Secure Partitioning of Composite Cloud Applications

  • Conference paper
Service-Oriented and Cloud Computing (ESOCC 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13226)

Abstract

The security of Cloud applications is always a major concern for application developers and operators. Protecting the confidentiality of their users’ data requires methods to avoid leakage from vulnerable software and unreliable cloud providers. Recently, hardware-based technologies have emerged in the Cloud setting to isolate applications from the privileged access of cloud providers. One of those technologies is the Separation Kernel, which aims at safely isolating the software components of applications. In this article, we propose a declarative methodology, supported by a running prototype, to determine the partitioning of a multi-component Cloud application so that it can be placed on a Separation Kernel. We employ information-flow security techniques to determine how to partition the application, and showcase the methodology and prototype on a motivating scenario from an IoT application deployed to a central Cloud.

Notes

  1. Open-sourced and freely available at: https://github.com/di-unipi-socc/sk.

  2. A Prolog program is a finite set of clauses of the form: a :- b1,...,bn. stating that a holds when b1 \(\wedge \cdots \wedge\) bn holds, where n \(\ge\) 0 and a, b1, ..., bn are atomic literals. Clauses with empty condition are also called facts. Prolog variables begin with upper-case letters, lists are denoted by square brackets, and negation by 

  3. All the comparisons between labels are based on the ordering of the security lattice.

  4. The extended version of this article with full proofs and other aspects is freely available at https://github.com/di-unipi-socc/sk/tree/main/Examples/CloudExample.

  5. Full code of the prototype extension at https://github.com/di-unipi-socc/sk/blob/main/Examples/CloudExample/skplacerRecommend.pl.

  6. Full example code at https://github.com/di-unipi-socc/sk/tree/main/Examples/CloudExample.

Corresponding author

Correspondence to Alessandro Bocci.

© 2022 IFIP International Federation for Information Processing

Cite this paper

Bocci, A., Guanciale, R., Forti, S., Ferrari, GL., Brogi, A. (2022). Secure Partitioning of Composite Cloud Applications. In: Montesi, F., Papadopoulos, G.A., Zimmermann, W. (eds) Service-Oriented and Cloud Computing. ESOCC 2022. Lecture Notes in Computer Science, vol 13226. Springer, Cham. https://doi.org/10.1007/978-3-031-04718-3_3

  • DOI: https://doi.org/10.1007/978-3-031-04718-3_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-04717-6

  • Online ISBN: 978-3-031-04718-3

  • eBook Packages: Computer Science (R0)
