CAREER: Infrastructure for Secure Cloud Computing

职业：安全云计算基础设施

• 批准号: 1253870
• 负责人: Thomas Ristenpart
• 金额: $ 48.06万
• 依托单位: University of Wisconsin-Madison
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-06-01 至 2015-10-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1253870&HistoricalAwards=false
• 关键词: CAREER; Infrastructure; Secure; Cloud; Computing

Infrastructure-as-a-service (IaaS) cloud computing systems are revolutionizing business, government, and science by providing easy access to scalable computing. These public services, as offered by Amazon, Google, Microsoft, and others, allow an arbitrary customer to rent, by the hour, the resources needed to run their applications within virtual machines (VMs) hosted on the provider?s compute infrastructure. With these new services, however, comes subtle new security issues. Prior work by the PI uncovered attacks that abuse two aspects unique to cloud computing: resource sharing among mutually distrustful customers and pricing that incentivizes malicious behavior. The proposed research is organized along the two themes of resource sharing and pricing. In the first theme, the work explores whether cryptographic side channel attacks and resource-freeing attacks pose serious threats to cloud customers and then develops new placement and CPU scheduling algorithms that realize the security principle of soft isolation: minimization of potentially dangerous cross-user scheduling interactions (e.g., sharing a server or CPU core). Within the second theme, the work explores the implications of fine-grained pricing mechanisms on security. This includes developing pricemarks (mechanisms for accurately determining the true costs of a cloud service), understanding customer-controlled placement gaming that exploits cloud performance heterogeneity, and explores pricing-based security mechanisms that, in conjunction with the aforementioned scheduling mechanisms, will degrade fiscal incentivizes for adversarial behavior. The impact of the proposed work will be deeper understanding of threats in cloud IaaS systems, new security design principles, deployable security technologies, and improvements in security education.

基础设施即服务(IaaS)云计算系统通过提供对可扩展计算的轻松访问，正在给企业、政府和科学带来革命性的变化。亚马逊、谷歌、微软和其他公司提供的这些公共服务允许任意客户按小时租用在提供商S计算基础设施上托管的虚拟机(VM)内运行其应用程序所需的资源。然而，随着这些新服务的推出，也带来了微妙的新安全问题。PI之前的工作发现了滥用云计算特有的两个方面的攻击：相互不信任的客户之间的资源共享和激励恶意行为的定价。拟议的研究围绕资源共享和定价这两个主题展开。在第一个主题中，研究了加密侧通道攻击和资源释放攻击是否对云客户构成严重威胁，然后开发了新的布局和CPU调度算法，实现了软隔离的安全原则：最小化潜在危险的跨用户调度交互(例如，共享服务器或CPU核心)。在第二个主题中，这项工作探索了细粒度定价机制对安全的影响。这包括开发价格标记(用于准确确定云服务的真实成本的机制)，了解利用云性能异质性的客户控制的配售游戏，以及探索基于定价的安全机制，与上述调度机制结合使用，将降低对敌对行为的财务激励。拟议工作的影响将是更深入地了解云IaaS系统中的威胁、新的安全设计原则、可部署的安全技术以及安全教育的改进。