Unikernels for Cloud Architectures: How Single Responsibility can Reduce Complexity, Thus Improving Enterprise Cloud Security

Andreas Happe, Bob Duncan, Alfred Bratterud

2017

Abstract

Unikernels allow application deployment through custom-built minimal virtual machines. The authors investigate how unikernels and their inherent minimalism benefit system security. The analysis starts with common security vulnerability classes and their possible remediation. A platonic unikernel framework is used to describe how unikernels can solve common security problems, focusing on both the micro and the macro level. This theoretical framework is matched against an existing unikernel framework, and the resulting mismatch is used as a starting point for the research areas the authors are currently working on. We demonstrate how a single-responsibility, unikernel-based architectural framework could be used to reduce complexity and thus improve enterprise cloud security.



Paper Citation


in Harvard Style

Happe A., Duncan B. and Bratterud A. (2017). Unikernels for Cloud Architectures: How Single Responsibility can Reduce Complexity, Thus Improving Enterprise Cloud Security. In Proceedings of the 2nd International Conference on Complexity, Future Information Systems and Risk - Volume 1: COMPLEXIS, ISBN 978-989-758-244-8, pages 30-41. DOI: 10.5220/0006282800300041


in Bibtex Style

@conference{complexis17,
author={Andreas Happe and Bob Duncan and Alfred Bratterud},
title={Unikernels for Cloud Architectures: How Single Responsibility can Reduce Complexity, Thus Improving Enterprise Cloud Security},
booktitle={Proceedings of the 2nd International Conference on Complexity, Future Information Systems and Risk - Volume 1: COMPLEXIS},
year={2017},
pages={30-41},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006282800300041},
isbn={978-989-758-244-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Complexity, Future Information Systems and Risk - Volume 1: COMPLEXIS
TI - Unikernels for Cloud Architectures: How Single Responsibility can Reduce Complexity, Thus Improving Enterprise Cloud Security
SN - 978-989-758-244-8
AU - Happe A.
AU - Duncan B.
AU - Bratterud A.
PY - 2017
SP - 30
EP - 41
DO - 10.5220/0006282800300041