CloudArmor : Protecting Cloud Instances by Validating Client Commands

IaaS clouds offer on-demand computing resources to clients to offload the burden of IT infrastructure management. However, in order to do so, cloud clients must place full trust in the cloud infrastructure, from various cloud services to the administrators managing the infrastructure. Such trust is often unjustified given the recent evidence of vulnerabilities found in cloud services and threats from accidental and intentional mismanagement by cloud administrators. In this paper, we introduce CloudArmor, a method that validates that client commands are executed as expected on cloud nodes, even if many cloud services are under the control of adversaries. Our insight is that cloud services act as a proxy that transforms commands to sequences of operations performed in cloud. Such transformations, however, do not transform argument values, so we can construct models that limit each command’s execution to legal sequences of system calls and predict their argument values. We implemented a prototype CloudArmor for the OpenStack cloud, converting the compute node to act as a proxy for client to validate how their commands are executed in cloud. Results show that CloudArmor can defend against a variety of attacks from cloud services, enabling a reduction of trust in cloud services by over 90% with no impact on the cloud function. Moreover, as CloudArmor only mediates cloud instance operations, it imposes less than 1.2% overhead for client instances. As a result, OpenStack clients can leverage CloudArmor to manage their instances safely without sacrificing performance or cloud function.