Abstract
The security of Cloud applications is a major concern for application developers and operators. Protecting the confidentiality of their users' data requires methods to avoid leakage through vulnerable software and unreliable cloud providers. Recently, hardware-based technologies have emerged in the Cloud setting to isolate applications from the privileged access of cloud providers. One of those technologies is the Separation Kernel, which aims at safely isolating the software components of applications. In this article, we propose a declarative methodology, supported by a running prototype, to determine the partitioning of a Cloud multi-component application so that it can be placed on a Separation Kernel. We employ information-flow security techniques to determine how to partition the application, and showcase the methodology and prototype over a motivating scenario from an IoT application deployed to a central Cloud.
Notes
1. Open-sourced and freely available at: https://github.com/di-unipi-socc/sk.
2. A Prolog program is a finite set of clauses of the form a :- b1, ..., bn. stating that a holds when \(b_1 \wedge \cdots \wedge b_n\) holds, where \(n \ge 0\) and a, b1, ..., bn are atomic literals. Clauses with an empty condition are also called facts. Prolog variables begin with upper-case letters, lists are denoted by square brackets, and negation by
3. All comparisons between labels are based on the ordering of the security lattice.
4. The extended version of this article, with full proofs and other aspects, is freely available at https://github.com/di-unipi-socc/sk/tree/main/Examples/CloudExample.
5. Full code of the prototype extension at https://github.com/di-unipi-socc/sk/blob/main/Examples/CloudExample/skplacerRecommend.pl.
6. Full example code at https://github.com/di-unipi-socc/sk/tree/main/Examples/CloudExample.
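The following is an added example and not the paper's prototype (which lives in the repository linked in note 1). It encodes, in the Prolog notation of note 2, a small security lattice whose labels are compared only through the lattice order (note 3), and uses that order to check the inter-component flows of a constructed IoT application and to group its components into separation-kernel partitions. The lattice, the components, their labels and flows, and the one-partition-per-label policy are all assumptions made for illustration, not the paper's algorithm.

```prolog
% Added example (not the paper's prototype): a four-point security lattice,
% label comparison by lattice order (note 3), and a check of which
% inter-component flows of a constructed IoT application respect it.
% Labels, components, flows and the partition policy are all assumptions.

% Security labels of the lattice (constructed).
label(low).
label(partner).
label(owner).
label(top).

% edge(L1, L2): L1 is immediately below L2. partner and owner are incomparable.
edge(low, partner).
edge(low, owner).
edge(partner, top).
edge(owner, top).

% leq(L1, L2): L1 is at or below L2 (reflexive-transitive closure of edge/2).
% This is the only way labels are ever compared, as note 3 requires.
leq(L, L) :- label(L).
leq(L1, L2) :- edge(L1, L3), leq(L3, L2).

% lub(L1, L2, U): least upper bound, i.e. the label that data obtained by
% combining inputs labelled L1 and L2 must carry.
lub(L1, L2, U) :-
    label(U), leq(L1, U), leq(L2, U),
    \+ ( label(U2), U2 \== U, leq(L1, U2), leq(L2, U2), leq(U2, U) ).

% comp(C, L): component C of the application handles data labelled L (constructed).
comp(sensor,     low).
comp(aggregator, partner).
comp(billing,    owner).
comp(dashboard,  top).

% flow(From, To): component From sends data to component To (constructed).
flow(sensor,     aggregator).
flow(aggregator, dashboard).
flow(billing,    dashboard).
flow(dashboard,  sensor).      % top -> low: a leak that must be reported

% A flow is secure iff the source label is at or below the destination label.
secure_flow(From, To) :-
    flow(From, To), comp(From, LF), comp(To, LT), leq(LF, LT).

% insecure_flow/2 enumerates the flows that violate the lattice order.
insecure_flow(From, To) :-
    flow(From, To), \+ secure_flow(From, To).

% Partition policy assumed here: components share a separation-kernel
% partition iff they carry the same label. partitions/1 groups them.
partitions(Ps) :-
    setof(L-Cs, setof(C, comp(C, L), Cs), Ps).

% Usage (SWI-Prolog):
%   ?- leq(partner, owner).
%   ?- lub(partner, owner, U).
%   ?- insecure_flow(F, T).
%   ?- partitions(Ps).
```

Under these assumptions `leq(partner, owner)` fails because the two labels are incomparable, `lub(partner, owner, U)` binds `U = top`, `insecure_flow(F, T)` reports only the `dashboard` to `sensor` flow, and `partitions(Ps)` yields one partition per label, `[low-[sensor], owner-[billing], partner-[aggregator], top-[dashboard]]`. The negation `\+` in `lub/3` and `insecure_flow/2` is negation as failure, so it is only sound here because every variable it inspects is already bound by the preceding goals.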
Copyright information
© 2022 IFIP International Federation for Information Processing
Cite this paper
Bocci, A., Guanciale, R., Forti, S., Ferrari, GL., Brogi, A. (2022). Secure Partitioning of Composite Cloud Applications. In: Montesi, F., Papadopoulos, G.A., Zimmermann, W. (eds) Service-Oriented and Cloud Computing. ESOCC 2022. Lecture Notes in Computer Science, vol 13226. Springer, Cham. https://doi.org/10.1007/978-3-031-04718-3_3
DOI: https://doi.org/10.1007/978-3-031-04718-3_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-04717-6
Online ISBN: 978-3-031-04718-3
eBook Packages: Computer Science, Computer Science (R0)