
VAM-aaS: Online Cloud Services Security Vulnerability Analysis and Mitigation-as-a-Service

  • Conference paper
Web Information Systems Engineering - WISE 2012 (WISE 2012)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 7651)

Abstract

Cloud computing introduces a new paradigm shift in service delivery models. However, the potential benefits reaped from the adoption of this model are threatened by the public accessibility of cloud-hosted services and by the sharing of resources with other service tenants. This increases the potential for exploitation of newly discovered vulnerabilities, which usually take a long time to discover and to mitigate. On the other hand, existing cloud platforms do not provide a means to validate the security of offered cloud services or to mitigate security vulnerabilities that arise at runtime. We introduce VAM-aaS, Vulnerability Analysis and Mitigation as-a-Service, a novel, integrated, online cloud-based security vulnerability analysis and mitigation service. VAM-aaS performs online service analysis to pinpoint new vulnerabilities and weaknesses. It then uses this information to generate security control integration and configuration scripts that block the discovered security holes at runtime. Our approach is based on a new specification approach for vulnerability signatures and mitigation actions. We introduce our approach, describe implementation details, and describe an evaluation of our prototype on a set of .NET benchmark applications.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Almorsy, M., Grundy, J., Ibrahim, A.S. (2012). VAM-aaS: Online Cloud Services Security Vulnerability Analysis and Mitigation-as-a-Service. In: Wang, X.S., Cruz, I., Delis, A., Huang, G. (eds) Web Information Systems Engineering - WISE 2012. WISE 2012. Lecture Notes in Computer Science, vol 7651. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35063-4_30

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-35063-4_30

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35062-7

  • Online ISBN: 978-3-642-35063-4

  • eBook Packages: Computer Science (R0)