AT&T Labs Research — Leading Invention, Driving Innovation

(c) ACM, 2012. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in 2012 , 2012-10-19.

{Major cloud providers have recently been building cloud markets, which serve as a hosting platform for VMs pre-installed with a variety of software stacks. Clients of cloud computing leverage such markets by downloading and instantiating the VMs that best suit their computing needs, thereby saving the effort needed to configure and build VMs from scratch. This vision paper argues for a richer model of cloud markets. We envision a market of VM apps that can interact with client VMs in a rich set of ways to provide a number of services that are currently supported only by cloud providers. For example, clients can use VM apps to deploy virtual machine introspection-based security tools and various network middleboxes on their work VMs without requiring the cloud provider to deploy these services on their behalf. This paper presents a taxonomy of VM apps, analyzes the key requirements needed to realize such VM apps, and explores the design and tradeoffs of various options to implement VM apps.}

(c) ACM, 2012. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in 2012 , 2012-10-16.

{Modern cloud computing infrastructures use virtual machine monitors (VMMs) that often include a large and complex administrative domain with privileges to inspect client VM state. Attacks against or misuse of the administrative domain can compromise client security and privacy. Moreover, these VMMs provide clients inflexible control over their own VMs, as a result of which clients have to rely on the cloud provider to deploy useful services, such as VM introspection-based security tools. We introduce a new self-service cloud (SSC) computing model that addresses these two shortcomings. SSC splits administrative privileges between a system-wide domain and per-client administrative domains. Each client can manage and perform privileged system tasks on its own VMs, thereby providing flexibility. The system-wide administrative domain cannot inspect the code, data or computation of client VMs, thereby ensuring security and privacy. SSC also allows providers and clients to establish mutually trusted services that can check regulatory compliance while respecting client privacy. We have implemented SSC by modifying the Xen hypervisor. We demonstrate its utility by building user do- mains to perform privileged tasks such as memory introspection, storage intrusion detection, and anomaly detection.}