science

Previous Work

• Distributed dataflow processing– focuses on resource and performance management

issues.– usually assumes that all data processing

components are trustworthy.

• Trust management in distributed systems– Distributed messaging systems [Haeberlen, et al.

SOSP 2007]– Pub-sub overlay [Srivatsa, et al., CCS 2005]– Virtualized datacenters [Berger, et al., SIGOPS

2008]– None of them addressed secure and scalable

dataflow processing in multi-tenant cloud systems

5

Computer Science

Previous Work (cont.)

• Byzantine fault-tolerance– in Wide area networks [Amir, et al., DSN 2006]– Generally has scalability issues.

• Security in SOA – WS-Security v1.1 [Oasis, 2006]– Focuses on integrity and confidentiality of web

service messages through encryption and authentication.

– Attacks can go beyond messaging security.

6

Computer Science

RunTest

RunTest: Assuring Integrity of Dataflow Processing in Cloud Computing Infrastructures. Juan Du, Wei Wei, Xiaohui Gu, Ting Yu. ACM Symposium on Information, Computer and Communications Security (ASIACCS), Beijing, China, April, 2010.

7

Attestation Graph

•Detect integrity •attack

•Pinpoint malicious nodes

•Randomized data attestation

Computer Science

Integrity Attestation Graph

• Randomized data attestation – Capture consistency/inconsistency relationships

between pairs of components

•Portal

•d1 •Portal

•f1 •f2

•s1

•s2

•s3 •s6

•s5

•s4

•d2

•s1

•s2 •s3

•f1

•s4

•s5 •s6

•f2

•d1

•d1’• d2

• d2’

• f1(d1)=f1(d1’)

• f1(d2) != f1(d2’)

•1 •0.3

•0.3 •0.6

•0.6•1

•f1(d1)

•f1(d1’)

• f1(d2’)

• f1(d2)

•f2(f1(d1))

• f2(f1(d1))=f2(f1(d1’))

•f2(f1(d1’))

• f2(f1(d2’))

• f2(f1(d2))

8

Computer Science

Pinpoint Malicious Service Providers

9

P1

P2

P3 P4

P5

1

1

Proposition 1: All good nodes form a consistency clique.

•clique

Assume: Good nodes take majority in each service function.

Computer Science

Identify Attack Patterns

10

• Number of cliques• Weights on the edges

•clique•clique

•clique

Computer Science

Experimental Evaluation

• Implementation– On top of IBM System S

• Experiment setup– Tested on NCSU virtual computing lab (VCL)– Use about 10 blade servers– Each host run CentOS 5.2 64-bit with Xen 3.0.3

11

Computer Science

Detection Rate

•Can achieve 100% detection rate under different attack patterns

12

Computer Science

Comparison

• Full Time Majority Voting (pu = 1, r = 5)― Immediate detection ― Not scalable

• RunTest― Scalable, small pu and r => less attestation traffic― A short delay in detection, small pu and r => takes longer to detect

13

Computer Science

Conclusion

• The first attempt to address service integrity of dataflow processing applications in multi-tenant cloud systems

• Scalable runtime service attestation– Light-weight

• Randomized data attestation– Black-box approach

• Application-level input replay and result consistency check– Effective

• High detection rate and no false alarm

14

Computer Science

Ongoing Work

• Support stateful service functions

• Relax the assumptions for malicious service providers – can take majority in service functions– Must be minority in overall system

15

Computer Science

Thank you! Questions?

16