Scribe Notes

Mainframes - 1960s

Data intensive
Had to focus on data optimization
Reliability

Clusters - 1990s

Machines that work together over an IP network.
Don't need to be running on identical hardware.
"Single image cluster": the operating system treats the cluster as one whole thing.
- People have tried to build these, but they're not very popular because the optimization decisions come out badly. Also, how do you patch the OS?

Clouds

"clusters of clusters"
Spread across multiple locations, communicate through the internet
Political issues: Who controls the cloud? Who pays for it?
- These become technical issues: security, resource management

Clouds

Most well known clouds: AmazonEC2, Globus

Advantages over clusters/grids:

Short-term commitment (don't need to invest in a whole cluster)
Pay as you go (buy more computing power as you need it)
Fast scaling, it can grow quickly as needed. This works well when the demand is unknown or can vary

Disdvantages:

$ - If you know exactly what the program needs, a cluster is better
Privacy - data confidentiality
- Even encrypting data transfers between you and the cloud won't secure you from the cloud's owner
Network latency - not dependable
Data transfer bottlenecks (huge unsolved problem)
- Archiving
- "sneakernet" - send the data in some physical form instead
Bugs
- Some may only appear as you scale up
- Can't solve these cheaply, as you would need to debug it at the scale the bug is at
Other Security
- DoS attacks
- Physical attacks (though clouds are harder to bring down)
Overload risks - if all the users combined exceed the cloud's capacity
- Use multiple suppliers
- Societal risk
- Overloads typically happen for data access, not CPU (need scalable storage solution)
Vendor Lock-In
- Stuck with whoever you choose
- Owner might take the cloud in the wrong direction
Software Licensing
- Need a license for each VM
- "software jail" - for some software licenses you don't have to publish changes if you don't distribute them

We want something simpler than resources × principals × access types, something easier to manage & understand
Need to accurately prohibit "bad" access and allow "good" access

Traditional Unix

rwx rwx rwx
[user] [group] [other]

Originally, users had 1 group, but now they can have multiple.

ACLs - Access Control Lists

Owner of a resource can specify an access list.
An access list is a list of principals and their accesses.

In Solaris, a very simple ACL would look like this:

$ getfacl .
    user::rwx
    group::r_x
    other::r_x
	
$ setfacl .

ACL key idea: making sure the default ACLs are correct when a resource is created

Role-Based Access Control (RBAC)

Replaces principals with roles.
Users can assume various roles.
Some example roles:

backup (would have read access to everything)
poweroff
change grades

Applications run limited roles.

Mechanisms for enforcing access control

ACLs

Each resource has an ACL (controlled by the OS) attached to it, all accesses are mediated by the OS.

Capabilities

Each principal has a set of capabilities. They have a hashed pointer to the resource which the OS decrypts. (This can be done in hardware)

Trusted Software

From an OS viewpoint: Oses don't drust apps because they don't trust the users that run them.
However, some programs are trusted, like login. These programs have a bit set in their permissions that makes them run as the owner of the file when executed, this way they can do things only root can do.

But which programs do we trust?

as few as possible
and those programs should be as small as possible

How can we trust login? By checking a cryptographic checksum of the program.
Apparently there's a very large trusted computing base, which is a big security problem.

CS111, Lecture 19

Cloud Computing

Clouds

Security

Traditional Unix

ACLs - Access Control Lists

Role-Based Access Control (RBAC)

Mechanisms for enforcing access control

ACLs

Capabilities

Trusted Software