IFCaaS: Information Flow Control as a Service for Cloud Security

With the maturity of service-oriented architecture (SOA) and Web technologies, web services have become critical components of Software as a Service (SaaS) applications in cloud ecosystem environments. Most SaaS applications leverage multi-tenant data stores as a back end to keep and process data with high agility. Although these technologies promise impressive benefits, they put SaaS applications at risk against novel as well as prevalent attack vectors. This security risk is further magnified by the loss of control and lack of security enforcement over sensitive data manipulated by SaaS applications. An effective solution is needed to fulfill several requirements originating in the dynamic and complex nature of such applications. Inspired by the rise of Security as a Service (SecaaS) model, this paper introduces "Information Flow Control as a Service (IFCaaS)". IFCaaS lays the foundation of cloud-delivered IFC-based security analysis and monitoring services. As an example of the adoption of the IFCaaS, this paper presents a novel framework that addresses the detection of information flow vulnerabilities in SaaS applications. Our initial experiments show that the framework is a viable solution to protect against data integrity and confidentiality violations leading to information leakage.

[1]  Patrick Cousot,et al.  Andromeda: Accurate and Scalable Security Analysis of Web Applications , 2013, FASE.

[2]  Peter R. Pietzuch,et al.  CloudFilter: practical control of sensitive data propagation to the cloud , 2012, CCSW '12.

[3]  David M. Eyers,et al.  DEFCON: High-Performance Event Processing with Information Security , 2010, USENIX Annual Technical Conference.

[4]  Wenke Lee,et al.  CHEX: statically vetting Android apps for component hijacking vulnerabilities , 2012, CCS.

[5]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[6]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[7]  Nick Feamster,et al.  SilverLine: Data and Network Isolation for Cloud Services , 2011, HotCloud.

[8]  Gregor Snelting,et al.  Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs , 2009, International Journal of Information Security.

[9]  Alejandro Russo,et al.  Towards a taint mode for cloud computing web applications , 2012, PLAS.

[10]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[11]  Jacques Klein,et al.  FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.

[12]  Manu Sridharan,et al.  TAJ: effective taint analysis of web applications , 2009, PLDI '09.

[13]  Angelos D. Keromytis,et al.  CloudFence: Data Flow Tracking as a Cloud Service , 2013, RAID.

[14]  nbspAbdullah Al-Shomrani,et al.  Big Data Security and Privacy Challenges , 2018 .

[15]  Andrew C. Myers,et al.  Jif: java information flow , 1999 .

[16]  Jürgen Graf,et al.  Using JOANA for Information Flow Control in Java Programs - A Practical Guide , 2013, Software Engineering.

[17]  David M. Eyers,et al.  CloudSafetyNet: Detecting Data Leakage between Cloud Tenants , 2014, CCSW.

[18]  Patrick Martin,et al.  IDSaaS: Intrusion Detection System as a Service in Public Clouds , 2012, 2012 12th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (ccgrid 2012).

[19]  Jens Krinke,et al.  Information Flow Control and Taint Analysis with Dependence Graphs , 2007 .