By Topic

Protection mechanisms for application service hosting platforms

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

3 Author(s)
Xuxian Jiang ; Dept. of Comput. Sci., Purdue Univ., West Lafayette, IN, USA ; Dongyan Xu ; Eigenmann, R.

The application service hosting platform (ASHP) has recently received tremendous attention from both industry and academia. An ASHP provides a shared high-performance infrastructure to host different application services (AS), outsourced by application service providers (ASP). In this paper, we focus on the protection of ASHP which has inherent requirement of sharing, openness, and mutual isolation. In contrast to a dedicated server platform, which is analogous with a private house, an ASHP is like an apartment building, involving the 'host' - the ASHP infrastructure, and the 'tenants' - the AS. Strong protection and isolation must be provided between the host and the tenants, as well as between different tenants. Unfortunately, traditional OS architecture and mechanisms are not adequate to provide strong ASHP protection. In this paper we first make the case for a new OS architecture based on the virtual OS technology. We then present three protection mechanisms we have developed in SODA, our ASHP architecture. The mechanisms include: (1) resource isolation between AS; (2) virtual switching and firewalling between AS; and (3) kernelized intrusion detection and logging for each AS. For (3), we have developed a system called Kernort inside the virtual OS kernel. Kernort detects network intrusions in real-time and logs AS activities even when the AS has been compromised. Moreover for the privacy of AS, logs are encrypted by Kernort so that the 'landlord' (namely ASHP owner) cannot view them without authorization. We are applying SODA to iShare, an Internet-based distributed resource sharing platform.

Published in:

Cluster Computing and the Grid, 2004. CCGrid 2004. IEEE International Symposium on

Date of Conference:

19-22 April 2004