The invention generally relates to virtual computing platforms. More particularly, but not exclusively, the invention relates to securing distributed virtual computing platforms for mobile devices as well as for non-mobile devices.
A generic distributed virtual computing platform provides an environment in a network for mobile users to host a service instead of running it on their mobile terminals, where there are limitations in computing, storage, as well as communication resources. Users are allowed to push their services to, and subsequently host their services on the virtual computing platform. As an example, a subscriber may host a web server on the platform, rather than having it on his/her mobile terminal. The same virtual computing platform may also be used by application developers for developing peer-to-peer applications (e.g., gaming applications).
The virtual computing platform is not limited to use by mobile users only, but can also be used by non-mobile devices. A subscriber having a non-mobile or fixed terminal may decide to run some services on the virtual computing platform as well, e.g., the subscriber may not be running his/her own desktop computer all the time, and to make his/her services available all the time, he/she can host the services on such a virtual computing platform.
In the following, the architecture of a generic distributed virtual computing platform is described in more detail. A distributed virtual computing platform is a virtualization of hardware resources that the operator or third-party service provider provides, as a unified view, to the subscribers. The term “operator” and the “service provider” that provides this kind of virtual computing platform service for devices can generally be used interchangeably. In the following description, the term operator will be used.
A generic virtual computing platform allows multiple users to host applications on the same physical machine, namely, the service platform.
The virtual computing platform 100 further comprises hardware 170, such as a processing unit 171 for performing actions with the aid of memory 172 and disk 173. The hardware further comprises a network interface 174 for accessing the Internet and/or other networks.
Virtual computing platforms are subject to various kinds of attacks, many of which are unique to such platforms. As far as distributed virtual computing platforms described are concerned, it is possible for one hostile subscriber to launch attacks against other subscribers. These attacks are possible since the traffic from one service proxy to another is considered “internal” communication. One such security threat will be more closely described in the following.
It can be understood from the foregoing that one special characteristic of the service platform described in the preceding is that more than one user shares the computing and communication resources. Each of the service proxies runs in a sandbox environment (e.g., a Java Virtual Machine) and is not supposed to interfere with the others. However, an application running on one service proxy can legitimately send information to another application running on another service proxy. This type of internal traffic is called inter-process communication (IPC). If an “internal” attacker desires to launch layer-3 (network layer of the well-known OSI model) or layer-4 (transport layer) attacks against other service proxies of the same service platform, this will be rather easy. This is because internal traffic is typically subject to less strict security measures (or none) compared to external traffic, which will typically be filtered by one or more firewalls in the network.
A first service proxy can generate a packet towards another service proxy running on the same service platform, causing it to overload or perform illegal operations. For example, in all IP stack implementations (from different operating systems, products, etc.), the IP layer checks the source and destination IP addresses of an IP packet. If they are the same (which is the case inside a single service platform), then it forwards the packet directly to the receiving application. A malicious service proxy can therefore generate traffic to another service proxy inside the same service platform without considerable difficulty.
In the example shown in
One solution to this problem is to run a host firewall inside the service platform and have policy rules specifying that only IP packets with the same source and destination IP addresses will be filtered. By a host firewall is meant a software firewall running in a host machine (here: the service platform) to filter traffic in and out of the host machine. This is sometimes referred to as a personal firewall. However, this solution has several drawbacks. Firstly, the service platform will be slowed down, as it is not designed for network-centric operations (which use network processors, etc.). Secondly, a single subscriber may use more than one service proxy, in which case unnecessary filtering of traffic from the same user cannot be avoided. Thirdly, application layer attacks cannot be filtered, as a host firewall typically does not filter application layer attacks.
It is an object of the invention to provide a better solution for the security problem of virtual computing platforms.
According to a first aspect of the invention there is provided a virtual computing platform for providing subscribers of the virtual computing platform with means for running their applications on the platform instead of running the applications on their personal devices, the virtual computing platform being adapted to route communication directed from a first application of the platform to a second application of the platform via an external security appliance.
Accordingly, to protect the service platform from the threat described in the introductory portion, one basic idea of the invention is to force inter-process communication (IPC) traffic between service proxies owned by different subscribers to route through external security appliance(s) (including firewall, web shield, anti-virus, anti-spam, etc.). As discussed in the foregoing, a host firewall typically can deal with layer-3 or layer-4 attacks only. In an embodiment of the invention, a separate device, for example, an application layer firewall (a web shield or similar for web traffic) is used for application layer attacks. A host firewall is an inefficient solution compared to external security appliances, which have dedicated hardware/software to handle the traffic.
Advantageously, said external security appliances are local devices residing close to the virtual computing platform in question. Yet advantageously, the virtual computing platform comprises rules according to which internal communication of the platform is routed towards a set of external security appliances.
According to a second aspect of the invention there is provided a method for a virtual computing platform providing subscribers of the virtual computing platform with means for running their applications on the platform instead of running the applications on their personal devices, wherein the method comprises: routing communication directed from a first application of the platform to a second application of the platform via an external security appliance.
According to a third aspect of the invention there is provided software for a virtual computing platform providing subscribers of the virtual computing platform with means for running their applications on the platform instead of running the applications on their personal devices, wherein the software comprises:
program code for causing the virtual computing platform to route communication directed from a first application of the platform to a second application of the platform via at least one external security appliance.
The software may be computer program product(s), comprising program code, stored on a medium, such as a memory.
According to a fourth aspect of the invention there is provided a system comprising:
computer means for implementing a virtual computing platform for providing subscribers of the virtual computing platform with means for running their applications on the platform instead of running the applications on their personal devices, the virtual computing platform being adapted to route communication directed from a first application of the platform to a second application of the platform via at least one external security appliance, the system further comprising: said at least one external security appliance for receiving and acting upon said communication routed by the virtual computing platform.
Dependent claims relate to different embodiments of the invention. The subject matter contained by the embodiments and relating to a particular aspect of the invention may be applied to other aspects of the invention mutatis mutandis.
Embodiments of the invention will now be described by way of example with reference to the accompanying drawings in which:
The subject matter contained in the introductory portion of this patent application is used to support the detailed description. Accordingly, an embodiment of the invention also operates in the framework presented in
In the present embodiment, an operating system kernel is required to function in a certain way. The operating system kernel is the centerpiece of the operating system. In terms of
In
Messages 42 are policy configuration messages sent between the service management daemon 105 and the external security appliances 191-194. Concerning policy configuration messages, the firewall 192 is taken as an example. The term “policy” means here, among other things, a set of installed filtering rules that the firewall 192 should use to filter traffic. In the present embodiment, the service management daemon 105 is responsible for sending this policy to the firewall 192, basically to configure it such that it will filter in a desired way. For example, if HTTP service is allowed, a certain port (e.g., port number 80) should be opened in a firewall. In the present embodiment, this policy may change over time as well, as a new subscriber joins or when a new proxy is launched. In that case, new rules specific to this subscriber or proxy may need to be communicated to the firewall. The policy configuration works correspondingly for the others of said external security appliances.
In more detail, the operating system kernel can be programmed (a suitable software module comprising desired program code can be added) to operate as follows:
These modifications to the kernel should not substantially affect application process operations at all, and are transparent to the users.
Embodiments of the invention can be implemented by means of suitable extensions to an existing operating system kernel. As mentioned in the preceding, in accordance with an embodiment of the invention, each subscriber is identified by, and allocated, a unique group and user identification. When a service proxy initiates IPC to another service proxy running on the same machine, the following action, presented as pseudo-code, is taken:
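The following is an added illustration of the two mechanisms described above, the policy configuration messages from the service management daemon to the firewall and the kernel-level routing decision for IPC between service proxies; it is not the patent's own pseudo-code and not code from any product. It models the kernel decision in user-space Python: same-owner traffic (matching uid/gid) is delivered directly, while traffic between proxies of different subscribers is handed to the chain of external appliances, where a firewall applies the daemon-configured port policy and a web shield applies an application-layer check. The platform address, subscriber uids/gids, port sets and the web shield's signature list are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

PLATFORM_IP = "10.0.0.5"  # constructed: the single IP address of the service platform


@dataclass(frozen=True)
class ServiceProxy:
    """A sandboxed service proxy; uid/gid identify the owning subscriber (assumption)."""
    name: str
    uid: int
    gid: int


@dataclass
class Packet:
    src: ServiceProxy
    dst: ServiceProxy
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


class Firewall:
    """External firewall: its policy (open ports per destination subscriber) is pushed by the daemon."""

    def __init__(self) -> None:
        self.open_ports: Dict[int, Set[int]] = {}

    def configure(self, uid: int, ports: Set[int]) -> None:
        self.open_ports[uid] = set(ports)

    def inspect(self, pkt: Packet) -> bool:
        # Layer-4 decision: only ports opened for the destination subscriber pass.
        return pkt.dst_port in self.open_ports.get(pkt.dst.uid, set())


class WebShield:
    """External application-layer appliance; the signatures are constructed stand-ins for real content rules."""

    SIGNATURES = (b"<script>", b"../../")

    def inspect(self, pkt: Packet) -> bool:
        return not any(sig in pkt.payload for sig in self.SIGNATURES)


class ServiceManagementDaemon:
    """Sends policy configuration (the 'messages 42' of the text) to the firewall."""

    def __init__(self, firewall: Firewall) -> None:
        self.firewall = firewall

    def register_subscriber(self, uid: int, allowed_ports: Set[int]) -> None:
        # A new subscriber joining triggers a policy update for that subscriber.
        self.firewall.configure(uid, allowed_ports)


class Kernel:
    """Models the kernel extension that decides how an IPC packet is routed."""

    def __init__(self, appliances: List[object], route_same_owner: bool = False) -> None:
        self.appliances = appliances
        self.route_same_owner = route_same_owner  # alternative embodiment: inspect same-owner IPC too
        self.audit: List[str] = []

    def send(self, pkt: Packet) -> str:
        internal = pkt.src_ip == pkt.dst_ip == PLATFORM_IP
        same_owner = (pkt.src.uid, pkt.src.gid) == (pkt.dst.uid, pkt.dst.gid)
        if internal and same_owner and not self.route_same_owner:
            self.audit.append(f"{pkt.src.name}->{pkt.dst.name}: direct (same subscriber)")
            return "direct"
        # Different subscribers: force the packet through every external appliance in turn.
        for appliance in self.appliances:
            if not appliance.inspect(pkt):
                verdict = f"dropped:{type(appliance).__name__}"
                self.audit.append(f"{pkt.src.name}->{pkt.dst.name}: {verdict}")
                return verdict
        self.audit.append(f"{pkt.src.name}->{pkt.dst.name}: delivered via appliances")
        return "delivered"


def run_scenario(route_same_owner: bool = False) -> Dict[str, str]:
    """Constructed scenario: subscriber A (uid 1001) runs a web and a db proxy; subscriber B (uid 1002) runs one proxy."""
    firewall = Firewall()
    ServiceManagementDaemon(firewall).register_subscriber(1001, {80})
    ServiceManagementDaemon(firewall).register_subscriber(1002, {8080})
    kernel = Kernel([firewall, WebShield()], route_same_owner)

    a_web = ServiceProxy("a-web", 1001, 1001)
    a_db = ServiceProxy("a-db", 1001, 1001)
    b_proxy = ServiceProxy("b-proxy", 1002, 1002)

    def pkt(src, dst, port, payload=b"GET / HTTP/1.1"):
        return Packet(src, dst, PLATFORM_IP, PLATFORM_IP, port, payload)

    return {
        "same_owner": kernel.send(pkt(a_web, a_db, 5432)),
        "cross_owner_allowed": kernel.send(pkt(b_proxy, a_web, 80)),
        "cross_owner_closed_port": kernel.send(pkt(b_proxy, a_web, 22)),
        "cross_owner_app_layer": kernel.send(pkt(b_proxy, a_web, 80, b"GET /?q=<script> HTTP/1.1")),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

With `route_same_owner=True` the same-subscriber packet to port 5432 is also sent through the appliances and is dropped by the firewall, because the daemon only opened port 80 for that subscriber; this is the stricter embodiment in which a malfunctioning proxy of the same subscriber is contained as well.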
It should be noted that although it has been described that communication between different service proxies owned by the same subscriber would not be routed to the external security appliances, in other embodiments also this type of communication is passed via the external security appliances. This can be done in order to further improve the security against “attacks” caused by different possibly malfunctioning applications/service proxies owned by the subscriber.
Embodiments of the present invention work with existing operating systems and also with existing firewalls, security gateways and other security devices. The presented mechanism can also be applied to future virtual computing environments.
Particular implementations and embodiments of the invention have been described. It is clear to a person skilled in the art that the invention is not restricted to details of the embodiments presented above, but that it can be implemented in other embodiments using equivalent means without deviating from the characteristics of the invention. The scope of the invention is only restricted by the attached patent claims.