Slide 1
Self-service Cloud Computing
Vinod Ganapathy
vinodg@cs.rutgers.edu
Department of Computer Science
Rutgers University
Slide 2
The modern computing spectrum: The Cloud | Smartphones and tablets | Web browsers and other apps
Slide 3
Security concerns are everywhere!
Can I trust Gmail with my personal conversations?
Can I trust my browser with my saved passwords?
Is that gaming app compromising my privacy?
Slide 4
Today’s talk: The Cloud (of the spectrum: The Cloud | Smartphones and tablets | Web browsers and other apps)
Slide 5
Self-service Cloud Computing
Shakeel Butt, H. Andres Lagar-Cavilla, Vinod Ganapathy, Abhinav Srivastava
Slide 6
What is the Cloud?
A distributed computing infrastructure, managed by 3rd parties, with which we entrust our code and data.
Slide 7
What is the Cloud?
A distributed computing infrastructure, managed by 3rd parties, with which we entrust our code and data.
• Comes in many flavours: *-aaS
– Infrastructure-aaS, Platform-aaS, Software-aaS, Database-aaS, Storage-aaS, Security-aaS, Desktop-aaS, API-aaS, etc.
• Many economic benefits
– No hardware acquisition/maintenance costs
– Elasticity of resources
– Very affordable: a few ¢/hour
Slide 8
• By 2015, 90% of government agencies and large companies will use the cloud [Gartner, “Market Trends: Application Development Software, Worldwide, 2012-2016,” 2012]
• Many new companies & services rely exclusively on the cloud, e.g., Instagram, MIT/Harvard EdX [NYTimes, “Active in Cloud, Amazon Reshapes Computing,” Aug 28, 2012]
Slide 9
Virtualized cloud platforms
Diagram: Hardware / Hypervisor / Management VM (dom0) and Work VM, Work VM, Work VM
Examples: Amazon EC2, Microsoft Azure, OpenStack, RackSpace Hosting
Slide 10
Embracing the cloud
Let’s do Cloud
Slide 11
Embracing the cloud
Cloud Provider (to Client): “Trust me with your code & data”
Cloud operators: “You have to trust us as well”
Problem #1: Client code & data secrecy and integrity vulnerable to attack
Slide 12
Embracing the cloud
Problem #1: Client code & data secrecy and integrity vulnerable to attack
Slide 13
Embracing the cloud
Problem #2: Clients must rely on provider to deploy customized services
Client (to Cloud Provider): “I need customized malware detection and VM rollback”
Cloud Provider (to Client): “For now just have checkpointing …”
Slide 14
Why do these problems arise?
Diagram: Hardware / Hypervisor / Management VM (dom0) and Work VM, Work VM, Work VM
Slide 15
Example: Malware detection [Example: Gibraltar -- Baliga, Ganapathy, Iftode, ACSAC’08]
Diagram: Hypervisor hosting the Client’s VM (Code, Data) and the Management VM (Checking daemon, Sec. Policy)
Steps: 1: ? ; 2: Process the page ; 3: Resume guest ; Alert user
Slide 16
(Same diagram as slide 15)
Problem: Clients must rely on provider to deploy customized services
Slide 17
(Same diagram as slide 15, with a malicious cloud operator in the Management VM)
Problem: Client code & data secrecy and integrity vulnerable to attack
Slide 18
(Same diagram as slide 15)
Problem: Client code & data secrecy and integrity vulnerable to attack
EXAMPLES:
• CVE-2007-4993. Xen guest root escapes to dom0 via pygrub
• CVE-2007-5497. Integer overflows in libext2fs in e2fsprogs.
• CVE-2008-0923. Directory traversal vulnerability in the shared folders feature for VMWare.
• CVE-2008-1943. Buffer overflow in the backend of XenSource Xen paravirtualized frame buffer.
• CVE-2008-2100. VMWare buffer overflows in VIX API let local users execute arbitrary code in host OS.
…. [AND MANY MORE]
Slide 19
Our solution: SSC: Self-service cloud computing
Diagram: Hardware / Hypervisor / Management VM | Client’s VMs
Slide 20
Outline
• Disaggregation and new privilege model
• Technical challenges:
– Balancing provider’s and client’s goals
– Secure bootstrap of client’s VMs
• Experimental evaluation
• Future directions and other projects
Slide 21
Duties of the management VM (Dom0)
• Manages and multiplexes hardware resources
• Manages client virtual machines
Slide 22
Main technique used by SSC: Disaggregate the management VM
System-wide Mgmt. VM (SDom0):
• Manages hardware
• No access to clients’ VMs
→ Solves problem #1
Per-Client Mgmt. VM (UDom0):
• Manages client’s VMs
• Allows clients to deploy new services
→ Solves problem #2
Slide 23
Embracing first principles: Principle of separation of privilege
(System-wide Mgmt. VM (SDom0) vs. Per-Client Mgmt. VM (UDom0))
Slide 24
Embracing first principles: Principle of least privilege
(System-wide Mgmt. VM (SDom0) vs. Per-Client Mgmt. VM (UDom0))
Slide 25
An SSC platform
Diagram: Hardware (equipped with a Trusted Platform Module (TPM) chip) / SSC Hypervisor / SDom0 | Client’s meta-domain: UDom0, Service VM, Work VM, Work VM
Slide 26
SSC’s privilege model
Privileged operation → Self-service hypervisor: Is the request from client’s Udom0?
– YES → ALLOW
– NO → Does requestor have privilege (e.g., client’s service VM)?
  – YES → ALLOW
  – NO → DENY
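As an added example (not code from the SSC project or from the authors), the following Python model walks the decision tree on this slide. The entity names (a-udom0, a-ids, nic0, ...), the (requestor, target, operation) request shape, and the delegation table used to record which service VMs a client’s Udom0 has privileged are assumptions made for this example; the rule that Sdom0 keeps administering provider-owned hardware is taken from slide 22.

```python
"""Model of the SSC hypervisor's privilege check (slide 26).

Added illustration, not code from the SSC project.  Entity names, the
(requestor, target, op) request shape and the delegation table are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Entity:
    name: str
    role: str              # "sdom0", "udom0", "service", "work", "hardware"
    client: Optional[str]  # owning client; None for provider-owned entities


@dataclass
class SSCHypervisor:
    entities: Dict[str, Entity] = field(default_factory=dict)
    # (service_vm, target, op) triples delegated by a client's Udom0.
    # Assumption: this table is how "does requestor have privilege" is answered.
    grants: Set[Tuple[str, str, str]] = field(default_factory=set)

    def register(self, e: Entity) -> None:
        self.entities[e.name] = e

    def grant(self, granter: str, service_vm: str, target: str, op: str) -> bool:
        """A Udom0 delegates a privileged op on one of its own VMs to one of
        its own service VMs.  Any other delegation request is refused."""
        g, s, t = self.entities[granter], self.entities[service_vm], self.entities[target]
        if g.role != "udom0" or g.client != t.client or s.client != t.client:
            return False
        self.grants.add((service_vm, target, op))
        return True

    def check(self, requestor: str, target: str, op: str) -> str:
        """Slide 26 decision tree: ALLOW or DENY a privileged operation."""
        r, t = self.entities[requestor], self.entities[target]
        # Assumption from slide 22: Sdom0 still manages hardware, so requests
        # on provider-owned hardware resources from Sdom0 are allowed.
        if t.client is None and r.role == "sdom0":
            return "ALLOW"
        # "Is the request from the client's Udom0?"  YES -> ALLOW
        if r.role == "udom0" and t.client is not None and r.client == t.client:
            return "ALLOW"
        # NO: "Does requestor have privilege (e.g., client's service VM)?"
        if (requestor, target, op) in self.grants:
            return "ALLOW"
        return "DENY"


def build_demo_platform() -> SSCHypervisor:
    """Constructed sample platform: provider Sdom0 and one NIC, clients A and B."""
    h = SSCHypervisor()
    for e in (
        Entity("sdom0", "sdom0", None),
        Entity("nic0", "hardware", None),
        Entity("a-udom0", "udom0", "A"),
        Entity("a-ids", "service", "A"),
        Entity("a-work1", "work", "A"),
        Entity("b-udom0", "udom0", "B"),
    ):
        h.register(e)
    return h


if __name__ == "__main__":
    h = build_demo_platform()
    print("sdom0 -> a-work1:", h.check("sdom0", "a-work1", "map_memory"))
    print("a-udom0 -> a-work1:", h.check("a-udom0", "a-work1", "map_memory"))
    print("a-ids before grant:", h.check("a-ids", "a-work1", "map_memory"))
    h.grant("a-udom0", "a-ids", "a-work1", "map_memory")
    print("a-ids after grant:", h.check("a-ids", "a-work1", "map_memory"))
    print("b-udom0 -> a-work1:", h.check("b-udom0", "a-work1", "map_memory"))
    print("sdom0 -> nic0:", h.check("sdom0", "nic0", "assign"))
```

Running the block on the constructed platform shows the two problems from slides 11 and 13 being addressed by the model: the provider’s Sdom0 is denied a privileged operation on a client’s work VM (problem #1) while still administering the NIC, the client’s own Udom0 is allowed, a client service VM is allowed only after the client’s Udom0 delegates the privilege to it (problem #2), and a different client’s Udom0 is denied.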
Slide 27
Key technical challenges
1. Providers want some control
– To enforce regulatory compliance (SLAs, etc.)
– Solution: Mutually-trusted service VMs
2. Building domains in a trustworthy fashion
– Sdom0 is not trusted
– Solution: the Domain Builder
3. Establishing secure channel with client
– Sdom0 controls all the hardware!
– Solution: Secure bootstrap protocol
Slide 28
Providers want some control
• Udom0 and service VMs put clients in control of their VMs
• Sdom0 cannot inspect these VMs
• Malicious clients can misuse privilege
• Mutually-trusted service VMs
Client: “NO data leaks or corruption”
Cloud Provider: “NO illegal activities or botnet hosting”
Slide 29
Trustworthy regulatory compliance
Diagram: Hardware / SSC Hypervisor / SDom0 | UDom0, Mutually-trusted Service VM, Work VM, Work VM
Slide 30
Bootstrap: the Domain Builder
Diagram: Hardware / SSC Hypervisor / SDom0 / Domain Builder → UDom0, Work VM, Service VM
Slide 31
Bootstrap: the Domain Builder
Diagram: Hardware / SSC Hypervisor / SDom0 / Domain Builder → UDom0, Work VM, Service VM
Must establish an encrypted communication channel
Slide 32
Secure bootstrap protocol
• Goal: Build Udom0, and establish an SSL channel with client
• Challenge: Sdom0 controls the network!
• Implication: Evil twin attack
Slide 33
An evil twin attack
Diagram: Hardware / SSC Hypervisor / SDom0 / Domain Builder; two UDom0 instances (the genuine one and an evil twin)
Slides 34–41
Secure bootstrap protocol, step by step (diagram on each slide: Hardware / SSC Hypervisor / Domain Builder / UDom0)
1. Client submits: Udom0 image, Enc ( , )
2. DomB builds domain (Udom0)
3. DomB installs key, nonce (from Enc ( , ))
4. Client gets TPM hashes
5. Udom0 sends to client
6. Client sends Udom0 SSL key: Enc ( )
7. SSL handshake and secure channel establishment
8. Can boot other VMs securely: Work VM, Service VM (from VM image)
Slide 42
Client meta-domains
Diagram: Hardware / SSC hypervisor / Udom0 / Computation: Work VM, Work VM, Work VM
Service VMs: Malware detection; Firewall and IDS; Storage services
Mutually-trusted Service VMs: Trustworthy metering; Regulatory compliance
Slide 43
Case studies: Service VMs
• Storage services: Encryption, Intrusion detection
• Security services:
– Kernel-level rootkit detection
– System-call-based intrusion detection
• Data anonymization service
• Checkpointing service
• Memory deduplication
• And compositions of these!
Slide 44
Evaluation
• Goals
– Measure overhead of SSC
• Dell PowerEdge R610
– 24 GB RAM
– 8 XEON cores with dual threads (2.3 GHz)
– Each VM has 2 vCPUs and 2 GB RAM
• Results shown only for 2 service VMs
– Our ACM CCS’12 paper presents many more
Slide 45
Storage encryption service VM
Diagram (baseline): Sdom0 (Backend Block device) ↔ Client’s work VM (Frontend Block device)
Slide 46
Storage encryption service VM
Diagram: Sdom0 (Backend Block device) ↔ Storage encryption service VM (Frontend Block device, Encryption / Decryption, Backend Block device) ↔ Client’s work VM (Frontend Block device)

| Platform | Unencrypted (MB/s) | Encrypted (MB/s) |
|---|---|---|
| Xen-legacy | 81.72 | 71.90 |
| Self-service | 75.88 | 70.64 |
Slide 47
Checkpointing service VM
Diagram (baseline): Client’s VM → Checkpoint service → Storage
Slide 48
Checkpointing service VM
Diagram: Client’s VM → Checkpoint service → Encrypted Storage service (Encryption) → Storage

| Platform | Unencrypted (sec) | Encrypted (sec) |
|---|---|---|
| Xen-legacy | 1.840 | 11.419 |
| Self-service | 1.936 | 11.329 |
Slide 49
Related projects
• CloudVisor [SOSP’11]: Protect client VM data from Dom0 using a thin, bare-metal hypervisor (nested hypervisor: CloudVisor beneath the Cloud Hypervisor, which hosts Dom0 and the Client VM)
• Xen-Blanket [EuroSys’12]: Allow clients to have their own Dom0s on commodity clouds using a thin shim (XenBlanket shim between Cloud Dom0 and the Client Dom0 / Client VM)
Slide 50
SSC is a cloud model that …
… Improves security and privacy of client code and data
… Enhances client control over their VMs
… Imposes low runtime performance overheads
… Provides me with a rich source of problems for future work
Slide 51
Future vision for SSC
• Cloud app markets:
– Marketplaces of service VMs.
– Research problems: Ensuring trustworthiness of apps, enabling novel mutually-trusted apps, App permission models.
• Migration-awareness:
– Policies and mechanisms for VM migration in SSC.
– Research problems: Prevent exposure of cloud infrastructure details to competitors, TPM-based protocols that are migration-aware.
Slide 52
Other research projects
Slide 53
The Cloud | The smartphone | The browser
Slide 54
Smartphone rootkits: New techniques to detect OS kernel-level malware
• Rootkits operate by maliciously modifying kernel code and data
RESULTS:
• New techniques to detect data-oriented rootkits [ACSAC’08]
• Exploring the rootkit threat on smartphones [HotMobile’10]
• Security versus energy tradeoffs in detecting rootkits on mobile devices [MobiSys’11]
Slide 55
Securing Web browsers: Studying information leakage via 3rd party browser addons
• Addons are untrusted, privileged code
– All major browsers support addons
– Can leak sensitive information
RESULTS:
• Information flow tracking-enhanced browser [ACSAC’09]
• Static capability leak analysis for Mozilla Jetpack [ECOOP’12]
• New bugs found in Mozilla extensions
Slide 56
And many more …
• The Cloud (and other software systems) [CCS08, ACSAC08a, ACSAC09a, RAID10, TDSC11, CCS12a, CCS12b, ANCS12]
– Security remediation using transactional programming
– Fast, memory-efficient network intrusion detection
• The browser (and the Web) [ACSAC08b, ACSAC09b, ECOOP12a, ECOOP12b]
– Secure mashup Web applications
– Integrating the Web and the cloud
– Isolation as a first-class JavaScript feature
• The smartphone (and other mobile devices) [UbiComp09, SACMAT09, HotMobile10, MobiSys11]
– Location privacy in mobile computing
– Secure remote access to enterprise file systems
Slide 57
Looking into the future…
Slide 58
Active ongoing projects: SSC++ | Improving browser extension security | Improving mobile app security
Slide 59
Collaborators and students
And many other camera-shy folks!
Slide 60