Securing Elastic Applications for Cloud Computing Many to One Virtualization Xinwen Zhang, Joshua S chiffman, S imon Gibbs, Anugeetha Kunj ithapatham, and S angoh Jeong S amsung Information S ystems America Pennsylvania S tate University Outline • Cloud Computing for CE devices • Elastic Application concept and examples • S ecurity problems and approaches - 1 - 1
CE + Cloud Computing (1 of 2) IT View of Cloud Computing cloud = web service platform � Cloud is a platform for service delivery � Push from services into devices - 2 - CE + Cloud Computing (2 of 2) Proposed CE View of Cloud Computing API cloud = data/ core center + API � Cloud is a platform for new applications that run across the cloud and device (“ elastic applications” ) � Expand the device into the cloud - 3 - 2
Ongoing Approaches for Mobile + Cloud • CloneCloud (Hot Cloud’ 09) – Clone of phone image at cloud • Dynamic Composable Comput ing (Hot Mobile’ 08) – Dynamic composition of functions with mobile devices and surrogates. • Cloudlet (PVC’ 09) – Offloading VM to proximate infrastructure – 60-90s on VM synthesis • HW-supported VM migrat ion (At om) (MobiCase’ 09) – Focus on mobility of app • … • Elastic Device/ Application – On application level – Dynamic execution configuration – More flexible and easy for parallel… - 4 - Motivation CE Devices The Cloud Compute – Fixed S torage – Fixed* Compute – ELASTIC Power – Limited S torage – ELAS TIC Bandwidth – Limited Applications – UNCONS TRAINED Applications – CONS TRAINED The goal of the Elastic Device proj ect is to enable development of cross device/cloud applications . The advantages are: • Remove device constraints, create new classes of powerful applications • Help realize a new business model for device applications • Provide developers a transition path to multi/many core - 5 - 3
Elastic Device Concept Cloud Application Platform Store App UI Container New! When device Elastic Layer resources are App App sufficient Operating System When device resources are not sufficient Hardware RAM Flash Core Core Core Battery - 6 - Elastic Applications (EA) • EA are cloud aware applications • Weblets Weblet App GUI – Define discrete application components – Communicate using RES T interface Weblet – Run on Device or Cloud Manifest – Can be replicated to handle loads Weblet Elastic App • Application GUI – Launches the program – Directs the creation of new weblets Integrity Access • Manifest Control – Meta-data of EA – Dynamic configuration info Security Location Settings Info – Integrity of weblets – Policies for each weblet Manifest • E.g. JVM, network, access control, location - 7 - - 7 - 4
Elastic Devices (ED) • ED support EAs – Enable seamless migration of weblets Weblet – Manage resources to optimize costs Weblet – Interface with cloud providers Weblet • Elastic Manager – S pawns weblets on demand Cloud Fabric Interface – Migrates weblets to / from cloud – S enses resource availability • Cloud Fabric Interface – Exposes cloud services to devices – Controls weblets on behalf of EM Elastic Manager • S tart / S top / Create / Destroy – Can provide PaaS or IaaS model App GUI Weblet Elastic Device - 8 - - 8 - Benefits • Many-to-one virt ualizat ion – S eamlessly expands and shrinks of platform capability • Dynamic user experience – User control of expending/ shrinking based on factors such as battery consuming, monetary cost, latency/ throughput, etc. • Device flexibility – CE device computation and storage capabilities need not be designed to satisfy the most demanding applications. • Dependability – Migrating applications to cloud when device is low in battery/ weak signal • Future proof: – Move app from cloud to device, extend app lifetime, reduce development cost - 9 - 5
Challenges � Application model (data model, concurrency, lang features, … ) � Performance (QoS , caching, scheduling, … ) � Dynamic configuration (costs, migration, replication, … ) � S ecurity (new threats, data privacy, access control, … ) - 10 - Reference Architecture � Elastic application package including UI and weblets Elastic Cloud Elasticity Application Service Application � Cloud nodes running on Amazon UI IaaS/PaaS Store manifest weblet1 Application EC2 instances Manager weblet 2 Node Manager Cloud Cloud Application Fabric Sensing � Web service – Weblet1 Interface Installation based CFI Weblet Cloud Container Manager UI Container � Application installation on both UI cloud and device sides http Elastic Layer Device Elasticity Router Http(s) Manager Sensing Weblet2 Http(s) Elastic Weblet Device Container - 11 - 6
Elasticity Patterns and Applications • Elastic image processing • Elastic augmented reality • Elastic augmented video - 12 - Elastic Image Processing S amsung Q1 S amsung Omnia ImageWeblet 1 App on Device ImageWeblet 2 … (Analysis & Filtering of images) ImageWeblet n ElasticIP App ImageWeblet on device : image processing on cloud : image processing - 13 - 7
Elastic Augmented Video S amsung Q1 ElasticAV Application Splitter (ident ify, t rack & Matcher 1 replace “ t arget ” images) ElasticAV App Matcher 2 Tracker Composito … Matcher n Camera r planar object recognition and replacement on device : feature point extraction from video, tracking, compositing on cloud : matching live features against library of target images - 14 - Elastic Augmented Reality ElasticAR Application (register POI icons & POI real-time info Servic on live camera) e ElasticAV App Tracker Composit Crowd Sim or GPS Compass Camera S amsung Galaxy on device : using compass and GPS to align POI markers with live video from camera on cloud : POI service and crowd simulator (gives # people in proximity to POI’s) - 15 - 8
Security Threats • Threats from Applications – Untrusted applications can damage the weblets, weblet containers, the elastic manager, and their behaviors • Compromise the code and data integrity of installed elastic applications • Change or disable t he elast ic manager’ s funct ionalit y • Launch weblets on cloud platforms without user authorization/ awareness • Threats in the Cloud – Malicious change to cloud VM, including VM itself and any configurations. – Malicious change to weblet code and data on cloud side – Malicious change to network and cost settings: e.g., use expensive network connections – Hidden malicious activities that consume cloud resources • Threats on the Network – Man-in-the-Middle (MITM) attack: • Passive eavesdropping all the t raffic in the middle • Act ive replay attack • S ession hij ack. – Dynamic Denial-of-S ervice (DDoS ) attack to both ED and cloud – Generate random traffic to weblets such consume user bill - 16 - Elastic Application Security Requirements • Trust – Applications must trust both the cloud and device. • Weblets – Communication with weblets must be secure. Only application should be able to issue request s t o its weblets. – Privacy of weblet data. Maintaining isolation. • Migration – What happens t o access rights when an weblet is migrated. – How are sessions maintained when a weblet is migrated. • Monitoring / Aggregation – Want t o monit or and collect device and cloud dat a. Privacy considerations. – Using cloud t o detect malicious behavior. - 17 - 9
Recommend
More recommend