264 research outputs found
Towards Tracking Data Flows in Cloud Architectures
As cloud services become central in an increasing number of applications,
they process and store more personal and business-critical data. At the same
time, privacy and compliance regulations such as GDPR, the EU ePrivacy
regulation, PCI, and the upcoming EU Cybersecurity Act raise the bar for secure
processing and traceability of critical data. Especially the demand to provide
information about existing data records of an individual and the ability to
delete them on demand is central in privacy regulations. Common to these
requirements is that cloud providers must be able to track data as it flows
across the different services to ensure that it never moves outside of the
legitimate realm, and it is known at all times where a specific copy of a
record that belongs to a specific individual or business process is located.
However, current cloud architectures do neither provide the means to
holistically track data flows across different services nor to enforce policies
on data flows. In this paper, we point out the deficits in the data flow
tracking functionalities of major cloud providers by means of a set of
practical experiments. We then generalize from these experiments introducing a
generic architecture that aims at solving the problem of cloud-wide data flow
tracking and show how it can be built in a Kubernetes-based prototype
implementation.Comment: 11 pages, 5 figures, 2020 IEEE 13th International Conference on Cloud
Computing (CLOUD
Towards non-intrusive software introspection and beyond
Continuous verification and security analysis of software systems are of paramount importance to many organizations. The state-of-the-art for such operations implements agent-based approaches to inspect the provisioned software stack for security and compliance issues. However, this approach, which runs agents on the systems being analyzed, is vulnerable to some attacks, can incur substantial performance impact, and can introduce significant complexity. In this paper, we present the design and prototype implementation of a general-purpose approach for Non-intrusive Software Introspection (NSI). By adhering to NSI, organizations hosting in the cloud can as well control the software introspection workflow with reduced trust in the provider. Experimental analysis of real-world applications demonstrates that NSI presents a lightweight and scalable approach, and has a negligible impact on the performance of applications running on the instance being introspected.Accepted manuscrip
An architecture for trustworthy services built on event based probing of untrusted guests
Numerous event-based probing methods exist for cloud computing environments allowing a trusted hypervisor to gain insight into guest activities. Such event based probing has been shown to be useful for detecting attacks, system hangs through watchdogs, and also for inserting exploit detectors before a system can be patched, among others. In this paper, we illustrate how to use such probing for trustworthy logging and highlight some of the challenges that existing event based probing mechanisms do not address. These challenges include ensuring a probe inserted at given address is trustworthy despite the lack of attestation available for probes that have been inserted dynamically. We show how probes can be inserted to ensure proper logging of every invocation of a probed instruction. When combined with attested boot of the hypervisor and guest machines, we can ensure the output stream of monitored events is trustworthy. Using these techniques we build a trustworthy log of certain guest-system-call events powering a cloud-tuned Intrusion Detection System (IDS). Additionally, we identify new types of events that must be added to existing probing systems to ensure attempts to circumvent probes within the guest appear in the log. We highlight the overhead penalties paid by guests to ensure log completeness when faced with probabilistic attacks and show promising results (less that 10% for guests) when a guest is willing to relax the trade-off between log completeness and overhead. Our demonstrative IDS shows the ability to detect common attack scenarios with simple policies built using our guest behavior recording system
Recommended from our members
Research and development of accounting system in grid environment
This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.The Grid has been recognised as the next-generation distributed computing paradigm by seamlessly integrating heterogeneous resources across administrative domains as a single virtual system. There are an increasing number of scientific and business projects that employ Grid computing technologies for large-scale resource sharing and collaborations. Early adoptions of Grid computing technologies have custom middleware implemented to bridge gaps between heterogeneous computing backbones. These custom solutions form the basis to the emerging Open Grid Service Architecture (OGSA), which aims at addressing common concerns of Grid systems by defining a set of interoperable and reusable Grid services. One of common concerns as defined in OGSA is the Grid accounting service. The main objective of the Grid accounting service is to ensure resources to be shared within a Grid environment in an accountable manner by metering and logging accurate resource usage information. This thesis discusses the origins and fundamentals of Grid computing and accounting service in the context of OGSA profile. A prototype was developed and evaluated based on OGSA accounting-related standards enabling sharing accounting data in a multi-Grid environment, the World-wide Large Hadron Collider Grid (WLCG). Based on this prototype and lessons learned, a generic middleware solution was also implemented as a toolkit that eases migration of existing accounting system to be standard compatible.Engineering and Physical Sciences Research Council (EPSRC), Stanford Universit
Securing Infrastructure-as-a-Service Public Clouds Using Security Onion
The shift to Cloud computing has brought with it its specific security challenges concerning the loss of control, trust and multi-tenancy especially in Infrastructure-as-a-Service (IaaS) Cloud model. This article focuses on the design and development of an intrusion detection system (IDS) that can handle security challenges in IaaS Cloud model using an open source IDS. We have implemented a proof-of-concept prototype on the most deployed hypervisorâVMware ESXiâand performed various real-world cyber-attacks, such as port scanning and denial of service (DoS) attacks to validate the practicality and effectiveness of our proposed IDS architecture. Based on our experimental results we found that our Security Onion-based IDS can provide the required protection in a reasonable and effective manner
Demystifying Internet of Things Security
Break down the misconceptions of the Internet of Things by examining the different security building blocks available in Intel Architecture (IA) based IoT platforms. This open access book reviews the threat pyramid, secure boot, chain of trust, and the SW stack leading up to defense-in-depth. The IoT presents unique challenges in implementing security and Intel has both CPU and Isolated Security Engine capabilities to simplify it. This book explores the challenges to secure these devices to make them immune to different threats originating from within and outside the network. The requirements and robustness rules to protect the assets vary greatly and there is no single blanket solution approach to implement security. Demystifying Internet of Things Security provides clarity to industry professionals and provides and overview of different security solutions What You'll Learn Secure devices, immunizing them against different threats originating from inside and outside the network Gather an overview of the different security building blocks available in Intel Architecture (IA) based IoT platforms Understand the threat pyramid, secure boot, chain of trust, and the software stack leading up to defense-in-depth Who This Book Is For Strategists, developers, architects, and managers in the embedded and Internet of Things (IoT) space trying to understand and implement the security in the IoT devices/platforms
Analysis of current middleware used in peer-to-peer and grid implementations for enhancement by catallactic mechanisms
This deliverable describes the work done in task 3.1, Middleware analysis: Analysis of current middleware used in peer-to-peer and grid implementations for enhancement by catallactic mechanisms from work package 3, Middleware Implementation. The document is divided in four parts: The introduction with application scenarios and middleware requirements, Catnets middleware architecture, evaluation of existing middleware toolkits, and conclusions. -- Die Arbeit definiert Anforderungen an Grid und Peer-to-Peer Middleware Architekturen und analysiert diese auf ihre Eignung fĂŒr die prototypische Umsetzung der Katallaxie. Eine Middleware-Architektur fĂŒr die Umsetzung der Katallaxie in Application Layer Netzwerken wird vorgestellt.Grid Computing
Trusted Computing and Secure Virtualization in Cloud Computing
Large-scale deployment and use of cloud computing in industry
is accompanied and in the same time hampered by concerns regarding protection of
data handled by cloud computing providers. One of the consequences of moving
data processing and storage off company premises is that organizations have
less control over their infrastructure. As a result, cloud service (CS) clients
must trust that the CS provider is able to protect their data and
infrastructure from both external and internal attacks. Currently however, such
trust can only rely on organizational processes declared by the CS
provider and can not be remotely verified and validated by an external party.
Enabling the CS client to verify the integrity of the host where the
virtual machine instance will run, as well as to ensure that the virtual
machine image has not been tampered with, are some steps towards building
trust in the CS provider. Having the tools to perform such
verifications prior to the launch of the VM instance allows the CS
clients to decide in runtime whether certain data should be stored- or calculations
should be made on the VM instance offered by the CS provider.
This thesis combines three components -- trusted computing, virtualization technology
and cloud computing platforms -- to address issues of trust and
security in public cloud computing environments. Of the three components,
virtualization technology has had the longest evolution and is a cornerstone
for the realization of cloud computing. Trusted computing is a recent
industry initiative that aims to implement the root of trust in a hardware
component, the trusted platform module. The initiative has been formalized
in a set of specifications and is currently at version 1.2. Cloud computing
platforms pool virtualized computing, storage and network resources in
order to serve a large number of customers customers that use a multi-tenant
multiplexing model to offer on-demand self-service over broad network.
Open source cloud computing platforms are, similar to trusted computing, a
fairly recent technology in active development.
The issue of trust in public cloud environments is addressed
by examining the state of the art within cloud computing security and
subsequently addressing the issues of establishing trust in the launch of a
generic virtual machine in a public cloud environment. As a result, the thesis
proposes a trusted launch protocol that allows CS clients
to verify and ensure the integrity of the VM instance at launch time, as
well as the integrity of the host where the VM instance is launched. The protocol
relies on the use of Trusted Platform Module (TPM) for key generation and data protection.
The TPM also plays an essential part in the integrity attestation of the
VM instance host. Along with a theoretical, platform-agnostic protocol,
the thesis also describes a detailed implementation design of the protocol
using the OpenStack cloud computing platform.
In order the verify the implementability of the proposed protocol, a prototype
implementation has built using a distributed deployment of OpenStack.
While the protocol covers only the trusted launch procedure using generic
virtual machine images, it presents a step aimed to contribute towards
the creation of a secure and trusted public cloud computing environment
- âŠ