Bachelor Thesis: Kernel as a Service
Abstract
In recent years, cloud computing, and in particular Infrastructure as a Service (IaaS), has become a feasible alternative for corporations and developers for deploying and offering services to end users. The ability to deploy new virtual machines on demand based on the application workload has led to a worldwide shift from self-owned datacenters and (standby) server farms to IaaS providers like Amazon EC2 or Rackspace. While the hardware changes, the software stays mostly the same: a Linux distribution with a generic kernel plus the application itself. The generic kernel may suffer from security vulnerabilities in code that the applications on the system do not require, yet those vulnerabilities may still be exploitable through other means.
This bachelor thesis explores the possibility of providing custom-built Linux kernels for cloud-based virtual servers on demand, similar to the deployment of the servers themselves. The proposed solution makes use of the undertaker project from University Erlangen-Nürnberg and OpenStack. The undertaker project offers a suite of tools to trace the usage of a general Linux kernel and to build a new kernel based on the traced data. This process, also called tailoring, is to be automated with as little user interaction as possible to provide an easy, on-demand way of customizing a Linux kernel for a given virtual server running inside OpenStack Compute. Undertaker is able to achieve an attack surface reduction of 50% to 85%, and in connection with OpenStack this seems like a great way for IaaS users to further secure their virtual machines.
Overall, the content of this thesis is:
- Exploring the possibility and benefits of custom-tailored kernels for cloud-based services
- Development and implementation of an OpenStack Dashboard plugin to enable options for kernel tracing and tailoring
- Development of a traceable and tailorable cloud base image
- Performance and practicability evaluation of tailored kernels for cloud-based services
- Analysis of virtual machines and their tailored kernels for enhanced security
Download
German: Thesis (3.3MB) Slides (6.5MB)
Code: https://github.com/envy/kaas