Cloud Security Research
Cloud computing has the potential to revolutionize the way businesses run their IT infrastructure and achieve new efficiencies of scale. However, security and long-term trustworthiness of cloud infrastructures is often a significant barrier to their wider adoption as well as a significant risk. This research addresses a fundamental root cause of many security/trustworthiness problems of the cloud - the lack of a suitable abstraction for defining cloud-based IT systems. As a result of this deficiency, cloud system deployment and management is largely based on low-level scripts or manual interventions that yield poorly configured, stagnant, and fragile systems that invite misuse and failures. Moreover, economic incentives drive cloud vendors to "lock in" their customers, making it difficult for cloud users to switch to a new vendor even if the current vendor is doing a poor job of ensuring the cloud services' security and reliability.
To alleviate these problems, we propose an abstract model for defining cloud-based IT systems and design a compilation process to automatically generate concrete systems in the cloud based on the abstract specifications. Our high-level abstract model will capture important structural information about the system, such as service dependencies, as well as implementation specifications that refer to re-usable knowledge units that define various service and application configuration details. This approach will allow us to conduct a number of research thrusts in the framework: 1) reliably generating cloud-based IT systems with both correct functionality and strong security; 2) providing a consistent model that captures the configuration state of deployed systems, and enabling automated orchestration of system changes while maintaining the desired properties; 3) security analysis, threat isolation and mitigation, and fault diagnosis using this abstraction; and 4) leveraging the abstraction to design technologies to support the easy movement between vendors, both as a way of increasing the cloud user's trust in the cloud as well as an incentive for cloud vendors to compete based on their services' quality, most importantly security and trustworthiness.
Faculty: Collaborator:- Marc Eisenbarth (Arbor Networks)
- Ian Unruh
- Brian Cain
- Trent Novelly
- Gilnei De Pellegrin
- Compiling abstract specifications into concrete systems - bringing order to the cloud. Ian Unruh, Alexandru G. Bardas, Rui Zhuang, Xinming Ou, and Scott A. DeLoach. In 28th Large Installation System Administration Conference (LISA'14), Seattle, WA, USA.
- After we knew it: Empirical study and modeling of cost-effectiveness of exploiting prevalent known vulnerabilities across IaaS cloud. Su Zhang, Xinwen Zhang, and Xinming Ou. 9th ACM Symposium on Information, Computer and Communications Security (ASIACCS), Kyoto, Japan, June, 2014.
Acknowledgment:
This research is supported by the Air Force Office of Scientific Research under award no. FA9550-12-1-0106 and U.S. National Science Foundation under award no. 0954138 and 1018703. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsor.