Bypassing Cloud Providers' data validation to store arbitrary data

A fundamental Software-as-a-Service (SaaS) characteristic in Cloud Computing is to be application-specific; depending on the application, Cloud Providers (CPs) restrict data formats and attributes allowed into their servers via a data validation process. An ill-defined data validation process may directly impact both security (e.g. application failure, legal issues) and accounting and charging (e.g. trusting metadata in file headers). Therefore, this paper investigates, evaluates (by means of tests), and discusses data validation processes of popular CPs. A proof of concept system was thus built, implementing encoders carefully crafted to circumvent data validation processes, ultimately demonstrating how large amounts of unaccounted, arbitrary data can be stored into CPs.
