Skip to main content
SpringerLink
Log in

CloudFence: Data Flow Tracking as a Cloud Service

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2013)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8145))

Included in the following conference series:

Abstract

The risk of unauthorized private data access is among the primary concerns for users of cloud-based services. For the common setting in which the infrastructure provider and the service provider are different, users have to trust their data to both parties, although they interact solely with the latter. In this paper we propose CloudFence, a framework for cloud hosting environments that provides transparent, fine-grained data tracking capabilities to both service providers, as well as their users. CloudFence allows users to independently audit the treatment of their data by third-party services, through the intervention of the infrastructure provider that hosts these services. CloudFence also enables service providers to confine the use of sensitive data in well-defined domains, offering additional protection against inadvertent information leakage and unauthorized access. The results of our evaluation demonstrate the ease of incorporating CloudFence on existing real-world applications, its effectiveness in preventing a wide range of security breaches, and its modest performance overhead on real settings.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. AWS taps social networks for identity verification, http://www.theregister.co.uk/2013/05/29/aws_social_identity_verification

  2. Login with Amazon, http://login.amazon.com/

  3. SiteBar: Multiple issues, http://www.securityfocus.com/archive/1/483364

  4. VirtueMart Multiple SQL Injection Vulnerabilities, http://www.securityfocus.com/bid/37963

  5. Attariyan, M., Flinn, J.: Automating configuration troubleshooting with dynamic information flow analysis. In: Proc. of OSDI (2010)

    Google Scholar 

  6. Bello, L., Russo, A.: Towards a Taint Mode for Cloud Computing Web Applications. In: Proc. of PLAS, pp. 1–12 (2012)

    Google Scholar 

  7. Berghel, H.: Identity Theft and Financial Fraud: Some Strangeness in the Proportions. Computer 45(1), 86–89 (2012)

    Article  Google Scholar 

  8. Bisht, P., Hinrichs, T., Skrupsky, N., Venkatakrishnan, V.N.: WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction. In: Proc. of CCS, pp. 575–586 (2011)

    Google Scholar 

  9. Bosman, E., Slowinska, A., Bos, H.: Minemu: The World’s Fastest Taint Tracker. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 1–20. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  10. Bowers, K.D., Juels, A., Oprea, A.: HAIL: a High-Availability and Integrity Layer for Cloud Storage. In: Proc. of CCS, pp. 187–198 (2009)

    Google Scholar 

  11. Brown, A., Chase, J.: Trusted Platform-as-a-Service: A Foundation for Trustworthy Cloud-Hosted Applications. In: Proc. of CCSW, pp. 15–20 (2011)

    Google Scholar 

  12. Chen, Y., Paxson, V., Katz, R.H.: What’s New About Cloud Computing Security? Tech. Rep. UCB/EECS-2010-5, EECS Department, University of California, Berkeley (January 2010), http://www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-5.html

  13. Cheng, W., Zhao, Q., Yu, B., Hiroshige, S.: TaintTrace: Efficient Flow Tracing with Dynamic Binary Rewriting. In: Proc. of ISCC, pp. 749–754 (2006)

    Google Scholar 

  14. Clause, J., Li, W., Orso, A.: Dytan: A Generic Dynamic Taint Analysis Framework. In: Proc. of ISSTA, pp. 196–206 (2007)

    Google Scholar 

  15. Computerworld: Microsoft BPOS cloud service hit with data breach (December 2010), http://www.computerworld.com/s/article/9202078/Microsoft_BPOS_cloud_service_hit_with_data_breach

  16. Crandall, J.R., Chong, F.T.: Minos: Control Data Attack Prevention Orthogonal to Memory Model. In: Proc. of MICRO, pp. 221–232 (2004)

    Google Scholar 

  17. Davis, B., Chen, H.: DBTaint: Cross-Application Information Flow Tracking via Databases. In: Proc. of WebApps (2010)

    Google Scholar 

  18. Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In: Proc. of OSDI (2010)

    Google Scholar 

  19. Feldman, A.J., Zeller, W.P., Freedman, M.J., Felten, E.W.: SPORC: Group Collaboration using Untrusted Cloud Resources. In: Proc. of OSDI (2010)

    Google Scholar 

  20. Geambasu, R., Kohno, T., Levy, A.A., Levy, H.M.: Vanish: Increasing Data Privacy with Self-Destructing Data. In: Proc. of USENIX Sec., pp. 299–316 (2009)

    Google Scholar 

  21. Gentry, C.: Fully Homomorphic Encryption Using Ideal Lattices. In: Proc. of STOC, pp. 169–178 (2009)

    Google Scholar 

  22. Kang, M.G., McCamant, S., Poosankam, P., Song, D.: DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation. In: Proc. of NDSS (2011)

    Google Scholar 

  23. Kemerlis, V.P., Portokalidis, G., Jee, K., Keromytis, A.D.: libdft: Practical Dynamic Data Flow Tracking for Commodity Systems. In: Proc. of VEE (2012)

    Google Scholar 

  24. Kim, H.C., Keromytis, A.D., Covington, M., Sahita, R.: Capturing Information Flow with Concatenated Dynamic Taint Analysis. In: Proc. of ARES, pp. 355–362 (2009)

    Google Scholar 

  25. Kontaxis, G., Polychronakis, M., Keromytis, A.D., Markatos, E.P.: Privacy-preserving social plugins. In: Proceedings of the 21st USENIX Security Symposium (August 2012)

    Google Scholar 

  26. Krohn, M., Yip, A., Brodsky, M., Morris, R., Walfish, M.: A World Wide Web Without Walls. In: Proc. of HotNets (2007)

    Google Scholar 

  27. Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Frans, M., Eddie, K., Morris, K.R.: Information Flow Control for Standard OS Abstractions. In: Proc. of SOSP, pp. 321–334 (2007)

    Google Scholar 

  28. Luk, C.K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation. In: Proc. of PLDI, pp. 190–200 (2005)

    Google Scholar 

  29. Mundada, Y., Ramachandran, A., Feamster, N.: SilverLine: Data and Network Isolation for Cloud Services. In: Proc. of HotCloud (2011)

    Google Scholar 

  30. Nethercote, N., Seward, J.: How to Shadow Every Byte of Memory Used by a Program. In: Proc. of VEE, pp. 65–74 (2007)

    Google Scholar 

  31. Newsome, J., Song, D.: Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In: Proc. of NDSS (2005)

    Google Scholar 

  32. Portokalidis, G., Slowinska, A., Bos, H.: Argos: an Emulator for Fingerprinting Zero-Day Attacks. In: Proc. of EuroSys, pp. 15–27 (2006)

    Google Scholar 

  33. Preibusch, S.: Information Flow Control for Static Enforcement of User-Defined Privacy Policies. In: Proc. of POLICY, pp. 157–160 (2011)

    Google Scholar 

  34. Qin, F., Wang, C., Li, Z., Kim, H.S., Zhou, Y., Wu, Y.: LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks. In: Proc. of MICRO, pp. 135–148 (2006)

    Google Scholar 

  35. Zhao, Q., Bruening, D., Amarasinghe, S.: Efficient Memory Shadowing for 64-bit Architectures. In: Proc. of ISMM, pp. 93–102 (2010)

    Google Scholar 

  36. Zhao, Q., Bruening, D., Amarasinghe, S.: Umbra: Efficient and Scalable Memory Shadowing. In: Proc. of CGO, pp. 22–31 (2010)

    Google Scholar 

  37. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, You, Get Off of My Cloud! Exploring Information Leakage in Third-Party Compute Clouds. In: Proc. of CCS, pp. 199–212 (2009)

    Google Scholar 

  38. Santos, N., Gummadi, K.P., Rodrigues, R.: Towards Trusted Cloud Computing. In: Proc. of HotCloud (2009)

    Google Scholar 

  39. Slowinska, A., Bos, H.: Pointless Tainting? Evaluating the Practicality of Pointer Tainting. In: Proc. of EuroSys, pp. 61–74 (2008)

    Google Scholar 

  40. Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Saxena, P.: BitBlaze: A New Approach to Computer Security via Binary Analysis. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 1–25. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  41. Sophos: Groupon subsidiary leaks 300k logins, fixes fail, fails again (June 2011), http://nakedsecurity.sophos.com/2011/06/30/groupon-subsidiary-leaks-300k-logins-fixes-fail-fails-again/

  42. The Wall Street Journal: Google Discloses Privacy Glitch (March 2009), http://blogs.wsj.com/digits/2009/03/08/1214/

  43. Wang, W., Li, Z., Owens, R., Bhargava, B.: Secure and Efficient Access to Outsourced Data. In: Proc. of CCSW, pp. 55–66 (2009)

    Google Scholar 

  44. Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis. In: Proc. of CCS, pp. 116–127 (2007)

    Google Scholar 

  45. Yip, A., Wang, X., Zeldovich, N., Kaashoek, M.F.: Improving Application Security with Data Flow Assertions. In: Proc. of SOSP, pp. 291–304 (2009)

    Google Scholar 

  46. Zavou, A., Pappas, V., Kemerlis, V.P., Polychronakis, M., Portokalidis, G., Keromytis, A.D.: Cloudopsy: An Autopsy of Data Flows in the Cloud. In: Marinos, L., Askoxylakis, I. (eds.) HAS/HCII 2013. LNCS, vol. 8030, pp. 366–375. Springer, Heidelberg (2013)

    Google Scholar 

  47. Zavou, A., Portokalidis, G., Keromytis, A.D.: Taint-Exchange: a Generic System for Cross-process and Cross-host Taint Tracking. In: Iwata, T., Nishigaki, M. (eds.) IWSEC 2011. LNCS, vol. 7038, pp. 113–128. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  48. Zeldovich, N., Boyd-Wickizer, S., Kohler, E., Mazières, D.: Making Information Flow Explicit in HiStar. In: Proc. of OSDI (2006)

    Google Scholar 

  49. Zeldovich, N., Boyd-Wickizer, S., Mazières, D.: Securing Distributed Systems with Information Flow Control. In: Proc. of NSDI, pp. 293–308 (2008)

    Google Scholar 

  50. Zhang, Q., McCullough, J., Ma, J., Schear, N., Vrable, M., Vahdat, A., Snoeren, A.C., Voelker, G.M., Savage, S.: Neon: System Support for Derived Data Management. In: Proc. of VEE, pp. 63–74 (2010)

    Google Scholar 

  51. Zhu, D., Jung, J., Song, D., Kohno, T., Wetherall, D.: TaintEraser: Protecting Sensitive Data Leaks Using Application-Level Taint Tracking. ACM Operating Systems Review 45(1), 142–154 (2011)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Computer Science Department, Columbia University, USA

    Vasilis Pappas, Vasileios P. Kemerlis, Angeliki Zavou, Michalis Polychronakis & Angelos D. Keromytis

Authors
  1. Vasilis Pappas
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Vasileios P. Kemerlis
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Angeliki Zavou
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Michalis Polychronakis
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Angelos D. Keromytis
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, Columbia University, 1214 Amsterdam Avenue, 10027, NY, USA

    Salvatore J. Stolfo

  2. Department of Computer Science, George Mason University, 22030, Fairfax, VA, USA

    Angelos Stavrou

  3. Department of Computer Science, Portland State University, 97201, Portland, OR, USA

    Charles V. Wright

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Pappas, V., Kemerlis, V.P., Zavou, A., Polychronakis, M., Keromytis, A.D. (2013). CloudFence: Data Flow Tracking as a Cloud Service. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-41284-4_21

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41283-7

  • Online ISBN: 978-3-642-41284-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation