EcoCloud’s expanding mission

As of January 1st, 2022, the EPFL EcoCloud Center is headed by Professor David Atienza. Its mission has been expanded with a strong new focus on fundamental research and education in the domain of sustainable cloud computing.

“Historically, EcoCloud’s main focus has been to deliver technologies jointly with top companies in the information technologies (IT) sector to help them optimize the large cloud computing infrastructure of public cloud systems”, says Atienza. “We are now focusing on the whole IT ecosystem to develop sustainable multiscale computing from the cloud to the edge”, he adds. “Our goal is to rethink the whole ecosystem and how we can provide IT solutions that can make computing more sustainable. In particular, the goal is to optimize the used resources for computing to minimize the environmental and social impact of IT infrastructures and practices. This includes the monitoring of materials, energy, water as well as other rare resources, and the creation of a circular economy for IT infrastructure, considering electronics’ impact on the environment from production to the recycling of cloud computing components.”

IT infrastructure as enabler for a sustainable society

“In collaboration with the School of Engineering (STI), the School of Computer and Communication Sciences (IC), the School of Architecture, Civil and Environmental Engineering (ENAC), and the School of Basic Sciences (SB) we have defined multi-disciplinary IT application pillars or directions that are strategic for them”, says Atienza.

Four multi-center projects are planned for 2022 in the following research areas: energy-constrained and sustainable deep learning (in collaboration with the Center for Intelligent Systems (CIS) and the Center for Imaging), computational and data storage sustainability for scientific computing (in collaboration with the Space Center and the Energy Center), sustainable smart cities and transportation systems (in partnership with the FUSTIC Association, CIS and CLIMACT Center) and energy-constrained trustworthy systems including Bitcoin’s technology (in collaboration with the Center for Digital Trust).

In addition to its multi-center research projects on specific applications, EcoCloud will also work on fundamental technologies to enable sustainable IT infrastructures, such as minimal-energy computing and storage platforms, or approaches to maximize the use of renewable energy in data centers and IT services deployment.

Moreover, in this new era of sustainable cloud computing research, EcoCloud will maintain and strengthen its long-standing collaboration with historical IT partners in its Industrial Affiliates Program (IAP), such as Microsoft, HPE, Intel, IBM, Huawei and Facebook, who have confirmed their interest in continuing to collaborate with the center on its new research topics through their IAP membership.

A new facility for research on sustainable computing

“We plan to create an experimental facility dedicated to multi-disciplinary research on sustainable computing at EPFL”, says Atienza. In this facility, EcoCloud will provide specialized IT personnel to assist and support the EPFL laboratories in performing tests related to the proposed multi-center IT research projects and cloud infrastructures. “This year, research activities will focus on the agreed projects with the different schools and centers at EPFL, but in the future, we expect to make open calls for anyone at EPFL interested in research related to sustainable computing to be supported by EcoCloud.”

Best practices for IT infrastructure

The dissemination of best practices for sustainable IT infrastructure is another core mission of EcoCloud. “In cooperation with the Vice-Presidency for Responsible Transformation (VPT), we are going to develop a course about the fundamentals of sustainable computing for EPFL students at the master level, which will be offered by the Section of Electrical Engineering (SEL) and the Section of Computer Science (SIN) for the complete campus”, says Atienza. “Continuous education for professionals is also important. We plan to offer training to companies to support and assist them in their digitalization processes and help them understand how to implement the most sustainable IT technologies and processes possible.”

“IT is the engine of our digital world. With a compound annual growth rate of more than 16%, cloud computing must embrace a strategy of digital responsibility to support economic progress and societal development without compromising the future of our planet”, concludes Atienza.

Public cloud

The public cloud concept refers to an IT model where on-demand computing services and infrastructure are managed by a third-party provider (e.g., Microsoft, Amazon, Google, IBM, etc.) and shared (for a specific fee) with multiple organizations using the Internet. So, a public cloud is a subscription service offered by a company to many customers who want similar services. On the contrary, a private cloud is a service entirely controlled by a single organization for its internal use and not shared with others (e.g., the internal datacenter and IT infrastructure we have at EPFL).


Author: Leila Ueberschlag

Source: Computer and Communication Sciences | IC

This content is distributed under a Creative Commons CC BY-SA 4.0 license. You may freely reproduce the text, videos and images it contains, provided that you indicate the author’s name and place no restrictions on the subsequent use of the content. If you would like to reproduce an illustration that does not contain the CC BY-SA notice, you must obtain approval from the author.

Beating hackers at bug hunting with automated, far-reaching technology

On the 9th of December, 2021 the world of IT security abruptly went into a state of shock. An alarming message was spreading like wildfire:

    RCE 0-day exploit found in log4j

For the uninitiated, there is a lot to unpack here. “RCE” stands for remote code execution: similar to when somebody takes control of your computer with TeamViewer to run programs of their choosing. In this context, however, control is exerted without the consent, or even the knowledge of the owner.

A zero-day exploit targets a major software vulnerability that was previously unknown to the developer. The developer must act quickly to produce a patch because, by the time they learn of the flaw, adversaries may already be exploiting it.

The log4j library allows Java software to log (report) certain conditions, and is widely used in Java software. A vulnerability in it could allow an adversary to execute arbitrary code in the context of the underlying software.

Put it all together and you get this: at the time the above headline was published, a system tool used by companies all over the world – in cloud servers, game servers and financial platforms – was already being exploited by hackers, allowing them to take control of servers and data centers.

News spread fast about the staggering vulnerability

93% of the world’s cloud services affected

According to the Wall Street Journal, “U.S. officials say hundreds of millions of devices are at risk, hackers could use the bug to steal data, install malware or take control.”

One estimate stated that the vulnerability affected 93% of enterprise cloud environments. At EPFL, all IT administrators were sent instructions to patch their server software immediately. Even Oracle Corporation, world leaders in information security, had to send out a distress call:

“Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by [our] Security Alert as soon as possible.”

It is hard to gauge the full extent of the damage caused, but it is clear that these vulnerabilities have real-world impact: among confirmed victims of the log4j bug are the Belgian Ministry of Defence, the UK’s National Health Service and a range of financial trading platforms. So the question arises: what are corporations like Oracle doing about it?

As a matter of fact, Oracle had already been working against this kind of vulnerability long before the log4j zero-day. The log4j library uses deserialization: a server receives structured data describing objects and the relationships between them, and reconstructs those objects in memory for processing. If the checks performed during deserialization are insufficient, and give the attacker leeway in how the data is interpreted, the result is often RCE. Identifying the vulnerabilities exposed during the deserialization process had long been a subject of interest to Oracle researchers by 2020, when they reached out to Prof. Mathias Payer of EPFL’s HexHive lab:
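
The insufficient-check problem described above, illustrated with an added Java example that is not part of the original article and not code from the HexHive/Oracle platform: a service that expects exactly one class on the wire installs a `java.io.ObjectInputFilter` (standard since Java 9) that allow-lists that class and rejects everything else before any other class can be instantiated. The `Point` and `Unexpected` classes and the byte streams are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredDeserialization {

    // The only class this service is designed to receive (constructed for the example).
    static final class Point implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y;
        Point(int x, int y) { this.x = x; this.y = y; }
    }

    // Stand-in for any class the service never meant to accept (constructed for the example).
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow-list filter: only Point may be deserialized; the trailing "!*" rejects every
    // other class. maxdepth/maxrefs bound the object graph so malformed input cannot
    // exhaust memory before the class check fires.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "FilteredDeserialization$Point;maxdepth=5;maxrefs=100;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialization with the filter attached. A rejected class surfaces as
    // InvalidClassException before its constructor or readObject logic can run.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected input passes the filter.
        Point p = (Point) deserialize(serialize(new Point(3, 4)));
        System.out.println("accepted: Point(" + p.x + ", " + p.y + ")");

        // Any other class is refused, regardless of what it would do if instantiated.
        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the filter is that the decision is made on the class name read from the stream, before the class is resolved and its deserialization hooks execute; a deny-list of known-bad classes cannot keep up with newly discovered chains, whereas an allow-list of the handful of classes a service actually expects does not need to.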

“We had already covered fuzzing and program analysis, and had worked on cloud security as part of EPFL’s EcoCloud Center,” explains Prof. Payer, “but we had not approached these deserialization bugs. Then we got to work with Oracle Labs (part of Oracle Inc) who provided funding via a gift. François Gauthier and Kostyantyn Vorobyov, two Oracle researchers from Oracle Labs, introduced us to the complex technical issues that they were facing. And then we worked together, and developed a platform for discovering deserialization vulnerabilities.

“People have been attempting to find and exploit vulnerabilities in deserialization code, including Oracle’s, for years: either intent on gaining some kind of direct advantage, or to earn money by submitting bug reports. Either way, these are dedicated, manual attacks. In these manual attacks, the analyst thoroughly analyzes the source code of the target and then painstakingly crafts the exploit. What we have developed is a mechanism that automates the process, and allows Oracle to get ahead of the attackers.

Eight moves ahead, like a chess grandmaster

“In addition to this, the bugs that we are finding can be much more complex than the ones that experts are finding manually. Most analysts are trained to search to a depth of two manipulations: an entry and a control vector. Our platform creates an abstract dependency graph for all available classes, and can do a fuzzy search to a depth of up to eight manipulations.”

The battle between IT security managers and attackers is one where the defenders hope to find bugs before the attackers do. However, Prof. Payer explains that security managers have one key advantage when it comes to using HexHive’s platform: “Although our tool is neutral, i.e., it can be used by both attackers and defenders, developers have full access to and understanding of their own code, which gives them a huge advantage over a hacker when it comes to interpreting the results. They therefore have a very good chance of finding weak points before the attacker.”

Negotiations are under way to set up internships for HexHive researchers at Oracle Corporation. “This will be good for Oracle because they will have people who actually developed some of the code on site, which will make it easier to integrate the platform into their pipeline. Another thing I appreciate is that our prototype will remain open source, and bug reports will be published.”

So long as information technology is around, the battle between security managers and hackers will rage on. Thanks to their collaboration with HexHive, however, Oracle will be able to keep one step ahead of the aggressor: faster, higher, stronger.
