Andreas Haeberlen MPISWS Outline 2 2009 Andreas Haeberlen Problem Solution Call for action The benefits of cloud computing The cloud enables Alice to obtain resources on demand pay only for what she actually uses ID: 612489
Download Presentation The PPT/PDF document "A Case for the Accountable Cloud" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
A Case for the Accountable Cloud
Andreas HaeberlenMPI-SWSSlide2
Outline
2
© 2009 Andreas Haeberlen
Problem
Solution
Call for actionSlide3
The benefits of cloud computing
The cloud enables Alice to:obtain resources on demandpay only for what she actually usesbenefit from economies of scaleBut...
3
© 2009 Andreas Haeberlen
Alice
Bob
Alice's
customersSlide4
?
Problem: Split administrative domain
Control and information about Alice's service are now split between Alice and Bob
Alice cannot control cloud machines or observe their status
Alice must have a lot of trust in Bob
Bob does not understand the details of Alice's software
Difficult to perform many administrative tasks
4
© 2009 Andreas Haeberlen
Alice
Bob
Alice's
customers
?
?
?
?
?
?
?
?
?
?
?
?Slide5
Problem: Split administrative domain
What if there is a problem with the cloud?MisconfigurationInsufficient allocation of resourcesHacker attack
Data loss or unavailability
Hardware malfunction
...
5
© 2009 Andreas Haeberlen
Alice
Bob
Alice's
customersSlide6
Handling problems: Alice's perspective
6© 2009 Andreas Haeberlen
Alice
Alice's
customers
?
?
?
?
?
?
?
?
Bob
If something is wrong, how will I know?
How can I tell if it's my software or the cloud?
If it's the cloud, how can I convince Bob?Slide7
If something is wrong, how will I know?
How can I tell if it's my software or the cloud?
If it's the cloud, how can I convince Bob?
Handling problems: Bob's perspective
7
© 2009 Andreas Haeberlen
Alice
Bob
Alice's
customers
?
?
?
?
?
?
?
?
?
?
?
?
?
If something is wrong, how will I know?
How can I tell if it's the cloud or Alice's software?
If it's Alice's software, how can I convince Alice?Slide8
Outline
8
© 2009 Andreas Haeberlen
Problem
Solution
Call for action
Split administrative
domainSlide9
An idealized solution
What if we had an oracle that Alice and Bob could ask about cloud problems?Completeness: If the cloud is faulty, the oracle will say soAccuracy:
If the cloud is
not
faulty, the oracle will say so
Verifiability:
The oracle produces evidence that would convince a disinterested third party
9
© 2009 Andreas Haeberlen
Alice
Bob
Alice's
customers
OracleSlide10
The accountable cloud
Idea: Make cloud accountable to Alice+BobCloud records its actions in a tamper-evident logAlice and Bob can
audit
the log and check for faults
Use log to construct
evidence
that a fault does (not) exist
Provides completeness, accuracy, verifiabilityProvable guarantees even if Alice and/or Bob are malicious!
10
© 2009 Andreas Haeberlen
Alice
Bob
Alice's
customers
Tamper-evident
logSlide11
Discussion
Isn't this too pessimistic? Bob isn't malicious!Hacker attacks, software bugs, disgruntled employees, operator error, ..., can have the same effectDifficult to come up with a more restrictive fault modelAlice (or some other customer) could be malicious
Shouldn't Bob use fault tolerance instead?
Bob certainly should mask faults whenever possible
But: Masking is never perfect; Alice still needs to check
Why would a provider want to deploy this?
Attractive to prospective customers
Helps with handling angry support calls
11
© 2009 Andreas HaeberlenSlide12
Discussion: Guarantees
Are these the right guarantees?Completeness: "No false negatives"Could be relaxed: e.g., probabilistic completeness
Accuracy: "No false positives"
Cannot be relaxed safely
if the detection of a fault can have serious legal/financial consequences for Bob
Verifiability: "Produce enough evidence to convince a third party"
Could be relaxed:
e.g., evidence only needs to convince a specific third party
© 2009 Andreas Haeberlen
12Slide13
Outline
13
© 2009 Andreas Haeberlen
Problem
Solution
Call for action
Split administrative
domain
Make the cloud
accountableSlide14
Is the technology ready?
Cloud accountability should:Deliver provable guaranteesWork for most cloud applicationsRequire no changes to application code
Cover a wide spectrum of properties
Have a low overhead
Can existing techniques deliver this?
CATS, Repeat&Compare, AIP, PeerReview,
NetReview, AudIt, ...
More research is needed!
14
© 2009 Andreas Haeberlen
?
?
?Slide15
Work in progress: AVM
Goal: Provide accountability for arbitrary unmodified software
Idea:
Accountable virtual machine (AVM)
Cloud records enough data to enable determinstic replay
Alice can replay log with a known-good copy of the software
Can audit any part of the original execution
15
© 2009 Andreas Haeberlen
Alice
Bob
Virtual machineSlide16
Summary
Problem: Current cloud designs carry risks for both customers and providersCustomer loses control over his computation and dataSplit administration Difficult to detect+resolve problems
Proposed solution: The accountable cloud
Can verify correct operation, produce evidence
Provable guarantees
solid foundation for both sides
Discussion: Guarantees, fault model, incentives, ...
Lots of research opportunities
16
© 2009 Andreas Haeberlen
Questions?