Subcontract: a flexible base for distributed programming
SOSP '93 Proceedings of the fourteenth ACM symposium on Operating systems principles
An active service framework and its application to real-time multimedia transcoding
Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication
Protection in the Hydra Operating System
SOSP '75 Proceedings of the fifth ACM symposium on Operating systems principles
Towards an Active Network Architecture
DANCE '02 Proceedings of the 2002 DARPA Active Networks Conference and Exposition
Xen and the art of virtualization
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Enterprise Service Bus
Operational information systems: an example from the airline industry
WIESS'00 Proceedings of the 1st conference on Industrial Experiences with Systems Software - Volume 1
E2EProf: Automated End-to-End Performance Management for Enterprise Systems
DSN '07 Proceedings of the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
High performance and scalable I/O virtualization via self-virtualized devices
Proceedings of the 16th international symposium on High performance distributed computing
End-to-end web application security
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
Protected data paths: delivering sensitive data via untrusted proxies
Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services
I-queue: smart queues for service management
ICSOC'06 Proceedings of the 4th international conference on Service-Oriented Computing
Extending virtualization services with trust guarantees via behavioral monitoring
Proceedings of the 1st EuroSys Workshop on Virtualization Technology for Dependable Systems
VStore: efficiently storing virtualized state across mobile devices
Proceedings of the First Workshop on Virtualization in Mobile Computing
Loosely coupled coordinated management in virtualized data centers
Cluster Computing
| Hi-index | 0.00 |
Protecting shared sensitive information is a key requirement for today's distributed applications. Our research uses virtualization technologies to create and maintain trusted data paths across distributed machines, for the services being run and their information exchanges. For trusted data paths, runtime protection methods control what data is visible to which distributed services operating on it, guided by online monitoring that determines the levels of trust inherent in the paths' machines, services, and service actions. This paper presents a key functional element of trusted data paths, which is the ProtectIT interception mechanism for controlling the data exchanges between the different virtual machines running trusted services. ProtectIT can be applied to any communication and/or I/O performed by virtual machines, and because ProtectIT does not require application, middleware, or operating system modifications, it can be used to construct trusted data paths without the knowledge or consent of such entities. Further, since ProtectIT operates in virtual machines isolated from those used by applications, it is not subject to the attacks faced by services exposed to the open Internet. ProtectIT's functionality consists of dynamic protection rules represented as data filters applied to virtual machines' communications. Examples presented in this paper include email services for which ProtectIT's filters control data visibility to mail servers and clients, and unsecured virtual machine communications morphed into secure ones via ProtectIT-based message interception.