UBC Researchers Make the Cloud More Secure

In a recent paper published at the Symposium on Operating Systems Principles (SOSP), a team of UBC researchers describe techniques to make cloud computing environments safer and more secure. A large number of the web sites that we use every day are currently hosted on a relatively small number of large, web hosting platforms such as RackSpace and Amazon's Electric Compute Cloud. These hosting environments are "multi-tenant": different web services all run from the same data center and may even share individual servers.

The researchers observed that these platforms are very difficult to reason about in the face of security threats. Individual web services may actually share a large amount of software with one another, and if an attacker were to compromise this shared software, they could potentially "jump" from attacking one website to another: a security compromise originating from some small web service could foreseeably compromise the virtualization platform and then move on to attack other, different web services hosted in the same data center.

To address this challenge, the researchers described a practical and incrementally deployable approach to building a more secure virtualization platform for the cloud. Their approach makes the sharing of software between individual customers explicit, and presents techniques to make these shared components much more resistant to attack. By incorporating this research into cloud hosting environments, web-based applications and user data can be kept safer in the face of malicious activity.

SOSP is the top conference in operating systems, and the work was carried out by UBC computer science professors Andrew Warfield and Bill Aiello, and their graduate students Patrick Colp and Mihir Nanavati. The research was done in collaboration with researchers at Citri Systems, and the National Security Agency.

Read the Symposium on Operating Systems Principles paper.