BIS613D CLOUD COMPUTING & SECURITY

MODULE – 4

Cloud Security

Syllabus: Cloud Security: Top concern for cloud users, Risks, Privacy Impact Assessment,
Cloud Data Encryption, Security of Database Services, OS security, VM Security, Security
Risks Posed by Shared Images and Management OS, XOAR, A Trusted Hypervisor, Mobile
Devices and Cloud Security. Cloud Security and Trust Management: Cloud Security
Defense Strategies, Distributed Intrusion/Anomaly Detection, Data and Software
Protection Techniques, Reputation-Guided Protection of Data Centers.

SECURITY, THE TOP CONCERN FOR CLOUD USERS

 Multi-tenancy allows multiple users to share the same server.

 This leads to better resource utilization and lower costs, but raises privacy and security risks.
 Example: In SaaS, if one server is compromised, private data (name, phone, credit card) of
many users can be leaked.
 Legal frameworks for cloud privacy lag behind technological development.
 Jurisdiction issues arise due to global data centers—unclear if laws of the user’s country,
storage country, or transit country apply.
 Outsourcing adds complexity: if CSP (Cloud Service Provider) outsources to multiple countries,
enforcing security laws becomes difficult.
 Law enforcement may demand access to private data (e.g., Microsoft subpoenaed for Hotmail
user emails).
 To minimize security risks, users must:
 Evaluate the CSP’s security policies and implementation.
 Analyze what type of data will be stored/processed.
 Ensure clear contracts that specify:
o CSP’s obligation to comply with privacy laws.
o Liability for data loss or misuse.
o Ownership rules of the data.
o Location of data storage and backups.
 Avoid storing sensitive data in the cloud if possible.
 Use tools like Google’s Secure Data Connector, which restricts access via firewall.
 Not suitable for apps like medical or HR data processing, where full data access is needed.
 If sensitive data must be stored, then ensure:
o Encryption is applied to data at rest and in transit.

CLOUD SECURITY RISKS

 Three broad classes of Risks:

1. Traditional threats :are those experienced for some time by any system connected to
the Internet

 The traditional threats begin at the user site.

1
BIS613D CLOUD COMPUTING & SECURITY

 The user must protect the infrastructure used to connect to the cloud and to interact with the
application running on the cloud.

 This task is more difficult because some components of this infrastructure are outside the
firewall protecting the user.

 Common Traditional attacks:

a.DDoS (Distributed Denial of Service) Attacks

 Goal: Overload cloud services to make them inaccessible to real users.

 Common and very impactful in large-scale cloud setups.

b. Phishing

 Attackers pretend to be legitimate entities to steal sensitive info like:

o Names, credit card numbers

o Social security numbers, login details

 Cloud systems that store personal data are attractive targets.

c. SQL Injection

 SQL queries are injected into web forms to:

o Access or manipulate databases

o Extract private data

 Happens when user inputs are not validated properly.

d. Cross-Site Scripting (XSS)

 Malicious scripts are injected into web pages.

 Affects users who visit those compromised pages.

 Can bypass web application security controls.

2. Availability of cloud services : refers to how reliably users can access their services and data
whenever needed.

 Cloud services can go down due to:

o Hardware/software failures

o Power outages

o Natural disasters or cyberattacks

 These events may lead to:

o Extended downtime

o Loss of productivity

2
BIS613D CLOUD COMPUTING & SECURITY

o Service disruption for many users globally

 Data Lock-In: Occurs when organizations are too dependent on one cloud provider.

 In case of service interruption or provider failure:

o Data may not be portable

o Business operations might come to a halt

 It becomes very difficult to move to another cloud provider quickly.

 There’s no guarantee that a cloud-hosted application:

 Will always return correct results

 Will perform consistently

3. Third-Party Control :Third-party control refers to the delegation of cloud infrastructure or

services to external vendors. This introduces serious risks due to lack of user control and
provider transparency

 Examples exist where data was lost or mishandled by third-party subcontractors.

 Loss of data due to inferior storage devices provided by third-party hardware vendors.

 Cloud providers could potentially access and misuse proprietary user data (Business

o secrets, customer data, and financial info may be at risk if:

 Data is not encrypted

 Provider ethics are questionable

 Most cloud contracts place full responsibility on the user, not the provider.

 Example: AWS Customer Agreement – clearly states:

 No liability for:

o Data loss

o Service outages

o Unauthorized access or deletion

 Auditability is poor in the cloud due to:

 Shared infrastructure

 Limited logging access

 Obscured data pathways

 Even if regulations exist, like:

 NIST guidelines (FIPS, FISMA),

 They apply mostly to US Government agencies, not general users.

3
BIS613D CLOUD COMPUTING & SECURITY

 The 2010 Cloud Security Alliance (CSA) report.

1.Abuse of Cloud Services
 Using cloud resources for malicious acts like DDoS attacks, spamming, or distributing malware.

 Example: A hacker using many AWS servers to send bulk spam or attack websites.
2. Insecure APIs

 APIs used to manage cloud services may lack proper security controls.

 Risk: Weak APIs can be exploited to bypass authentication or manipulate data.

3. Malicious Insiders
 Cloud employees or insiders may intentionally leak, steal, or damage data.

 Concern: Hiring and monitoring policies are not always transparent.

4. Shared Technology Issues
 Cloud platforms are multi-tenant, meaning multiple users share the same infrastructure.

 Risk: Vulnerabilities in Virtual Machine Monitors (VMMs) can let one user affect others.
5. Account or Service Hijacking

 Hackers stealing login credentials to take over a user’s cloud account.

 Impact: Can lead to data theft, unauthorized transactions, or identity misuse.

6. Data Loss or Leakage

 Important or sensitive data is lost or leaked to unauthorized people.

 Cause: May occur due to storage failures, poor backups, or attacks.

7. Unknown Risk Profile

 : Users are often unaware of how secure the cloud really is.

 Risk: Not knowing who accesses the data, where it's stored, or how it's protected.

Surfaces of attacks in cloud computing environment:

4
BIS613D CLOUD COMPUTING & SECURITY

 Three actors involved in the model considered are:

 the user, the service, and the cloud infrastructure,
 and there are six types of attacks possible,
 The user can be attacked from two directions: from the service and from the cloud. SSL
certificate spoofing, attacks on browser caches, or phishing attacks are examples of attacks that
originate at the service.
 The user can also be a victim of attacks that either originate at the cloud or spoofs that
originate from the cloud infrastructure.
 The service can be attacked from the user. Buffer overflow, SQL injection, and privilege
escalation are the common types of attacks from the service.
 The service can also be subject to attack by the cloud infrastructure; this is probably the most
serious line of attack.
 Limiting access to resources, privilege related attacks, data distortion, and injecting additional
operations are only a few of the many possible lines of attack originated at the cloud.
 The cloud infrastructure can be attacked by a user who targets the cloud control system.
 The types of attack are the same ones that a user directs toward any other cloud service.
 The cloud infrastructure may also be targeted by a service requesting an excessive number of
resources and causing the exhaustion of the resources.

PRIVACY AND PRIVACY IMPACT ASSESSMENT

 The term privacy refers to the right of an individual, a group of individuals, or an organization
to keep information of a personal or proprietary nature from being disclosed to others.
 Many nations view privacy as a basic human right. The Universal Declaration of Human Rights,
Article 12, states: “No one shall be subjected to arbitrary interference with his privacy, family,
home or correspondence, nor to attacks upon his honor and reputation. Everyone has the
right to the protection of the law against such interference or attacks.”
 At the same time, the right to privacy is limited by laws. For example, taxation laws require
individuals to share information about personal income or earnings.
 Individual privacy may conflict with other basic human rights, e.g., freedom of speech.
 Privacy laws differ from country to country; laws in one country may require public disclosure
of information considered private in other countries and cultures.
 Significant challenges related to privacy such as identity theft(personal information voluntarily
shared, but stolen from sites granted access to it or misused).
 Primarily public clouds where privacy has an entirely new dimension because the data, often
in an unencrypted form, resides on servers owned by a CSP. Services based on individual
preferences, the location of individuals, membership in social networks, or other personal
information present a special risk
 The owner of the data cannot rely exclusively on the CSP to guarantee the privacy of the data.
 Privacy concerns are different for the three cloud delivery models and also depend on the
actual context. For example, consider Gmail, a widely used SaaS delivery model.
 The main aspects of privacy are:

5
BIS613D CLOUD COMPUTING & SECURITY

 The lack of user control refers to the fact that user-centric data control is incompatible with
cloud usage. Once data is stored on the CSP’s servers, the user loses control of the exact
location, and in some instances the user could lose access to the data. For example, in case of
the Gmail service, the account owner has no control over where the data is stored or how long
old emails are stored in some backups of the servers.
 A CSP may obtain revenues from unauthorized secondary usage of the information, e.g., for
targeted advertising. There are no technological means to prevent this use.
 Data proliferation refers to the rapid and exponential increase in the generation, collection,
storage, and sharing of data across various platforms, systems, and devices. This massive
volume of information that can be difficult to manage, analyse and secure.
 Dynamic provisioning refers to threats due to outsourcing. A range of issues is very fuzzy; for
example, how to identify the subcontractors of a CSP, what rights to the data they have, and
what rights to data are transferable in case of bankruptcy or merger. There is a need for
legislation addressing the multiple aspects of privacy in the digital age.
 A document elaborated by the Federal Trade Commission for the U.S. Congress states:
“Consumer-oriented commercial Web sites that collect personal identifying information from
or about consumers online would be required to comply with the four widely accepted fair
information practices:
 Notice. Web sites would be required to provide consumers clear and conspicuous notice of their
information practices, including what information they collect, how they collect it (e.g., directly
or through nonobvious means such as cookies), how they use it, how they provide Choice,
Access, and Security to consumers, whether they disclose the information collected to other
entities, and whether other entities are collecting information through the site.
 Choice. Web sites would be required to offer consumers choices as to how their personal
identifying information is used beyond the use for which the information was provided (e.g., to
consummate a transaction). Such choice would encompass both internal secondary uses (such
as marketing back to consumers) and external secondary uses (such as disclosing data to other
entities).
 Access. Web sites would be required to offer consumers reasonable access to the information
a Web site has collected about them, including a reasonable opportunity to review information
and to correct inaccuracies or delete information.
 Security. Websites would be required to take reasonable steps to protect the security of the
information they collect from consumers. The Commission recognizes that the implementation
of these practices may vary with the nature of the information collected and the uses to which
it is put, as well as with technological developments. For this reason, the Commission
recommends that any legislation be phrased in general terms and be technologically neutral.
Thus, the definitions of fair information practices set forth in the statute should be broad
enough to provide flexibility to the implementing agency in promulgating its rules or
regulations.”

6
BIS613D CLOUD COMPUTING & SECURITY

 CLOUD DATA ENCRYPTION

o
o
o
o
o
o
o
o

7
BIS613D CLOUD COMPUTING & SECURITY

SECURITY OF DATABASE SERVICES

 Entities involved in DBaaS security include Data Owners, DBaaS Users, Cloud Service Providers
(CSPs), and Third Party Auditors (TPAs).
The main concerns are data integrity, confidentiality, and availability.

 Main causes of data loss are:

o Weak authorization, authentication, and accounting controls.

o Poor encryption key management and unencrypted data vulnerable to attacks.

o Operational failures, lack of backups, and insider threats (superusers misusing

privileges).

 Security threats come from both internal (insider misuse) and external attackers (spoofing,
sniffing, man-in-the-middle attacks, side channeling, illegal transactions, DoS attacks).
Illegal data recovery from deleted storage in multi-tenant environments is a major issue unless
complete scrubbing is done.

8
BIS613D CLOUD COMPUTING & SECURITY

 Data transmission risks arise when data moves over public networks without encryption.
➔ Encryption before transfer reduces risk.

 Other concerns include:

o Lack of knowledge about the physical location of data, making it hard to trace breaches.

o No fine-grained control over remote execution environments by users.

o Challenges in maintaining consistency across replicas when data is replicated for

availability and performance.

o Time-sensitive and expensive data provenance (tracking the origin and movement of
data).

 Legal and privacy issues arise as data privacy laws in regions like Europe and South America
prohibit data storage outside the country.

 DBaaS data availability is affected by several threats including:

• Resource exhaustion caused by imprecise specification of user needs or incorrect evaluation

of user specifications.
• Failures of the consistency management; multiple hardware and/or software failures lead to
in consistent views of user data.
• Failure of the monitoring and auditing system.

 DBaaS data confidentiality is affected by insider and outsider attacks, access control issues,
illegal data recovery from storage, network breaches, third-party access, inability to establish
the provenance of the data.

OPERATING SYSTEM SECURITY

 An operating system (OS) allows multiple applications to share the hardware resources of a
physical system, subject to a set of policies.

 A critical function ->protect applications against a wide range of malicious attacks such as
unauthorized access to privileged information, tempering with executable code, and spoofing.

 attacks ->target even single-user systems such as personal computers, tablets, or

smartphones. Data brought into the system may contain malicious code; this could occur via a
Java applet, or data imported by a browser from a malicious Web site.

 All elements of mandatory OS security are:

 Access control: policy specifies how the OS controls the access to different system objects

 Authentication usage: defines the authentication mechanisms the OS uses to authenticate a

principal

 Cryptographic usage policies: last specifies the cryptographic mechanisms used to protect the
data.

9
BIS613D CLOUD COMPUTING & SECURITY

 Applications with special privileges that perform security-related functions are called trusted
applications.

• Commercial OS do not support a multi-layered security; only distinguish between a

completely privileged security domain and a completely unprivileged one.
• Trusted paths, mechanisms supporting user interactions with trusted software, is critical
to system security.
• If such mechanisms do not exist, malicious software can impersonate trusted software.
• Some systems provide trust paths -login authentication and password changing and allow
servers to authenticate their clients.
• The solution to decompose a complex mechanism into several components with well-defined
roles.
 The access control mechanism consist of enforcer and decider components. The enforcer will
gather the required information about the agent attempting the access and will pass this
information to the decider. Finally, it will carry out the actions requested by the decider.
• A trusted-path mechanism is required to prevent malicious software invoked by an
authorized application. A trusted path is also required to prevent an impostor from
impersonating the decider agent.
• Java Virtual Machine (JVM) accepts byte code(compiled java code) in violation of language
semantics; moreover, it cannot protect itself from tampering by other applications.
• Closed-box platforms- cellular phones, game consoles, and automated Teller machines
(ATMs) could have embedded cryptographic keys reveal their true identity to authenticate
the software running on them. .
• A highly secure operating system is necessary but not sufficient ,Application-specific
security is also necessary.
• Security implemented above the operating system is better
• Ex: Electronic commerce that requires a digital signature on each transaction.

 VIRTUAL MACHINE SECURITY

10
BIS613D CLOUD COMPUTING & SECURITY

 Security in VMs is generally provided by the hypervisor (Figure 11.3A) or by a dedicated VM

that handles security services (Figure 11.3B). A secure Trusted Computing Base (TCB) is
essential; if TCB is compromised, the entire VM environment becomes insecure.
 Analysis of Xen and vBlades shows that VM technology offers stronger isolation than
traditional OS processes. A hypervisor controls privileged operations, enforcing memory, disk,
and network access isolation. Hypervisors are also less complex and better structured, making
them more resilient to attacks.
 A key limitation is that the hypervisor only sees raw data, not logical objects like files. Security
systems often need higher-level information, such as file-level visibility, which the hypervisor
doesn’t directly interpret.
 The hypervisor can save, restore, clone, and encrypt VM states. Cloning enables testing
potentially malicious applications in a safe environment. Replication enhances security and
reliability, and moving sensitive files to a dedicated VM provides protection against attacks
due to fast inter-VM communication.
 Advanced attackers can fingerprint VMs to avoid detection and can attempt to access VM
logging files to extract sensitive information such as cryptographic keys. These files must be
securely protected to prevent unauthorized access.
 Improved security through virtualization incurs certain costs:
 Higher hardware costs due to increased demand for CPU, memory, disk, and bandwidth.
 Development cost of hypervisors and modification needs for paravirtualization.
 Performance overhead as hypervisors must handle privileged operations
 Examples include:
 Livewire and Siren: These utilize isolation, inspection, and interposition.
o Inspection: Hypervisor can review guest VM states.
o Interposition: Hypervisor can trap and emulate privileged instructions.
 Prevention Systems: Include SVFS, NetTop, IntroVirt, and Terra.
o Terra uses a trusted hypervisor to securely partition VM resources.
 VMM-BASED THREATS

1.Starvation of resources and denial of service for some VMs.

 Probable causes:

• badly configured resource limits for some VMs.

• a rogue VM with the capability to bypass resource limits set in VMM.

2.VM side-channel attacks: malicious attack on one or more VMs by a rogue VM under the
same VMM.

 Probable causes:

 lack of proper isolation of inter-VM traffic due to misconfiguration of the virtual network
residing in the VMM.
 limitation of packet inspection devices to handle high speed traffic, e.g., video traffic.

11
BIS613D CLOUD COMPUTING & SECURITY

 presence of VM instances built from insecure VM images, e.g., a VM image having a guest
OS without the latest patches.

3. Buffer overflow attacks.

 VM-BASED THREATS

1.Deployment of rogue or insecure VM.:Unauthorized users may create insecure instances

from images or may perform unauthorized administrative actions on existing VMs.

 Probable cause:

• Improper configuration of access controls on VM administrative tasks such as instance

creation, launching, suspension, re-activation and so on.

2. Presence of insecure and tampered VM images in the VM image repository.

 Probable causes:

 lack of access control to the VM image repository.

 lack of mechanisms to verify the integrity of the images, e.g., digitally signed image.

SECURITY RISKS POSED BY SHARED IMAGES

 Image Sharing Risks

 Even trustworthy cloud providers like AWS can’t eliminate all risks.

 A key vulnerability lies in the use of shared Amazon Machine Images (AMIs).

 These AMIs are accessible via Quick Start or Community AMI menus and often used by first-
time or less experienced users.
 AMI Creation Process

 AMIs can be created from:

o Running systems(your live cloud server),
o Existing AMI (by modifying a template),
o VM images(a virtual machine file from outside).

 The process (called bundling) includes:

o Creating the image
o Compressing and encrypting it for protection
o Splitting it into chunks and uploading to S3(storage)
o Two procedures, ec2-bundle-image and ec2-bundle-volume, are used for creation of an
AMI.

12
BIS613D CLOUD COMPUTING & SECURITY

 Vulnerability Audit Findings

 A study of 5303 public AMIs (from 2010–2011) revealed serious vulnerabilities:

o 98% of Windows AMIs and 58% of Linux AMIs had critical security flaws.
o Average vulnerabilities per image: 46 (Windows), 11 (Linux)
o Some AMIs were outdated by 2–4 years.
 Key Security Risks Identified
o Backdoors & Leftover Credentials

 22% of Linux AMIs had hardcoded credentials:

o Passwords (100 cases), SSH keys (995), or both (90)

 Public SSH keys of the AMI creators were not removed, allowing unauthorized access.

 Password-based authentication enabled without cleaning user credentials.

o Cloud-init Script Omission:When not included:
o Host SSH keys are not regenerated, making AMIs vulnerable to man-in-the-middle
attacks.
o Attackers can identify shared keys using tools like NMap.
o Unsolicited Outgoing Connections

 Modified syslog daemons found that forwarded sensitive system logs to external entities.

 Hard to distinguish between legitimate and malicious outbound connections.

o Malware

 ClamAV detected:
o A Trojan-Spy variant with keylogging and file access abilities.
o A Trojan-Agent that decrypts stored browser passwords (Firefox).
 Risks for Image Creators

 Personal/private data exposed:

o Private keys, IPs, browser/shell history, deleted files, AWS API keys

 Unprotected ssh keys can be reused by attackers.

 Command history files recovered from 612 AMIs revealed sensitive data.

 Deleted files could be undeleted from 98% of AMIs using exundelete, with up to 40,000 files
recoverable from one image.

 Users must:

 Be cautious when selecting shared AMIs.

 Thoroughly clean AMIs before sharing.

13
BIS613D CLOUD COMPUTING & SECURITY

 Use tools like shred, scrub, zerofree, wipe to remove sensitive deleted data.

 Avoid including personal credentials or API keys in shared images.

 Ensure cloud-init is configured for key regeneration.

 SECURITY RISKS POSED BY A MANAGEMENT OS

 A virtual machine monitor, or hypervisor, is considerably smaller than operating system, e.g.,
the Xen VMM has ~ 60,000 lines of code.

 The Trusted Computer Base (TCB) of a cloud computing environment includes not only the
hypervisor but also the management OS.

 The management OS supports administrative tools, live migration, device drivers, and
device emulators.

 In Xen the management OS runs in Dom0; it manages the building of all user domains, a
process consisting of several steps:

 Allocate memory in the Dom0 address space and load the kernel of the guest OS from the
secondary storage.

 Allocate memory for the new VM and use foreign mapping to load the kernel to the new
VM.

 Set up the initial page tables for the new VM.

 Release the foreign mapping on the new VM memory, set up the virtual CPU registers and
launch the new VM.
 Possible actions of a malicious Dom0

 At the time it creates a DomU:

o Refuse to carry out the steps necessary to start the new VM.
o Modify the kernel of the guest OS to allow a third party to monitor and control the
execution of applications running under the new VM.

14
BIS613D CLOUD COMPUTING & SECURITY

o Undermine the integrity of the new VM by setting the wrong page tables and/or setup
wrong virtual CPU registers.

o Refuse to release the foreign mapping and access the memory while the new VM is
running.

 At run time:

o Dom0 exposes a set of abstract devices to the guest operating systems using split
drivers with the frontend of in a DomU and the backend in Dom0. We have to ensure
that run time communication through Dom0 is encrypted. Transport Layer Security
(TLS) does not guarantee that Dom0 cannot extract cryptographic keys from the
memory of the OS and applications running in DomU

HOW TO DEAL WITH RUN-TIME VULNERABILITY OF DOM0

 To implement a secure run-time system, we have to intercept and control the hypercalls used
for communication between a Dom0 that cannot be trusted and a DomU we want to protect.

 New hypercalls are necessary to protect:

o The privacy and integrity of the virtual CPU of a VM :When Dom0 wants to save the
state of the VM the hypercall should be intercepted and the contents of the virtual CPU
registers should be encrypted. When DomU is restored, the virtual CPU context should
be decrypted and then an integrity check should be carried out.

o The privacy and integrity of the VM virtual memory:The page table update hypercall
should be intercepted and the page should be encrypted so that Dom0 handles only
encrypted pages of the VM. To guarantee the integrity, the hypervisor should calculate
a hash of all the memory pages before they are saved by Dom0. An address translation
is necessary as a restored DomU may be allocated a different memory region.

o The freshness of the virtual CPU and the memory of the VM: The solution is to add to
the hash a version number.

 XOAR– BREAKING THE MONOLITHIC DESIGN OF THE TCB

15
BIS613D CLOUD COMPUTING & SECURITY

 Xoar is a modified version of Xen aimed at boosting system security.

 Assumes the system is professionally managed.
 Privileged access is only granted to administrators.
 Administrators are trusted: no financial incentives or desire to breach user trust.
 Main threats come from guest VMs:
 Data integrity or confidentiality breaches between guest VMs.
 Exploitation of guest code.
 Threats also exist in the initialization code of the management VM.
 The design goals of Xoar are:
• Maintain the functionality provided by Xen.
• Ensure transparency with existing management and VM interfaces.
• Tight control of privileges. Each component should only have the privileges required by its
function
• Minimize the interfaces of all components to reduce the possibility that a component can be
used by an attacker.
• Eliminate sharing. Make sharing explicit, whenever it cannot be eliminated, to allow
meaningful logging and auditing.
• Reduce the opportunity of an attack targeting a system component by limiting the time
window when the component runs.
 System booting is complex.
 Large modules used at boot are not needed after startup.
 The Xoarsystem has four types of components: permanent, self-destructing, restarted upon
request, and restarted on timer, see Figure 11.5:
 1.Permanent components;XenStore-State maintains all information regarding the state of the
system.
 2.Components used to boot the system; they self-destruct before any user VM is started. The
two components discover the hardware configuration of the server including the PCI drivers and
then boot the system:
• PCIBack– virtualizes access to PCI bus configuration.
• Bootstrapper– coordinates booting of the system
 . 3. Components restarted on each request:
• XenStore-Logic
• Toolstack–handles VMmanagementrequests, e.g., it requests the Builder to create a new
guest VMinresponse to a user request.
• Builder– initiates user VMs.
 4.Components restarted on a timer: the two components export physical storage device drivers
and the physical network driver to a guest VM.
• BlkBack– exports physical storage device drivers using udev8 rules.
• NetBack– exports the physical network driver.

16
BIS613D CLOUD COMPUTING & SECURITY

 Another component, QEMU, is responsible for device emulation. Bootstrapper, PCIBack, and
Builder are the most privileged components, but the first two are destroyed once Xoar is
initialized.
 The Builder is very small, it consists of only 13000 lines of code. XenStore is broken into two
compo nents, XenStore-Logic and XenStore-State. Access control checks are done by a small
monitor module in XenStore-State.
 Guest VMs share only the Builder, XenStore-Logic, and XenStore-State, see Fig ure 11.6. Users
of Xoar are able to only share service VMs with guest VMs that they control; to do so they specify
a tag on all of the devices of their hosted VMs.
 Auditing is more secure, whenever a VM is created, deleted, stopped, or restarted by Xoar the
action is recorded in an append-only database on a different server accessible via a secure
channel. Rebooting provides the means to ensure that a VM is in a known good state.
 To reduce the overhead and the increased startup time demanded by a reboot, Xoar uses
snapshots instead of rebooting. The service VMsnapshots itself when it is ready to service a
request. Similarly, snapshots of all components are taken immediately after their initialization
and before they start interacting with other services or guest VMs. Snapshots are implemented
using a copy-on-write mechanism9 to preserve any page about to be modified.

A TRUSTED HYPERVISOR

 Terra is a trusted hypervisor designed to support both traditional (open-box) and closed-box
platforms.
 For closed-box platforms, the platform owner cannot inspect or manipulate the system
contents.
 Supports hardware abstraction for both platform types.
 Applications can build their own software stack based on their security needs:
o High-security apps (e.g., financial systems, e-voting) should run under a minimal OS
with only essential functions.
o Low-assurance apps needing rich OS features should use commodity OS.
 Focus on Information Assurance (IA):

17
BIS613D CLOUD COMPUTING & SECURITY

o IA ensures integrity, availability, authenticity, non-repudiation, and confidentiality of

application data.
o IA also includes risk management in data processing, storage, and transmission.
 Support for:
o Trusted paths from user to application, allowing mutual identity verification between
human and VM.
o Attestation: Applications in closed-box VMs can cryptographically prove their identity
to a remote party.
o Strong isolation guarantees: Platform admin is denied root access, preventing
unauthorized control.
 Selected by the platform owner, but distinguishes between owner and user.
 Functions of Management VM:
o Limits number of guest VMs.
o Denies access to unapproved guest VMs.
o Grants/restricts I/O device access, and manages CPU, memory, and disk usage for VMs.
 Guest VMs access virtual hardware interfaces, including virtual network and device interfaces.
 The trusted hypervisor operates at the highest privilege level.
 Even platform owners cannot compromise the hypervisor.
 Provides closed-box semantics to application developers.
 Major security challenge comes from device drivers in VMs.
 Drivers, especially for high-end wireless and video cards, are large and varied.
 Many are hastily written, increasing vulnerabilities.
 Device drivers are typically the lowest quality software in OS kernels.
 Pose significant security risks.
 To protect Terra:
o Restrict driver access to sensitive data.
o Use hardware protection mechanisms to limit driver memory access.
o Prevent malicious I/O devices from exploiting features like DMA (Direct Memory
Access) to tamper with the hypervisor/kernel.

MOBILE DEVICES AND CLOUD SECURITY

 Mobile devices are an integral part of the cloud ecosystem, mobile applications use cloud
services to access and store data or to carry out a multitude of computational tasks. Security
challenges for mobile devices common to all computer and communication systems include
o Confidentiality– ensure that transmitted and stored data cannot be read by
unauthorized parties;
o Integrity– detect intentional or unintentional changes to transmitted and stored data;
o Availability– ensure that users can access cloud resources whenever needed; and
o Non-repudiation– the ability to ensure that a party to a contract cannot deny the
sending of a message that they originated
 The technology stack of a mobile device consists of the hardware, the firmware, the operating
system, and the applications.
 The separation between the firmware and the hardware of a mobile device is blurred. A
baseband processor is used solely for telephony services involving data transfers over cellular

18
BIS613D CLOUD COMPUTING & SECURITY

networks operating outside the control of the mobile OS which runs on the application
processor.
 Security-specific hardware and firmware store encryption keys, certificates, credentials, and
other sensitive information on some mobile devices.
 The nature of mobile devices places them at higher exposure to threats than stationary ones.
Mobile devices are designed to easily install applications, to use third-party applications from
application stores, and to communicate with computer clouds via often untrusted cellular and
WiFi networks.
 Mobile devices interact frequently with other systems to exchange data and often use untrusted
content.
 Mobile devices often require a short authentication passcode and may not support strong
storage encryption. Location services increase the risk of targeted attacks.
 Potential attackers are able to deter mine user’s location, correlate the location with
information from other sources on the individuals the user associates with, and infer other
sensitive information.
 Special precautions must then be taken due to exposure to the unique security threats affecting
mobile devices, including:
 Mobile malware.
 Stolen data due to loss, theft, or disposal.
 Unauthorized access.
 Electronic eavesdropping.
 Electronic tracking.
 Access to data by third party applications.
 Some of these threats can propagate to the cloud infrastructure a mobile device is connected
to. For example, files stored on the mobile devices subject to ransomeware and encrypted by a
malicious intruder can migrate to the backup stored on the cloud. The risks posed to the cloud
infrastructure by mobile devices are centered around data leakage and compromise.
 Such security risks are due to a set of reasons including:
 Loss of the mobile device, lock screen protection, enabling smudge attacks and other causes
leading to mobile access control. A smudge attack is a method to discern the password pattern
of a touchscreen device such as a cell phone or tablet computer.
 Lack of confidentiality protection for data in transit in unsafe or untrusted WiFi or cellular
networks.
 Unmatched firmware or software including operating system and application software
bypassing the security architecture, e.g., rooted/jailbroken devices. • Malicious mobile
applications bypassing access control mechanisms
CLOUD SECURITY AND TRUST MANAGEMENT
 Lack of trust between cloud users and service providers hinders cloud adoption.
 User concerns include:

 Privacy protection
 Security assurance
 Copyright protection

19
BIS613D CLOUD COMPUTING & SECURITY

 Complete reliance on cloud providers faces resistance from traditional PC/server users.
 Trust is a social problem, but can be solved with technical solutions
 Technology can build trust by ensuring:

 Justice
 Reputation
 Credit
 Assurance

 Cloud security threats are more complex than in traditional systems.

 Existing trust models from e-commerce (e.g., eBay, Amazon) are not sufficient for cloud
services.
 New data protection models are needed specifically for the cloud.
 Trust models from P2P networks and grid computing can be extended to protect cloud
platforms.
 Enhancing trust through technology is essential for cloud computing to become universally
accepted.

 Cloud Security Defense Strategies

 A healthy cloud ecosystem is desired to free users from abuses, violence, cheating, hacking,
viruses, rumors, pornography, spam, and privacy and copyright violations. The security demands
of three cloud service models, IaaS, PaaS, and SaaS, are described in this section. These security
models are based on various SLAs between providers and users

20
BIS613D CLOUD COMPUTING & SECURITY

 Basic Cloud Security

 Three basic cloud security enforcements are expected
 First, facility security in data centers demands on-site security year round. Biometric readers,
CCTV (close-circuit TV), motion detection, and man traps are often deployed.
 Network security demands fault-tolerant external firewalls, intrusion detection systems (IDSes),
and third-party vulnerability assessment.
 Platform security demands SSL and data decryption, strict password policies, and system trust
certification.
o Figure 4.31 shows the mapping of cloud models, where special security measures are
deployed at various cloud operating levels.
 User interfaces are applied to request services.
 The provisioning tool carves out the systems from the cloud to satisfy the requested ser vice.
 A security-aware cloud architecture demands security enforcement.
 Malware-based attacks such as network worms, viruses, and DDoS attacks exploit system
vulnerabilities.
 These attacks compromise system functionality or provide intruders unauthorized access to
critical information.
o Thus, security defenses are needed to protect all cluster servers and data centers. Here
are some cloud components that demand special security protection:
• Protection of servers from malicious software attacks such as worms, viruses, and malware
• Protection of hypervisors or VM monitors from software-based attacks and vulnerabilities
• Protection of VMs and monitors from service disruption and DoS attacks
• Protection of data and information from theft, corruption, and natural disasters
• Providing authenticated and authorized access to critical data and services
 Security Challenges in VMs
 Traditional network attacks include buffer overflows, DoS attacks, spyware, malware,
rootkits, Trojan horses, and worms.
 In a cloud environment, newer attacks may result from hypervisor malware, guest hopping
and hijacking, or VM rootkits.
 Another type of attack is the man-in-the-middle attack for VM migrations.
 In general, passive attacks steal sensitive data or passwords.
 Active attacks may manipulate kernel data structures which will cause major damage to cloud
servers.

21
BIS613D CLOUD COMPUTING & SECURITY

 An IDS can be a NIDS or a HIDS. Program shepherding can be applied to control and verify code
execution.
 Other defense technologies include using the RIO dynamic optimization infra structure, or
VMware’s vSafe and vShield tools, security compliance for hypervisors, and Intel vPro
technology. Others apply a hardened OS environment or use isolated execution and sandboxing.
 Cloud Defense Methods

 Virtualization enhances cloud security, but adds an extra software layer (VMs), which may
become a single point of failure.
 A single physical machine can be partitioned into multiple VMs (e.g., for server
consolidation).

 VM-level isolation provides:

 Protection against DoS attacks from other VMs.

 Security containment – attacks on one VM don’t affect others.

 The hypervisor ensures:

 Visibility into guest OS.

 Guest OS isolation and fault containment.
 VM failures are isolated and do not spread, leading to robust cloud environments.

 Malicious intrusions can damage hosts, networks, and storage if not isolated properly.
 Internet anomalies (in routers, gateways, etc.) can disrupt cloud services.
 Trust negotiation is usually performed through Service Level Agreements (SLAs).
 Public Key Infrastructure (PKI) can be enhanced using data center reputation systems.
 Worms and DDoS attacks must be contained quickly to maintain cloud reliability.
 Establishing cloud security is challenging, as data and software are shared by default in cloud
environments.

22
BIS613D CLOUD COMPUTING & SECURITY

Defense with Virtualization

 The VM is decoupled from the physical hardware.

 The entire VM can be represented as a software component and can be regarded as binary or
digital data.
 The VM can be saved, cloned, encrypted, moved, or restored with ease.
 VMs enable HA and faster disaster recovery.
 Live migration of VMs was suggested by many researchers for building distributed intrusion
detection systems (DIDSes).
 Multiple IDS VMs can be deployed at various resource sites including data centers.
Privacy and Copyright Protection

 Predictable configuration is offered to users before actual system integration.

 Yahoo! Pipes is an example of a lightweight cloud platform.
 Shared files and datasets can lead to risks of:

 Privacy breaches
 Security threats
 Copyright violations

 Users need robust cloud platforms with tools to build applications over large datasets.
 Google’s cloud platform uses in-house software for resource protection.
 Amazon EC2 secures resources using:
 HMEC (Hash-based Message Authentication Code)
 X.509 certificates
 Browser-initiated applications also need special protection in cloud environments.

 Security features desired in a secure cloud:

 Dynamic web services with full support from secure web technologies
 Established trust between users and providers through SLAs and reputation systems
 Effective user identity management and data-access management
 Single sign-on and single sign-off to reduce security enforcement overhead
 Auditing and copyright compliance through proactive enforcement
 Shifting of control of data operations from the client environment to cloud providers
 Protection of sensitive and regulated information in a shared environment

Distributed Intrusion/Anomaly Detection

 Data security is the weakest link in all cloud service models.

 New cloud security standards are needed to:

 Solve the data lock-in problem

 Address network attacks and abuses

 The IaaS model (e.g., Amazon) is highly vulnerable to external attacks.

 Role-based interface tools help manage cloud provisioning complexity.

23
BIS613D CLOUD COMPUTING & SECURITY

 Example: IBM’s Blue Cloud uses a role-based web portal.

 SaaS users may request services (e.g., secretarial work) from a shared cloud platform.

 Many cloud providers do not guarantee security, posing a risk to users.

 Cloud Security Threats

 Targets for attacks include:

o Virtual Machines (VMs)

o Guest Operating Systems
o Cloud-hosted software

 Intrusion Detection Systems (IDSes) are essential to stop threats early.

 Types of IDS Technologies

 Signature Matching IDS:

o Compares known attack patterns (signatures)

o Mature technology, but needs frequent signature updates

 Anomaly Detection IDS:

1. Identifies unusual traffic patterns

2. Detects unauthorized TCP sequences and network anomalies

 Distributed IDSes are required to:

1. Combat both signature-based and anomaly-based threats

2. Offer protection across multiple virtual environments

 Distributed Defense against DDoS Flooding Attacks

24
BIS613D CLOUD COMPUTING & SECURITY

 Cloud platforms operate across network domains, including edge networks where resources
are connected.

 DDoS (Distributed Denial of Service) attacks are often combined with worms and can cause:

 Buffer overflow
 Disk exhaustion
 Connection saturation

 Flooding attacks generate massive traffic from zombie machines toward a victim server.

 Figure 4.33(a) illustrates the attack pattern.

 Figure 4.33(b) shows a tree-like flow of the attack through routers.

 Attack traffic flows through a hierarchical pattern (like a tree), starting from many zombies and
funnelling through intermediate routers to the victim.

 The DDoS defense system works using change-point detection:

 Detects sudden spikes in traffic at transit routers

 Helps identify attacks early, before the target is overwhelmed

 This defense method is ideal for core cloud network protection.

 Provider-level cooperation helps eliminate the need for edge network intervention, improving
response efficiency and centralized control.

Data and Software Protection Techniques

Data Integrity and Privacy Protection

Users desire a software environment that provides many useful tools to build cloud applications
over large data sets. In addition to application software for MapReduce, BigTable, EC2, 3S, Hadoop,
AWS, GAE, and WebSphere2, users need some security and privacy protection software for using
the cloud.
Such software should offer the following features:

 Special APIs for authenticating users and sending e-mail using commercial accounts

25
BIS613D CLOUD COMPUTING & SECURITY

 Fine-grained access control to protect data integrity and deter intruders or hackers
 Shared data sets protected from malicious alteration, deletion, or copyright violation
 Ability to secure the ISP or cloud service provider from invading users’ privacy
 Personal firewalls at user ends to keep shared data sets from Java, JavaScript, and ActiveX
applets
 A privacy policy consistent with the cloud service provider’s policy, to protect against identity
theft, spyware, and web bugs
 VPN channels between resource sites to secure transmission of critical data objects

Data Coloring and Cloud Watermarking

 Shared files and datasets in the cloud pose risks to:

 Privacy
 Security
 Copyright protection

 Users seek trusted software environments that offer tools to build secure cloud
applications over protected data.
 Watermarking was traditionally used for digital copyright management.
 Data coloring is a modern approach where:

 Each data object is assigned a unique color (label).

 These colors distinguish different data objects for tracking and identification.

 User identity is also "colored", allowing matching between user and data color.
 Color matching supports various trust management functions, such as access control and
ownership validation.
 Cloud storage supports the full life cycle of watermarking:

 Generation
 Embedding

26
BIS613D CLOUD COMPUTING & SECURITY

 Extraction of watermarks in colored objects

 Data coloring is computationally lightweight, needing minimal processing compared to

traditional encryption.
 Cryptography, watermarking, and data coloring can be combined for stronger cloud data
protection.
 For deeper technical understanding, reference works by Hwang and Li are recommended.

Data Lock-in Problem and Proactive Solutions

 Cloud computing shifts both data and computation to cloud provider-managed server
clusters.
 Once data is in the cloud, it’s difficult to extract or move to another platform — this leads
to the data lock-in problem.

 Causes of Data Lock-In

 Lack of interoperability:
o Each cloud provider uses proprietary APIs, limiting data portability.
 Lack of application compatibility:
o Users must often rewrite applications from scratch when switching platforms.

 Solution involves creating standardized virtual platforms using:

 OVF (Open Virtualization Format):
o Platform-independent
o Efficient and extensible
o Open format for VM distribution and mobility

 Benefits of using OVF:

 Enables efficient and secure software migration

 Facilitates VM mobility between platforms
 Improves QoS (Quality of Service)
 Supports cross-cloud applications
 Allows workload migration among data centers
 Enables user-specific storage and application interoperability

Reputation-Guided Protection of Data Centers

Trust is a personal opinion, which is very subjective and often biased. Trust can be transitive but not
necessarily symmetric between two parties. Reputation is a public opinion, which is more objec tive
and often relies on a large opinion aggregation process to evaluate. Reputation may change or
decay over time. Recent reputation should be given more preference than past reputation. In this
section, we review the reputation systems for protecting data centers or cloud user communities.

27
BIS613D CLOUD COMPUTING & SECURITY

Reputation System Design Options

 Reputation refers to the collective opinion regarding the character, behavior, or reliability
of an entity such as a person, agent, service, or product. In cloud environments, reputation
systems are crucial for enhancing trust, especially since users often rely on third-party
providers to store data and run applications. These systems enable users to make
informed decisions by assessing past behavior or service quality
 Initially developed for P2P networks and e-commerce platforms like eBay and Amazon,
reputation systems are now being adapted for cloud computing. By incorporating trust
evaluations, they help mitigate risks like data breaches, unreliable services, and dishonest
users, while promoting accountability and service quality.

 P2P networks
 Multi-agent systems
 E-commerce
 Cloud computing

 Classification of Reputation Systems

A. Based on Architecture

 Centralized Reputation Systems

Governed by a single authority or central server, these systems are easier to implement
but are prone to scalability issues and single points of failure. Examples include Amazon,
Google, and eBay.
 Distributed Reputation Systems
Operate without a central authority, distributing reputation management across multiple
nodes. Though more complex, they offer better fault tolerance, scalability, and reliability,
making them ideal for large-scale or multi-cloud environments.

B. Based on Evaluation Scope

 User-Oriented Reputation Systems

Focus on individual users or agents, evaluating them based on reliability and past
behavior. Common in P2P networks.
 Resource/Site-Oriented Reputation Systems
Evaluate the entire cloud service or data center, rating the overall quality of services
offered.

28
BIS613D CLOUD COMPUTING & SECURITY

Several reputation system models have been developed in academic research:

 Eigentrust (Stanford University): Uses a trust matrix to evaluate behavior.

 PeerTrust (Georgia Tech): Designed for e-commerce, supports trustworthy transactions.
 PowerTrust (USC): Based on Internet traffic characteristics.
 QoS-based Ranking (Vu et al.): Ranks services using quality of service metrics.

Reputation systems strengthen cloud security by aiding trust negotiation, supporting SLA
enforcement, and working alongside identity management and access control systems. In hybrid
and multi-cloud models, reputation-based systems help guide vendor selection and resource
allocation, leading to efficient and trustworthy operations.

Reputation Systems for Clouds

 Data consistency is checked across multiple databases to maintain reliability.

 Copyright protection is enforced for wide-area content distribution.
 Cloud providers are primarily responsible for maintaining data integrity and consistency.
 Users can switch services freely, retaining control through exclusive access keys to their
data.
 Unique naming of data objects is essential to maintain global consistency.

 Unauthorized updates are prohibited, ensuring data security.

 Trust overlay networks can be used to implement hierarchical reputation systems for:
o Site-level protection
o File-level data object tracking
 This demands coarse-grained and fine-grained access control of shared resources.
 Existing P2P and e-commerce reputation systems can be adapted for cloud platforms.

 Centralized systems: Easier to implement but require high server reliability.

 Distributed systems: Offer scalability and better fault tolerance.

 Reputation systems must serve both cloud users and data centers.
 They track security breaches across all levels of the cloud infrastructure.
 Effective for:
o VM management
o Snapshot control using RPO (Recovery Point Objective)
o Safe data migration and cloning

 New mechanisms to support security include:

o Secured information logging
o Migration over secured Virtual LANs
o ECC-based encryption for secure virtual machine (VM) migration
 Sandboxes serve as:
o Safe execution environments
o Controlled environments for guest OS
o Security testbeds for third-party application code

29
BIS613D CLOUD COMPUTING & SECURITY

Trust Overlay Networks

 Reputation is a collective evaluation made by users and resource owners.

 Initially applied to P2P, multiagent, and e-commerce systems, reputation models are now
being adapted for trusted cloud services.
 Hwang and Li proposed using a trust overlay network to model relationships among data
center modules.

The trust overlay uses a Distributed Hash Table (DHT) to:

 Aggregate global reputations from local scores.

 Update and disseminate trust information efficiently.

The design includes two layers:

 Bottom layer: Manages trust negotiation, authentication, access authorization, trust

delegation, and data integrity.
 Top layer: Handles virus/worm signature dissemination, piracy detection, IDSes, and
worm containment.
 Content poisoning technique is a reputation-based defense against copyright violations in
cloud environments.
 Trusted interactions are enabled between cloud users and providers.
 Colored user IDs and data objects help enforce privacy through color matching.
 Content poisoning technique is a reputation-based defense against copyright violations in
cloud environments.
 Trusted interactions are enabled between cloud users and providers.
 Colored user IDs and data objects help enforce privacy through color matching.

30
BIS613D CLOUD COMPUTING & SECURITY

 Security policies can be varied dynamically to match changing cloud conditions.

 The goal is to establish a trusted environment that ensures high-quality and secure
services.
 Virtualization is key to enforcing security in data centers.
 Combined use of:
o Reputation systems: Protect access at the coarse-grained level.
o Watermarking mechanisms: Limit access at the fine-grained file level.
 A new form of Security as a Service (SaaS) is needed for:
o Widespread cloud adoption
o Application in personal, business, community, and government sectors
 Interoperability across clouds depends on a common operational standard to build a
healthy cloud ecosystem.

31