skip to main content
10.1145/2714576.2714594acmconferencesArticle/Chapter ViewAbstractPublication Pagesasia-ccsConference Proceedingsconference-collections
short-paper

CAFE: A Virtualization-Based Approach to Protecting Sensitive Cloud Application Logic Confidentiality

Published: 14 April 2015 Publication History

Abstract

Cloud application marketplaces of modern cloud infrastructures offer a new software deployment model, integrated with the cloud environment in its configuration and policies. However, similar to traditional software distribution which has been suffering from software piracy and reverse engineering, cloud marketplaces face the same challenges that can deter the success of the evolving ecosystem of cloud software. We present a novel system named CAFE for cloud infrastructures where sensitive software logic can be executed with high secrecy protected from any piracy or reverse engineering attempts in a virtual machine even when its operating system kernel is compromised. The key mechanism is the end-to-end framework for the execution of applications, which consists of the secure encryption and distribution of confidential application binary files, and the runtime techniques to load, decrypt, and protect the program logic by isolating them from tenant virtual machines based on hypervisor-level techniques. We evaluate applications in several software categories which are commonly offered in cloud marketplaces showing that strong confidential execution can be provided with only marginal changes (around 100-220 lines of code) and minimal performance overhead.

References

[1]
Average Web Page Breaks 1600K. http://www.websiteoptimization.com/speed/tweak/average-web-page/.
[2]
Mstone. http://mstone.sourceforge.net/.
[3]
The Transport Layer Security (TLS) Protocol Version 1.2. http://tools.ietf.org/html/rfc5246.
[4]
A Description of the ARIA Encryption Algorithm, 2010. http://tools.ietf.org/search/rfc5794.
[5]
Themida, 2010. http://www.oreans.com.
[6]
VMProtect, 2010. http://vmpsoft.com/products/vmprotect/.
[7]
IOzone Filesystem Benchmark, Feb. 2013. http://www.iozone.org/.
[8]
A. Averbuch, M. Kiperberg, and N. J. Zaidenberg. Truly-Protect: An Efficient VM-Based Software Protection. IEEE Systems Journal, 7(3):455--466, Sept. 2013.
[9]
S. Checkoway and H. Shacham. Iago attacks: Why the system call api is a bad untrusted rpc interface. In Proceedings of the Eighteenth International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS '13, pages 253--264, New York, NY, USA, 2013. ACM.
[10]
X. Chen, T. Garfinkel, E. C. Lewis, P. Subrahmanyam, C. A. Waldspurger, D. Boneh, J. Dwoskin, and D. R. Ports. Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems. In Proceedings of ASPLOS'08, New York, NY, USA, 2008.
[11]
C. Collberg, C. Thomborson, and D. Low. A taxonomy of obfuscating transformations. Technical Report 148 Department of Computer Science University of Auckland July, page 36, 1997.
[12]
David Challener, Kent Yoder, Ryan Catherman, David Safford, Leendert Van Doorn. A Practical Guide to Trusted Computing. IBM Press, 2007.
[13]
B. Lee, Y. Kim, and J. Kim. binOb+: A framework for potent and stealthy binary obfuscation. In Proceedings of ASIACCS'10, New York, NY, USA, 2010.
[14]
C. Linn and S. Debray. Obfuscation of executable code to improve resistance to static disassembly. In Proceedings of CCS'03, New York, NY, USA, 2003.
[15]
J. M. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and A. Perrig. TrustVisor: Efficient TCB Reduction and Attestation. In Proceedings of SP'10, DC, USA, 2010.
[16]
J. M. McCune, B. J. Parno, A. Perrig, M. K. Reiter, and H. Isozaki. Flicker: An Execution Infrastructure for TCB Minimization. In Proceedings of the Eurosys'08, pages 315--328, New York, NY, USA, 2008.
[17]
I. V. Popov, S. K. Debray, and G. R. Andrews. Binary Obfuscation Using Signals. In Proceedings of USENIX Security'07, Berkeley, CA, USA, 2007.
[18]
D. R. K. Ports and T. Garfinkel. Towards application security on untrusted operating systems. In Proceedings of the 3rd Conference on Hot Topics in Security, HOTSEC'08, pages 1:1--1:7, Berkeley, CA, USA, 2008. USENIX Association.
[19]
C. Ranger, R. Raghuraman, A. Penmetsa, G. Bradski, and C. Kozyrakis. Evaluating MapReduce for Multi-core and Multiprocessor Systems. In Proceedings of HPCA'07, Washington, DC, USA, 2007.
[20]
Rob van der Meulen, Janessa Rivera. Gartner Says Worldwide Public Cloud Services Market to Total $131 Billion. http://www.gartner.com/newsroom/id/2352816.
[21]
M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Impeding Malware Analysis Using Conditional Code Obfuscation. Proceedings of NDSS'08, 2008.
[22]
A. Vasudevan, S. Chaki, L. Jia, J. McCune, J. Newsome, and A. Datta. Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework. In Proceedings of SP'13, pages 430--444, DC, USA, 2013.
[23]
Vasudevan, Amit and Parno, Bryan and Qu, Ning and Gligor, Virgil D and Perrig, Adrian. Lockdown: Towards a Safe and Practical Architecture for Security Applications on Commodity Platforms. In Proceedings of the 5th International Conference on Trust and Trustworthy Computing, 2012.

Cited By

View all
  • (2022)TrulyProtect—Virtualization-Based Protection Against Reverse EngineeringCyber Security10.1007/978-3-030-91293-2_15(353-366)Online publication date: 3-Apr-2022
  • (2022)Systematic analysis of software development in cloud computing perceptionsJournal of Software: Evolution and Process10.1002/smr.2485Online publication date: 29-Jun-2022
  • (2019)Recent trends in applying TPM to cloud computingSECURITY AND PRIVACY10.1002/spy2.933:1Online publication date: 28-Nov-2019
  • Show More Cited By

Index Terms

  1. CAFE: A Virtualization-Based Approach to Protecting Sensitive Cloud Application Logic Confidentiality

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
    April 2015
    698 pages
    ISBN:9781450332453
    DOI:10.1145/2714576
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 14 April 2015

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. cloud computing marketplace
    2. code confidentiality protection
    3. secure execution environment

    Qualifiers

    • Short-paper

    Conference

    ASIA CCS '15
    Sponsor:
    ASIA CCS '15: 10th ACM Symposium on Information, Computer and Communications Security
    April 14 - March 17, 2015
    Singapore, Republic of Singapore

    Acceptance Rates

    ASIA CCS '15 Paper Acceptance Rate 48 of 269 submissions, 18%;
    Overall Acceptance Rate 418 of 2,322 submissions, 18%

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)3
    • Downloads (Last 6 weeks)0
    Reflects downloads up to 14 Feb 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2022)TrulyProtect—Virtualization-Based Protection Against Reverse EngineeringCyber Security10.1007/978-3-030-91293-2_15(353-366)Online publication date: 3-Apr-2022
    • (2022)Systematic analysis of software development in cloud computing perceptionsJournal of Software: Evolution and Process10.1002/smr.2485Online publication date: 29-Jun-2022
    • (2019)Recent trends in applying TPM to cloud computingSECURITY AND PRIVACY10.1002/spy2.933:1Online publication date: 28-Nov-2019
    • (2017)DRIVEProceedings of the 2017 ACM on Asia Conference on Computer and Communications Security10.1145/3052973.3052975(728-742)Online publication date: 2-Apr-2017
    • (2016)Evolution of Attacks, Threat Models, and Solutions for Virtualized SystemsACM Computing Surveys10.1145/285612648:3(1-38)Online publication date: 8-Feb-2016

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media