Flux Research Group / School of Computing
TCloud logo


The use of cloud computing has revolutionized the way in which cyber infrastructure is used and managed. The on-demand access to seemingly infinite resources provided by this paradigm has enabled technical innovation and indeed innovative business models and practices. This rosy picture is threatened, however, by increasing nefarious interest in cloud platforms. Specifically, the shared-tenant, shared-resource nature of cloud platforms, as well as the natural accrual of valuable information in cloud platforms, provide both the incentive and the possible means of exploitation.

To address these concerns we are developing a self-defending, self-evolving, and self-accounting trustworthy cloud platform, the TCloud. Our approach in realizing TCloud holds to the following five tenets. First, defense-in-depth through innate containment, separation and diversification at the architectural level. Second, least authority by clear separation of functionality and associated privilege within the architecture. Third, explicit orchestration of security functions based on cloud-derived and external intelligence. Fourth, moving-target-defense through deception and dynamic evolution of the platform. Fifth, verifiable accountability through lightweight validation and auditable monitoring, record keeping, and analysis.

We expect that our approach to fundamentally refactor the cloud architecture to explicitly enable security related functionality will lay the foundation for truly trustworthy cloud computing. Given the unrelenting push towards the use of cloud technologies we expect our work to be used across industry, healthcare, government and academia. We plan to release all software we develop to the community in open source form.

Available Software

Forthcoming Software

  • CloudSight — a tenant-oriented transparency framework for cross-layer cloud troubleshooting
    (read the paper)
  • Harpocrates — a system for moving secure computation from origin webservers to nodes in a CDN
    (read the paper)
  • Potassium — an OpenStack implementation of “penetration testing as a service”
    (read the paper)


  • CloudSight
    • Watch the video of CloudSight, based on a demonstration for the Network Research Exhibition at Supercomputing 2016.