Abstract
The risk of unauthorized private data access is among the primary concerns for users of cloud-based services. For the common setting in which the infrastructure provider and the service provider are different, users have to trust their data to both parties, although they interact solely with the latter. In this paper we propose CloudFence, a framework for cloud hosting environments that provides transparent, fine-grained data tracking capabilities to both service providers, as well as their users. CloudFence allows users to independently audit the treatment of their data by third-party services, through the intervention of the infrastructure provider that hosts these services. CloudFence also enables service providers to confine the use of sensitive data in well-defined domains, offering additional protection against inadvertent information leakage and unauthorized access. The results of our evaluation demonstrate the ease of incorporating CloudFence on existing real-world applications, its effectiveness in preventing a wide range of security breaches, and its modest performance overhead on real settings.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
AWS taps social networks for identity verification, http://www.theregister.co.uk/2013/05/29/aws_social_identity_verification
Login with Amazon, http://login.amazon.com/
SiteBar: Multiple issues, http://www.securityfocus.com/archive/1/483364
VirtueMart Multiple SQL Injection Vulnerabilities, http://www.securityfocus.com/bid/37963
Attariyan, M., Flinn, J.: Automating configuration troubleshooting with dynamic information flow analysis. In: Proc. of OSDI (2010)
Bello, L., Russo, A.: Towards a Taint Mode for Cloud Computing Web Applications. In: Proc. of PLAS, pp. 1–12 (2012)
Berghel, H.: Identity Theft and Financial Fraud: Some Strangeness in the Proportions. Computer 45(1), 86–89 (2012)
Bisht, P., Hinrichs, T., Skrupsky, N., Venkatakrishnan, V.N.: WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction. In: Proc. of CCS, pp. 575–586 (2011)
Bosman, E., Slowinska, A., Bos, H.: Minemu: The World’s Fastest Taint Tracker. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 1–20. Springer, Heidelberg (2011)
Bowers, K.D., Juels, A., Oprea, A.: HAIL: a High-Availability and Integrity Layer for Cloud Storage. In: Proc. of CCS, pp. 187–198 (2009)
Brown, A., Chase, J.: Trusted Platform-as-a-Service: A Foundation for Trustworthy Cloud-Hosted Applications. In: Proc. of CCSW, pp. 15–20 (2011)
Chen, Y., Paxson, V., Katz, R.H.: What’s New About Cloud Computing Security? Tech. Rep. UCB/EECS-2010-5, EECS Department, University of California, Berkeley (January 2010), http://www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-5.html
Cheng, W., Zhao, Q., Yu, B., Hiroshige, S.: TaintTrace: Efficient Flow Tracing with Dynamic Binary Rewriting. In: Proc. of ISCC, pp. 749–754 (2006)
Clause, J., Li, W., Orso, A.: Dytan: A Generic Dynamic Taint Analysis Framework. In: Proc. of ISSTA, pp. 196–206 (2007)
Computerworld: Microsoft BPOS cloud service hit with data breach (December 2010), http://www.computerworld.com/s/article/9202078/Microsoft_BPOS_cloud_service_hit_with_data_breach
Crandall, J.R., Chong, F.T.: Minos: Control Data Attack Prevention Orthogonal to Memory Model. In: Proc. of MICRO, pp. 221–232 (2004)
Davis, B., Chen, H.: DBTaint: Cross-Application Information Flow Tracking via Databases. In: Proc. of WebApps (2010)
Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In: Proc. of OSDI (2010)
Feldman, A.J., Zeller, W.P., Freedman, M.J., Felten, E.W.: SPORC: Group Collaboration using Untrusted Cloud Resources. In: Proc. of OSDI (2010)
Geambasu, R., Kohno, T., Levy, A.A., Levy, H.M.: Vanish: Increasing Data Privacy with Self-Destructing Data. In: Proc. of USENIX Sec., pp. 299–316 (2009)
Gentry, C.: Fully Homomorphic Encryption Using Ideal Lattices. In: Proc. of STOC, pp. 169–178 (2009)
Kang, M.G., McCamant, S., Poosankam, P., Song, D.: DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation. In: Proc. of NDSS (2011)
Kemerlis, V.P., Portokalidis, G., Jee, K., Keromytis, A.D.: libdft: Practical Dynamic Data Flow Tracking for Commodity Systems. In: Proc. of VEE (2012)
Kim, H.C., Keromytis, A.D., Covington, M., Sahita, R.: Capturing Information Flow with Concatenated Dynamic Taint Analysis. In: Proc. of ARES, pp. 355–362 (2009)
Kontaxis, G., Polychronakis, M., Keromytis, A.D., Markatos, E.P.: Privacy-preserving social plugins. In: Proceedings of the 21st USENIX Security Symposium (August 2012)
Krohn, M., Yip, A., Brodsky, M., Morris, R., Walfish, M.: A World Wide Web Without Walls. In: Proc. of HotNets (2007)
Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Frans, M., Eddie, K., Morris, K.R.: Information Flow Control for Standard OS Abstractions. In: Proc. of SOSP, pp. 321–334 (2007)
Luk, C.K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation. In: Proc. of PLDI, pp. 190–200 (2005)
Mundada, Y., Ramachandran, A., Feamster, N.: SilverLine: Data and Network Isolation for Cloud Services. In: Proc. of HotCloud (2011)
Nethercote, N., Seward, J.: How to Shadow Every Byte of Memory Used by a Program. In: Proc. of VEE, pp. 65–74 (2007)
Newsome, J., Song, D.: Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In: Proc. of NDSS (2005)
Portokalidis, G., Slowinska, A., Bos, H.: Argos: an Emulator for Fingerprinting Zero-Day Attacks. In: Proc. of EuroSys, pp. 15–27 (2006)
Preibusch, S.: Information Flow Control for Static Enforcement of User-Defined Privacy Policies. In: Proc. of POLICY, pp. 157–160 (2011)
Qin, F., Wang, C., Li, Z., Kim, H.S., Zhou, Y., Wu, Y.: LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks. In: Proc. of MICRO, pp. 135–148 (2006)
Zhao, Q., Bruening, D., Amarasinghe, S.: Efficient Memory Shadowing for 64-bit Architectures. In: Proc. of ISMM, pp. 93–102 (2010)
Zhao, Q., Bruening, D., Amarasinghe, S.: Umbra: Efficient and Scalable Memory Shadowing. In: Proc. of CGO, pp. 22–31 (2010)
Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, You, Get Off of My Cloud! Exploring Information Leakage in Third-Party Compute Clouds. In: Proc. of CCS, pp. 199–212 (2009)
Santos, N., Gummadi, K.P., Rodrigues, R.: Towards Trusted Cloud Computing. In: Proc. of HotCloud (2009)
Slowinska, A., Bos, H.: Pointless Tainting? Evaluating the Practicality of Pointer Tainting. In: Proc. of EuroSys, pp. 61–74 (2008)
Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Saxena, P.: BitBlaze: A New Approach to Computer Security via Binary Analysis. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 1–25. Springer, Heidelberg (2008)
Sophos: Groupon subsidiary leaks 300k logins, fixes fail, fails again (June 2011), http://nakedsecurity.sophos.com/2011/06/30/groupon-subsidiary-leaks-300k-logins-fixes-fail-fails-again/
The Wall Street Journal: Google Discloses Privacy Glitch (March 2009), http://blogs.wsj.com/digits/2009/03/08/1214/
Wang, W., Li, Z., Owens, R., Bhargava, B.: Secure and Efficient Access to Outsourced Data. In: Proc. of CCSW, pp. 55–66 (2009)
Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis. In: Proc. of CCS, pp. 116–127 (2007)
Yip, A., Wang, X., Zeldovich, N., Kaashoek, M.F.: Improving Application Security with Data Flow Assertions. In: Proc. of SOSP, pp. 291–304 (2009)
Zavou, A., Pappas, V., Kemerlis, V.P., Polychronakis, M., Portokalidis, G., Keromytis, A.D.: Cloudopsy: An Autopsy of Data Flows in the Cloud. In: Marinos, L., Askoxylakis, I. (eds.) HAS/HCII 2013. LNCS, vol. 8030, pp. 366–375. Springer, Heidelberg (2013)
Zavou, A., Portokalidis, G., Keromytis, A.D.: Taint-Exchange: a Generic System for Cross-process and Cross-host Taint Tracking. In: Iwata, T., Nishigaki, M. (eds.) IWSEC 2011. LNCS, vol. 7038, pp. 113–128. Springer, Heidelberg (2011)
Zeldovich, N., Boyd-Wickizer, S., Kohler, E., Mazières, D.: Making Information Flow Explicit in HiStar. In: Proc. of OSDI (2006)
Zeldovich, N., Boyd-Wickizer, S., Mazières, D.: Securing Distributed Systems with Information Flow Control. In: Proc. of NSDI, pp. 293–308 (2008)
Zhang, Q., McCullough, J., Ma, J., Schear, N., Vrable, M., Vahdat, A., Snoeren, A.C., Voelker, G.M., Savage, S.: Neon: System Support for Derived Data Management. In: Proc. of VEE, pp. 63–74 (2010)
Zhu, D., Jung, J., Song, D., Kohno, T., Wetherall, D.: TaintEraser: Protecting Sensitive Data Leaks Using Application-Level Taint Tracking. ACM Operating Systems Review 45(1), 142–154 (2011)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Pappas, V., Kemerlis, V.P., Zavou, A., Polychronakis, M., Keromytis, A.D. (2013). CloudFence: Data Flow Tracking as a Cloud Service. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_21
Download citation
DOI: https://doi.org/10.1007/978-3-642-41284-4_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41283-7
Online ISBN: 978-3-642-41284-4
eBook Packages: Computer ScienceComputer Science (R0)