Open Stack

Hi all,

I, Amey Ghadigaonkar, had contacted the community regarding a project about
run time integrity checks for OpenStack in the OSSG meeting held on
02.27.14 (transcript:
http://eavesdrop.openstack.org/meetings/openstack_security_group/2014/openstack_security_group.2014-02-27-18.00.html
). I am submitting a blueprint to describe what our project is really
about. We are quite enthusiastic to hear what the community thinks of our
project. Please read on.


*What we want do*

Goal of this project is to develop a component that will perform periodical
validations of run-time integrity of OpenStack code, services, and
configurations. We aim to:

1.    Develop a framework in Nova that allows periodic or user-triggered
integrity measurements of compute nodes in the trusted pool.

2.    The framework will allow specific integrity measures to be developed
as plugins.

3.    Adapt OpenAttestation as the first plugin to this framework.

4.    Develop a Horizon component that will allow users to configure their
choice of checks and schedule when these checks should be run. The results
obtained from these checks will be stored and can be retrieved by users
using the Horizon component.

5.    As time and scoping permits, develop more run-time integrity check
plugins such as checking that trusted nodes are running known good code or
performing dynamic memory checks.

We have attached a sample usecase diagram with this email to illustrate
some simple usecases. *Suggestions/comments from the community* regarding
the project are welcome and we consider these comments as *essential for
success* of this project. Some issues that we would like to discuss with
the community are:

1.    Are there any potential architectural or technical concerns that you
are aware of that might impact these goals?

2.    Any listed functionality that you deem redundant or think that
something specific should be added?

3.    Do you have suggestions for good candidates for run-time integrity
check plugins?

4.    Any pointers to relevant documentation, mailing list discussions, or
people that should be included in further discussions?

5.    Any other general comments or suggestions?







*Where we are right now*

We are in the inception phase of the project and are negotiating its scope.
We plan to submit an elaborate blueprint for the deliverable and its
architecture before the Juno Release Design Summit in May. Development will
start soon after the Summit.





*Who we are*

This project is a part of Practicum for Software Engineering course
(17-677) at Carnegie Mellon University. There are four team members. We are
students at Master of Science in Information Technology - Software
Engineering (MSIT-SE) program in Carnegie Mellon University:

1.    Alexandr Naumchev

2.    Amey Ghadigaonkar

3.    Fusheng Yuan

4.    Vasilii Artemev

Mentor: Dr. Bradley Schmerl, Senior Systems Scientist, School of Computer
Science, Carnegie Mellon University.

Client: Laura Glendenning. Software Engineer at Applied Physics Laboratory
in Johns Hopkins University.





*Future Work:*

One of the extensions of this project would be to develop hooks to the
framework from Ceilometer to enhance functionality provided by our
component.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-security/attachments/20140313/3cfa08b3/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: useCase.png
Type: image/png
Size: 175449 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-security/attachments/20140313/3cfa08b3/attachment.png>