Privacy-Sensitive VM Retrospection

Authors

  • Wolfgang Richter
  • Glenn Ammons
  • Jan Harkes
  • Adam Goode
  • Nilton Bila
  • Eyal de Lara
  • Vasanth Bala
  • Mahadev Satyanarayanan
Abstract

The success of cloud computing leads to large, centralized collections of virtual machine (VM) images. The ability to retrospect (examine the historical state of) these images at a high semantic level can be valuable in many aspects of IT management, such as debugging and troubleshooting, software quality control, legal establishment of data or code provenance, and cyber forensics such as malware tracking and licensing violations. In this paper, we explore the privacy implications of VM retrospection. We argue that retrospection will worsen current concerns about privacy in cloud computing. We develop privacy-sensitive requirements for the design of a retrospection mechanism, and then show how they can be met in a functional prototype.

1 Executable Content as Searchable Data

We normally think of VM images as executable content, but the practice of archiving VM snapshots in cloud computing suggests that it may also be valuable to view them as "big data." Snapshots of a VM image over time represent historical provenance that can be relevant to debugging, troubleshooting, and forensics. We use the term VM retrospection for this ability to pose and answer deep questions about VM images. In contrast to VM introspection [5], which examines active VM state during execution, retrospection focuses on passive VM state.

For example, consider a developer who periodically snapshots his VM. When a colleague encounters a misconfiguration bug that has plagued the developer in the past, he is able to search through the VM history to reproduce the bug and to recapitulate its fix. A different example involves a graphic arts company that is accused of copyright infringement. By searching the archived VM history of the company's employees, the plaintiff is able to show how they transformed the original photograph into the disputed product. Other use cases of VM retrospection can be found in a recent position paper [11].

This paper focuses on the privacy implications of VM retrospection. We argue that retrospection will worsen current concerns about privacy in cloud computing. We develop privacy-sensitive requirements for the design of a retrospection mechanism, and then show how they can be met in a functional prototype.

2 Honoring the Principle of Least Privilege

A dominant concern of retrospection is the need to be extremely sensitive to issues of privacy. There is already enormous public concern about the potential for compromise of personal privacy in cloud computing. The concentration of VM images in a cloud, rather than the dispersal of that state over myriad personal computers (many inaccessible behind firewalls), simplifies the task of exploring that state for good or evil. Just a small sampling of the huge volume of recent discourse on this topic [2, 3, 7] shows the level of public concern. Microsoft recently requested the United States Congress to pass legislation on privacy in cloud computing [12]. In this highly charged atmosphere, creating a VM retrospection capability is sure to cause alarm. It is therefore essential that the high-level architecture and method of operation of the mechanism be clearly and unambiguously biased in favor of privacy.

The deep concerns about privacy suggest that a good retrospection mechanism is unlikely to be obtained through the most obvious implementation strategy. That strategy would be to leverage the well-understood world of Web search exemplified by Google and Bing, and to use bulk indexing infrastructure such as MapReduce to periodically crawl VM images in a cloud and index their content. Such an approach would inflame privacy advocates because of the power it would give to cloud owners and their search partners: fear of abuse of that power, serious concerns about unauthorized searches by cloud employees on already-built indexes, and great concern over the repeated exposure of data each time an index is created.

These issues have not surfaced in the context of Web search because the data in question is, by definition, "published" by its owners. In contrast, VM images in a cloud are not "published" by their owners; they are given for safe-keeping to the cloud operator, much as one places valuables in a bank's vault. Since perception matters as much as reality in matters of trust, these privacy-related concerns will be difficult to overcome.

A good retrospection mechanism should be fine-grained and selective in its application. It should involve more heavyweight actions than an index lookup, and there should be an opportunity to inspect and/or audit the computations involved in a search. The mechanism should not require any component (such as a search engine for index creation) to have cloud-wide access to the complete con-
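As an added illustration (this is not code from the paper or its prototype), the following Python sketch contrasts the two designs discussed above: a crawler-built global index that anyone holding it can query about any tenant, versus on-demand retrospection in which each query runs only over snapshots their owner has explicitly released to the requester, uses a declarative predicate that is logged verbatim so the owner can inspect what was computed, and records a digest of the snapshot content that was read. The snapshot store, tenant names, query vocabulary and grant structure are all constructed for the example.

```python
"""Added example: global-index retrospection vs. per-snapshot, owner-authorized,
audited retrospection. All data below is constructed for illustration."""
import hashlib
from dataclasses import dataclass, field

# Constructed snapshot store: snapshot id -> {path: file content}. Two tenants.
SNAPSHOTS = {
    "alice/vm1@2011-03-01": {
        "/etc/hosts": "127.0.0.1 localhost",
        "/home/alice/notes.txt": "draft v1",
    },
    "alice/vm1@2011-04-01": {
        "/etc/hosts": "127.0.0.1 localhost\n10.0.0.5 db",
        "/home/alice/notes.txt": "draft v2",
    },
    "bob/vm7@2011-04-01": {
        "/etc/hosts": "127.0.0.1 localhost\n10.0.0.5 db",
        "/home/bob/payroll.csv": "employee salary\nbob 1",
    },
}


def build_global_index(snapshots):
    """Design the paper argues against: a crawler that reads every tenant's
    snapshot (cloud-wide access) and keeps an index that outlives the crawl."""
    index = {}
    for snap, files in snapshots.items():
        for path, content in files.items():
            for token in set(content.split()):
                index.setdefault(token, set()).add((snap, path))
    return index


def index_lookup(index, token):
    """Cheap and untraceable: whoever can read the index can answer questions
    about any tenant's snapshots, with no per-owner authorization step."""
    return sorted(index.get(token, ()))


# Deliberately small, declarative query vocabulary so an audit entry fully
# describes the computation that ran (hypothetical keys chosen for this example).
_QUERY_KEYS = {"path_prefix", "contains"}


def _validate(query):
    unknown = set(query) - _QUERY_KEYS
    if unknown:
        raise ValueError("unsupported query keys: %s" % sorted(unknown))


def _matches(query, path, content):
    """Every key present in the query must hold for the file."""
    if "path_prefix" in query and not path.startswith(query["path_prefix"]):
        return False
    if "contains" in query and query["contains"] not in content:
        return False
    return True


@dataclass
class AuditedRetrospector:
    """Per-snapshot, owner-authorized, audited search. A query is a heavyweight
    computation run only over snapshots whose owner granted this requester
    access, and every attempt (including denials) is recorded."""
    store: dict            # snapshot id -> {path: content}
    grants: set            # (requester, snapshot_id) pairs approved by the owner
    audit_log: list = field(default_factory=list)

    def search(self, requester, snapshot_ids, query):
        _validate(query)
        hits = []
        for snap in snapshot_ids:
            entry = {"requester": requester, "snapshot": snap, "query": dict(query)}
            if (requester, snap) not in self.grants:
                entry["outcome"] = "denied"
                self.audit_log.append(entry)
                continue
            files = self.store[snap]
            # Digest of what was actually read, so the owner can later tie the
            # audit entry to a specific snapshot version.
            entry["snapshot_digest"] = hashlib.sha256(
                repr(sorted(files.items())).encode()).hexdigest()[:16]
            matched = [p for p, c in files.items() if _matches(query, p, c)]
            entry["outcome"] = "matched %d" % len(matched)
            self.audit_log.append(entry)
            hits.extend((snap, p) for p in matched)
        return hits


if __name__ == "__main__":
    idx = build_global_index(SNAPSHOTS)
    print("index holder sees:", index_lookup(idx, "salary"))
    r = AuditedRetrospector(SNAPSHOTS, {("auditor", "alice/vm1@2011-03-01"),
                                        ("auditor", "alice/vm1@2011-04-01")})
    print(r.search("auditor", list(SNAPSHOTS), {"path_prefix": "/etc/", "contains": "10.0.0.5"}))
    for e in r.audit_log:
        print(e)
```

In the index design, a single lookup for "salary" returns Bob's payroll file to whoever holds the index, and nothing records that it happened. In the audited design, the same question about Bob's snapshot is refused and logged, the query over Alice's snapshots is logged with the exact predicate and a digest of the bytes read, and no component ever needs read access to every tenant's snapshots at once.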




Journal title:

Volume   Issue

Pages  -

Publication date: 2011