OSDI ’14 Highlight: Preserving Trust in the Cloud
That cloud computing can be made as trustworthy as on-premises computing is the contention of Andrew Baumann (@1andrewb), a Microsoft researcher whose paper Shielding applications from an untrusted cloud with Haven, written with colleagues Marcus Peinado and Galen Hunt (@igalenhunt), has been named a best paper of the 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2014), being held in Broomfield, Colo., from Oct. 6 to 8.
“One of the biggest impediments to cloud computing is the change in the trust model from on-premises computing,” Baumann explains. “When I store my data on my computer, I know that, with reasonable precaution, I can keep anyone else from accessing that data.
“However, when I store my data in the cloud, I must trust not only the cloud provider, but also the cloud provider’s operations staff and the legal authorities with jurisdiction over the cloud provider’s computers. This creates a huge friction on the movement of data and computing to the cloud.”
In the best-paper-winning publication, Baumann and his colleagues offer a concept they call “shielded execution,” which protects the confidentiality and integrity of a program and its data from the platform on which it runs: the cloud operator’s operating system, administrative software, and firmware.
The researchers’ prototype, named Haven, represents the first system that can achieve shielded execution of unmodified legacy applications on a commodity operating system and commodity hardware.
“With Haven,” Baumann says, “we have shown for the first time that it is possible to store data and perform computation in the cloud with equivalent trust to local computing. Our Haven prototype demonstrates how unmodified applications can run and store data in the cloud with complete security and privacy from the cloud operator, the provider’s operations staff, and legal authorities.”
Two Core Technologies
Haven uses the hardware protection proposed in Intel’s Software Guard Extensions (SGX)—a set of CPU instructions that an application can use to place its code and data in an isolated region of memory, called an enclave, whose contents the CPU keeps protected from all other software on the machine, including the operating system and hypervisor. While previous work has demonstrated how SGX could protect simple computations, the Haven technology addresses the challenges of executing unmodified legacy binaries and protecting them from a malicious host, including a host that returns deliberately wrong results from the services the application asks it for. The threat model, like that of SGX itself, covers a malicious privileged software stack; physical attacks on the CPU package, side channels, and denial of service are left out of scope in the paper.
“Haven is able to provide shielded execution in the cloud,” Baumann says, “by building on two core technologies: Drawbridge, a new kind of virtual-machine container from Microsoft Research, and SGX, a proposal from Intel to protect against malicious privileged code.”
To produce Haven, Baumann’s team worked with the SGX research team at Intel Labs, including Matthew Hoekstra, Simon Johnson, Rebekah Leslie-Hurd, Frank McKeen, Carlos Rozas, and Krystof Zmudzinski. The Intel team provided the Microsoft researchers with an SGX emulator and reviewed a number of possible options for enhancements to the SGX architecture to enable uses such as Haven. Based, in part, on discoveries made by the Microsoft researchers during prototyping, Intel is producing a revised SGX specification.
“With Haven,” Baumann says, “we have demonstrated how to combine Drawbridge with SGX to provide shielding of arbitrary Windows Server applications, the kind of applications that run in the Azure cloud now, without any modification of the application code.”
For Mark Russinovich, chief technical officer for Microsoft Azure, those words are music to his ears.
“The implications of this technology on public clouds could be far-reaching,” he says, “with multiple use cases that will allow customers to take advantage of the agility, scale, and cost savings the cloud provides, while gaining unprecedented security in the processing and storage of their most sensitive data.”
The Haven paper is just one of eight papers from Microsoft Research being presented during OSDI, the premier forum for academics and industrial researchers to discuss the design, implementation, and implications of systems software.
Included on that list is Project Adam: Building an Efficient and Scalable Deep Learning Training System, written by Trishul Chilimbi, Yutaka Suzue, Johnson Apacible, and Karthik Kalyanaraman. Project Adam, which was publicly announced July 14 during Microsoft Research’s annual Faculty Summit, garnered a wealth of attention for its demonstration of the ability of large-scale, commodity distributed systems to train huge deep neural networks effectively, in this instance by identifying the precise breeds of individual dogs.
Other OSDI 2014 papers from Microsoft Research:
- Apollo: Scalable and Coordinated Scheduling for Cloud-Scale Computing—Eric Boutin, Microsoft; Jaliya Ekanayake, Microsoft; Wei Lin, Microsoft; Bing Shi, Microsoft; Jingren Zhou, Microsoft; Zhengping Qian, Microsoft Research; Ming Wu, Microsoft Research; and Lidong Zhou, Microsoft Research.
- A Self-Configurable Geo-Replicated Cloud Storage System—Masoud Saeida Ardekani, Inria and Sorbonne Universités, and Douglas B. Terry, Microsoft Research.
- End-to-end Performance Isolation Through Virtual Datacenters—Sebastian Angel, The University of Texas at Austin; Hitesh Ballani, Microsoft Research; Thomas Karagiannis, Microsoft Research; Greg O’Shea, Microsoft Research; and Eno Thereska, Microsoft Research.
- Ironclad Apps: End-to-End Security via Automated Full-System Verification—Chris Hawblitzel, Microsoft Research; Jon Howell, Microsoft Research; Jacob R. Lorch, Microsoft Research; Arjun Narayan, University of Pennsylvania; Bryan Parno, Microsoft Research; Danfeng Zhang, Cornell University; and Brian Zill, Microsoft Research.
- Pelican: A Building Block for Exascale Cold Data Storage—Shobana Balakrishnan, Microsoft Research; Richard Black, Microsoft Research; Austin Donnelly, Microsoft Research; Paul England, Microsoft Research; Adam Glass, Microsoft Research; Dave Harper, Microsoft Research; Sergey Legtchenko, Microsoft Research; Aaron Ogus, Microsoft; Eric Peterson, Microsoft Research; and Antony Rowstron, Microsoft Research.
- The Power of Choice in Data-Aware Cluster Scheduling—Shivaram Venkataraman, University of California, Berkeley; Aurojit Panda, University of California, Berkeley; Ganesh Ananthanarayanan, Microsoft Research; Michael J. Franklin, University of California, Berkeley; and Ion Stoica, University of California, Berkeley.