Skip to main content
SpringerLink
Log in

Proof of Isolation for Cloud Storage

  • Chapter
  • First Online:
Secure Cloud Computing

Abstract

Cloud services help users reduce operational costs by sharing the hardware resources across multiple tenants. However, due to the shared physical resources, malicious users can build covert channels to leak sensitive information (e.g., encryption keys) between co-resident tenants. Cloud service providers have proposed to mitigate these concerns by offering physically isolated resources; however, cloud users have no ways to verify the actual configuration and level of the resource isolation. To increase the observability of disk storage isolation, we introduce two Proof of Isolation (PoI) schemes that enable cloud users to verify separated disk storage and dedicated disk storage, respectively. Our experimental results show that our PoI schemes are practical in both private and public cloud environments.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.00
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 109.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    In this paper, we call the memory on the disk drive as disk cache. The physical memory used as disk buffer is referred as page cache.

References

  1. A. K. Fischman, A. H. Vermeulen: Keymap service architecture for a distributed storage system (2010)

    Google Scholar 

  2. Amazon Simple Storage Service (S3): http://aws.amazon.com/s3/

  3. Amazon Web Services: aws.amazon.com

  4. apgbfm, http://linux.die.net/man/1/apgbfm: http://linux.die.net/man/1/apgbfm

  5. Ateniese, G., Burns, R., Curtmola, R., Herring, J., Kissner, L., Peterson, Z., Song, D.: Provable data possession at untrusted stores. In: Proceedings of the 14th ACM conference on Computer and communications security, CCS ’07, pp. 598–609. ACM, New York, NY, USA (2007). DOI 10.1145/1315245.1315318. http://doi.acm.org/10.1145/1315245.1315318

  6. Azab, A.M., Ning, P., Wang, Z., Jiang, X., Zhang, X., Skalsky, N.C.: Hypersentry: enabling stealthy in-context measurement of hypervisor integrity. In: Proceedings of the 17th ACM conference on Computer and communications security, CCS ’10, pp. 38–49. ACM, New York, NY, USA (2010). DOI 10.1145/1866307.1866313. http://doi.acm.org/10.1145/1866307.1866313

  7. Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T.L., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. In: SOSP, pp. 164–177 (2003)

    Google Scholar 

  8. Benson, K., Dowsley, R., Shacham, H.: Do you know where your cloud files are? In: CCSW, pp. 73–82 (2011)

    Google Scholar 

  9. Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13(7), 422–426 (1970)

    Article  MATH  Google Scholar 

  10. Bovet, D.P., Cesati, M.: Understanding the Linux Kernel - from I/O ports to process management: covers version 2.6 (3. ed.). O’Reilly (2005)

    Google Scholar 

  11. Bowers, K.D., van Dijk, M., Juels, A., Oprea, A., Rivest, R.L.: How to tell if your cloud files are vulnerable to drive crashes. In: ACM Conference on Computer and Communications Security, pp. 501–514 (2011)

    Google Scholar 

  12. Bowers, K.D., Juels, A., Oprea, A.: Hail: a high-availability and integrity layer for cloud storage. In: Proceedings of the 16th ACM conference on Computer and communications security, CCS ’09, pp. 187–198. ACM, New York, NY, USA (2009). DOI 10.1145/1653662.1653686. http://doi.acm.org/10.1145/1653662.1653686

  13. Brewer, D.F.C., Nash, M.J.: The chinese wall security policy. In: IEEE Symposium on Security and Privacy, pp. 206–214 (1989)

    Google Scholar 

  14. Butt, S., Lagar-Cavilla, H.A., Srivastava, A., Ganapathy, V.: Self-service cloud computing. In: ACM Conference on Computer and Communications Security, pp. 253–264 (2012)

    Google Scholar 

  15. Calder, B., Wang, J., Ogus, A., Nilakantan, N., Skjolsvold, A., McKelvie, S., Xu, Y., Srivastav, S., Wu, J., Simitci, H., Haridas, J., Uddaraju, C., Khatri, H., Edwards, A., Bedekar, V., Mainali, S., Abbasi, R., Agarwal, A., ul Haq, M.F., ul Haq, M.I., Bhardwaj, D., Dayanand, S., Adusumilli, A., McNett, M., Sankaran, S., Manivannan, K., Rigas, L.: Windows azure storage: a highly available cloud storage service with strong consistency. In: SOSP, pp. 143–157 (2011)

    Google Scholar 

  16. Chen, B., Curtmola, R.: Towards self-repairing replication-based storage systems using untrusted clouds. In: Proceedings of the third ACM conference on Data and application security and privacy, CODASPY ’13, pp. 377–388. ACM, New York, NY, USA (2013). DOI 10.1145/2435349.2435402. http://doi.acm.org/10.1145/2435349.2435402

  17. Cloud Security Alliance: The notorious nine: Cloud computing top threats in 2013 (2013)

    Google Scholar 

  18. Curtmola, R., Garay, J., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: Proceedings of the 13th ACM conference on Computer and communications security, CCS ’06, pp. 79–88. ACM, New York, NY, USA (2006). DOI 10.1145/1180405.1180417. http://doi.acm.org/10.1145/1180405.1180417

  19. Curtmola, R., Khan, O., Burns, R., Ateniese, G.: Mr-pdp: Multiple-replica provable data possession. In: Proceedings of the 2008 The 28th International Conference on Distributed Computing Systems, ICDCS ’08, pp. 411–420. IEEE Computer Society, Washington, DC, USA (2008). DOI 10.1109/ICDCS.2008.68. http://dx.doi.org/10.1109/ICDCS.2008.68

  20. Dan@AWS: Best Practices for Using Amazon S3 (2009). http://aws.amazon.com/articles/1904

  21. Dent, A.W.: The cramer-shoup encryption scheme is plaintext aware in the standard model. In: EUROCRYPT, pp. 289–307 (2006)

    Google Scholar 

  22. Dijk, M.V., Juels, A., Oprea, A., Rivest, R.L., Stefanov, E., Triandopoulos, N.: Hourglass schemes: How to prove that cloud files are encrypted. In: ACM Conference on Computer and Communications Security (2012)

    Google Scholar 

  23. Dodis, Y., Vadhan, S.P., Wichs, D.: Proofs of retrievability via hardness amplification. In: Theory of Cryptography Conference, pp. 109–127 (2009)

    Google Scholar 

  24. Erway, C., Küpçü, A., Papamanthou, C., Tamassia, R.: Dynamic provable data possession. In: Proceedings of the 16th ACM conference on Computer and communications security, CCS ’09, pp. 213–222. ACM, New York, NY, USA (2009). DOI 10.1145/1653662.1653688. http://doi.acm.org/10.1145/1653662.1653688

  25. Eucalyptus, http://www.eucalyptus.com: www.eucalyptus.com

  26. Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: a virtual machine-based platform for trusted computing. SIGOPS Oper. Syst. Rev. 37(5), 193–206 (2003). DOI 10.1145/1165389.945464. http://doi.acm.org/10.1145/1165389.945464

  27. Gartiner, Inc.: Forecast overview: Public cloud services, worldwide, 2011–2016, 4q12 update (2013)

    Google Scholar 

  28. Ghemawat, S., Gobioff, H., Leung, S.T.: The google file system. In: SOSP, pp. 29–43 (2003)

    Google Scholar 

  29. III, G.G.R., Roussev, V.: Scalpel: A frugal, high performance file carver. In: DFRWS (2005)

    Google Scholar 

  30. Jacob, B., Ng, S., Wang, D.: Memory Systems: Cache, DRAM, Disk. Morgan Kaufmann Publishers Inc. (2007)

    Google Scholar 

  31. Jhawar, R., Piuri, V.: Fault tolerance management in iaas clouds. In: Proc. of the 1st IEEE-AESS Conference in Europe about Space and Satellite Telecommunications (ESTEL 2012), ESTEL 2012. Rome, Italy (2012)

    Google Scholar 

  32. Juels, A., Oprea, A.: New approaches to security and availability for cloud data. Commun. ACM 56(2), 64–73 (2013). DOI 10.1145/2408776.2408793. http://doi.acm.org/10.1145/2408776.2408793

  33. Keller, E., Szefer, J., Rexford, J., Lee, R.B.: Nohype: virtualized cloud infrastructure without the virtualization. In: Proceedings of the 37th annual international symposium on Computer architecture, ISCA ’10, pp. 350–361. ACM, New York, NY, USA (2010). DOI 10.1145/1815961.1816010. http://doi.acm.org/10.1145/1815961.1816010

  34. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: ACM Conference on Computer and Communications Security, pp. 199–212 (2009)

    Google Scholar 

  35. Shah, M.A., Swaminathan, R., Baker, M.: Privacy-preserving audit and extraction of digital contents. IACR Cryptology ePrint Archive 2008, 186 (2008)

    Google Scholar 

  36. Silberschatz, A., Galvin, P.B., Gagne, G.: Operating system concepts (7. ed.). Wiley (2005)

    Google Scholar 

  37. Spafford, E.: Opus: Preventing weak password choices

    Google Scholar 

  38. di Vimercati, S.D.C., Foresti, S., Jajodia, S., Paraboschi, S., Samarati, P.: Over-encryption: management of access control evolution on outsourced data. In: Proceedings of the 33rd international conference on Very large data bases, VLDB ’07, pp. 123–134. VLDB Endowment (2007). http://dl.acm.org/citation.cfm?id=1325851.1325869

  39. di Vimercati, S.D.C., Foresti, S., Jajodia, S., Paraboschi, S., Samarati, P.: Support for write privileges on outsourced data. In: SEC, pp. 199–210 (2012)

    Google Scholar 

  40. Wang, C., Ren, K., Wang, J., Urs, K.M.R.: Harnessing the cloud for securely solving large-scale systems of linear equations. In: ICDCS, pp. 549–558 (2011)

    Google Scholar 

  41. Wang, Q., Ren, K., Yu, S., Lou, W.: Dependable and secure sensor data storage with dynamic integrity assurance. TOSN 8(1), 9 (2011)

    Google Scholar 

  42. Wang, Z., Jiang, X.: Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP ’10, pp. 380–395. IEEE Computer Society, Washington, DC, USA (2010). DOI 10.1109/SP.2010.30. http://dx.doi.org/10.1109/SP.2010.30

  43. Wang, Z., Sun, K., Jajodia, S., Jing, J.: Disk storage isolation and verification in cloud. In: Globecom 2012. Anaheim, CA, USA (2012)

    Google Scholar 

  44. Wang, Z., Sun, K., Jajodia, S., Jing, J.: Terracheck: Verification of dedicated cloud storage. In: 27th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec ’13). Newark, NJ, USA (2013)

    Google Scholar 

  45. Wang, Z., Sun, K., Jajodia, S., Jing, J.: Verification of data redundancy in cloud storage. In: Proceedings of the 2013 International Workshop on Security in Cloud Computing (To Appear)

    Google Scholar 

  46. Watson, G.J., Safavi-Naini, R., Alimomeni, M., Locasto, M.E., Narayan, S.: Lost: location based storage. In: Proceedings of the 2012 ACM Workshop on Cloud computing security workshop, CCSW ’12, pp. 59–70. ACM, New York, NY, USA (2012). DOI 10.1145/2381913.2381926. http://doi.acm.org/10.1145/2381913.2381926

  47. Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: High-speed covert channel attacks in the cloud. In: the 21st USENIX Security Symposium (Security’12) (2012)

    Google Scholar 

  48. Xiao, J., Xu, Z., Huang, H., Wang, H.: A covert channel construction in a virtualized environment. In: ACM Conference on Computer and Communications Security, pp. 1040–1042 (2012)

    Google Scholar 

  49. Xu, Y., Bailey, M., Jahanian, F., Joshi, K.R., Hiltunen, M.A., Schlichting, R.D.: An exploration of l2 cache covert channels in virtualized environments. In: CCSW, pp. 29–40 (2011)

    Google Scholar 

  50. Yu, S., Wang, C., Ren, K., Lou, W.: Achieving secure, scalable, and fine-grained data access control in cloud computing. In: INFOCOM, pp. 534–542 (2010)

    Google Scholar 

  51. Zhang, F., Chen, J., Chen, H., Zang, B.: Cloudvisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization. In: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, SOSP ’11, pp. 203–216. ACM, New York, NY, USA (2011). DOI 10.1145/2043556.2043576. http://doi.acm.org/10.1145/2043556.2043576

  52. Zhang, Y., Juels, A., Oprea, A., Reiter, M.K.: Homealone: Co-residency detection in the cloud via side-channel analysis. In: IEEE Symposium on Security and Privacy, pp. 313–328 (2011)

    Google Scholar 

  53. Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-vm side channels and their use to extract private keys. In: Proceedings of the 2012 ACM conference on Computer and communications security, CCS ’12, pp. 305–316. ACM, New York, NY, USA (2012). DOI 10.1145/2382196.2382230. http://doi.acm.org/10.1145/2382196.2382230

Download references

Acknowledgements

This material is based upon work supported by the National Science Foundation under grant CT-20013A, by US Army Research Office under MURI grant W911NF-09-1-0525 and DURIP grant W911NF-11-1-0340, and by the Office of Naval Research under grant N0014-11-1-0471.

Author information

Authors and Affiliations

  1. State Key Laboratory of Information Security, Institute of Information Security, Chinese Academy of Sciences, 87A Minzhuang Road, Beijing, 100093, China

    Zhan Wang & Jiwu Jing

  2. Center for Secure Information Systems, George Mason University, Fairfax, VA, 22030-4422, USA

    Kun Sun & Sushil Jajodia

Authors
  1. Zhan Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kun Sun
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Sushil Jajodia
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Jiwu Jing
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Zhan Wang .

Editor information

Editors and Affiliations

  1. Center for Secure Information Systems, George Mason University, Fairfax, Virginia, USA

    Sushil Jajodia

  2. Center for Secure Information Systems, George Mason University, Fairfax, Virginia, USA

    Krishna Kant

  3. University of Milan, Crema, Italy

    Pierangela Samarati

  4. Computer Security Division, National Institute of Standards and Technology (NIST), Gaithersburg, Maryland, USA

    Anoop Singhal

  5. The MITRE Corporation, McLean, Virginia, USA

    Vipin Swarup

  6. Computing and Information Science Division, Information Sciences Directorate, Triangle Park, North Carolina, USA

    Cliff Wang

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer Science+Business Media New York

About this chapter

Cite this chapter

Wang, Z., Sun, K., Jajodia, S., Jing, J. (2014). Proof of Isolation for Cloud Storage. In: Jajodia, S., Kant, K., Samarati, P., Singhal, A., Swarup, V., Wang, C. (eds) Secure Cloud Computing. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-9278-8_5

Download citation

  • DOI: https://doi.org/10.1007/978-1-4614-9278-8_5

  • Published:

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-9277-1

  • Online ISBN: 978-1-4614-9278-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation