Abstract
Cloud computing introduces a new paradigm shift in service delivery models. However, the potential benefits reaped from the adoption of this model are threatened by public accessibility of the cloud-hosted services and sharing of resources with other service tenants. This increases the potential for exploitation of newly discovered vulnerabilities that usually take a long time to discover and to mitigate. On the other hand, existing cloud platforms do not provide a means to validate the security of offered cloud services or mitigating security vulnerabilities that arise at runtime. We introduce VAM-aaS, Vulnerability Analysis and Mitigation as-a-service, as a novel, integrated, and online cloud-based security vulnerability analysis and mitigation service. VAM-aaS performs online service analysis to pinpoint new vulnerabilities and weaknesses. It then uses this information to generate security control integration and configuration scripts to block these discovered security holes at runtime. Our approach is based on a new vulnerability signature and mitigation-actions specification approach. We introduce our approach, describe implementation details, and describe an evaluation of our prototype on a set of .NET benchmark applications.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Almorsy, M., Grundy, J., Mueller, I.: An analysis of the cloud computing security problem. In: Asia Pacific Cloud Workshop, APSEC 2010, Sydney, Australia (2010)
Bau, J., et al.: State of the Art: Automated Black-Box Web Application Vulnerability Testing. In: 2010 IEEE Symposium on Security and Privacy (2010)
Kals, S., et al.: SecuBat: a web vulnerability scanner. In: Proc. of 15th Int. Conf. on World Wide, Web 2006, pp. 247–256. ACM, Edinburgh (2006)
Felmetsger, V., et al.: Toward automated detection of logic vulnerabilities in web applications. In: 19th USENIX Conf. on Security, Washington, DC (2010)
Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting Web application vulnerabilities. In: IEEE Symposium on Security and Privacy (2006)
Dasgupta, A., Narasayya, V., Syamala, M.: A Static Analysis Framework for Database Applications. In: 2009 IEEE Int. Conf. on Data Engineering (2009)
Martin, M., Livshits, B., Lam, M.: Finding application errors and security flaws using PQL: a program query language. In: 20th Conf. on Object-oriented Programming, Systems, Languages, and Applications, CA, USA (2005)
Lam, M.S., et al.: Securing web applications with static and dynamic information flow tracking. In: Symposium on Partial Evaluation and Semantics-based Program Manipulation, California, USA (2008)
Kieyzun, A., et al.: Automatic creation of SQL Injection and cross-site scripting attacks. In: 31st Int. Conf. on Software Engineering (2009)
Halfond, W.G.J., Orso, A., Manolios, P.: Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In: 14th Int. Symposium on Foundations of Software Engineering, Oregon, USA (2006)
Weinberger, J., Saxena, P., Akhawe, D., Finifter, M., Shin, R., Song, D.: A Systematic Analysis of XSS Sanitization in Web Application Frameworks. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 150–171. Springer, Heidelberg (2011)
Wassermann, G., Su, Z.: Static detection of cross-site scripting vulnerabilities. In: 30th Int. Conf. on Software Engineering. ACM, Leipzig (2008)
Hooimeijer, P., et al.: Fast and precise sanitizer analysis with BEK. In: 20th USENIX Conf. on Security 2011, p. 1. USENIX Association, San Francisco (2011)
Balzarotti, D., et al.: Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In: IEEE Security and Privacy (2008)
Ganesh, V., Kieżun, A., Artzi, S., Guo, P.J., Hooimeijer, P., Ernst, M.: HAMPI: A String Solver for Testing, Analysis and Vulnerability Detection. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 1–19. Springer, Heidelberg (2011)
Monga, M., Paleari, R., Passerini, E.: A hybrid analysis framework for detecting web application vulnerabilities. In: 2009 ICSE Workshop on Software Engineering for Secure Systems, pp. 25–32 (2009)
Zhang, R., et al.: Static program analysis assisted dynamic taint tracking for software vulnerability discovery. In: Computers & Mathematics with Application, pp. 469–480 (2012)
NIST: Source Code Security Analysis Tool Functional Specification Version 1.1. In: NIST Special Publication 500-268 (May 2007) (accessed 2011)
Wurzinger, P., et al.: SWAP: mitigating XSS attacks using a reverse proxy. In: ICSE Workshop on Software Engineering for Secure Systems, Vancouver, pp. 33–39 (2009)
Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23–43. Springer, Heidelberg (2008)
Kotha, R., Prasad, K., Naik, D.: Analysis of XSS attack Mitigation techniques based on Platforms and Browsers. In: SEA, CLOUD, DKMP, CS & IT, vol. 5, pp. 395–405 (2012)
Vogt, P., et al.: Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In: Network and Distributed System Security Symposium, San Diego, CA (2007)
CENZIC: Web Applications Security Trends Reports Q1-Q2 2010 (2010), cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2010.pdf
OWASP: Open Web Application Security Project, https://www.owasp.org
CWE: Common Weaknesses Enumeration, http://cwe.mitre.org
SharpDevelop, http://wiki.sharpdevelop.net/
Yiihaw:YIIHAW Is an Intelligent and High-performing Aspect Weave, http://yiihaw.tigris.org/
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Almorsy, M., Grundy, J., Ibrahim, A.S. (2012). VAM-aaS: Online Cloud Services Security Vulnerability Analysis and Mitigation-as-a-Service. In: Wang, X.S., Cruz, I., Delis, A., Huang, G. (eds) Web Information Systems Engineering - WISE 2012. WISE 2012. Lecture Notes in Computer Science, vol 7651. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35063-4_30
Download citation
DOI: https://doi.org/10.1007/978-3-642-35063-4_30
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35062-7
Online ISBN: 978-3-642-35063-4
eBook Packages: Computer ScienceComputer Science (R0)