Recent Cloud Computing papers:
- Emil Stefanov and Elaine Shi, Multi-cloud Oblivious Storage , Proceedings of the ACM conference on Computer & communications security (CCS), pp. 247-258, November, 2013 [pdf]
- This paper proposes and implements a high-performance Oblivious RAM (ORAM) for cloud storage. The basic idea is to split the ORAM across two or more non-colluding clouds. This shifts the heavy shuffling traffic to the links between the clouds, where bandwidth provisioning is abundant, and reduces the client-cloud bandwidth cost by about an order of magnitude compared with a single-cloud ORAM.
- Yinqian Zhang and Michael K. Reiter, Düppel: Retrofitting Commodity Operating Systems to Mitigate Cache Side Channels in the Cloud, Proceedings of the ACM conference on Computer & communications security (CCS), pp. 827-838, November, 2013 [pdf]
- This paper designs Düppel to defend a tenant VM against cross-VM cache-based side-channel attacks without any hypervisor changes. The basic idea is for the guest OS to periodically cleanse the cache while the VM executes its security-critical code, so that the attacker's Prime+Probe observations are flooded with noise. Düppel provides two modes, sentinel mode and battle mode, which differ in the accuracy of the timers used to schedule the cleansing. Optimizations such as limiting the protection scope to selected processes and skipping cleansing rounds in which nothing could have been observed keep the overhead low.
- Shakeel Butt, H. Andrés Lagar-Cavilla, Abhinav Srivastava, and Vinod Ganapathy, Self-service Cloud Computing , Proceedings of the ACM SIGSAC conference on Computer & communications security (CCS), pp. 253-264, November, 2012 [pdf]
- This paper presents a self-service cloud (SSC) computing model in which administrative privileges are split between a system-wide administrative domain and per-client administrative domains. A client can then manage and perform privileged system tasks for its own VMs (for example, run its own security services), while neither the system-wide domain nor another client's administrative domain can read or modify the client VM's code or data. This protects client VMs from a compromised or malicious administrative domain.
- Marten van Dijk, Ari Juels, Alina Oprea, Ronald L. Rivest, Emil Stefanov, and Nikos Triandopoulos, Hourglass Schemes: How to Prove that Cloud Files Are Encrypted , Proceedings of the ACM SIGSAC conference on Computer & communications security (CCS), pp. 265-280, November, 2012 [pdf]
- This paper proposes hourglass schemes, protocols that let a customer check that the files it stored in the cloud are actually encrypted at rest, as the provider promises. An hourglass function is an additional transformation that turns an encrypted file into an "hourglass format" that is cheap to verify but costly to compute on the fly. A server that honestly stores the hourglass-format file can answer challenges for random blocks promptly; a server that kept the plaintext (or only the raw ciphertext) would have to recompute the transformation on demand and responds measurably slower. The difference in response time therefore serves as the proof of encryption.
- Venkatanathan Varadarajan, Thawan Kooburat, Benjamin Farley, Thomas Ristenpart, and Michael M. Swift, Resource-freeing Attacks: Improve Your Cloud Performance (at Your Neighbor's Expense), Proceedings of the ACM SIGSAC conference on Computer & communications security (CCS), pp. 281-292, November, 2012 [pdf]
- This paper introduces a new class of attacks, resource-freeing attacks (RFAs), in which the attacker's VM improves its own performance by shaping a co-resident victim VM's workload so that the victim releases the contended resource the attacker needs. The paper analyzes resource interference between VMs sharing a physical machine under different types of workloads, and explores contention for the CPU and cache together with the effect of I/O interrupts.
- Yinqian Zhang, Ari Juels, Michael K. Reiter and Thomas Ristenpart, Cross-VM Side Channels and Their Use to Extract Private Keys, Proceedings of the ACM SIGSAC conference on Computer & communications security (CCS), pp. 305-316, November, 2012 [pdf]
- This paper presents a cache-based side-channel attack between virtual machines on the same host. The attacker uses inter-processor interrupts (IPIs) to preempt the victim VM's virtual CPU at a fine granularity, so that it can Prime+Probe the L1 instruction cache and observe the victim's cache footprint between preemptions. The noisy observations are classified and then fed to a hidden Markov model to reconstruct the victim's private key (in the paper's case study, an ElGamal key used by libgcrypt).
- Deepa Srinivasan, Zhi Wang, Xuxian Jiang, and Dongyan Xu, Process Out-Grafting: An Efficient "Out-of-VM" Approach for Fine-Grained Process Execution Monitoring, Proceedings of the ACM SIGSAC conference on Computer & communications security (CCS), pp. 363-374, November, 2011 [pdf]
- This paper addresses the isolation and compatibility challenges of virtualization-based "out-of-VM" security monitoring, in which the monitored system runs as a virtual machine and the security software is moved outside it. The paper designs process out-grafting: the user-space part of the monitored process is moved into the security VM while its kernel part stays in the production VM, so the process can be monitored at fine granularity. When the out-grafted process issues a system call or takes a page fault, a helper module in the security VM forwards the request to the production VM, where stub code services it and sends the result back. The process thus keeps running as before while remaining strictly isolated from the monitoring tool.
- Kevin D. Bowers, Marten van Dijk, Ari Juels, Alina Oprea, and Ronald L. Rivest, How to Tell if Your Cloud Files Are Vulnerable to Drive Crashes, Proceedings of the ACM SIGSAC conference on Computer & communications security (CCS), pp. 501-514, November, 2011 [pdf]
- This paper provides remote customers with a security service, Remote Assessment of Fault Tolerance (RAFT), to verify that files stored in the cloud are kept in a fault-tolerant manner, i.e., spread over enough independent drives to survive hardware failures. In the verification protocol the customer challenges the cloud to retrieve a set of random blocks of the file; by observing the response time and contents, the customer can tell whether the blocks are served in parallel from several drives or sequentially from a single drive, which a cost-cutting cloud adversary might use. Different adversary models and network/drive timing models are considered to validate the approach in real-world cloud environments.
- Sven Bugiel, Stefan Nürnberger, Thomas Pöppelmann, Ahmad-Reza Sadeghi and Thomas Schneider, AmazonIA: When Elasticity Snaps Back, Proceedings of the ACM SIGSAC conference on Computer & communications security (CCS), pp. 389-400, November, 2011 [pdf]
- This paper analyzes security and privacy problems in publicly shared Amazon Machine Images (AMIs) as provided by their publishers. First, it looks for privacy breaches in the images and finds that a lot of critical information, such as keys, private data and source code, is leaked by accident through published images. Then it analyzes SSH-related weaknesses: leftover authorized keys that act as potential backdoors for the image publisher, and SSH host keys left in the image and therefore shared by every instance started from it, which let an adversary identify the image a running instance was built from. Finally, it proposes countermeasures, such as stricter rules for image management and regular scanning of images.
- Kehuan Zhang, Xiaoyong Zhou, Yangyi Chen, XiaoFeng Wang, and Yaoping Ruan, Sedic: privacy-aware data intensive computing on hybrid clouds, Proceedings of the ACM SIGSAC conference on Computer & communications security (CCS), pp. 515-526, November, 2011 [pdf]
- This paper protects the confidentiality and privacy of customer data in cloud computing by leveraging hybrid clouds to split a customer's computation into parts. It designs Sedic, which uses the structure of MapReduce to automatically partition a job according to the security level of the data it works on. Customers label data in their input files as private or public; private data is kept on the private cloud, which is assumed trusted, while public data may be stored on the public cloud, which an adversary can observe. Jobs are then scheduled and executed under the restriction that computation over private data never leaks into the public cloud. To reduce inter-cloud communication and the load on the private cloud, Sedic adds automatic reducer analysis and transformation so that as much of the reduce work as possible can run on the public cloud.
- Ahmed M. Azab, Peng Ning, and Xiaolan Zhang, SICE: A Hardware-Level Strongly Isolated Computing Environment for x86 Multi-core Platforms, Proceedings of the ACM SIGSAC conference on Computer & communications security (CCS), pp. 375-388, November, 2011 [pdf]
- This paper introduces SICE, a Strongly Isolated Computing Environment that provides hardware-level isolated execution on commodity x86 platforms. SICE minimizes the trusted computing base of the isolated environment to the hardware, the BIOS and the System Management Mode (SMM) code, leaving the OS and hypervisor outside the TCB. It supports two modes: a time-sharing mode, in which the legacy system and the isolated workload take turns on the platform, and a multi-core mode, in which they run concurrently on different cores. SICE achieves (1) fast context switches between the two environments, (2) strong isolation of the isolated workload from the concurrently running legacy host, and (3) attestation of its integrity.
- Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang, Xiaolan Zhang, and Nathan C. Skalsky, HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity, Proceedings of the ACM conference on Computer & communications security (CCS), pp. 38-49, November, 2010 [pdf]
- This paper designs HyperSentry, a framework that dynamically measures the integrity of a running hypervisor. HyperSentry uses System Management Mode (SMM) to run the measurement and to protect the measurement agent's base code and data. Unlike previous work, HyperSentry introduces only a software component, properly isolated from the hypervisor, to achieve in-context measurement of the hypervisor's runtime properties. An out-of-band channel, the Intelligent Platform Management Interface (IPMI), triggers the measurement stealthily so that a compromised hypervisor cannot anticipate it, and a TPM is used to attest the measurements. A case study on Xen measures its code integrity and memory isolation integrity.
- Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage, Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-party Compute Clouds , Proceedings of the ACM conference on Computer & communications security (CCS), pp. 199-212, November, 2009 [pdf]
- This paper studies cross-VM information leakage in third-party compute clouds, using Amazon EC2 as the case study. In the first part, the authors map the cloud: by analyzing the IP addresses of instances they infer the availability zone and instance type in which a victim's instance is placed. In the second part they check co-residence of VMs with network-based checks (matching Dom0 IP addresses, i.e., the first hop seen by traceroute, and comparing packet round-trip times) and confirm the results using the hard disk as a covert channel. In the third part they show how to place the adversary's VMs on the same physical host as the victim's, by brute-force placement and by abusing placement locality (launching instances shortly after the victim's). In the last part they demonstrate cross-VM side-channel leakage: cache-based covert channels are used to confirm co-residence and to estimate the victim's traffic rate, and a keystroke timing attack is performed.
- Monirul Sharif, Wenke Lee, Weidong Cui and Andrea Lanzi, Secure In-VM Monitoring Using Hardware Virtualization , Proceedings of the ACM conference on Computer & communications security (CCS), pp. 477-487, November, 2009 [pdf]
- This paper designs Secure In-VM Monitoring (SIM), a system for monitoring applications and activities inside an untrusted guest OS. Existing VMI mechanisms place the security monitor outside the target VM, which introduces significant performance overhead on every monitored event. SIM improves performance by placing the security monitor inside the untrusted guest, and protects it by leveraging Intel VT hardware virtualization features to isolate the monitor's address space from the untrusted guest's memory. The hypervisor guarantees that the switch into the monitor's address space and the entry/exit points of the monitor cannot be bypassed or abused, which secures the monitoring mechanism.
- Kevin D. Bowers, Ari Juels, and Alina Oprea, HAIL: a High-availability and Integrity Layer for Cloud Storage , Proceedings of the ACM conference on Computer & communications security (CCS), pp. 187-198, November, 2009 [pdf]
- This paper designs HAIL (High-Availability and Integrity Layer), a cloud storage system whose availability and integrity can be attested. A file is distributed in redundant, error-coded form across a collection of servers or independent storage services. A verifier can test the availability and integrity of the file through a challenge-response protocol called a Proof of Retrievability (POR), and detected corruption on one server triggers recovery of the file from the other servers. HAIL ensures file intactness even against a strong mobile Byzantine adversary that can progressively corrupt servers.
Usenix Security' 12
- Nuno Santos, Rodrigo Rodrigues, Krishna P. Gummadi, and Stefan Saroiu, Policy-sealed Data: a New Abstraction for Building Trusted Cloud Services, Proceedings of the USENIX Security symposium (Usenix Security), pp. 10-10, August, 2012 [pdf]
- This paper designs Excalibur, a system that implements policy-sealed data: data is sealed so that it can be unsealed only on cloud nodes whose configuration matches a customer-chosen policy. Excalibur uses ciphertext-policy attribute-based encryption, in which data is encrypted under a policy over node attributes, and a central trusted monitor that attests the nodes, interprets the policy and hands decryption keys only to nodes that satisfy it.
- Taesoo Kim, Marcus Peinado, and Gloria Mainar-Ruiz, System-level Protection Against Cache-based Side-channel Attacks in the Cloud, Proceedings of the USENIX Security symposium (Usenix Security), pp. 11-11, August, 2012 [pdf]
- This paper introduces StealthMem, a system-level protection against cache-based side-channel attacks that works on existing commodity hardware and does not require profound changes to application software. StealthMem mitigates leakage through the last-level cache, which is shared by VMs running on the same or different cores. It reserves for each core a set of stealth pages whose cache lines, once loaded, cannot be evicted by other pages, implemented with page coloring so that no other page maps to the stealth pages' cache sets. A VM places its sensitive data (e.g., cipher lookup tables) in stealth pages, so an attacker cannot observe its cache evictions.
- Zhenyu Wu, Zhang Xu, and Haining Wang, Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud, Proceedings of the USENIX Security symposium (Usenix Security), pp. 9-9, August, 2012 [pdf]
- This paper designs and launches covert-channel attacks between VMs in the cloud. The first channel exploits cache contention to transmit bits; this approach is limited because it stops working when the VMs' virtual CPUs float across different cores. The second channel uses memory-bus contention as a timing channel: the sender issues exotic atomic memory operations on unaligned addresses that span two cache lines, which lock the memory bus, and the receiver times its own memory accesses to recover the transmitted bits. Other techniques improve reliability and accuracy, e.g., receiver confirmation, clock synchronization and error correction.
Usenix Security' 11
- Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar Weippl, Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space, Proceedings of the USENIX Security symposium (Usenix Security), pp. 5-5, August, 2011 [pdf]
- This paper studies attacks on SaaS cloud storage, focusing on Dropbox, and finds weaknesses in its file transmission and storage policies. Dropbox split files into chunks, hashed each chunk with SHA-256 and, to deduplicate, let a client skip uploading any chunk whose hash the server already knew. Three attacks give access to files the attacker is not authorized for. The first is the hash value manipulation attack: an attacker who knows the hash values of a file's chunks can claim them and have the file linked to his own account without ever uploading it. The second is the stolen host ID attack: the host ID is the client's only credential, so whoever obtains an account's host ID can retrieve all of its files. The third is the direct download attack: given chunk hashes and any valid host ID, the attacker can request the chunks directly from Dropbox's servers. The paper also describes the online slack space problem: an attacker can upload any number of chunks of any size without linking them to his account and thereby obtain far more storage than he pays for. Countermeasures are proposed, e.g., a data possession (proof-of-ownership) protocol, no unlinked chunks, checks of host ID activity, dynamic host IDs and enforcement of data ownership.
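The deduplication weakness above, and the data possession countermeasure, as an added toy simulation (this is editor-written example code, not Dropbox's protocol or the paper's tooling). The chunk size, host IDs, file contents and the simple HMAC-over-chunk proof are constructed for the example; a real proof-of-ownership scheme would challenge a few random blocks of a Merkle tree rather than the whole chunk.

```python
"""Client-side deduplication by content hash: the hash-only 'claim' attack and a
proof-of-possession fix (toy simulation, not Dropbox code)."""
import hashlib
import hmac
import os

CHUNK = 1024        # toy chunk size (the 2011 Dropbox client used 4 MiB chunks hashed with SHA-256)
UNKNOWN = object()  # claim() result meaning "server has never seen this chunk: upload it"


def split(data):
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]


def chunk_hash(piece):
    return hashlib.sha256(piece).hexdigest()


class NaiveDedupServer:
    """Deduplicating store that trusts the client's claim 'I already have chunk h'."""

    def __init__(self):
        self.chunks = {}     # hash -> bytes, shared by all users
        self.linked = {}     # host_id -> hashes this account may download
        self.uploads = 0     # bytes actually transferred, to show dedup working

    def upload(self, host_id, h, piece):
        assert chunk_hash(piece) == h
        self.chunks[h] = piece
        self.uploads += len(piece)
        self.linked.setdefault(host_id, set()).add(h)

    def claim(self, host_id, h):
        """Known hash -> link the chunk to the account without any transfer.
        Vulnerable: whoever learns h obtains the bytes (hash value manipulation
        and direct download attacks)."""
        if h not in self.chunks:
            return UNKNOWN
        self.linked.setdefault(host_id, set()).add(h)
        return None          # nothing more to do

    def download(self, host_id, h):
        if h not in self.linked.get(host_id, set()):
            raise PermissionError("chunk not linked to this account")
        return self.chunks[h]


class PossessionCheckedServer(NaiveDedupServer):
    """Same protocol, but a claim for a known chunk only yields a nonce challenge;
    the link is created once the client proves it holds the chunk bytes."""

    def __init__(self):
        super().__init__()
        self.pending = {}    # (host_id, h) -> nonce

    def claim(self, host_id, h):
        if h not in self.chunks:
            return UNKNOWN
        nonce = os.urandom(16)
        self.pending[(host_id, h)] = nonce
        return nonce

    def prove(self, host_id, h, tag):
        nonce = self.pending.pop((host_id, h), None)
        if nonce is None:
            return False
        expected = hmac.new(nonce, self.chunks[h], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.linked.setdefault(host_id, set()).add(h)
        return True


def sync(server, host_id, data):
    """Honest client: announce hashes, upload only unknown chunks, answer challenges."""
    for piece in split(data):
        h = chunk_hash(piece)
        r = server.claim(host_id, h)
        if r is UNKNOWN:
            server.upload(host_id, h, piece)
        elif r is not None:                      # challenge: prove possession of the bytes
            server.prove(host_id, h, hmac.new(r, piece, hashlib.sha256).digest())


def hash_only_attack(server, attacker_host, h):
    """Attacker knows h (say, from a leaked hash list) but not the chunk itself.
    Returns the chunk bytes on success, None if the server refuses."""
    r = server.claim(attacker_host, h)
    if r is UNKNOWN:
        return None
    if r is not None:                            # cannot compute the HMAC without the bytes
        server.prove(attacker_host, h, bytes(32))
    try:
        return server.download(attacker_host, h)
    except PermissionError:
        return None


if __name__ == "__main__":
    secret_file = os.urandom(3 * CHUNK)          # constructed victim data
    target = chunk_hash(split(secret_file)[1])
    for cls in (NaiveDedupServer, PossessionCheckedServer):
        srv = cls()
        sync(srv, "victim-host-id", secret_file)
        sync(srv, "colleague-host-id", secret_file)   # genuine second owner: no bytes re-uploaded
        got = hash_only_attack(srv, "attacker-host-id", target)
        print(f"{cls.__name__}: uploaded={srv.uploads} bytes, attacker got chunk: {got is not None}")
```

Note that the proof of possession closes only the hash-based attacks: a stolen host ID still grants every download the account is linked to, which is why the paper separately recommends host ID activity checks and dynamic host IDs.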
- Hwanju Kim, Sangwook Kim, Jinkyu Jeong, Joowon Lee, and Seungryoul Maeng, Demand-Based Coordinated Scheduling for SMP VMs, Proceedings of ACM international conference on Architectural support for programming languages and operating systems (ASPLOS), pp. 369-380, March, 2013 [pdf]
- This paper proposes communication-driven scheduling, which controls time-sharing of physical CPUs in response to inter-processor interrupts (IPIs) between the virtual CPUs of an SMP VM, and introduces a load-conscious CPU allocation policy to address load imbalance in heterogeneously consolidated environments.
- Emil Stefanov and Elaine Shi, ObliviStore: High Performance Oblivious Cloud Storage, Proceedings of the IEEE Symposium on Security and Privacy (S&P), pp. 253-267, May, 2013 [pdf]
- This paper applies Oblivious RAM (ORAM) to cloud storage, to hide clients' data access patterns from the storage provider. To make ORAM practical, the authors design ObliviStore, a distributed ORAM-based cloud storage system that achieves high throughput by making I/O operations asynchronous. Various optimizations and algorithms improve performance while eliminating I/O timing channels, so that the timing of requests does not itself leak information about the access pattern.
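The access-pattern-hiding property that the Multi-cloud Oblivious Storage and ObliviStore papers build on, shown with a minimal Path ORAM (Stefanov et al., CCS 2013), the simplest tree-based ORAM. This is an added example written by the editor, not code from either paper (both use a partition-based ORAM with asynchronous I/O, not this construction). The in-memory server, bucket size Z=4, 16-block capacity and block contents are assumed for the demo, and the re-encryption of every block on write-back, which a real deployment needs so the server cannot recognize a block moving between paths, is omitted.

```python
"""Toy Path ORAM client over an in-memory untrusted server (editor's example)."""
import math
import random

Z = 4  # blocks per bucket (assumed; the Path ORAM paper's recommended setting)


class Server:
    """Untrusted storage: a complete binary tree of buckets. It records every path
    it is asked to read or write, which is all a curious provider gets to see."""

    def __init__(self, levels):
        self.levels = levels          # tree height; leaves are 0 .. 2**levels - 1
        self.buckets = {}             # (level, node) -> list of Z (block_id, data) pairs
        self.log = []                 # observed operations: (op, leaf)

    def path(self, leaf):
        """Bucket coordinates from the root (level 0) down to the leaf bucket."""
        return [(lvl, leaf >> (self.levels - lvl)) for lvl in range(self.levels + 1)]

    def read_path(self, leaf):
        self.log.append(("read", leaf))
        return [blk for b in self.path(leaf) for blk in self.buckets.get(b, [])]

    def write_path(self, leaf, buckets):
        self.log.append(("write", leaf))
        for b, content in zip(self.path(leaf), buckets):
            self.buckets[b] = content


class PathORAM:
    """Client: keeps the position map and a small stash; every logical access
    reads and rewrites one uniformly random root-to-leaf path."""

    def __init__(self, n_blocks, seed=0):
        self.rng = random.Random(seed)   # seeded only so the demo is reproducible
        self.levels = max(1, math.ceil(math.log2(n_blocks)))
        self.server = Server(self.levels)
        self.pos = {a: self.rng.randrange(2 ** self.levels) for a in range(n_blocks)}
        self.stash = {}                  # block_id -> data, held client-side

    def access(self, op, block_id, data=None):
        """op is 'read' or 'write'. Returns the block's previous contents (None if unset)."""
        leaf = self.pos[block_id]
        self.pos[block_id] = self.rng.randrange(2 ** self.levels)  # remap before touching the server
        for bid, d in self.server.read_path(leaf):
            if bid is not None:          # skip dummy padding
                self.stash[bid] = d
        old = self.stash.get(block_id)
        if op == "write":
            self.stash[block_id] = data
        self._evict(leaf)
        return old

    def _evict(self, leaf):
        """Write the same path back, greedily pushing stash blocks as deep as their
        (new) leaf allows; unused slots are padded with dummies so buckets stay full."""
        new_path = []
        for lvl in range(self.levels, -1, -1):
            node = leaf >> (self.levels - lvl)
            fits = [bid for bid in self.stash
                    if self.pos[bid] >> (self.levels - lvl) == node][:Z]
            bucket = [(bid, self.stash.pop(bid)) for bid in fits]
            bucket += [(None, None)] * (Z - len(bucket))
            new_path.append(bucket)
        self.server.write_path(leaf, new_path[::-1])  # server expects root-first order


def distinct_leaves_for(oram, block_id, reps):
    """Read one block repeatedly and count how many different paths the server saw."""
    seen = set()
    for _ in range(reps):
        oram.access("read", block_id)
        seen.add(oram.server.log[-1][1])
    return len(seen)


if __name__ == "__main__":
    oram = PathORAM(16, seed=7)
    for a in range(16):
        oram.access("write", a, f"block-{a}")      # constructed sample data
    assert all(oram.access("read", a) == f"block-{a}" for a in range(16))
    print("stash size after 32 accesses:", len(oram.stash))
    print("distinct paths for 10 reads of block 7:", distinct_leaves_for(oram, 7, 10))
    print("server observed only:", sorted({op for op, _ in oram.server.log}))
```

Each logical read or write costs one path read plus one path write of (levels+1)*Z blocks, which is the O(log N) bandwidth blowup that the two papers above attack with partitioning, asynchrony and, in the multi-cloud case, by moving the shuffling traffic between clouds.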
- Amit Vasudevan, Sagar Chaki, Limin Jia, Jonathan McCune, James Newsome and Anupam Datta, Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework, Proceedings of the IEEE Symposium on Security and Privacy (S&P), pp. 430-444, May, 2013 [pdf]
- This paper designs, implements and verifies XMHF, an eXtensible and Modular Hypervisor Framework. XMHF achieves three goals: modular extensibility (a comprehensible and flexible platform for building hypervisor applications, or "hyperapps"), automated verification (security properties such as memory integrity are verified automatically), and high performance. The authors propose the DRIVE methodology (Designing hypervisors for Rigorous Integrity VErification), which requires the hypervisor to have several properties: modularity, atomicity, memory access control protection, correct initialization, proper mediation and safe state updates.
- Yangchun Fu and Zhiqiang Lin, Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection, Proceedings of the IEEE Symposium on Security and Privacy (S&P), pp. 586-600, May, 2012 [pdf]
- This paper designs VMST (VM-Space Traveler), a virtual machine introspection (VMI) technique that bridges the semantic gap and automatically generates VMI tools. The key idea is to turn an unmodified in-guest inspection program into an introspection program by running it in a trusted VM and transparently redirecting its kernel data reads to the memory of the guest being inspected, so the approach needs no cooperation from the in-guest OS kernel. To realize this, VMST first identifies the introspection execution context, then identifies which kernel data accessed in that context is redirectable, and finally redirects those reads to the inspected guest's memory, with everything running at the VMM layer. The three key techniques are system call execution context identification, redirectable data identification, and kernel data redirection.
- Yinqian Zhang, Ari Juels, Alina Oprea, and Michael K. Reiter, HomeAlone: Co-residency Detection in the Cloud via Side-Channel Analysis, Proceedings of the IEEE Symposium on Security and Privacy (S&P), pp. 313-328, May, 2011 [pdf]
- This paper designs HomeAlone, a system that lets a tenant's "friendly" VMs detect whether any "foe" VM is co-resident on the same cloud server. The detection turns the side-channel attacker's toolkit into a defensive tool: the friendly VMs coordinate to leave a reserved region of the L2 cache untouched and then Prime+Probe it, so any activity observed in that region must come from a foe VM. Techniques such as multi-probe classification and physical address remapping are used to remove the noise caused by other friendly VMs, Dom0, the TLB, etc.
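The Prime+Probe channel that HomeAlone, the key-extraction attack of Zhang et al. (CCS 2012) and the EC2 study of Ristenpart et al. all rely on, followed by the effect of Düppel-style cleansing and a StealthMem-style reserved cache set, as an added simulation written by the editor (not code from any of these papers). Timing is abstracted into per-set hit/miss counts, the cache geometry (64 sets x 8 ways, LRU), the address layout and the victim's two-entry lookup table are constructed, and both defences are deliberately simplified models of the papers' mechanisms.

```python
"""Prime+Probe on a modelled LRU set-associative cache, plus two defences (editor's example)."""
from collections import OrderedDict

LINE = 64           # bytes per cache line
SETS, WAYS = 64, 8  # assumed geometry of the shared cache being modelled
T_SET = (5, 37)     # cache sets holding the victim's table entries T[0] and T[1]


class Cache:
    """LRU set-associative cache; each line remembers which tenant loaded it."""

    def __init__(self, sets=SETS, ways=WAYS):
        self.sets, self.ways = sets, ways
        self.lines = [OrderedDict() for _ in range(sets)]  # set -> {tag: owner}, LRU first

    def access(self, addr, owner):
        """Load the line containing addr on behalf of owner; return True on a hit."""
        line = addr // LINE
        st, tag = self.lines[line % self.sets], line // self.sets
        if tag in st:
            st.move_to_end(tag)           # refresh LRU position
            return True
        if len(st) >= self.ways:
            st.popitem(last=False)        # evict the least recently used line
        st[tag] = owner
        return False


def attacker_addr(s, w):
    """Attacker-owned address that maps to set s with tag w (w < WAYS)."""
    return (w * SETS + s) * LINE


def victim_addr(s):
    """Victim-owned address in set s; tag 1000 never collides with attacker tags."""
    return (1000 * SETS + s) * LINE


def prime(cache, sets):
    """Fill every way of the chosen sets with attacker lines."""
    for s in sets:
        for w in range(WAYS):
            cache.access(attacker_addr(s, w), "attacker")


def probe(cache, sets):
    """Re-touch the primed lines (in reverse order, to avoid self-eviction under LRU)
    and count misses per set: a miss means someone else used that set meanwhile."""
    return {s: sum(not cache.access(attacker_addr(s, w), "attacker")
                   for w in reversed(range(WAYS))) for s in sets}


def victim_lookup(cache, bit):
    """Secret-dependent table lookup: touches the set holding T[bit]."""
    cache.access(victim_addr(T_SET[bit]), "victim")


def cleanse(cache):
    """Duppel-style cleansing: the victim's OS loads its own lines into every way of
    every set, so whatever the attacker primed is gone before it can probe."""
    for s in range(SETS):
        for w in range(WAYS):
            cache.access(((2000 + w) * SETS + s) * LINE, "cleanser")


def decode(misses):
    """Attacker's decision: whichever of T[0]'s or T[1]'s set shows more misses."""
    m0, m1 = misses.get(T_SET[0], 0), misses.get(T_SET[1], 0)
    if m0 == m1:
        return None                       # no usable signal
    return 0 if m0 > m1 else 1


def run_attack(secret, defence=None):
    """Recover secret bits one by one; defence is None, 'duppel' or 'stealthmem'."""
    cache = Cache()
    # StealthMem reserves the page colours of the victim's stealth pages, so the
    # attacker cannot map lines into those sets at all (simplified model).
    sets = [s for s in range(SETS) if not (defence == "stealthmem" and s in T_SET)]
    recovered = []
    for bit in secret:
        prime(cache, sets)
        victim_lookup(cache, bit)
        if defence == "duppel":
            cleanse(cache)
        recovered.append(decode(probe(cache, sets)))
    return recovered


if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0, 1, 0]      # constructed key bits
    print("no defence :", run_attack(secret))
    print("Duppel     :", run_attack(secret, "duppel"))
    print("StealthMem :", run_attack(secret, "stealthmem"))
```

The reverse-order probe matters: probing in the same order as the prime makes the attacker's own first miss evict its next line, so every access misses and the channel reads as pure noise. Real attacks must also cope with timing jitter, TLB effects and scheduler interference, which is where the IPI trick of Zhang et al. and the classifier stages of both that paper and HomeAlone come in.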
- Brendan Dolan-Gavitt, Tim Leek, Michael Zhivich, Jonathon Giffin, and Wenke Lee, Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection, Proceedings of the IEEE Symposium on Security and Privacy (S&P), pp. 297-312, May, 2011 [pdf]
- This paper designs Virtuoso, a virtual machine introspection system that collects information about a guest VM from outside the VM without detailed knowledge of the guest operating system's internals. In a training phase, a program that reports the desired system information is run inside the guest while dynamic analysis records all the code it executes. Optimizations such as filtering out interrupts and memory allocation, and dynamic slicing of the executable, remove system noise from the trace. Virtuoso then automatically generates programs that extract the same security-relevant information from outside the guest VM. Virtuoso aims at generality, reliability, security and high performance, but it also has limitations and does not support some features, e.g., multiple address spaces, self-modifying code, relocation and ASLR.
- Hassan Takabi, James B.D. Joshi, and Gail-Joon Ahn, Security and Privacy Challenges in Cloud Computing Environments, IEEE Security & Privacy, vol. 8, no. 6, pp. 24-31, Nov/Dec, 2010 [pdf]
- This paper gives a general overview of security and privacy issues in cloud computing and surveys possible solutions.
- Zhi Wang and Xuxian Jiang, HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity, Proceedings of the IEEE Symposium on Security and Privacy (S&P), pp. 380-395, May, 2010 [pdf]
- This paper designs HyperSafe, a lightweight architecture that provides lifetime control-flow integrity for a hypervisor even in the presence of exploitable software bugs. HyperSafe combines two techniques: non-bypassable memory lockdown, which protects the hypervisor's code, static data and page tables from modification, and restricted pointer indexing, which protects the integrity of the hypervisor's control-flow graph. For memory lockdown, the page tables themselves are mapped read-only and the CR0.WP (write-protect) bit is kept set, so that even the hypervisor's own privileged writes to them fault; a legitimate page-table update is performed only inside a short atomic sequence (interrupts disabled) that clears WP, checks and applies the update, and sets WP again, so hijacked hypervisor code never finds the page tables writable. For restricted pointer indexing, every indirect control transfer in the hypervisor (indirect call/jump and ret instructions) is rewritten to use an index into a target table derived from the control-flow graph; at runtime the transfer can only go to the table entry for that index, so a corrupted pointer cannot redirect control to an arbitrary address.