Details

<p>Preface xiii</p> <p>Editors’ Biographies xvii</p> <p>List of Contributors xix</p> <p><b>1 Introduction 1<br /></b><i>Roy H. Campbell</i></p> <p>1.1 Introduction 1</p> <p>1.1.1 Mission-Critical Cloud Solutions for the Military 2</p> <p>1.2 Overview of the Book 3</p> <p><b>2 Survivability: Design, Formal Modeling, and Validation of Cloud Storage Systems Using Maude 10<br /></b><i>Rakesh Bobba, Jon Grov, Indranil Gupta, Si Liu, José Meseguer,Peter Csaba Ölveczky, and Stephen Skeirik</i></p> <p>2.1 Introduction 10</p> <p>2.1.1 State of the Art 11</p> <p>2.1.2 Vision: Formal Methods for Cloud Storage Systems 12</p> <p>2.1.3 The Rewriting Logic Framework 13</p> <p>2.1.4 Summary: Using Formal Methods on Cloud Storage Systems 15</p> <p>2.2 Apache Cassandra 17</p> <p>2.3 Formalizing, Analyzing, and Extending Google’s Megastore 23</p> <p>2.3.1 Specifying Megastore 23</p> <p>2.3.2 Analyzing Megastore 25</p> <p>2.3.2.1 Megastore-CGC 29</p> <p>2.4 RAMP Transaction Systems 30</p> <p>2.5 Group Key Management via ZooKeeper 31</p> <p>2.5.1 ZooKeeper Background 32</p> <p>2.5.2 System Design 33</p> <p>2.5.3 Maude Model 34</p> <p>2.5.4 Analysis and Discussion 35</p> <p>2.6 How Amazon Web Services Uses Formal Methods 37</p> <p>2.6.1 Use of Formal Methods 37</p> <p>2.6.2 Outcomes and Experiences 38</p> <p>2.6.3 Limitations 39</p> <p>2.7 Related Work 40</p> <p>2.8 Concluding Remarks 42</p> <p>2.8.1 The Future 43</p> <p><b>3 Risks and Benefits: Game-Theoretical Analysis and Algorithm for Virtual Machine Security Management in the Cloud 49<br /></b><i>Luke Kwiat, Charles A. Kamhoua, Kevin A. Kwiat, and Jian Tang</i></p> <p>3.1 Introduction 49</p> <p>3.2 Vision: Using Cloud Technology in Missions 51</p> <p>3.3 State of the Art 54</p> <p>3.4 System Model 57</p> <p>3.5 Game Model 59</p> <p>3.6 Game Analysis 61</p> <p>3.7 Model Extension and Discussion 67</p> <p>3.8 Numerical Results and Analysis 71</p> <p>3.8.1 Changes in User 2’s Payoff with Respect to L₂ 71</p> <p>3.8.2 Changes in User 2’s Payoff with Respect to <i>e</i> 72</p> <p>3.8.3 Changes in User 2’s Payoff with Respect to <i>π</i> 73</p> <p>3.8.4 Changes in User 2’s Payoff with Respect to q_I 74</p> <p>3.8.5 Model Extension to <i>n</i> = 10 Users 75</p> <p>3.9 The Future 78</p> <p><b>4 Detection and Security: Achieving Resiliency by Dynamic and Passive System Monitoring and Smart Access Control 81<br /></b><i>Zbigniew Kalbarczyk</i></p> <p>4.1 Introduction 82</p> <p>4.2 Vision: Using Cloud Technology in Missions 83</p> <p>4.3 State of the Art 84</p> <p>4.4 Dynamic VM Monitoring Using Hypervisor Probes 85</p> <p>4.4.1 Design 86</p> <p>4.4.2 Prototype Implementation 88</p> <p>4.4.3 Example Detectors 90</p> <p>4.4.3.1 Emergency Exploit Detector 90</p> <p>4.4.3.2 Application Heartbeat Detector 91</p> <p>4.4.4 Performance 93</p> <p>4.4.4.1 Microbenchmarks 93</p> <p>4.4.4.2 Detector Performance 94</p> <p>4.4.5 Summary 95</p> <p>4.5 Hypervisor Introspection: A Technique for Evading Passive Virtual Machine Monitoring 96</p> <p>4.5.1 Hypervisor Introspection 97</p> <p>4.5.1.1 VMI Monitor 97</p> <p>4.5.1.2 VM Suspend Side-Channel 97</p> <p>4.5.1.3 Limitations of Hypervisor Introspection 98</p> <p>4.5.2 Evading VMI with Hypervisor Introspection 98</p> <p>4.5.2.1 Insider Attack Model and Assumptions 98</p> <p>4.5.2.2 Large File Transfer 99</p> <p>4.5.3 Defenses against Hypervisor Introspection 101</p> <p>4.5.3.1 Introducing Noise to VM Clocks 101</p> <p>4.5.3.2 Scheduler-Based Defenses 101</p> <p>4.5.3.3 Randomized Monitoring Interval 102</p> <p>4.5.4 Summary 103</p> <p>4.6 Identifying Compromised Users in Shared Computing Infrastructures 103</p> <p>4.6.1 Target System and Security Data 104</p> <p>4.6.1.1 Data and Alerts 105</p> <p>4.6.1.2 Automating the Analysis of Alerts 106</p> <p>4.6.2 Overview of the Data 107</p> <p>4.6.3 Approach 109</p> <p>4.6.3.1 The Model: Bayesian Network 109</p> <p>4.6.3.2 Training of the Bayesian Network 110</p> <p>4.6.4 Analysis of the Incidents 112</p> <p>4.6.4.1 Sample Incident 112</p> <p>4.6.4.2 Discussion 113</p> <p>4.6.5 Supporting Decisions with the Bayesian Network Approach 114</p> <p>4.6.5.1 Analysis of the Incidents 114</p> <p>4.6.5.2 Analysis of the Borderline Cases 116</p> <p>4.6.6 Conclusion 118</p> <p>4.7 Integrating Attribute-Based Policies into Role-Based Access Control 118</p> <p>4.7.1 Framework Description 119</p> <p>4.7.2 Aboveground Level: Tables 119</p> <p>4.7.2.1 Environment 120</p> <p>4.7.2.2 User-Role Assignments 120</p> <p>4.7.2.3 Role-Permission Assignments 121</p> <p>4.7.3 Underground Level: Policies 121</p> <p>4.7.3.1 Role-Permission Assignment Policy 122</p> <p>4.7.3.2 User-Role Assignment Policy 123</p> <p>4.7.4 Case Study: Large-Scale ICS 123</p> <p>4.7.4.1 RBAC Model-Building Process 124</p> <p>4.7.4.2 Discussion of Case Study 127</p> <p>4.7.5 Concluding Remarks 128</p> <p>4.8 The Future 128</p> <p><b>5 Scalability, Workloads, and Performance: Replication, Popularity, Modeling, and Geo-Distributed File Stores 133<br /></b><i>Roy H. Campbell, Shadi A. Noghabi, and Cristina L. Abad</i></p> <p>5.1 Introduction 133</p> <p>5.2 Vision: Using Cloud Technology in Missions 134</p> <p>5.3 State of the Art 136</p> <p>5.4 Data Replication in a Cloud File System 137</p> <p>5.4.1 MapReduce Clusters 138</p> <p>5.4.1.1 File Popularity, Temporal Locality, and Arrival Patterns 142</p> <p>5.4.1.2 Synthetic Workloads for Big Data 144</p> <p>5.4.2 Related Work 147</p> <p>5.4.3 Contribution from Our Approach to Generating Big Data Request Streams Using Clustered Renewal Processes 149</p> <p>5.4.3.1 Scalable Geo-Distributed Storage 149</p> <p>5.4.4 Related Work 151</p> <p>5.4.5 Summary of Ambry 152</p> <p>5.5 Summary 153</p> <p>5.6 The Future 153</p> <p><b>6 Resource Management: Performance Assuredness in Distributed Cloud Computing via Online Reconfigurations 160<br /></b><i>Mainak Ghosh, Le Xu, and Indranil Gupta</i></p> <p>6.1 Introduction 161</p> <p>6.2 Vision: Using Cloud Technology in Missions 163</p> <p>6.3 State of the Art 164</p> <p>6.3.1 State of the Art: Reconfigurations in Sharded Databases/Storage 164</p> <p>6.3.1.1 Database Reconfigurations 164</p> <p>6.3.1.2 Live Migration 164</p> <p>6.3.1.3 Network Flow Scheduling 164</p> <p>6.3.2 State of the Art: Scale-Out/Scale-In in Distributed Stream Processing Systems 165</p> <p>6.3.2.1 Real-Time Reconfigurations 165</p> <p>6.3.2.2 Live Migration 165</p> <p>6.3.2.3 Real-Time Elasticity 165</p> <p>6.3.3 State of the Art: Scale-Out/Scale-In in Distributed Graph Processing Systems 166</p> <p>6.3.3.1 Data Centers 166</p> <p>6.3.3.2 Cloud and Storage Systems 166</p> <p>6.3.3.3 Data Processing Frameworks 166</p> <p>6.3.3.4 Partitioning in Graph Processing 166</p> <p>6.3.3.5 Dynamic Repartitioning in Graph Processing 167</p> <p>6.3.4 State of the Art: Priorities and Deadlines in Batch Processing Systems 167</p> <p>6.3.4.1 OS Mechanisms 167</p> <p>6.3.4.2 Preemption 167</p> <p>6.3.4.3 Real-Time Scheduling 168</p> <p>6.3.4.4 Fairness 168</p> <p>6.3.4.5 Cluster Management with SLOs 168</p> <p>6.4 Reconfigurations in NoSQL and Key-Value Storage/Databases 169</p> <p>6.4.1 Motivation 169</p> <p>6.4.2 Morphus: Reconfigurations in Sharded Databases/Storage 170</p> <p>6.4.2.1 Assumptions 170</p> <p>6.4.2.2 MongoDB System Model 170</p> <p>6.4.2.3 Reconfiguration Phases in Morphus 171</p> <p>6.4.2.4 Algorithms for Efficient Shard Key Reconfigurations 172</p> <p>6.4.2.5 Network Awareness 175</p> <p>6.4.2.6 Evaluation 175</p> <p>6.4.3 Parqua: Reconfigurations in Distributed Key-Value Stores 179</p> <p>6.4.3.1 System Model 180</p> <p>6.4.3.2 System Design and Implementation 181</p> <p>6.4.3.3 Experimental Evaluation 183</p> <p>6.5 Scale-Out and Scale-In Operations 185</p> <p>6.5.1 Stela: Scale-Out/Scale-In in Distributed Stream Processing Systems 186</p> <p>6.5.1.1 Motivation 186</p> <p>6.5.1.2 Data Stream Processing Model and Assumptions 187</p> <p>6.5.1.3 Stela: Scale-Out Overview 187</p> <p>6.5.1.4 Effective Throughput Percentage (ETP) 188</p> <p>6.5.1.5 Iterative Assignment and Intuition 190</p> <p>6.5.1.6 Stela: Scale-In 191</p> <p>6.5.1.7 Core Architecture 191</p> <p>6.5.1.8 Evaluation 193</p> <p>6.5.1.9 Experimental Setup 193</p> <p>6.5.1.10 Yahoo! Storm Topologies and Network Monitoring Topology 193</p> <p>6.5.1.11 Convergence Time 195</p> <p>6.5.1.12 Scale-In Experiments 196</p> <p>6.5.2 Scale-Out/Scale-In in Distributed Graph Processing Systems 197</p> <p>6.5.2.1 Motivation 197</p> <p>6.5.2.2 What to Migrate, and How? 199</p> <p>6.5.2.3 When to Migrate? 201</p> <p>6.5.2.4 Evaluation 203</p> <p>6.6 Priorities and Deadlines in Batch Processing Systems 204</p> <p>6.6.1 Natjam: Supporting Priorities and Deadlines in Hadoop 204</p> <p>6.6.1.1 Motivation 204</p> <p>6.6.1.2 Eviction Policies for a Dual-Priority Setting 206</p> <p>6.6.1.3 Natjam Architecture 209</p> <p>6.6.1.4 Natjam-R: Deadline-Based Eviction 215</p> <p>6.6.1.5 Microbenchmarks 216</p> <p>6.6.1.6 Natjam-R Evaluation 221</p> <p>6.7 Summary 223</p> <p>6.8 The Future 224</p> <p><b>7 Theoretical Considerations: Inferring and Enforcing Use Patterns for Mobile Cloud Assurance 237<br /></b><i>Gul Agha, Minas Charalambides, Kirill Mechitov, Karl Palmskog,Atul Sandur, and Reza Shiftehfar</i></p> <p>7.1 Introduction 237</p> <p>7.2 Vision 239</p> <p>7.3 State of the Art 240</p> <p>7.3.1 Code Offloading 241</p> <p>7.3.2 Coordination Constraints 241</p> <p>7.3.3 Session Types 242</p> <p>7.4 Code Offloading and the IMCM Framework 243</p> <p>7.4.1 IMCM Framework: Overview 244</p> <p>7.4.2 Cloud Application and Infrastructure Models 244</p> <p>7.4.3 Cloud Application Model 245</p> <p>7.4.4 Defining Privacy for Mobile Hybrid Cloud Applications 247</p> <p>7.4.5 A Face Recognition Application 247</p> <p>7.4.6 The Design of an Authorization System 249</p> <p>7.4.7 Mobile Hybrid Cloud Authorization Language 250</p> <p>7.4.7.1 Grouping, Selection, and Binding 252</p> <p>7.4.7.2 Policy Description 252</p> <p>7.4.7.3 Policy Evaluation 253</p> <p>7.4.8 Performance- and Energy-Usage-Based Code Offloading 254</p> <p>7.4.8.1 Offloading for Sequential Execution on a Single Server 254</p> <p>7.4.8.2 Offloading for Parallel Execution on Hybrid Clouds 255</p> <p>7.4.8.3 Maximizing Performance 255</p> <p>7.4.8.4 Minimizing Energy Consumption 256</p> <p>7.4.8.5 Energy Monitoring 257</p> <p>7.4.8.6 Security Policies and Energy Monitoring 258</p> <p>7.5 Coordinating Actors 259</p> <p>7.5.1 Expressing Coordination 259</p> <p>7.5.1.1 Synchronizers 260</p> <p>7.5.1.2 Security Issues in Synchronizers 260</p> <p>7.6 Session Types 264</p> <p>7.6.1 Session Types for Actors 265</p> <p>7.6.1.1 Example: Sliding Window Protocol 265</p> <p>7.6.2 Global Types 266</p> <p>7.6.3 Programming Language 268</p> <p>7.6.4 Local Types and Type Checking 269</p> <p>7.6.5 Realization of Global Types 270</p> <p>7.7 The Future 271</p> <p>Acknowledgments 272</p> <p><b>8 Certifications Past and Future: A Future Model for Assigning Certifications that Incorporate Lessons Learned from Past Practices 277<br /></b><i>Masooda Bashir, Carlo Di Giulio, and Charles A. Kamhoua</i></p> <p>8.1 Introduction 277</p> <p>8.1.1 What Is a Standard? 279</p> <p>8.1.2 Standards and Cloud Computing 281</p> <p>8.2 Vision: Using Cloud Technology in Missions 283</p> <p>8.3 State of the Art 284</p> <p>8.3.1 The Federal Risk Authorization Management Program 286</p> <p>8.3.2 SOC Reports and TSPC 288</p> <p>8.3.3 ISO/IEC 27001 291</p> <p>8.3.4 Main Differences among the Standards 292</p> <p>8.3.5 Other Existing Frameworks 293</p> <p>8.3.5.1 PCI-DSS 293</p> <p>8.3.5.2 C5 294</p> <p>8.3.5.3 STAR 294</p> <p>8.3.6 What Protections Do Standards Offer against Vulnerabilities in the Cloud? 294</p> <p>8.4 Comparison among Standards 296</p> <p>8.4.1 Strategy for Comparing Standards 298</p> <p>8.4.2 Patterns, Anomalies, and Discoveries 299</p> <p>8.5 The Future 302</p> <p>8.5.1 Current Challenges 304</p> <p>8.5.2 Opportunities 305</p> <p><b>9 Summary and Future Work 312<br /></b><i>Roy H. Campbell</i></p> <p>9.1 Survivability 312</p> <p>9.2 Risks and Benefits 313</p> <p>9.3 Detection and Security 314</p> <p>9.4 Scalability, Workloads, and Performance 316</p> <p>9.5 Resource Management 319</p> <p>9.6 Theoretical Considerations: Inferring and Enforcing Use Patterns for Mobile Cloud Assurance 321</p> <p>9.7 Certifications 322</p> <p>Index 327 </p>

<p><b>ROY H. CAMPBELL, P<small>H</small>D,</b> is Associate Dean for Information Technology in the College of Engineering, and Sohaib and Sara Abbasi Professor of Computer Science, at the University of Illinois at Urbana-Champaign. He was formerly Director of the Assured Cloud Computing- University Center of Excellence at the University of Illinois. <p><b>CHARLES A. KAMHOUA, P<small>H</small>D,</b> is a researcher at the U.S. Army Research Laboratory's Network Security Branch. He managed the U.S. Air Force's Assured Cloud Computing-University Center of Excellence at the University of Illinois at Urbana-Champaign. <p><b>KEVIN A. KWIAT,</b> <b>P<small>H</small>D,</b> following over 34 years as Principal Computer Engineer with the U.S. Air Force Research Laboratory, is now leading Haloed Sun TEK, LLC, in Sarasota, Florida and has joined forces with the Commercial Applications for Early Stage Advanced Research (CAESAR) Group.

<p><b>EXPLORES KEY CHALLENGES AND SOLUTIONS FOR ASSURED CLOUD COMPUTING TODAY AND PROVIDES A PROVOCATIVE LOOK AT THE FACE OF CLOUD COMPUTING TOMORROW</b> <p>This book offers readers a comprehensive suite of solutions for resolving many of the key challenges to achieving high levels of assurance in cloud computing. The distillation of critical research findings generated by the Assured Cloud Computing-University Center of Excellence (ACC-UCoE) of the University of Illinois at Urbana-Champaign, it provides unique insights into the current and future shape of robust, dependable, and secure cloud-based computing and data cyberinfrastructures. <p>A survivable and distributed cloud-computing-based infrastructure can enable the configuration of any dynamic systems-of-systems that contain both trusted and partially trusted resources and services sourced from multiple organizations. To assure mission-critical computations and workflows that rely on such systems-of-systems, it is necessary to ensure that a given configuration does not violate any security or reliability requirements. Furthermore, it is necessary to model the trustworthiness of a workflow or computation to a high level of assurance. In presenting the substance of the work done by the ACC-UCoE, this book provides a vision for assured cloud computing. The book: <ul> <li>Explores dominant themes in cloud-based systems, including design correctness, support for big data and analytics, monitoring and detection, network considerations, and performance</li> <li>Synthesizes earlier work on topics such as DARE, trust mechanisms, and elastic graphs, as well as newer research findings on topics including R-Storm and RAMP transactions</li> <li>Addresses assured cloud computing concerns such as game theory, stream processing, storage, algorithms, workflow, scheduling, access control, formal analysis of safety, and streaming</li> </ul> <p>Bringing together the freshest thinking and applications in one of today's most important topics, <i>Assured Cloud Computing</i> is a must-read for researchers and professionals in the fields of computer science and engineering, especially those working within industrial, military, and governmental contexts. It is also a valuable reference for advanced students of computer science.

US