DOI: 10.1145/2664168.2664180

Inevitable Failure: The Flawed Trust Assumption in the Cloud

Published: 07 November 2014

Abstract

IaaS clouds offer customers on-demand computing resources such as virtual machines, networks, and storage. To provision and manage these resources, cloud users must rely on a variety of cloud services. However, a wide range of vulnerabilities have been identified in these cloud services that may enable an adversary to compromise customers' computations or even the cloud platform itself. Using the motivation for adding mandatory access control to commercial operating systems, we argue for the development of a secure cloud operating system (SCOS) to enforce mandatory access control (MAC) over cloud services and customer instances. To better understand the concrete challenges of building a SCOS, we examine the OpenStack cloud platform from two perspectives: (1) how attacks propagate across cloud services and (2) how adversaries leverage vulnerabilities in cloud services to attack hosts. Using this information, we review the application of three MAC approaches employed by "secure" commercial systems to evaluate their practical effectiveness for controlling cloud services. While MAC enforcement can improve security for cloud services, several threats remain unchecked. We outline a set of additional security policy goals that a SCOS must enforce to comprehensively control threats from potentially compromised cloud services. While we do not actually construct a SCOS in this paper, we hope that this study will initiate discussions that may lead to practical designs.

      Published In

      CCSW '14: Proceedings of the 6th edition of the ACM Workshop on Cloud Computing Security
      November 2014
      160 pages
      ISBN:9781450332392
      DOI:10.1145/2664168
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. cloud computing
      2. mandatory access control
      3. security

      Qualifiers

      • Research-article

      Conference

      CCS'14
      Acceptance Rates

      CCSW '14 Paper Acceptance Rate 12 of 36 submissions, 33%;
      Overall Acceptance Rate 37 of 108 submissions, 34%
