Icebergs in the Clouds: the Other Risks of Cloud Computing
Cloud computing is appealing from management and efficiency perspectives, but
brings risks both known and unknown. Well-known and hotly-debated information
security risks, due to software vulnerabilities, insider attacks, and
side-channels for example, may be only the "tip of the iceberg." As diverse,
independently developed cloud services share ever more fluidly and aggressively
multiplexed hardware resource pools, unpredictable interactions between
load-balancing and other reactive mechanisms could lead to dynamic
instabilities or "meltdowns." Non-transparent layering structures, where
alternative cloud services may appear independent but share deep, hidden
resource dependencies, may create unexpected and potentially catastrophic
failure correlations, reminiscent of financial industry crashes. Finally, cloud
computing exacerbates already-difficult digital preservation challenges,
because only the provider of a cloud-based application or service can archive a
"live," functional copy of a cloud artifact and its data for long-term cultural
preservation. This paper explores these largely unrecognized risks, making the
case that we should study them before our socioeconomic fabric becomes
inextricably dependent on a convenient but potentially unstable computing
model.
Comment: 6 pages, 3 figures
Plugging Side-Channel Leaks with Timing Information Flow Control
The cloud model's dependence on massive parallelism and resource sharing
exacerbates the security challenge of timing side-channels. Timing Information
Flow Control (TIFC) is a novel adaptation of IFC techniques that may offer a
way to reason about, and ultimately control, the flow of sensitive information
through systems via timing channels. With TIFC, objects such as files,
messages, and processes carry not just content labels describing the ownership
of the object's "bits," but also timing labels describing information contained
in timing events affecting the object, such as process creation/termination or
message reception. With two system design tools, deterministic execution and
pacing queues, TIFC enables the construction of "timing-hardened" cloud
infrastructure that permits statistical multiplexing, while aggregating and
rate-limiting timing information leakage between hosted computations.
Comment: 5 pages, 3 figures
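The pacing-queue idea above, as an added simulation that is not code from the TIFC paper: jobs whose running time depends on a secret feed an output queue, and the queue releases at most one output per fixed clock tick. The secret-dependent 37 us difference, the 1000 us pacing period and the single-core back-to-back schedule are all constructed for this example; deterministic execution, the paper's other tool, is not modelled here.

```python
from typing import List

PACE_US = 1_000.0  # constructed pacing-queue period, in microseconds


def compute_time_us(secret_bit: int) -> float:
    """Toy secret-dependent execution time (constructed for this example).

    The secret adds 37 us, which an observer with a fine-grained clock and
    direct access to completion events can read off one job at a time."""
    return 900.0 + 37.0 * secret_bit


def unpaced_completions(secret_bits: List[int]) -> List[float]:
    """Jobs run back to back on one core; each output is visible the instant
    its job finishes, so the whole timing trace leaks to the observer."""
    t, trace = 0.0, []
    for bit in secret_bits:
        t += compute_time_us(bit)
        trace.append(t)
    return trace


def paced_releases(completions: List[float], period: float = PACE_US) -> List[bool]:
    """Pacing queue: finished outputs are held and released only on clock ticks
    at multiples of `period`, at most one output per tick.

    The observer sees, per tick, only whether an output left (True) or the
    queue was empty (False).  Whatever the internal timing variation, leakage
    is therefore bounded by one bit per tick: the queue aggregates the timing
    information and rate-limits it to the tick rate."""
    queue = sorted(completions)
    view, next_out, tick_no = [], 0, 0
    while next_out < len(queue):
        tick_no += 1
        tick_time = tick_no * period
        if queue[next_out] <= tick_time:
            view.append(True)
            next_out += 1
        else:
            view.append(False)
    return view


def leak_bound_bits(view: List[bool]) -> int:
    """Upper bound on what an observer learns from a paced trace: one bit per tick."""
    return len(view)
```

With the constructed numbers, four jobs with secrets 0110 and four with 1111 produce different unpaced traces but the identical paced view, four ticks each carrying one output; a larger secret-dependent difference could still shift an output across a tick boundary, but never leak more than the tick count allows.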
VXA: A Virtual Architecture for Durable Compressed Archives
Data compression algorithms change frequently, and obsolete decoders do not
always run on new hardware and operating systems, threatening the long-term
usability of content archived using those algorithms. Re-encoding content into
new formats is cumbersome, and highly undesirable when lossy compression is
involved. Processor architectures, in contrast, have remained comparatively
stable over recent decades. VXA, an archival storage system designed around
this observation, archives executable decoders along with the encoded content
it stores. VXA decoders run in a specialized virtual machine that implements an
OS-independent execution environment based on the standard x86 architecture.
The VXA virtual machine strictly limits access to host system services, making
decoders safe to run even if an archive contains malicious code. VXA's adoption
of a "native" processor architecture instead of type-safe language technology
allows reuse of existing "hand-optimized" decoders in C and assembly language,
and permits decoders access to performance-enhancing architecture features such
as vector processing instructions. The performance cost of VXA's virtualization
is typically less than 15% compared with the same decoders running natively.
The storage cost of archived decoders, typically 30-130KB each, can be
amortized across many archived files sharing the same compression method.
Comment: 14 pages, 7 figures, 2 tables
Deterministic Consistency: A Programming Model for Shared Memory Parallelism
The difficulty of developing reliable parallel software is generating
interest in deterministic environments, where a given program and input can
yield only one possible result. Languages or type systems can enforce
determinism in new code, and runtime systems can impose synthetic schedules on
legacy parallel code. To parallelize existing serial code, however, we would
like a programming model that is naturally deterministic without language
restrictions or artificial scheduling. We propose "deterministic consistency"
(DC), a parallel programming model as easy to understand as the "parallel
assignment" construct in sequential languages such as Perl and JavaScript, where
concurrent threads always read their inputs before writing shared outputs. DC supports
common data- and task-parallel synchronization abstractions such as fork/join
and barriers, as well as non-hierarchical structures such as producer/consumer
pipelines and futures. A preliminary prototype suggests that software-only
implementations of DC can run applications written for popular parallel
environments such as OpenMP with low (<10%) overhead for some applications.
Comment: 7 pages, 3 figures
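The "read inputs before writing shared outputs" rule, as an added illustration that is not the DC prototype's code: a fork/join region where every task reads a snapshot taken at the fork and all writes are published at the join, compared with the same stencil update done in place in a scheduler-chosen order. The array-of-ints shared state, the `dc_parallel` helper, the shuffled run order standing in for a scheduler, and the conflict rule (two tasks writing different values to one location is an error) are constructed for this example.

```python
import random
from typing import Callable, Dict, List

Task = Callable[[List[int]], Dict[int, int]]   # reads a snapshot, returns {index: value}


def dc_parallel(shared: List[int], tasks: List[Task]) -> List[int]:
    """Fork/join under deterministic consistency (constructed illustration).

    Every task reads a snapshot of the shared array taken at the fork point and
    returns the writes it wants to perform; the writes become visible only at
    the join.  Because no task can see a sibling's writes, the result is the
    same for every interleaving, here simulated by shuffling the run order.
    Two tasks writing different values to the same location is a genuine
    conflict, reported rather than resolved by whichever task ran last."""
    snapshot = list(shared)
    order = list(range(len(tasks)))
    random.shuffle(order)                      # stand-in for an arbitrary scheduler
    pending: Dict[int, int] = {}
    for i in order:
        for idx, val in tasks[i](snapshot).items():
            if idx in pending and pending[idx] != val:
                raise RuntimeError(f"write/write conflict at index {idx}")
            pending[idx] = val
    joined = list(shared)
    for idx, val in pending.items():           # join: publish all writes at once
        joined[idx] = val
    return joined


def conflicts(shared: List[int], tasks: List[Task]) -> bool:
    """True if the task set contains a write/write conflict under DC."""
    try:
        dc_parallel(shared, tasks)
        return False
    except RuntimeError:
        return True


def stencil_dc(a: List[int]) -> List[int]:
    """a[i] = a[i-1] + a[i+1] for every interior cell, one task per cell,
    with parallel-assignment semantics: all reads see the original array."""
    tasks = [(lambda s, i=i: {i: s[i - 1] + s[i + 1]}) for i in range(1, len(a) - 1)]
    return dc_parallel(a, tasks)


def stencil_racy(a: List[int], order: List[int]) -> List[int]:
    """The same update done in place in whatever order the scheduler picks:
    later cells read earlier cells' fresh writes, so the result depends on `order`."""
    a = list(a)
    for i in order:
        a[i] = a[i - 1] + a[i + 1]
    return a
```

On `[1, 2, 3, 4, 5]` the DC version always yields `[1, 4, 6, 8, 5]`, whereas the in-place version yields `[1, 4, 8, 13, 5]` for order 1,2,3 and `[1, 11, 10, 8, 5]` for order 3,2,1.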
Seeking Anonymity in an Internet Panopticon
Obtaining and maintaining anonymity on the Internet is challenging. The state
of the art in deployed tools, such as Tor, uses onion routing (OR) to relay
encrypted connections on a detour passing through randomly chosen relays
scattered around the Internet. Unfortunately, OR is known to be vulnerable at
least in principle to several classes of attacks for which no solution is known
or believed to be forthcoming soon. Current approaches to anonymity also appear
unable to offer accurate, principled measurement of the level or quality of
anonymity a user might obtain.
Toward this end, we offer a high-level view of the Dissent project, the first
systematic effort to build a practical anonymity system based purely on
foundations that offer measurable and formally provable anonymity properties.
Dissent builds on two key pre-existing primitives - verifiable shuffles and
dining cryptographers - but for the first time shows how to scale such
techniques to offer measurable anonymity guarantees to thousands of
participants. Further, Dissent represents the first anonymity system designed
from the ground up to incorporate some systematic countermeasure for each of
the major classes of known vulnerabilities in existing approaches, including
global traffic analysis, active attacks, and intersection attacks. Finally,
because no anonymity protocol alone can address risks such as software exploits
or accidental self-identification, we introduce WiNon, an experimental
operating system architecture to harden the uses of anonymity tools such as Tor
and Dissent against such attacks.
Comment: 8 pages, 10 figures
Conscript Your Friends into Larger Anonymity Sets with JavaScript
We present the design and prototype implementation of ConScript, a framework
for using JavaScript to allow casual Web users to participate in an anonymous
communication system. When a Web user visits a cooperative Web site, the site
serves a JavaScript application that instructs the browser to create and submit
"dummy" messages into the anonymity system. Users who want to send non-dummy
messages through the anonymity system use a browser plug-in to replace these
dummy messages with real messages. Creating such conscripted anonymity sets can
increase the anonymity set size available to users of remailer, e-voting, and
verifiable shuffle-style anonymity systems. We outline ConScript's
architecture, we address a number of potential attacks against ConScript, and
we discuss the ethical issues related to deploying such a system. Our
implementation results demonstrate the practicality of ConScript: a workstation
running our ConScript prototype JavaScript client generates a dummy message for
a mix-net in 81 milliseconds and it generates a dummy message for a
DoS-resistant DC-net in 156 milliseconds.
Comment: An abbreviated version of this paper will appear at the WPES 2013
workshop
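The dining-cryptographers primitive that Dissent builds on, and the role of ConScript's dummy messages in it, as one added example that is neither Dissent's nor ConScript's code: a minimal XOR DC-net round in which each member contributes the XOR of the pads it shares with every other member, the one real sender also XORs in its message, and conscripted dummy participants contribute pads only. The pairwise secrets from `os.urandom`, HMAC-SHA256 as the per-round pad generator, the 32-byte slot, and the member numbering are constructed assumptions; a deployment would agree pairwise secrets by key exchange and, as Dissent does, assign slots beforehand with a verifiable shuffle rather than let senders collide.

```python
import hashlib
import hmac
import os
from itertools import combinations
from typing import Dict, Tuple

SLOT_BYTES = 32  # constructed: one fixed-size message slot per round


def pairwise_keys(n: int) -> Dict[Tuple[int, int], bytes]:
    """One secret per pair of members.  Constructed with os.urandom here;
    a real deployment would derive each pair's secret by key agreement."""
    return {pair: os.urandom(32) for pair in combinations(range(n), 2)}


def pad(secret: bytes, round_no: int) -> bytes:
    """Per-round pseudorandom pad for one pair, HMAC-SHA256 used as a PRF."""
    return hmac.new(secret, round_no.to_bytes(4, "big"), hashlib.sha256).digest()[:SLOT_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def share(member: int, keys: Dict[Tuple[int, int], bytes], round_no: int,
          message: bytes = b"") -> bytes:
    """A member's contribution: the XOR of every pad it shares, plus its message.

    A dummy participant (a ConScript-conscripted browser) passes no message, so
    its share is pads only, which is indistinguishable from a real member's
    share.  That is how conscription enlarges the anonymity set."""
    if len(message) > SLOT_BYTES:
        raise ValueError("message does not fit the slot")
    out = message.ljust(SLOT_BYTES, b"\0")
    for (i, j), secret in keys.items():
        if member in (i, j):
            out = xor(out, pad(secret, round_no))
    return out


def dcnet_round(n: int, keys: Dict[Tuple[int, int], bytes], round_no: int,
                messages: Dict[int, bytes]) -> bytes:
    """Combine all n shares.  Each pad appears in exactly two shares and cancels,
    leaving the XOR of the messages.  One sender: the message is published with
    nothing tying it to a member.  Two senders in the same slot: a collision
    that garbles both, which is why slots are assigned ahead of time."""
    result = bytes(SLOT_BYTES)
    for m in range(n):
        result = xor(result, share(m, keys, round_no, messages.get(m, b"")))
    return result
```

The round output is the same whichever member supplied the message, any single share on its own is pad-masked, and a round with only dummies decodes to the all-zero slot.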