For cloud computing, such logs can
help identify exactly how and when the
system was compromised and what resources were affected.
Tracking information flows between virtual machines and the management tool stack allows logging
unauthorized use of highly privileged
administrative tools.[15] Not only is such
use tracked, the specifics of the interaction are recorded for future audit. If
a virtual machine’s memory is read, the
log stores the exact regions of accessed
memory, along with their contents. Users can then assess the effects of the accesses and resolve them appropriately;
for instance, if regions corresponding
to a password or encryption keys are
read, users can change the password or
encryption keys before incurring any
further damage.
Beyond this, advanced recovery solutions can help recover quickly from
security breaches and minimize data
loss. Built on top of custom logging engines,[16] they provide analytics to classify actions as either tainted or non-tainted. Recovery is now much more
fine-grained; by undoing all effects of
only the tainted actions, an attack can
be reversed without losing all useful
changes since the last backup. Alternatively, during recovery, all actions,
including the attack, are performed
against a patched version of the system. The attack will now fail, while
useful changes are restored.
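
The selective-undo recovery described above, as an added example that is not taken from the article or from the logging systems it cites. The Action record, the classify and recover functions, and the sample backup and log are hypothetical and constructed for illustration; the sketch assumes the log records, in execution order, every key an action read and wrote.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:            # hypothetical log record, not a real product's format
    id: int
    who: str
    reads: frozenset     # keys the action read
    writes: tuple        # ((key, value), ...) the action wrote

def classify(log, attack_ids):
    """Return ids of tainted actions: the attack plus anything that read its output."""
    tainted, dirty = set(attack_ids), set()
    for a in log:                        # log is in execution order
        keys = {k for k, _ in a.writes}
        if a.id in tainted or a.reads & dirty:
            tainted.add(a.id)
            dirty |= keys                # everything it wrote is now suspect
        else:
            dirty -= keys                # a clean overwrite clears the taint
    return tainted

def recover(backup, log, attack_ids):
    """Rebuild state from the backup by replaying only non-tainted actions."""
    tainted = classify(log, attack_ids)
    state = dict(backup)
    for a in log:
        if a.id not in tainted:
            state.update(a.writes)
    return state, tainted

# Constructed sample: action 2 is the identified attack.
BACKUP = {"admin_pw": "old", "config": "v1"}
LOG = [
    Action(1, "user",     frozenset(),             (("report", "q3"),)),
    Action(2, "attacker", frozenset({"admin_pw"}), (("config", "backdoor"),)),
    Action(3, "cron",     frozenset({"config"}),   (("cache", "from-backdoor"),)),
    Action(4, "user",     frozenset({"report"}),   (("summary", "q3-summary"),)),
    Action(5, "admin",    frozenset(),             (("config", "v2"),)),
    Action(6, "cron",     frozenset({"config"}),   (("cache2", "from-v2"),)),
]

if __name__ == "__main__":
    state, tainted = recover(BACKUP, LOG, {2})
    print("tainted actions:", sorted(tainted))
    print("recovered state:", state)
```

Action 3 is undone because it consumed the attacker's write, while actions 4 to 6 survive even though they ran after the attack.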
Back at Transmogrifica...
Friday, 16:35. Transmogrifica headquarters, Palo Alto…
Sasha enters the boardroom where
Robin and Andrea are already seated.
“Robin, Andrea, how confidential is
this Petrolica data we’ll be processing?”
“Well,” says Robin, glancing toward
Andrea, “Obviously, it’s private data,
and we don’t want anyone to have access to it. But it isn’t medical- or
legal-records-level sensitive, if that’s what
you’re getting at. Why do you ask?”
“I hope you realize anyone with
sufficient privileges in the cloud provider could read or modify all the
data. The provider controls the entire
stack. There’s absolutely nothing we
can do about it. Worse, we wouldn’t
even know it happened. Obviously I’m
not suggesting it would happen. I just
don’t know the extent of our liability.”
“Shouldn’t the provider’s SOC
compliance ensure it’s got steps in
place to prevent that from happening?” says Andrea before Robin could
respond. “Anyhow, I’ll run it by legal
and see how unhappy they are. We
should probably be fine for now, but
it’s worth keeping in mind for any other projects.”
Watching the Watchers
Isolating virtual machines in co-tenant
deployments relies on the underlying
hypervisor. While securing the hypervisor against external attacks is indeed
vital to security, it is not the only vector for a determined attacker. Today’s
hypervisors run a single management
stack, controlled by a cloud provider.
Capable of provisioning and destroying virtual machines, the management
toolstack can also read the memory
and disk content of every virtual machine, making it an attractive target
for compromising the entire system.
This single administrative toolstack is an artifact of the way hypervisors have been designed rather than
a fundamental limitation of hypervisors themselves. While providers
have no incentive to undermine their
users’ operations (their business indeed depends on maintaining user
satisfaction), the carelessness or maliciousness of a single, well-placed administrator could compromise the security of an entire system.
Revelations over the past year indicate several providers have been
required to participate in large-scale
surveillance operations to aid law-enforcement and counterintelligence
efforts. While such efforts concentrate largely on email and social-network activity, the full extent of surveillance remains largely unknown to the
public. It would be naïve to believe
providers with the ability to monitor
users’ virtual machines for sensitive
data (such as encryption keys) are not
required to do so; furthermore, they
are also unable to reveal such disclosures to their customers.
Compliance standards also require
restricting internal access to customer
data while limiting the ability of a single
administrator to make significant
changes without appropriate checks
and balances.[5] As the single toolstack
architecture bestows unfettered access
to all virtual machines on the administrators,
it effectively hampers the ability
of operators to provide the guarantees
required by their customers, who,
in turn, could opt for more private
hosting solutions despite the obvious
advantages of cloud hosting in terms
of scale and security.
Recognizing this danger, some systems advocate splitting the monolithic
administrative toolstack into several
mini toolstacks,[8,10] each capable of administrating only a subset of the entire
system. By separating the provisioning
of resources from their administration, users would have a private toolstack to manage their virtual machines
to a much greater degree than with preprovisioned machines (see Figure 3).
As a user’s toolstack can interpose on
memory accesses from only the guests
assigned to it, users can encrypt the
content of their virtual machines if desired. Correspondingly, platform administrators no longer need rights to
access the memory of any guest on the
system, limiting their ability to snoop
sensitive data.
“Nested virtualization,” which allows a hypervisor to host other hypervisors in addition to regular OSes, provides another way to enforce privacy
for tenants; Figure 4 outlines a small,
lightweight, security-centric hypervisor hosting several private, per-tenant,
commodity hypervisors.[39] Isolation,
security, and resource allocation are
separated from resource management. Administrators at the cloud
provider manage the outer hypervisor,
allocating resources managed by the
inner hypervisors. The inner hypervisors are administered by the clients
themselves, allowing them to encrypt
the memory and disks of their systems
without sacrificing functionality. Since
device management and emulation
are performed by the inner hypervisor,
the outer, provider-controlled, hypervisor never needs access to the memory of a tenant, thereby maintaining the
tenant’s confidentiality.
While both split toolstacks and
nested virtualization help preserve
confidentiality from rogue administrators, the cloud provider itself
remains a trusted entity in all cases.
After all, an operator with physical
access to the system could simply
extract confidential data and encryp-