
CapNet: Security and Least Authority in a Capability-Enabled Cloud - PowerPoint PPT Presentation



  1. CapNet: Security and Least Authority in a Capability-Enabled Cloud. Anton Burtsev (University of California, Irvine); David Johnson, Josh Kunz, Eric Eide, Jacobus Van der Merwe (University of Utah)

  2. Modern clouds are vulnerable

  3. Step 1: End-device

  4. Endpoints are inherently vulnerable [Chart: Linux Kernel Vulnerabilities by Year, 2009 to 2017; y-axis 0 to 400]

  5. Step 2: cloud network Cloud network is the main attack amplifier

  6. Legacy network-isolation primitives
     • Global tenant-wide access control rules
       • E.g., security groups
     • Lack of mutual isolation
     • Lack of decentralized access control
     • Need to trust a third party

  7. Capability-enabled network

  8. CapNet Architecture

  9. Threat model
     • We trust
       • Cloud provider infrastructure
       • Network switches
       • SDN controller
       • Hypervisors
       • Cloud software stack
     • Hosts are malicious
       • Virtual and physical hosts on the network
       • Providers of third-party cloud services

  10. CapNet Architecture
      • Software defined network (SDN)
        • CapNet runs as an SDN controller application
        • Tracks resources of the network
      • By default nodes are completely isolated
        • No flows are allowed

  11. Objects and capabilities

  12. CapNet Architecture
      • On the host, capabilities are just 64-bit numbers
        • Have no meaning outside of the host
      • Capabilities are resolved through the Node’s CSpace into pointers to other objects
      • CapNet associates a Node object with each host on the network
        • Unique {switch, port} pair

  13. Objects CapNet Capability graph Physical resources

  14. Nodes • A Node is "born" with one special capability, rp0, connecting it to its creator

  15. RendezvousPoints • RendezvousPoints allow Nodes to exchange capabilities • Capability derivation trees (CDT)

  16. Flows • A unidirectional communication channel • The ability to send packets to a particular network endpoint

  17. Grant: invoke(cap c, method m, args); grant.grant(cap c) • Grant allows a node to operate on behalf of another node • i.e., create objects on its behalf, enable network connections • Support for legacy capability-oblivious hosts

  18. Grant: invoke(cap c, m, args); grant.grant(cap c); grant.take(capability_id cap_id)

  19. Grant: invoke(cap c, m, args); grant.grant(cap c); grant.take(capability_id cap_id); grant.create(Flow)

  20. Convenient network programming
      • Example: connecting two nodes A and B
        1. connect(cap grantA, cap grantB)
        2. flowA = grantA.create(Flow)
        3. flowB = grantB.create(Flow)
        4. grantA.grant(flowB)
        5. grantA.grant(flowA)

  21. Decentralized Authority and Collaboration

  22. Reset operation • Reset the node to a clean, isolated state irrespective of its prior state and ownership

  23. Reset operation: internals • Tracking and cleaning authority of the node
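As an added illustration (my own toy model in Python, not CapNet's code or API), the following walks through the connect sequence of slide 20 and the reset of slides 22 and 23 on a default-deny controller. The class names follow the slides; the method signatures, the `grant_cap` handle the creator receives, and the rule that a Flow created through a node's Grant is the right to send *to* that node are assumptions, and under that assumption the last connect step hands flowA to B.

```python
import secrets

class Node:                      # a host; its CSpace maps opaque 64-bit numbers to objects
    def __init__(self, ctrl, name): self.ctrl, self.name, self.cspace = ctrl, name, {}
    def install(self, obj):
        cap = secrets.randbits(64)                # meaningless on any other host
        self.cspace[cap] = obj
        return cap

class Flow:                      # unidirectional: the holder may send packets to dst
    def __init__(self, dst): self.dst = dst

class Grant:                     # act on behalf of node: create objects for it, hand it caps
    def __init__(self, node): self.node = node
    def create(self, caller, cls):
        return caller.install(cls(self.node))     # the new cap lands in the caller's CSpace
    def grant(self, caller, cap):
        obj = caller.cspace[cap]                  # resolved in the caller's CSpace only
        if isinstance(obj, Flow):                 # handing over a Flow installs an SDN rule
            self.node.ctrl.allow.add((self.node.name, obj.dst.name))
        return self.node.install(obj)

class Controller:                # default deny: (src, dst) is forwarded only while in `allow`
    def __init__(self): self.allow = set()
    def new_node(self, name, creator):
        node = Node(self, name)
        node.grant_cap = creator.install(Grant(node))   # creator may act for the new node
        return node
    def invoke(self, caller, cap, method, *args):       # invoke(cap c, method m, args)
        return getattr(caller.cspace[cap], method)(caller, *args)
    def permits(self, src, dst): return (src.name, dst.name) in self.allow
    def reset(self, node):       # clean, isolated state: drop rules touching node, empty CSpace
        self.allow = {r for r in self.allow if node.name not in r}
        node.cspace.clear()

def connect(ctrl, caller, grant_a, grant_b):
    flow_a = ctrl.invoke(caller, grant_a, "create", Flow)   # right to send to A
    flow_b = ctrl.invoke(caller, grant_b, "create", Flow)   # right to send to B
    ctrl.invoke(caller, grant_a, "grant", flow_b)           # A -> B
    ctrl.invoke(caller, grant_b, "grant", flow_a)           # B -> A

def demo():
    ctrl = Controller()
    tenant = Node(ctrl, "tenant")                          # constructed sample topology
    a, b, c = (ctrl.new_node(n, tenant) for n in "ABC")
    isolated = ctrl.permits(a, b)                          # False: nothing flows by default
    connect(ctrl, tenant, a.grant_cap, b.grant_cap)
    linked = (ctrl.permits(a, b), ctrl.permits(b, a), ctrl.permits(a, c))
    ctrl.reset(a)                                          # A loses all authority and reachability
    return isolated, linked, (ctrl.permits(a, b), ctrl.permits(b, a))
```

Note that C stays unreachable from A throughout: a connection exists only where a Flow capability was explicitly granted, which is the least-authority property the slides argue for.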

  24. Reset preserves ownership

  25. Membranes: recursive isolation of capability graphs

  26. Membranes

  27. Membranes

  28. Membranes

  29. SealersUnsealers FAIL!

  30. In CapNet, SealersUnsealers go through membranes unlabeled

  31. Protocols of Secure Collaboration

  32. Secure provider protocol

  33. Recursion

  34. Trees and general graphs • Membranes and reset allow the construction of trees in capability graphs

  35. Trees and general graphs • SealerUnsealer enable cloud topologies that are general graphs

  36. Joint computation protocol

  37. CapNet in OpenStack

  38. Thank you! Anton Burtsev aburtsev@uci.edu Paper: SoCC’17 Source: https://gitlab.flux.utah.edu/tcloud/capnet Test drive in CloudLab: https://www.cloudlab.us/p/TCloud/OpenStack-Capnet

  39. Endpoint

  40. Recursive isolation of capability graphs

  41. CapNet Objects
      Physical resources
      • Node – hosts on the network
      • RendezvousPoint – exchange of capabilities
      • Flow – network flows
      Capability graph
      • Grant – support for unmodified hosts
      • Membrane – transitive isolation of capability graphs
      • SealerUnsealer – secure transport of capabilities
