tenantguard scalable runtime verification of cloud wide
play

TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level - PowerPoint PPT Presentation

Jan 01, 2023 •202 likes •747 views

TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Han Song SJTU May 24, 2017 Han Song TenantGuard: Scalable Runtime

  1. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Han Song SJTU May 24, 2017 Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 1 / 28

  2. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Outline 1 Background 2 Architecture and Data Structures 3 Verification 4 Experiments 5 Conclusion 6 Q & A Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 2 / 28

  3. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Isolation Breaches One of the Biggest Security Concerns in Cloud Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 3 / 28

  4. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Isolation Breaches One of the Biggest Security Concerns in Cloud Something went wrong and D is hacked! Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 4 / 28

  5. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Isolation Breaches One of the Biggest Security Concerns in Cloud OpenStack real world vulnerabilities Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 5 / 28

  6. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Isolation Breaches One of the Biggest Security Concerns in Cloud One possible solution is: network isolation verification Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 6 / 28

  7. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Network Isolation Verification Challenges Size of virtual networks: 150M+ VM pairs Diverse and distributed network functions Large data from heterogeneous sources Quickly invalidating verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 7 / 28

  8. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Network Isolation Verification Challenges Size of virtual networks: 150M+ VM pairs Diverse and distributed network functions Large data from heterogeneous sources Quickly invalidating verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 7 / 28

  9. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Network Isolation Verification Challenges Size of virtual networks: 150M+ VM pairs Diverse and distributed network functions Large data from heterogeneous sources Quickly invalidating verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 7 / 28

  10. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Network Isolation Verification Challenges Size of virtual networks: 150M+ VM pairs Diverse and distributed network functions Large data from heterogeneous sources Quickly invalidating verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 7 / 28

  11. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Existing Approaches Designed for physical networks Not suitable for VM-level pair-wise reachability Focus on small to medium virtual infrastructure Not designed for millions of VM pairs Can support VM-level reachability Taking minutes to hours for over 100 million pairs Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 8 / 28

  12. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Existing Approaches Designed for physical networks Not suitable for VM-level pair-wise reachability Focus on small to medium virtual infrastructure Not designed for millions of VM pairs Can support VM-level reachability Taking minutes to hours for over 100 million pairs Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 8 / 28

  13. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Existing Approaches Designed for physical networks Not suitable for VM-level pair-wise reachability Focus on small to medium virtual infrastructure Not designed for millions of VM pairs Can support VM-level reachability Taking minutes to hours for over 100 million pairs Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 8 / 28

  14. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Existing Approaches Designed for physical networks Not suitable for VM-level pair-wise reachability Focus on small to medium virtual infrastructure Not designed for millions of VM pairs Can support VM-level reachability Taking minutes to hours for over 100 million pairs Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 8 / 28

  15. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Existing Approaches Designed for physical networks Not suitable for VM-level pair-wise reachability Focus on small to medium virtual infrastructure Not designed for millions of VM pairs Can support VM-level reachability Taking minutes to hours for over 100 million pairs Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 8 / 28

  16. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Existing Approaches Designed for physical networks Not suitable for VM-level pair-wise reachability Focus on small to medium virtual infrastructure Not designed for millions of VM pairs Can support VM-level reachability Taking minutes to hours for over 100 million pairs Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 8 / 28

  17. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Assumptions Focused on: Verifying security properties specified by cloud tenants Not detecting any specific attack Relies on: The correctness of input data Existing solutions at other layers No sensitive information in the verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 9 / 28

  18. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Assumptions Focused on: Verifying security properties specified by cloud tenants Not detecting any specific attack Relies on: The correctness of input data Existing solutions at other layers No sensitive information in the verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 9 / 28

  19. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Assumptions Focused on: Verifying security properties specified by cloud tenants Not detecting any specific attack Relies on: The correctness of input data Existing solutions at other layers No sensitive information in the verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 9 / 28

  20. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Assumptions Focused on: Verifying security properties specified by cloud tenants Not detecting any specific attack Relies on: The correctness of input data Existing solutions at other layers No sensitive information in the verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 9 / 28

  21. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Assumptions Focused on: Verifying security properties specified by cloud tenants Not detecting any specific attack Relies on: The correctness of input data Existing solutions at other layers No sensitive information in the verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 9 / 28

  22. TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Background Assumptions Focused on: Verifying security properties specified by cloud tenants Not detecting any specific attack Relies on: The correctness of input data Existing solutions at other layers No sensitive information in the verification results Han Song TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation May 24, 2017 9 / 28

Recommend

Integration of Runtime Verification into Metamodeling F. Macias T. Scheffel M. Schmitz R. Wang

Integration of Runtime Verification into Metamodeling F. Macias T. Scheffel M. Schmitz R. Wang

Integration of Runtime Verification into Metamodeling F. Macias T. Scheffel M. Schmitz R. Wang M. Leucker A. Rutle V. Stolz 28th Nordic Workshop on Programming Theory (NWPT16), Denmark 1 / 23 Why Runtime Verification? DSML do not

1.43k views • 23 slides
Leveraging DTrace for runtime verification Carl Martin Rosenberg June 7th, 2016 Department of

Leveraging DTrace for runtime verification Carl Martin Rosenberg June 7th, 2016 Department of

Leveraging DTrace for runtime verification Carl Martin Rosenberg June 7th, 2016 Department of Informatics, University of Oslo Context: Runtime verification Desired properties Every request gets an answer System Buffers should never

656 views • 64 slides
Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29

Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29

Cloud Native Go 6/28/17, 11)02 AM Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29 file:///Users/kimberlyamaral/Desktop/cng-presentation/pres.html#1 Page 1 of 38 Cloud Native Go 6/28/17, 11)02 AM Agenda

566 views • 38 slides
Techniques for Evolution-Aware Runtime Verification Owolabi Legunsen, Yi Zhang, Milica

Techniques for Evolution-Aware Runtime Verification Owolabi Legunsen, Yi Zhang, Milica

Techniques for Evolution-Aware Runtime Verification Owolabi Legunsen, Yi Zhang, Milica Hadi-Tanovi, Grigore Rou, Darko Marinov ICST 2019 4/26/2019 CCF-1421503, CCF-1421575, CCF-1763788, CNS-1619275, CNS-1646305, CNS-1740916 Runtime

448 views • 30 slides
What is a Trace? A Runtime Verification Perspective Giles Reger 1 Klaus Havelund 2 1 University of

What is a Trace? A Runtime Verification Perspective Giles Reger 1 Klaus Havelund 2 1 University of

What is a Trace? A Runtime Verification Perspective Giles Reger 1 Klaus Havelund 2 1 University of Manchester, Manchester, UK 2 Jet Propulsion Laboratory, California Inst. of Technology, USA ISoLa 2016 Corfu, October 12, 2016 1/19 Runtime

421 views • 25 slides
PROGRAM YOUR OWN RV SYSTEM an exercise in DSL design Klaus Havelund Jet Propulsion Laboratory,

PROGRAM YOUR OWN RV SYSTEM an exercise in DSL design Klaus Havelund Jet Propulsion Laboratory,

PROGRAM YOUR OWN RV SYSTEM an exercise in DSL design Klaus Havelund Jet Propulsion Laboratory, USA Summer School on Cyber-Physical Systems July 7-10, 2014 Definition of Runtime Verification Definition (Runtime Verification) Runtime

1.23k views • 109 slides
Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko Yoshida Imperial College London 1 In collaboration with: Matthew Arrott (OOI) Gary Brown (Red Hat) Stephen Henrie (OOI) Bippin Makoond

1.38k views • 80 slides
Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko Yoshida Imperial College London 1 In collaboration with: Matthew Arrott (OOI) Gary Brown (Red Hat) Stephen Henrie (OOI) Bippin Makoond

1.38k views • 78 slides
Some Thoughts on Runtime Verification Oded Maler VERIMAG CNRS and the University of Grenoble

Some Thoughts on Runtime Verification Oded Maler VERIMAG CNRS and the University of Grenoble

Some Thoughts on Runtime Verification Oded Maler VERIMAG CNRS and the University of Grenoble (UGA) France RV, September 2016 Madrid Before Dinner Speech I like long and general introductions in my papers and talks Not everybody does:

544 views • 39 slides
Spack in Shared Environment 2018 Scalable Tools Workshop LANL Programming and Runtime

Spack in Shared Environment 2018 Scalable Tools Workshop LANL Programming and Runtime

Slide 1 Spack in Shared Environment 2018 Scalable Tools Workshop LANL Programming and Runtime Environments Team Paul Ferrell (LA-UR-18-26078) Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA Slide 2 The

527 views • 16 slides
Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Introduction Preliminaries Semantics of Runtime Control Semantics of Synthesis of Controlling Programs Expressiveness of Controlling Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics) Zhe Chen

558 views • 55 slides
Runtime Model Predictive Verification on Embedded Platforms 1 Pei Zhang, Jianwen Li, Joseph

Runtime Model Predictive Verification on Embedded Platforms 1 Pei Zhang, Jianwen Li, Joseph

Runtime Model Predictive Verification on Embedded Platforms 1 Pei Zhang, Jianwen Li, Joseph Zambreno, Phillip H. Jones, Kristin Yvonne Rozier Presenter: Pei Zhang Iowa State University peizhang@iastate.edu September 28, 2018 1 Work supported

487 views • 32 slides
Parallel Runtime Environments with Cloud Database: Performance Study for HMM with Adaptive

Parallel Runtime Environments with Cloud Database: Performance Study for HMM with Adaptive

Parallel Runtime Environments with Cloud Database: Performance Study for HMM with Adaptive Sampling D. Roehm, R. S. Pavel, T. C. Germann, A. L. McPherson and C. Junghans Los Alamos National Laboratory NM, USA May 8, 2015

581 views • 22 slides
Runtime Verification of P4 Switches with Reinforcement Learning Apoorv Shukla (TU Berlin) with

Runtime Verification of P4 Switches with Reinforcement Learning Apoorv Shukla (TU Berlin) with

Runtime Verification of P4 Switches with Reinforcement Learning Apoorv Shukla (TU Berlin) with Kevin Nico Hudemann (TU Berlin), Artur Hecker (Huawei), Stefan Schmid (Vienna Uni.) Apoorv Shukla| NetAI19 P4 [1] : Data plane Programming Language

644 views • 25 slides
Using BDDs to capture data in Runtime verification (RV) [HP18] Per Ove Ringdal November 29, 2019

Using BDDs to capture data in Runtime verification (RV) [HP18] Per Ove Ringdal November 29, 2019

Using BDDs to capture data in Runtime verification (RV) [HP18] Per Ove Ringdal November 29, 2019 Contents Motivation Syntax and semantics of QTL QTL Example An Efficient Algorithm Using BDDs Summary References Verifying file operations

622 views • 35 slides
A Scala API for Runtime Verification Klaus Havelund Jet Propulsion Laboratory Pasadena,

A Scala API for Runtime Verification Klaus Havelund Jet Propulsion Laboratory Pasadena,

A Scala API for Runtime Verification Klaus Havelund Jet Propulsion Laboratory Pasadena, California A Scala API for Runtime Verification DSL Klaus Havelund Jet Propulsion Laboratory Pasadena, California understanding complex systems by

469 views • 32 slides
How to Build Reliable, Scalable Filesystem Solution Using Cloud Infrastructure Sasikanth

How to Build Reliable, Scalable Filesystem Solution Using Cloud Infrastructure Sasikanth

How to Build Reliable, Scalable Filesystem Solution Using Cloud Infrastructure Sasikanth Eda (sasikanth.eda@in.ibm.com) Master Inventor, Software Engineer IBM Agenda How Cloud is Falling Short for HPC / Technical Computing Introduction

821 views • 23 slides
Scalable and Cost-Effective Model-Based Software Verification and Testing University of

Scalable and Cost-Effective Model-Based Software Verification and Testing University of

Scalable and Cost-Effective Model-Based Software Verification and Testing University of Luxembourg Interdisciplinary Centre for Security, Reliability and Trust Software Verification and Validation Lab (www.svv.lu) May 17th, 2013 University of

1.03k views • 72 slides
A vision for Carrier Cloud Networking... Itzik Weinstein, CEO 1 Cloud Services The Cloud is

A vision for Carrier Cloud Networking... Itzik Weinstein, CEO 1 Cloud Services The Cloud is

A vision for Carrier Cloud Networking... Itzik Weinstein, CEO 1 Cloud Services The Cloud is highly scalable, and managed infrastructure capable of hosting end- customer applications and billed by consumption. - Forrester Virtual

399 views • 6 slides
DSC 102 Systems for Scalable Analytics Arun Kumar Topic 2: Basics of Cloud Computing 1

DSC 102 Systems for Scalable Analytics Arun Kumar Topic 2: Basics of Cloud Computing 1

DSC 102 Systems for Scalable Analytics Arun Kumar Topic 2: Basics of Cloud Computing 1 Cloud Computing Compute, storage, memory, networking, etc. are virtualized and exist on remote servers ; rented by application users Main pros of

378 views • 21 slides
Three-Valued Asynchronous Distributed Runtime Verification Torben Scheffel Institute for

Three-Valued Asynchronous Distributed Runtime Verification Torben Scheffel Institute for

Three-Valued Asynchronous Distributed Runtime Verification Torben Scheffel Institute for Software Engineering and Programming Languages University of Lbeck, Germany scheffel@isp.uni-luebeck.de October 19, 2014 Torben Scheffel Three-Valued

531 views • 27 slides
Test-Case Generation for Runtime Analysis and Vice-Versa: Verification of Aircraft Separation

Test-Case Generation for Runtime Analysis and Vice-Versa: Verification of Aircraft Separation

Test-Case Generation for Runtime Analysis and Vice-Versa: Verification of Aircraft Separation Assurance Dimitra Giannakopoulou Marko Dimjaevi University of Utah NASA Ames Research Center ISSTA 2015, Baltimore, Maryland July 17, 2015 1 /

614 views • 46 slides
Generating System-Agnostic Runtime Verification Benchmarks from MLTL Formulas Josh Wallin &

Generating System-Agnostic Runtime Verification Benchmarks from MLTL Formulas Josh Wallin &

Motivation Background Naive Encoding Interval-Aware Encoding Future Work Generating System-Agnostic Runtime Verification Benchmarks from MLTL Formulas Josh Wallin & Kristin Yvonne Rozier Iowa State University September 29, 2018 Midwest

737 views • 40 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides

More recommend