DOI: 10.1145/2991079.2991109

Pileus: protecting user resources from vulnerable cloud services

Published: 05 December 2016

Abstract

Cloud computing platforms are now constructed as distributed, modular systems of cloud services, which enable cloud users to manage their cloud resources. However, in current cloud platforms, cloud services fully trust each other, so a malicious user may exploit a vulnerability in a cloud service to obtain unauthorized access to another user's data. To date, over 150 vulnerabilities have been reported in cloud services in the OpenStack cloud. Research efforts in cloud security have focused primarily on attacks originating from user VMs or compromised operating systems rather than threats caused by the compromise of distributed cloud services, leaving cloud users open to attacks from these vulnerable cloud services. In this paper, we propose the Pileus cloud service architecture, which isolates each user's cloud operations to prevent vulnerabilities in cloud services from enabling malicious users to gain unauthorized access. Pileus deploys stateless cloud services "on demand" to service each user's cloud operations, limiting cloud services to the permissions of individual users. Pileus leverages the decentralized information flow control (DIFC) model for permission management, but the Pileus design addresses special challenges in the cloud environment to: (1) restrict how cloud services may be allowed to make security decisions; (2) select trustworthy nodes for access enforcement in a dynamic, distributed environment; and (3) limit the set of nodes a user must trust to service each operation. We have ported the OpenStack cloud platform to Pileus, finding that we can systematically prevent compromised cloud services from attacking other users' cloud operations with less than 3% additional latency for the operation. Application of the Pileus architecture to OpenStack shows that confined cloud services can service users' cloud operations effectively for a modest overhead.
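A simplified model of the confinement idea described in the abstract, added here as an illustration; it is not Pileus or OpenStack code. The tag names, the `spawn` and `audit` helpers, and the secrecy-only flow rule are assumptions chosen to keep the sketch small.

```python
from dataclasses import dataclass

def can_flow(src: frozenset, dst: frozenset) -> bool:
    """Secrecy rule: data may move only to a label carrying every source tag."""
    return src <= dst

@dataclass(frozen=True)
class Resource:
    name: str
    secrecy: frozenset   # tags of the users whose data this resource holds

@dataclass(frozen=True)
class ServiceInstance:
    """Stateless service spawned for one operation, confined to one user's label."""
    service: str
    secrecy: frozenset
    owned: frozenset = frozenset()   # tags it may declassify; empty by default

    def read(self, res: Resource) -> bool:
        return can_flow(res.secrecy, self.secrecy)

    def write(self, res: Resource) -> bool:
        # Owned tags may be dropped (declassified) before the flow check.
        return can_flow(self.secrecy - self.owned, res.secrecy)

def spawn(service: str, user: str) -> ServiceInstance:
    """On-demand instance: carries the requesting user's tag and owns nothing."""
    return ServiceInstance(service, frozenset({user}))

def audit(inst: ServiceInstance, resources) -> dict:
    """Return {resource name: (read allowed, write allowed)} for one instance."""
    return {r.name: (inst.read(r), inst.write(r)) for r in resources}

# Constructed sample state: two tenants' volumes and one public image.
RESOURCES = [
    Resource("alice-volume", frozenset({"alice"})),
    Resource("bob-volume", frozenset({"bob"})),
    Resource("public-image", frozenset()),
]

if __name__ == "__main__":
    for name, (r, w) in audit(spawn("volume-api", "alice"), RESOURCES).items():
        print(f"{name:13} read={r} write={w}")
```

Even if the instance serving Alice is compromised, the flow check denies it both Bob's volume and any write to the public image; an instance that also held ownership of Alice's tag could declassify her data, which is why the model gives spawned services none.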

Published In

ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security Applications
December 2016
614 pages
ISBN:9781450347716
DOI:10.1145/2991079
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article

Conference

ACSAC '16
Sponsor:
  • ACSA
ACSAC '16: 2016 Annual Computer Security Applications Conference
December 5 - 8, 2016
California, Los Angeles, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (Last 12 months): 63
  • Downloads (Last 6 weeks): 10
Reflects downloads up to 23 Nov 2024

Cited By

  • (2024) Cloud Security Using Fine-Grained Efficient Information Flow Tracking. Future Internet 16:4 (110). DOI: 10.3390/fi16040110. Online publication date: 25-Mar-2024
  • (2024) Secure and Real-Time Traceable Data Sharing in Cloud-Assisted IoT. IEEE Internet of Things Journal 11:4 (6521-6536). DOI: 10.1109/JIOT.2023.3314764. Online publication date: 15-Feb-2024
  • (2023) AfterImage: Evading Traditional Indicator of Compromise (IOC) Blocking. 2023 IEEE International Conference on Service Operations and Logistics, and Informatics (SOLI) (1-6). DOI: 10.1109/SOLI60636.2023.10425081. Online publication date: 11-Dec-2023
  • (2022) DIFCS. Computers and Security 117:C. DOI: 10.1016/j.cose.2022.102678. Online publication date: 1-Jun-2022
  • (2020) Fine-grained isolation for scalable, dynamic, multi-tenant edge clouds. Proceedings of the 2020 USENIX Conference on Usenix Annual Technical Conference (927-942). DOI: 10.5555/3489146.3489210. Online publication date: 15-Jul-2020
  • (2020) Information Flow Control to Secure Data in the Cloud. 2020 International Conference on Computational Science and Computational Intelligence (CSCI) (1288-1294). DOI: 10.1109/CSCI51800.2020.00241. Online publication date: Dec-2020
  • (2019) Entrust. Proceedings of the 28th USENIX Conference on Security Symposium (567-584). DOI: 10.5555/3361338.3361378. Online publication date: 14-Aug-2019
  • (2019) The betrayal at cloud city. Proceedings of the 28th USENIX Conference on Security Symposium (551-566). DOI: 10.5555/3361338.3361377. Online publication date: 14-Aug-2019
  • (2019) On the Universally Composable Security of OpenStack. 2019 IEEE Cybersecurity Development (SecDev) (20-33). DOI: 10.1109/SecDev.2019.00015. Online publication date: Sep-2019
  • (2018) PivotWall. Proceedings of the Symposium on SDN Research (1-14). DOI: 10.1145/3185467.3185474. Online publication date: 28-Mar-2018
