Abstract
Cloud services help users reduce operational costs by sharing hardware resources across multiple tenants. However, because the physical resources are shared, malicious users can build covert channels to leak sensitive information (e.g., encryption keys) between co-resident tenants. Cloud service providers have proposed to mitigate these concerns by offering physically isolated resources; however, cloud users have no way to verify the actual configuration and level of resource isolation. To increase the observability of disk storage isolation, we introduce two Proof of Isolation (PoI) schemes that enable cloud users to verify separated disk storage and dedicated disk storage, respectively. Our experimental results show that our PoI schemes are practical in both private and public cloud environments.
Notes
1. In this paper, we call the memory on the disk drive the disk cache. The physical memory used as a disk buffer is referred to as the page cache.
Acknowledgements
This material is based upon work supported by the National Science Foundation under grant CT-20013A, by US Army Research Office under MURI grant W911NF-09-1-0525 and DURIP grant W911NF-11-1-0340, and by the Office of Naval Research under grant N0014-11-1-0471.
Copyright information
© 2014 Springer Science+Business Media New York
About this chapter
Cite this chapter
Wang, Z., Sun, K., Jajodia, S., Jing, J. (2014). Proof of Isolation for Cloud Storage. In: Jajodia, S., Kant, K., Samarati, P., Singhal, A., Swarup, V., Wang, C. (eds) Secure Cloud Computing. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-9278-8_5
DOI: https://doi.org/10.1007/978-1-4614-9278-8_5
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-9277-1
Online ISBN: 978-1-4614-9278-8
eBook Packages: Computer Science (R0)