CS 6393: Security Architectures for Cloud and Distributed Systems
Spring 2014, Friday 10am-12:30pm, Location: FLN 3.02.10A
Course prerequisites will be strictly enforced
Important Notices:
- 13/3/14: Presentation schedule revised. All presentations will be in ICS conference room. Yuan Cheng and Xin Jin PhD defenses scheduled. See special events in weekly schedule.
- 30/1/14: Major update.
- 12/10/13: Initial web site created. Next expected update after start of Spring 2014 semester.
- Watch this space for important announcements throughout the course. Recent announcements will be at top and highlighted in red.
Course Prerequisites:
- Currently enrolled in CS PhD program at UTSA.
- Successfully passed CS PhD qualifying examination.
- Completed CS 5323 Principles of Information Security.
- Knowledge of OpenStack and AWS programming highly desirable.
- Prerequisites will be strictly enforced. No exceptions.
Catalog Description:
- 6393 Advanced Topics in Computer Security (3-0) 3 hours credit.
Analysis of computer security. The topics may include but are not limited to database and distributed systems security, formal models for computer security, privacy and ethics, intrusion detection, critical infrastructure protection, network vulnerability assessments, wireless security, trusted computing, and highly dependable systems. May be repeated for credit when topics vary.
- This course is different from any prior offering of CS 6393. It is eligible for repeated credit.
Course Format:
- Lectures with supporting papers from the literature.
- Programming projects on OpenStack, AWS and possibly other cloud platforms.
- Modeling projects to relate security features of OpenStack, AWS and possibly other cloud platforms, to formal security models.
Course Objectives:
- This is a research-oriented course designed for post-qualifier CS PhD students.
- Primary goal is to develop broad and deep understanding of security features of current cloud platforms and their possible shortcomings.
- Identify high potential topics for cloud security research.
Grading:
- Grading will be based on: (i) individual term project, (ii) project presentation and discussion, and (iii) participation in class discussions.
Schedule Notes:
- The weekly schedule is subject to change and adjustment as the semester proceeds.
- Assigned readings for a lecture are expected to be read in full in advance of the lecture for maximum benefit. Readings marked as partial are not required to be read in full. Selected aspects will be covered in class. Readings marked as reference should be reviewed as indicated in each case and will only be discussed briefly in class.
Schedule by Week: In Progress
Part 1: Lectures by Prof. Sandhu
- 1/17/14: Reprise of 4/12/13 and 4/19/13 lectures from CS 6393 Spring 2013
- 1/24/14: UTSA closed due to inclement weather
- 1/31/14: Virtualization
Read in Full:
- Diego Perez-Botero, Jakub Szefer, and Ruby B. Lee. 2013. Characterizing hypervisor vulnerabilities in cloud computing servers. In Proceedings of the 2013 international workshop on Security in cloud computing (Cloud Computing '13 at AsiaCCS).
pdf
- 2/07/14: Virtualization
slides
Read in Full:
- Smith, J.E. and Nair, R., "The Architecture of Virtual Machines," IEEE Computer, vol. 38, no. 5, pp. 32-38, May 2005.
pdf
- SCOPE Alliance. Virtualization: State of the Art. Version 1.0, April 3, 2008. 18 pages.
pdf
Read in Part:
- Gábor Pék, Levente Buttyán, and Boldizsár Bencsáth. 2013. A survey of security issues in hardware virtualization. ACM Comput. Surv. 45, 3, Article 40 (July 2013)
pdf
Xen links:
- Xen project wiki
- Xen Server and OpenStack wiki
- The deployment architecture of Xen with OpenStack
- How to install Xen with Ubuntu 12.04
- A note on XCP and XAPI
- 2/14/14: Virtualization
slides
Read in Part:
- Uhlig, R.; Neiger, G.; Rodgers, D.; Santoni, A.L.; Martins, F.C.M.; Anderson, A.V.; Bennett, S.M.; Kagi, A.; Leung, F.H.; Smith, L., "Intel virtualization technology," IEEE Computer, vol. 38, no. 5, pp. 48-56, May 2005
pdf
- Yaozu Dong, Shaofan Li, Asit Mallick, Jun Nakajima, Kun Tian, Xuefei Xu, Fred Yang, Wilfred Yu. "Extending Xen With Intel Virtualization Technology." Intel Technology Journal 10.3 (2006): 193-203
pdf
- Michael Pearce, Sherali Zeadally, and Ray Hunt. 2013. Virtualization: issues, security threats, and solutions. ACM Comput. Surv. 45, 2, Article 17 (March 2013), 39 pages.
pdf
Read as Reference:
- Gerald J. Popek and Robert P. Goldberg. 1974. Formal requirements for virtualizable third generation architectures. Commun. ACM 17, 7 (July 1974), 412-421.
pdf
- R.L. Brown, P.J. Denning, W.F. Tichy, "Advanced Operating Systems," Computer, vol. 17, no. 10, pp. 173-190, October 1984
pdf
Hypercall confusion:
- Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217
- 2/21/14: Open discussion on access control in the cloud, in OpenStack and in AWS
- 2/28/14: No class. Project work day.
- 3/07/14: I/O virtualization
slides
Read in Part:
- Waldspurger, Carl, and Mendel Rosenblum. "I/O virtualization." Communications of the ACM 55.1 (2012): 66-73.
pdf
- Simon Crosby and David Brown. 2006. The Virtualization Reality. Queue 4, 10 (December 2006), 34-41.
pdf
- Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. 2003. Xen and the art of virtualization. In Proceedings of the nineteenth ACM symposium on Operating systems principles (SOSP '03).
pdf
- Santos, Jose Renato, et al. "Bridging the Gap between Software and Hardware Techniques for I/O Virtualization." USENIX Annual Technical Conference. 2008.
pdf
- 3/14/14: Spring Break. No class.
- 3/21/14: No class. Project work day.
- 3/28/14: No class. Project work day.
Part 2: Presentations by students: In ICS Conference room
- 4/04/14: Xin Jin: Attribute Based Access Control and Implementation in Infrastructure as a Service Cloud
slides (pptx)
slides (pdf)
- 4/11/14: Bo Tang: Multi-Tenant Access Control for Collaborative Cloud Services
slides (pptx)
slides (pdf)
- 4/15/14: Tuesday make up class. Dang Nguyen: Provenance-based Access Control in Cloud IaaS
slides (pptx)
slides (pdf)
- 4/16/14: Wednesday special event: Yuan Cheng PhD defense, CS conference room, 10am-12noon
- 4/18/14: Khalid Bijon Zaman: Risk-Aware Role and Attribute Based Access Control Models
slides (ppt)
slides (pdf)
- 4/22/14: Tuesday special event: Xin Jin PhD defense, CS conference room, 10am-12noon
- 4/23/14: Wednesday make up class. Prosunjit Biswas: ZeroVM Background
slides (ppt)
slides (pdf)
Papers:
- Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham. 1993. Efficient software-based fault isolation. SIGOPS Oper. Syst. Rev. 27, 5 (December 1993), 203-216.
pdf
- Strauss, David. "Containers---Not Virtual Machines---Are the Future Cloud." Linux Journal. 2013.
pdf
- 4/25/14: Navid Pustchi: Multi Cloud
slides (pptx)
slides (pdf)
Papers:
- Lee Badger, Tim Grance, Robert Patt-Corner and Jeff Voas. "Cloud Computing Synopsis and Recommendations." NIST Special Publication 800-146, May 2012.
pdf
- Bohli, J.-M.; Gruschka, N.; Jensen, M.; Iacono, L.L.; Marnau, N., "Security and Privacy-Enhancing Multicloud Architectures," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 212-224, July-Aug. 2013.
pdf
- Vandenberghe, Wim, et al. "Architecture for the heterogeneous federation of future internet experimentation facilities." Future Network and Mobile Summit (FutureNetworkSummit), 2013. IEEE, 2013.
pdf
- Chadwick, David W., et al. "Adding Federated Identity Management to OpenStack." Journal of Grid Computing (2013): 1-25.
pdf
- del Castillo, Lorenzo, et al. "OpenStack Federation in Experimentation Multi-cloud Testbeds." (2013).
pdf
- 4/29/14: Tuesday make up class. Tahmina Ahmed: ABAC safety and analysis
slides (pdf)
- 4/30/14: Wednesday make up class. Discussion with Dolph Mathews, Rackspace, OpenStack-Keystone leader.
Bo slides (pdf)
Navid slides (pptx)
(pdf)
- 5/01/14: Thursday make up class. Amy Zhang: Information Sharing in Cloud
slides (pdf)
END