Hardening OpenStack Cloud Platforms Against Compute Node Compromises

Title: Hardening OpenStack Cloud Platforms Against Compute Node Compromises
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Sze, Wai Kit; Srivastava, Abhinav; Sekar, R.
Conference Name: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4233-9
Keywords: cloud infrastructure security, composability, decomposition, Metrics, network control systems, network control systems security, networked control systems, pubcrawl, Resiliency, security, security scalability, system security, virtual machine, virtual machine security
Abstract

Infrastructure-as-a-Service (IaaS) clouds such as OpenStack consist of two kinds of nodes in their infrastructure: control nodes and compute nodes. While control nodes run all critical services, compute nodes host virtual machines of customers. Given the large number of compute nodes, and the fact that they are hosting VMs of (possibly malicious) customers, it is possible that some of the compute nodes may be compromised. This paper examines the impact of such a compromise. We focus on OpenStack, a popular open-source cloud platform that is widely adopted. We show that attackers compromising a single compute node can extend their controls over the entire cloud infrastructure. They can then gain free access to resources that they have not paid for, or even bring down the whole cloud to affect all customers. This startling result stems from the cloud platform's misplaced trust, which does not match today's threats. To overcome the weakness, we propose a new system, called SOS, for hardening OpenStack. SOS limits trust on compute nodes. SOS consists of a framework that can enforce a wide range of security policies. Specifically, we applied mandatory access control and capabilities to confine interactions among different components. Effective confinement policies are generated automatically. Furthermore, SOS requires no modifications to the OpenStack. This has allowed us to deploy SOS on multiple versions of OpenStack. Our experimental results demonstrate that SOS is scalable, incurs negligible overheads and offers strong protection.

URL: http://doi.acm.org/10.1145/2897845.2897851
DOI: 10.1145/2897845.2897851
Citation Key: sze_hardening_2016