Overview of SEHadoop
To improve Hadoop's compromise resilience, we design a
new SEHadoop model based on two major principles: enhancing
the isolation level among Hadoop components and giving
Hadoop processes least access privilege. When a compromise
starts in Hadoop, a strong isolation level helps limit
its extent: it forces attackers to attack one component
at a time and slows down the pace of attacks.
Enforcing least access privilege for Hadoop components
ensures that compromised Hadoop processes can access only
limited data. Compared with the original Hadoop, attackers need
to attack more components in SEHadoop to steal the same
amount of data. Some Hadoop components, such as Data Node,
Node Manager and Container, may run on a large number of VMs,
so they are more likely to be attacked than other Hadoop
components; e.g., a malicious VM of an attacker has a better
chance of co-residing with VMs running Data Node, in order to
launch internal cloud attacks, than with the VM running
Name Node. We carefully examined these
components to ensure that the security mechanisms they
use satisfy the two principles. The SEHadoop model consists
of the SEHadoop runtime model, the SEHadoop Block Token and
the SEHadoop Delegation Token.