CloudRand: Building Heterogeneous and Moving-target Network Interfaces
© 2018 IEEE. Our networked systems remain vulnerable to network attacks for some fundamental reasons: (1) they are more open than necessary; (2) they are homogeneous, i.e., the way a vulnerability is exploited on one machine applies directly to many other machines (a particularly severe issue in cloud computing environments, where virtual machine images are heavily reused and cloned); (3) current networked services are merely static targets, i.e., they are predictable and do not change. While network authentication and access control mechanisms such as firewalls and VPNs help reduce the openness (mostly at the network perimeter), they do little about the latter two factors. To bridge this gap and greatly complement existing network authentication and access control mechanisms, we propose CloudRand, a new framework that makes networked systems and services in the cloud heterogeneous (every host has a different networking interface) and moving targets (the interfaces keep changing and are unpredictable to untrusted entities). Inspired by previous work on host-level (memory or instruction) Address Space Randomization (ASR), we build a lightweight solution that randomizes network service interfaces. Thus, even when derived from the same image, each virtual machine can have very different network service interfaces, and these keep changing to further reduce the attack surface. CloudRand is an application-independent security service, orthogonal to existing application and network security mechanisms such as authentication, encryption, and access control.
To fit different environments such as clouds or enterprise networks, we provide prototype systems at several levels for flexible deployment choices, e.g., host level (kernel drivers for both Linux and Windows), network level (based on the Click modular router or software-defined networking technology), virtual machine hypervisor level (based on Xen), and application level (browser plugin). Our extensive evaluation shows that this solution has low overhead, significantly reduces the network attack surface, and successfully defeats malware epidemic attacks.
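To make the idea of a heterogeneous, moving-target network interface concrete, here is an added example (not the CloudRand prototype code; the abstract does not describe the paper's actual mapping scheme). It derives a per-host key from a master secret so that VMs cloned from the same image get different external ports, rotates the mapping every epoch, and resolves incoming ports back to real services on the host side. The master secret, host ids, port range and rotation period are assumptions.

```python
import hmac
import hashlib

# Constructed parameters (assumptions, not taken from the CloudRand paper).
PORT_RANGE = (10000, 60000)   # randomized external ports are drawn from here
ROTATION_PERIOD = 300         # seconds per epoch; interfaces change every epoch


def derive_host_key(master_secret: bytes, host_id: str) -> bytes:
    """Per-host key: VMs cloned from one image still get distinct interfaces."""
    return hmac.new(master_secret, b"host:" + host_id.encode(), hashlib.sha256).digest()


def current_epoch(now: float, period: int = ROTATION_PERIOD) -> int:
    """Epoch counter; a new epoch means a new, unpredictable port mapping."""
    return int(now // period)


def interface_map(host_key: bytes, service_ports, epoch: int) -> dict:
    """Map each real service port to an external port for this epoch.
    Only holders of host_key can compute it; collisions between services on
    the same host are resolved by re-hashing with a counter."""
    lo, hi = PORT_RANGE
    mapping = {}
    for sp in sorted(service_ports):            # fixed order keeps the map deterministic
        counter = 0
        while True:
            msg = f"{sp}:{epoch}:{counter}".encode()
            digest = hmac.new(host_key, msg, hashlib.sha256).digest()
            port = lo + int.from_bytes(digest[:4], "big") % (hi - lo)
            if port not in mapping.values():
                mapping[sp] = port
                break
            counter += 1
    return mapping


def resolve(host_key: bytes, service_ports, epoch: int, external_port: int):
    """Host-side lookup: which real service does an external port belong to?
    The previous epoch is also accepted so a client mid-rotation is not cut off.
    Returns None for ports that match no service, i.e. traffic to drop."""
    for ep in (epoch, epoch - 1):
        for sp, port in interface_map(host_key, service_ports, ep).items():
            if port == external_port:
                return sp
    return None
```

A trusted client holding the host key computes the same `interface_map` for the current epoch, while an untrusted scanner sees only ports that differ per host and change every rotation period.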
Authors: Shin, S., Xu, Z., Kim, Y., & Gu, G.