SGXIO: Generic Trusted I/O Path for Intel SGX

Application security traditionally strongly relies upon security of the underlying operating system. However, operating systems often fall victim to software attacks, compromising security of applications as well. To overcome this dependency, Intel introduced SGX, which allows to protect application code against a subverted or malicious OS by running it in a hardware-protected enclave. However, SGX lacks support for generic trusted I/O paths to protect user input and output between enclaves and I/O devices. This work presents SGXIO, a generic trusted path architecture for SGX, allowing user applications to run securely on top of an untrusted OS, while at the same time supporting trusted paths to generic I/O devices. To achieve this, SGXIO combines the benefits of SGX's easy programming model with traditional hypervisor-based trusted path architectures. Moreover, SGXIO can tweak insecure debug enclaves to behave like secure production enclaves. SGXIO surpasses traditional use cases in cloud computing and makes SGX technology usable for protecting user-centric, local applications against kernel-level keyloggers and likewise. It is compatible to unmodified operating systems and works on a modern commodity notebook out of the box. Hence, SGXIO is particularly promising for the broad x86 community to which SGX is readily available.Comment: To appear in CODASPY'1

A Review on Cloud Data Security Challenges and existing Countermeasures in Cloud Computing

Cloud computing (CC) is among the most rapidly evolving computer technologies. That is the required accessibility of network assets, mainly information storage with processing authority without the requirement for particular and direct user administration. CC is a collection of public and private data centers that provide a single platform for clients throughout the Internet. The growing volume of personal and sensitive information acquired through supervisory authorities demands the usage of the cloud not just for information storage and for data processing at cloud assets. Nevertheless, due to safety issues raised by recent data leaks, it is recommended that unprotected sensitive data not be sent to public clouds. This document provides a detailed appraisal of the research regarding data protection and privacy problems, data encrypting, and data obfuscation, including remedies for cloud data storage. The most up-to-date technologies and approaches for cloud data security are examined. This research also examines several current strategies for addressing cloud security concerns. The performance of each approach is then compared based on its characteristics, benefits, and shortcomings. Finally, go at a few active cloud storage data security study fields

Intranet Cloud Security

No Abstrac

Multi-way Cloud-Side Access Control for Encrypted Cloud Storage

Individuals support the incredible intensity of cloud computing, however can't completely believe the cloud providers to have protection delicate data, because of the nonattendance of client to-cloud controllability. To guarantee confidentiality, data administrators redistribute scrambled data rather than plaintexts. To impart the scrambled files to different clients, ciphertext-strategy attribute-based encryption can be used to direct fine-grained and administrator driven access control. Yet, this doesn't adequately get secure against different assaults. Numerous past schemes didn't concede the cloud supplier the capacity to check whether a downloader can decode. Along these lines, these files ought to be accessible to everybody open to the cloud storage. A noxious aggressor can download a great many files to dispatch monetary refusal of supportability assaults, which will to a great extent expend the cloud asset. The payer of the cloud service bears the cost. These worries ought to be settled in true open cloud storage. In this paper, we propose an answer for secure encoded cloud storages from EDoS assaults and give asset utilization responsibility. We present two conventions for various settings, trailed by execution and security examination. Furthermore, attribute-based control in the framework additionally empowers the cloud server to confine the entrance to those clients with a similar arrangement of attributes while protecting client security, i.e., the cloud server just realizes that the client satisfies the necessary predicate, however has no clue on the specific identity of the client

Semantically Secured Non-Deterministic Blum–Goldwasser Time-Based One-Time Password Cryptography for Cloud Data Storage Security

The security level of outsourced data is significant in cloud storage. Few research works have been designed for secured cloud data storage. However, the data security level was lower because the authentication performance was not effective. In order to overcome such drawbacks, a Semantically Secured Non-Deterministic Blum–Goldwasser Time-Based One-Time Password Cryptography (SSNBTOPC) Technique is proposed. The SSNBTOPC Technique comprises three steps, namely key generation, data encryption and data decryption for improving cloud data storage security with lower cost. Initially, in SSNBTOPC Technique, the client registers his/her detail to the cloud server. After registering, the cloud server generates the public key and secret key for each client. Then, clients in cloud encrypt their data with the public key and send the encrypted data to the cloud server for storing it in the database. Whenever the client needs to store or access the data on cloud storage, the client sends the request message to the cloud server. After getting the requests, cloud server authenticates the clients using their secret key and Time-based One-Time Password (TOTP). After the verification process, SSNBTOPC Technique allows only authorized clients to get data on cloud storage. During data accessing process, the client data is decrypted with their private key. This helps for SSNBTOPC Technique to improve the cloud storage security with a minimal amount of time. The SSNBTOPC Technique carried outs the experimental evaluation using factors such as authentication accuracy, computational cost and data security level with respect to a number of client and data. The experimental result shows that the SSNBTOPC Technique is able to increases the data security level and also reduces the computational cost of cloud storage when compared to state-of-the-art works

Privacy-Enhanced Dependable and Searchable Storage in a Cloud-of-Clouds

In this dissertation we will propose a solution for a trustable and privacy-enhanced storage architecture based on a multi-cloud approach. The solution provides the necessary support for multi modal on-line searching operation on data that is always maintained encrypted on used cloud-services. We implemented a system prototype, conducting an experimental evaluation. Our results show that the proposal offers security and privacy guarantees, and provides efficient information retrieval capabilities without sacrificing precision and recall properties on the supported search operations. There is a constant increase in the demand of cloud services, particularly cloud-based storage services. These services are currently used by different applications as outsourced storage services, with some interesting advantages. Most personal and mobile applications also offer the user the choice to use the cloud to store their data, transparently and sometimes without entire user awareness and privacy-conditions, to overcome local storage limitations. Companies might also find that it is cheaper to outsource databases and keyvalue stores, instead of relying on storage solutions in private data-centers. This raises the concern about data privacy guarantees and data leakage danger. A cloud system administrator can easily access unprotected data and she/he could also forge, modify or delete data, violating privacy, integrity, availability and authenticity conditions. A possible solution to solve those problems would be to encrypt and add authenticity and integrity proofs in all data, before being sent to the cloud, and decrypting and verifying authenticity or integrity on data downloads. However this solution can be used only for backup purposes or when big data is not involved, and might not be very practical for online searching requirements over large amounts of cloud stored data that must be searched, accessed and retrieved in a dynamic way. Those solutions also impose high-latency and high amount of cloud inbound/outbound traffic, increasing the operational costs. Moreover, in the case of mobile or embedded devices, the power, computation and communication constraints cannot be ignored, since indexing, encrypting/decrypting and signing/verifying all data will be computationally expensive. To overcome the previous drawbacks, in this dissertation we propose a solution for a trustable and privacy-enhanced storage architecture based on a multi-cloud approach, providing privacy-enhanced, dependable and searchable support. Our solution provides the necessary support for dependable cloud storage and multi modal on-line searching operations over always-encrypted data in a cloud-of-clouds. We implemented a system prototype, conducting an experimental evaluation of the proposed solution, involving the use of conventional storage clouds, as well as, a high-speed in-memory cloud-storage backend. Our results show that the proposal offers the required dependability properties and privacy guarantees, providing efficient information retrieval capabilities without sacrificing precision and recall properties in the supported indexing and search operations

Securing cloud-based data analytics: A practical approach

The ubiquitous nature of computers is driving a massive increase in the amount of data generated by humans and machines. The shift to cloud technologies is a paradigm change that offers considerable financial and administrative gains in the effort to analyze these data. However, governmental and business institutions wanting to tap into these gains are concerned with security issues. The cloud presents new vulnerabilities and is dominated by new kinds of applications, which calls for new security solutions. In the direction of analyzing massive amounts of data, tools like MapReduce, Apache Storm, Dryad and higher-level scripting languages like Pig Latin and DryadLINQ have significantly improved corresponding tasks for software developers. The equally important aspect of securing computations performed by these tools and ensuring confidentiality of data has seen very little support emerge for programmers. In this dissertation, we present solutions to a. secure computations being run in the cloud by leveraging BFT replication coupled with fault isolation and b. secure data from being leaked by computing directly on encrypted data. For securing computations (a.), we leverage a combination of variable-degree clustering, approximated and offline output comparison, smart deployment, and separation of duty to achieve a parameterized tradeoff between fault tolerance and overhead in practice. We demonstrate the low overhead achieved with our solution when securing data-flow computations expressed in Apache Pig, and Hadoop. Our solution allows assured computation with less than 10 percent latency overhead as shown by our evaluation. For securing data (b.), we present novel data flow analyses and program transformations for Pig Latin and Apache Storm, that automatically enable the execution of corresponding scripts on encrypted data. We avoid fully homomorphic encryption because of its prohibitively high cost; instead, in some cases, we rely on a minimal set of operations performed by the client. We present the algorithms used for this translation, and empirically demonstrate the practical performance of our approach as well as improvements for programmers in terms of the effort required to preserve data confidentiality