The Cloud gets Down: Approaching the end User

Hype and inflated expectations have always been a major risk for the Cloud: the danger of never living up to what was promised. We have got used to impressive IaaS systems delivering easily manageable virtual infrastructures, virtually infinite resources and so on, and to advanced PaaS Clouds that let us deploy our applications and take care of data persistence and other development-related tasks. However, the end user was often overlooked, and the Cloud had few examples at a global scale aimed at satisfying end users’ needs.

Today, MORFEO Cloud Technologies is proud to announce the result of several years of research and testing in which members of this chapter actively collaborated.

We’d like to present 3GBox, which will also be shown at the Mobile World Congress 2010. More than a 3G modem, 3GBox helps users store their data in the cloud: the SIM card becomes the key element for security, and a local cache stores data and uploads it to the Cloud depending on the available bit rate. Heuristics keep the most “useful” data stored locally to improve the user experience. Updates, O.S. drivers and so on are downloaded from the Cloud to ease usage and configuration.

Cloud Security: new models imply new vulnerabilities

A few months ago we tested Amazon’s IaaS offering and concluded that machines deployed close together in time were also located close together. We were also able to ping machines in the same subnetwork which did not belong to us.

A recent paper by UCSD and MIT researchers (Ristenpart, Tromer, Shacham and Savage, “Hey, You, Get Off of My Cloud”, CCS 2009) goes much further than our initial observations on the security implications of the Cloud.

The authors use several “probing” techniques: enumerating public EC2-hosted web servers with hping2, nmap or wget, translating the responsive public IPs into Amazon’s internal IPs (via DNS queries issued from inside EC2), and launching a number of EC2 instances of varying types and analysing the internal IP addresses they are assigned.

From these data the authors extract the following heuristics:

  • All IPs in a /16 belong to the same EC2 availability zone.
  • A /24 inherits the instance type (small, large, x-large, etc.) of any sampled instance it contains.
  • A /24 containing a Dom0 IP address contains only Dom0 IP addresses; that /24 is labelled with the type of the instance behind the Dom0 (recall that Dom0 is the privileged management domain of the Xen hypervisor, the first domain started after boot, and that it shows up as the first hop in a traceroute from a guest).
  • All /24s lying between two consecutive Dom0 /24s inherit the type of the former.

This topic is often overlooked by Cloud providers, even though “simple” countermeasures are available, such as randomising internal IP assignment across instance types and availability zones and/or restricting the customer’s view of that assignment.

The paper then tackles an important issue: determining whether a VM is located on the same physical machine as other VMs (“co-residence”). Three checks are proposed: 1) a matching Dom0 IP address; 2) a small packet round-trip time; 3) numerically close internal IP addresses. The authors conclude that “even a very naive attack strategy can successfully achieve co-residence against a not-so-small fraction of targets”, and that “instance flooding” (launching numerous VMs immediately after the target has booted) does better still, since it can “take advantage of the parallel placement locality exhibited by the EC2 placement algorithms”.
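
The four cartography heuristics above and the three co-residence checks, turned into runnable code as an added example (this is not code from the paper, nor from MORFEO). It runs on a constructed set of observations with hypothetical 10.x addresses; the RTT and IP-distance thresholds in `coresidence_signals` and the decision rule in `likely_coresident` are placeholder assumptions, not values from the paper. The addresses are of course a snapshot of EC2 as it was in 2009; what the example shows is how little input the mapping needs once the Dom0 addresses are known.

```python
import ipaddress
from bisect import bisect_right
from collections import defaultdict

# Constructed observations (hypothetical 10.x addresses, NOT real EC2 data).
# For each probe instance we launched we record its internal IP, the
# availability zone it landed in, its instance type and the Dom0 address
# seen as the first hop of a traceroute from inside the guest.
OBSERVATIONS = [
    {"ip": "10.251.3.17",  "zone": "zone-A", "itype": "small",  "dom0": "10.251.0.5"},
    {"ip": "10.251.4.200", "zone": "zone-A", "itype": "small",  "dom0": "10.251.0.9"},
    {"ip": "10.251.9.33",  "zone": "zone-A", "itype": "large",  "dom0": "10.251.8.2"},
    {"ip": "10.252.1.40",  "zone": "zone-B", "itype": "xlarge", "dom0": "10.252.0.7"},
]


def prefix(ip, bits):
    """The /bits network that contains ip (bits=24 gives its /24)."""
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)


def build_map(observations):
    """Apply heuristics 1-3 to the observations and index the Dom0 /24s.

    Returns a dict with:
      zone_of_16: /16 network -> availability zone           (heuristic 1)
      type_of_24: /24 network -> set of instance types       (heuristics 2, 3)
      dom0_24s:   sorted list of /24s known to hold Dom0 IPs (for heuristic 4)
    A set is kept per /24 so that conflicting samples stay visible instead of
    being silently overwritten.
    """
    zone_of_16 = {}
    type_of_24 = defaultdict(set)
    dom0_24s = set()
    for obs in observations:
        # 1. every IP in a /16 is in the zone of any sampled instance in it
        zone_of_16[prefix(obs["ip"], 16)] = obs["zone"]
        # 2. a /24 inherits the type of any sampled instance inside it
        type_of_24[prefix(obs["ip"], 24)].add(obs["itype"])
        # 3. the Dom0's /24 is labelled with the type of the guest behind it
        dom0_net = prefix(obs["dom0"], 24)
        type_of_24[dom0_net].add(obs["itype"])
        dom0_24s.add(dom0_net)
    return {"zone_of_16": zone_of_16,
            "type_of_24": dict(type_of_24),
            "dom0_24s": sorted(dom0_24s)}


def infer_zone(cmap, ip):
    """Availability zone predicted for ip, or None if its /16 was never sampled."""
    return cmap["zone_of_16"].get(prefix(ip, 16))


def infer_type(cmap, ip):
    """Instance type(s) predicted for ip, or None if no heuristic applies."""
    net = prefix(ip, 24)
    if net in cmap["type_of_24"]:
        return frozenset(cmap["type_of_24"][net])
    # 4. a /24 strictly between two consecutive Dom0 /24s inherits the type of
    #    the lower one.  The rule is applied as stated, ordering the Dom0 /24s
    #    numerically over the whole address space.
    dom0s = cmap["dom0_24s"]
    i = bisect_right(dom0s, net)          # dom0s[i-1] < net < dom0s[i]
    if 0 < i < len(dom0s):
        return frozenset(cmap["type_of_24"][dom0s[i - 1]])
    return None


def coresidence_signals(probe, target, rtt_ms, rtt_threshold_ms=1.0, max_ip_distance=7):
    """The paper's three co-residence checks between our probe and a target.

    Both are dicts with "ip" and "dom0" (our own Dom0 from traceroute, the
    target's from a traceroute towards it); rtt_ms is the measured round-trip
    time of a small packet.  The two thresholds are placeholder assumptions,
    not values from the paper.
    """
    dist = abs(int(ipaddress.ip_address(probe["ip"])) - int(ipaddress.ip_address(target["ip"])))
    return {
        "same_dom0": probe["dom0"] == target["dom0"],
        "small_rtt": rtt_ms <= rtt_threshold_ms,
        "close_ip": dist <= max_ip_distance,
    }


def likely_coresident(signals):
    """Assumed decision rule: a Dom0 match is decisive; otherwise both weaker signals must agree."""
    return signals["same_dom0"] or (signals["small_rtt"] and signals["close_ip"])


if __name__ == "__main__":
    cmap = build_map(OBSERVATIONS)
    for ip in ("10.251.5.1", "10.251.200.9", "10.252.7.1", "10.250.1.1"):
        print(ip, infer_zone(cmap, ip), infer_type(cmap, ip))
    probe = {"ip": "10.251.3.17", "dom0": "10.251.0.5"}
    target = {"ip": "10.251.3.21", "dom0": "10.251.0.5"}
    sig = coresidence_signals(probe, target, rtt_ms=0.4)
    print(sig, likely_coresident(sig))
```

Note that `infer_type` labels `10.251.5.1` as “small” although nothing was ever launched in that /24: it sits between the Dom0 /24 of the small instances and the Dom0 /24 of the large one, which is exactly the kind of inference the randomised assignment suggested above would break.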

Co-resident VMs open the door to side-channel attacks. Several are discussed:

  • Denial of service through contention for shared physical resources; the same sharing also yields covert channels usable for cross-VM attacks.
  • Measuring cache usage, which gives cooperating processes in different VMs a covert channel.
  • Detecting co-residence without sending any network probes, by injecting load into the other VM and monitoring our own, so that load increases over there show up as performance drops here.
  • Estimating traffic rates to deduce the target’s activity patterns and pick the most painful moment for an attack.

The paper is a MUST read both for IaaS Cloud providers and for those planning to move some of their services to the Cloud.

OCCI Java Implementation v0.1 released

Telefónica I+D is proud to announce the first release of its OCCI Java implementation.

After UCM’s efforts to provide the first fully compliant OCCI server attached to OpenNebula, we release here a second OCCI implementation (Java REST client + server).

This is the result of privately funded efforts as well as FP7 European research projects (co-funded by Telefónica and the European Commission) such as RESERVOIR.

Affero GPL is the chosen license for this OCCI implementation. Comments, critique and feedback are most welcome through our support pages.

Thanks a lot!!

First Claudia component released: OVF Manager

Recently we created the Claudia project in the Morfeo community to provide a toolkit of components that together compose a management platform for IaaS cloud computing infrastructures, but that are at the same time independent enough to be used as separate pieces. We are proud to announce that the first of those components has been released today: the OVF Manager.

This component has been developed by Telefónica I+D, extending the base functionality provided by existing MPL code with improvements and with the processing of the OVF extensions developed specifically for cloud computing in the RESERVOIR FP7 project.

More information in the Claudia blog post.

Claudia: Telefónica I+D will release as Open Source research results on IaaS Clouds

As part of its exploitation strategy, Telefónica I+D has decided to release as Open Source a number of components developed during its research on Infrastructure as a Service (IaaS) Clouds. These components will be integrated in the Claudia Platform, which will offer a Service Management toolkit to deploy services on a public or private IaaS Cloud and control their scalability. Telefónica I+D chose the MORFEO Project to release the software because it guarantees access to the research results beyond the end of the project.

By March 2010, the first set of components, which are part of the research results of the RESERVOIR project, will be released:

  • Service Lifecycle Manager, which will control the deployment and dynamic scalability processes of the services.
  • Scalability and Optimization Manager, which will dynamically drive the configuration and scalability of the services.
  • OVF Manager component, a library to parse and transform the OVF files that contain the service definition.
  • Service Monitoring Framework, based on the WASUP platform, which will store and distribute the status of the services.
  • Cloud Dashboard, based on the EzWeb mashup platform, which will provide a Web GUI to manage the Cloud.
  • The Service Manager Interface, an API that will allow developers to manage the deployment of their services as a whole.
  • Implementation of the OCCI (Open Cloud Computing Interface) API to integrate Claudia with different Virtual Infrastructure managers.

These components will continue to evolve and will be brought to “production” status by Telefónica I+D. Each component will be released under its own Open Source license (GPL, Apache, MPL, etc.). Telefónica I+D will also provide commercial support under a dual-license scheme.

The Claudia Platform is aligned with the vision of Morfeo’s Cloud Technologies Chapter of integrating a complete Open Source stack for managing an IaaS Cloud. Accordingly, Claudia will be fully integrated with OpenNebula through the OCCI API, as both are members of the chapter.

For more information about the Platform Architecture and other documentation, please visit our Wiki.