Information Flow Control for Secure Cloud Computing

Security concerns are widely seen as an obstacle to the adoption of cloud computing solutions. Information Flow Control (IFC) is a well-understood Mandatory Access Control (MAC) methodology. The earliest IFC models targeted security in a centralised environment, but decentralised forms of IFC have since been designed and implemented, often within academic research projects. As a result, there is potential for decentralised IFC to achieve better cloud security than is available today. In this paper we describe the properties of cloud computing (Platform-as-a-Service clouds in particular) and review a range of IFC models and implementations to identify opportunities for using IFC within a cloud computing context. Since IFC policy is attached to the data it protects rather than to the software that processes it, tenants and providers of cloud services can agree on a security policy without having to understand, and rely on, the particulars of the cloud software stack in order to enforce it.
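As an added illustration, not code from the paper, the following Python model shows what it means for IFC policy to be attached to data rather than to the software stack: a tenant mints a secrecy tag, data carrying that tag taints any process that reads it, and only a holder of the tag's declassification capability can release that data to a public sink, whoever operates the process. The label rules follow the decentralised label models the paper surveys (secrecy tags may only accumulate along a flow, integrity tags may only be shed). The principal and process names, the `owner:name` tag format, and the automatic lowering of a process's integrity when it reads are simplifying assumptions of this example.

```python
"""Minimal decentralised IFC (DIFC) label model: an added illustration of
tag-based labels in the style of the decentralised label model and the
Flume/HiStar family of systems. Not the paper's own code."""
from dataclasses import dataclass, field

Tag = str  # "owner:name", e.g. "acme:customer_db" (naming scheme is an assumption)


@dataclass(frozen=True)
class Label:
    secrecy: frozenset = frozenset()    # who may see the data; grows as data flows
    integrity: frozenset = frozenset()  # who vouches for the data; shrinks as data flows


def can_flow(src: Label, dst: Label) -> bool:
    """Safe flow: the destination must be at least as secret as the source,
    and may claim no more integrity than the source carried."""
    return src.secrecy <= dst.secrecy and dst.integrity <= src.integrity


@dataclass
class Principal:
    name: str
    plus: set = field(default_factory=set)   # tags this principal may add to a label
    minus: set = field(default_factory=set)  # tags it may remove (declassify)

    def create_tag(self, name: str) -> Tag:
        """Decentralised: whoever mints a tag owns both capabilities for it,
        so the tenant, not the provider's stack, decides who may declassify."""
        tag = f"{self.name}:{name}"
        self.plus.add(tag)
        self.minus.add(tag)
        return tag


@dataclass
class Process:
    name: str
    principal: Principal
    label: Label = field(default_factory=Label)

    def read(self, data: Label) -> bool:
        """Reading taints the process: its secrecy label must rise to cover the
        data's tags, which requires tag+ for every tag it does not yet hold.
        Integrity is lowered to the intersection (a simplifying assumption)."""
        missing = data.secrecy - self.label.secrecy
        if not missing <= self.principal.plus:
            return False
        self.label = Label(self.label.secrecy | missing,
                           self.label.integrity & data.integrity)
        return True

    def send(self, sink: Label) -> bool:
        """Output is allowed only if the process's label flows to the sink's."""
        return can_flow(self.label, sink)

    def declassify(self, tag: Tag) -> bool:
        """Lowering secrecy needs tag-, held only by the tag's owner or a
        delegate; a provider process cannot strip the tenant's tag itself."""
        if tag not in self.principal.minus or tag not in self.label.secrecy:
            return False
        self.label = Label(self.label.secrecy - {tag}, self.label.integrity)
        return True


def scenario():
    """Constructed tenant/provider scenario; returns the six policy decisions."""
    acme = Principal("acme")    # tenant (hypothetical name)
    cloud = Principal("cloud")  # provider (hypothetical name)
    db_tag = acme.create_tag("customer_db")
    customer_rows = Label(secrecy=frozenset({db_tag}))
    internet = Label()          # public sink: empty label

    # 1. A provider process with no capability cannot even read the rows.
    shipper = Process("log-shipper", cloud)
    r1 = shipper.read(customer_rows)          # False

    # 2. The tenant grants the provider's backup agent tag+: it may read,
    #    but the read taints it and it can no longer write to the Internet.
    cloud.plus.add(db_tag)
    backup = Process("backup-agent", cloud)
    r2 = backup.read(customer_rows)           # True
    r3 = backup.send(internet)                # False

    # 3. Only a holder of tag- (the tenant) can declassify and then export.
    r4 = backup.declassify(db_tag)            # False
    exporter = Process("acme-exporter", acme)
    exporter.read(customer_rows)
    r5 = exporter.declassify(db_tag)          # True
    r6 = exporter.send(internet)              # True
    return (r1, r2, r3, r4, r5, r6)


if __name__ == "__main__":
    print(scenario())
```

The point the scenario makes is the one the abstract draws: the provider's processes are governed by the same labels as the tenant's, and the tag owner's capability set, not the layout of the PaaS stack, decides where the data may go.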
