D4.2 - A Proposal for Resource Isolation in Multi-Tenant Storage Systems

Cloud providers that offer multi-tenancy solutions face an inevitable dilemma. On one hand, they have to ensure that tenants’ resources are well isolated from one another, because a breach in resource isolation can result in information leakage or even compromise. On the other hand, this contradicts a cloud provider’s incentive of making efficient use of their resources—resources that are not shared might lie idle, such as a CPU core that is not in use or a disk that holds only a small amount of data. In this deliverable we present a proposal that tackles the challenge of resource isolation in multi-tenant storage systems at different levels. We show how many-core platforms, originally designed for HPC tasks, can be enhanced to support resource-isolated logical partitions for IaaS clouds (Section 4). The solution, allowing bare-metal execution of VMs, enables IaaS cloud providers to better utilize their hardware and provide improved service at the same time. We continue with an approach that facilitates memory-level isolation for SaaS solutions that need to separate untrusted tenant input from the core application logic (Section 5). It does so by categorizing input and routing it to dedicated memory regions, increasing the security of the SaaS application. We also investigate the security of Intel Software Guard Extensions (SGX) [13], a novel building block for isolating the execution of trusted code in an untrusted environment. We show that rollback attacks are a threat to the architecture of SGX and present a protection mechanism (Section 6). We propose two mechanisms for secure Docker image manipulation throughout the image life cycle: the first securely distributes/migrates Docker images that contain sensitive data, while the second preserves the confidentiality of sensitive data stored on disk even while the container is in use (Section 7). Databases are pervasively used for data storage and therefore deserve special attention with respect to multi-tenancy. We present a general architecture design that allows adjustable encrypted databases to be combined with common approaches to multi-tenancy (Section 8).