A generic artifact-driven approach for provisioning, configuring, and managing infrastructure resources in the cloud
Provisioning, configuration, and management of infrastructure resources in the cloud is difficult due to diverse APIs offered by cloud providers. Because approaches for a common API are still in an early stage and may not be broadly accepted, individual artifacts can be used to interact with different providers. They require generic properties to describe the configuration of infrastructure resources and combine them with provider-specific information provided by the user. Such generic properties are determined in this thesis by looking at the infrastructure offerings of 14 different providers. The artifacts can be made available in public repositories similar to configuration management scripts originating in the DevOps community. However, trust in their good nature is a challenge because, in contrast to configuration management scripts, they are executed in a shared management environment. To control and restrict the actions they are performing in this shared environment, a method to confine their execution has been developed. The Linux security module Tomoyo has been chosen as a foundation for this. A policy associated with each artifact describes the artifact's permissions in detail. The artifacts are used in the context of the OASIS Topology and Orchestration Specification for Cloud Applications (TOSCA), an emerging standard supported by a number of industry partners. This standard allows modeling a topology of resources to be provisioned at a provider. Each infrastructure resource, such as a virtual machine, gets an artifact assigned for provisioning purposes. Based on this standard, two simple tools as well as artifacts for four providers were developed. They show the viability of this artifact-driven approach.
Active security vulnerability notification and resolution
The early version of the Internet was designed for connectivity only, without the
consideration of security, and the Internet is consequently an open structure. Networked
systems are vulnerable for a number of reasons: design error, implementation, and
management. A vulnerability is a hole or weak point that can be exploited to compromise
the security of the system. Operating systems and applications are often vulnerable because
of design errors. Software vendors release patches for discovered vulnerabilities, and rely
upon system administrators to accept and install patches on their systems. Many system
administrators fail to install patches on time, and consequently leave their systems
vulnerable to exploitation by hackers. This exploitation can result in various security
breaches, including website defacement, denial of service, or malware attacks. The overall
problem is significant with an average of 115 vulnerabilities per week being documented
during 2005.
This thesis considers the problem of vulnerabilities in IT networked systems, and maps the
vulnerability types into a technical taxonomy. The thesis presents a thorough analysis of
the existing methods of vulnerability management which determine that these methods
have failed to manage the problem in a comprehensive way, and show the need for a
comprehensive management system, capable of addressing the awareness and patch
deployment problems. A critical examination of vulnerability database statistics over the
past few years is provided, together with a benchmarking of the problem in a reference
environment with a discussion of why a new approach is needed. The research examined
and compared different vulnerability advisories, and proposed a generic vulnerability
format towards automating the notification process.
The thesis identifies the standard process of addressing vulnerabilities and the over-reliance
upon the manual method. An automated management system must take into account new
vulnerabilities and patch deployment to provide a comprehensive solution. The overall aim
of the research has therefore been to design a new framework to address these flaws in the
networked systems harmonised with the standard system administrator process. The
approach, known as AVMS (Automated Vulnerability Management System), is capable of
filtering and prioritising the relevant messages, and then downloading the associated
patches and deploying them to the required machines.
The framework is validated through a proof-of-concept prototype system. A series of tests
involving different advisories are used to illustrate how AVMS would behave. This helped
to prove that the automated vulnerability management system prototype is indeed viable,
and that the research has provided a suitable contribution to knowledge in this important
domain.
The Saudi Government and the Network Research Group at the University of Plymouth
SQL Injection Attacks and Countermeasures: a Survey of Website Development Practices
This study involved the development and subsequent use of a bespoke SQL Injection vulnerability scanner to analyze a set of unique approaches to common tasks, identified by conducting interviews with developers of high-traffic Web sites. The vulnerability scanner was developed to address many recognized shortcomings in existing scanning software, principal among which were the requirements for a comprehensive yet lightweight solution, with which to quickly test targeted aspects of online applications, and a scriptable, Linux-based system. Emulations of each approach were built, using PHP and MySQL, which were then analyzed with the aid of the bespoke scanner. All discovered vulnerabilities were resolved and, despite the variety of approaches to securing online applications adopted by those interviewed, a small number of root causes of SQL Injection vulnerabilities were identified. This allowed a SQL injection security checklist to be compiled to help developers identify insecure practices prior to an online application's initial release and following any modifications or upgrades.
Functionality-based application confinement: A parameterised and hierarchical approach to policy abstraction for rule-based application-oriented access controls
Access controls are traditionally designed to protect resources from users, and consequently make access decisions based on the identity of the user, treating all processes as if they are acting on behalf of the user that runs them. However, this user-oriented approach is insufficient at protecting against contemporary threats, where security compromises are often due to applications running malicious code, either due to software vulnerabilities or malware. Application-oriented access controls can mitigate this threat by managing the authority of individual applications. Rule-based application-oriented access controls can restrict applications to only allow access to the specific finely-grained resources required for them to carry out their tasks, and thus can significantly limit the damage that can be caused by malicious code. Unfortunately existing application-oriented access controls have policy complexity and usability problems that have limited their use.
This thesis proposes a new access control model, known as functionality-based application confinement (FBAC). The FBAC model has a number of unique features designed to overcome problems with previous approaches. Policy abstractions, known as functionalities, are used to assign authority to applications based on the features they provide. Functionalities authorise elaborate sets of finely grained privileges based on high-level security goals, and adapt to the needs of specific applications through parameterisation. FBAC is hierarchical, which enables it to provide layers of abstraction and encapsulation in policy. It also simultaneously enforces the security goals of both users and administrators by providing discretionary and mandatory controls.
An LSM-based (Linux security module) prototype implementation, known as FBAC-LSM, was developed as a proof-of-concept and was used to evaluate the new model and associated techniques. The policy requirements of over one hundred applications were analysed, and policy abstractions and application policies were developed. Analysis showed that the FBAC model is capable of representing the privilege needs of applications. The model is also well suited to automation techniques that can in many cases create complete application policies a priori, that is, without first running the applications. This is an improvement over previous approaches that typically rely on learning modes to generate policies. A usability study was conducted, which showed that compared to two widely-deployed alternatives (SELinux and AppArmor), FBAC-LSM had significantly higher perceived usability and resulted in significantly more protective policies. Qualitative analysis was performed and gave further insight into the issues surrounding the usability of application-oriented access controls, and confirmed the success of the FBAC model.
Performance Evaluation of Virtualization with Cloud Computing
Cloud computing has been the subject of much research. Research shows that cloud computing makes it possible to reduce hardware cost and energy consumption and allows a more efficient use of servers. Nowadays many servers are used inefficiently because they are underutilized. The use of cloud computing together with virtualization has been a solution to the underutilisation of those servers. However, virtualization with cloud computing cannot offer performance equal to native performance. The aim of this project was to study the performance of virtualization with cloud computing. To meet this aim, the previous research in this area was first reviewed. The different types of cloud toolkit were outlined, as well as the different ways available to virtualize machines. In addition, the open source solutions available to implement a private cloud were examined. The findings of the literature review were used to design the different experiments and to choose the tools used to implement a private cloud. In the design and implementation, experiments were set up to evaluate the performance of public and private clouds. The results obtained through those experiments outline the performance of the public cloud and show that the virtualization of Linux gives better performance than the virtualization of Windows. This is explained by the fact that Linux uses paravirtualization while Windows uses HVM. The evaluation of performance on the private cloud permitted the comparison of native performance with paravirtualization and HVM. Paravirtualization was seen to have performance very close to native performance, unlike HVM. Finally, the cost of the different solutions and their advantages were presented.