Proof of Isolation for Cloud Storage

Cloud services help users reduce operational costs by sharing hardware resources across multiple tenants. However, because the physical resources are shared, malicious users can build covert channels to leak sensitive information (e.g., encryption keys) between co-resident tenants. Cloud service providers have proposed to mitigate these concerns by offering physically isolated resources; however, cloud users have no way to verify the actual configuration and level of resource isolation. To increase the observability of disk storage isolation, we introduce two Proof of Isolation (PoI) schemes that enable cloud users to verify separated disk storage and dedicated disk storage, respectively. Our experimental results show that our PoI schemes are practical in both private and public cloud environments.
