Horizon Secure Cloud

Horizon is a novel cloud architecture aimed at providing data and computation security within a cloud. Horizon builds upon three premises: (1) strong isolation on end-hosts, (2) fine-grained isolation in the cloud network, and (3) cloud-wide information flow control.

To protect the end-hosts, Horizon develops a new layered hypervisor and a disaggregated virtualization stack whose key features are language safety, software fault isolation, and integrated software verification. Horizon relies on a new hypervisor designed from scratch with the primary goal of strong and secure isolation. Towards this goal, we implement the hypervisor, the device virtualization layer, and the VM management toolchain in a safe programming language, Rust.

To provide a secure cloud network environment, Horizon relies on a new network architecture and implements a distributed network firewall, where all network communication and exchange of rights are mediated and controlled by the rules of the object capability system (CapNet).

To protect the cloud data, Horizon develops a set of abstractions and mechanisms to enforce cloud-wide information flow control. In Horizon, all data is labeled. The hypervisor mediates all communication of each virtual machine and enforces propagation of labels and security checks for each cloud computation.
Updated: May, 2019