{"title":"Unity: secure and durable personal cloud storage","authors":"Beom Heyn Kim, Wei Huang, D. Lie","doi":"10.1145/2381913.2381920","DOIUrl":"https://doi.org/10.1145/2381913.2381920","url":null,"abstract":"Unity provides secure and durable storage for personal data that does not depend on the security or availability of a central service. Instead, Unity exploits the trend towards users having more personal computing devices and the increasing amounts of storage available on those devices. This motivates the design of Unity, which does not store data on the cloud provider at all, but instead leverages the availability of the cloud provider to mount a coordination service that enables a user's devices to provide durable storage for the user's data themselves.","PeriodicalId":300613,"journal":{"name":"Cloud Computing Security Workshop","volume":"85 1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-10-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132019018","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Gaven J. Watson, R. Safavi-Naini, Mohsen Alimomeni, M. Locasto, S. Narayan
{"title":"LoSt: location based storage","authors":"Gaven J. Watson, R. Safavi-Naini, Mohsen Alimomeni, M. Locasto, S. Narayan","doi":"10.1145/2381913.2381926","DOIUrl":"https://doi.org/10.1145/2381913.2381926","url":null,"abstract":"For certain types of sensitive data (such as health records) it is important to know the geographic location of the file, e.g. that it is stored on servers within the USA. This is particularly important for determining applicable laws and regulations. In this paper we discuss the problem of verifying the location of files within distributed file storage systems such as the cloud. We consider a general setup for a distributed storage system and show that verifying location when such a system is fully malicious, is impossible. We then make plausible assumptions about the behavior of the system and provide a formal definition for Proofs of Location (PoL) in our setting. We show secure and efficient PoL schemes can be constructed by using a geolocation scheme and a Proof of Retrievability (PoR) scheme with a new added property that we call re-coding, which is of independent interest.","PeriodicalId":300613,"journal":{"name":"Cloud Computing Security Workshop","volume":"163 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-10-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124557805","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Towards a richer model of cloud app markets","authors":"Abhinav Srivastava, V. Ganapathy","doi":"10.1145/2381913.2381918","DOIUrl":"https://doi.org/10.1145/2381913.2381918","url":null,"abstract":"Major cloud providers have recently been building cloud markets, which serve as a hosting platform for VMs pre-installed with a variety of software stacks. Clients of cloud computing leverage such markets by downloading and instantiating the VMs that best suit their computing needs, thereby saving the effort needed to configure and build VMs from scratch.\u0000 This vision paper argues for a richer model of cloud markets. We envision a market of VM apps that can interact with client VMs in a rich set of ways to provide a number of services that are currently supported only by cloud providers. For example, clients can use VM apps to deploy virtual machine introspection-based security tools and various network middleboxes on their work VMs without requiring the cloud provider to deploy these services on their behalf. This paper presents a taxonomy of VM apps, analyzes the key requirements needed to realize such VM apps, and explores the design and trade-offs of various options to implement VM apps.","PeriodicalId":300613,"journal":{"name":"Cloud Computing Security Workshop","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-10-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114577220","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"CloudFilter: practical control of sensitive data propagation to the cloud","authors":"I. Papagiannis, P. Pietzuch","doi":"10.1145/2381913.2381931","DOIUrl":"https://doi.org/10.1145/2381913.2381931","url":null,"abstract":"A major obstacle for the adoption of cloud services in enterprises is the potential loss of control over sensitive data. Companies often have to safeguard a subset of their data because it is crucial to their business or they are required to do so by law. In contrast, cloud service providers handle enterprise data without providing guarantees and may put confidentiality at risk. In order to maintain control over their sensitive data, companies typically block all access to a wide range of cloud services at the network level. Such restrictions significantly reduce employee productivity while offering limited practical protection in the presence of malicious employees.\u0000 In this paper, we suggest a practical mechanism to ensure that an enterprise maintains control of its sensitive data while employees are allowed to use cloud services. We observe that most cloud services use HTTP as a transport protocol. Since HTTP offers well-defined methods to transfer files, inspecting HTTP messages allows the propagation of data between the enterprise and cloud services to be monitored independently of the implementation of specific cloud services. Our system, CloudFilter, intercepts file transfers to cloud services, performs logging and enforces data propagation policies. CloudFilter controls where files propagate after they have been uploaded to the cloud and ensures that only authorised users may gain access. We show that CloudFilter can be applied to control data propagation to Dropbox and GSS, describing the realistic data propagation policies that it can enforce.","PeriodicalId":300613,"journal":{"name":"Cloud Computing Security Workshop","volume":"27 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-10-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116161751","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Adam Bates, Benjamin Mood, Joe Pletcher, H. Pruse, Masoud Valafar, Kevin R. B. Butler
{"title":"Detecting co-residency with active traffic analysis techniques","authors":"Adam Bates, Benjamin Mood, Joe Pletcher, H. Pruse, Masoud Valafar, Kevin R. B. Butler","doi":"10.1145/2381913.2381915","DOIUrl":"https://doi.org/10.1145/2381913.2381915","url":null,"abstract":"Virtualization is the cornerstone of the developing third party compute industry, allowing cloud providers to instantiate multiple virtual machines (VMs) on a single set of physical resources. Customers utilize cloud resources alongside unknown and untrusted parties, creating the co-resident threat -- unless perfect isolation is provided by the virtual hypervisor, there exists the possibility for unauthorized access to sensitive customer information through the exploitation of covert side channels.\u0000 This paper presents co-resident watermarking, a traffic analysis attack that allows a malicious co-resident VM to inject a watermark signature into the network flow of a target instance. This watermark can be used to exfiltrate and broadcast co-residency data from the physical machine, compromising isolation without reliance on internal side channels. As a result, our approach is difficult to defend without costly underutilization of the physical machine. We evaluate co-resident watermarking under a large variety of conditions, system loads and hardware configurations, from a local lab environment to production cloud environments (Futuregrid and the University of Oregon's ACISS). We demonstrate the ability to initiate a covert channel of 4 bits per second, and we can confirm co-residency with a target VM instance in less than 10 seconds. We also show that passive load measurement of the target and subsequent behavior profiling is possible with this attack. Our investigation demonstrates the need for the careful design of hardware to be used in the cloud.","PeriodicalId":300613,"journal":{"name":"Cloud Computing Security Workshop","volume":"29 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-10-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122072360","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Angeliki Zavou, E. Athanasopoulos, G. Portokalidis, A. Keromytis
{"title":"Exploiting split browsers for efficiently protecting user data","authors":"Angeliki Zavou, E. Athanasopoulos, G. Portokalidis, A. Keromytis","doi":"10.1145/2381913.2381921","DOIUrl":"https://doi.org/10.1145/2381913.2381921","url":null,"abstract":"Offloading complex tasks to a resource-abundant environment like the cloud, can extend the capabilities of resource constrained mobile devices, extend battery life, and improve user experience. Split browsing is a new paradigm that adopts this strategy to improve web browsing on devices like smartphones and tablets. Split browsers offload computation to the cloud by design; they are composed by two parts, one running on the thin client and one in the cloud. Rendering takes place primarily in the latter, while a bitmap or a simplified web page is communicated to the client. Despite its difference with traditional web browsing, split browsing still suffers from the same types of threats, such as cross-site scripting. In this paper, we propose exploiting the design of split browsers to also utilize cloud resources for protecting against various threats efficiently. We begin by systematically studying split browsing architectures, and then proceed to propose two solutions, in parallel and inline cloning, that exploit the inherent features of this new browsing paradigm to accurately and efficiently protect user data against common web exploits. Our preliminary results suggest that our framework can be efficiently applied to Amazon's Silk, the most widely deployed at the time of writing, split browser.","PeriodicalId":300613,"journal":{"name":"Cloud Computing Security Workshop","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-10-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129160628","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Are AES x86 cache timing attacks still feasible?","authors":"K. Mowery, S. Keelveedhi, H. Shacham","doi":"10.1145/2381913.2381917","DOIUrl":"https://doi.org/10.1145/2381913.2381917","url":null,"abstract":"We argue that five recent software and hardware developments - the AES-NI instructions, multicore processors with per-core caches, complex modern software, sophisticated prefetchers, and physically tagged caches - combine to make it substantially more difficult to mount data-cache side-channel attacks on AES than previously realized. We propose ways in which some of the challenges posed by these developments might be overcome. We also consider scenarios where side-channel attacks are attractive, and whether our proposed workarounds might be applicable to these scenarios.","PeriodicalId":300613,"journal":{"name":"Cloud Computing Security Workshop","volume":"11 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-10-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114253322","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Revisiting DNS and WHOIS in the cloud era","authors":"B. Kaliski","doi":"10.1145/2381913.2381929","DOIUrl":"https://doi.org/10.1145/2381913.2381929","url":null,"abstract":"If the Internet is the original cloud, then ubiquitous Internet information services such as the Domain Name System (DNS) and WHOIS are among the classic cloud services. Although protocols from the 1980s running over ports 53 and 43 may appear to be a long way from today's cloud computing model, the services' profile - with points of presence around the world sharing a common data set and fulfilling billions of transactions per day - is much closer to \"cloud\" than one might expect. Indeed, all five essential characteristics of cloud computing appear, to varying extents, in the implementation of these early examples of the Software as a Service model.\u0000 In this talk, I'll reintroduce these protocols from a cloud perspective, describe their security mechanisms, including the DNS Security Extensions (DNSSEC), and share some emerging work on next-generation WHOIS in a more contemporary style that should also make it more secure. I'll also explain the essential role that cloud services play in mitigating Distributed Denial of Service (DDoS) attacks.","PeriodicalId":300613,"journal":{"name":"Cloud Computing Security Workshop","volume":"8 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-10-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122935387","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
John Aycock, Daniel Medeiros Nunes de Castro, M. Locasto, Chris Jarabek
{"title":"Babel: a secure computer is a polyglot","authors":"John Aycock, Daniel Medeiros Nunes de Castro, M. Locasto, Chris Jarabek","doi":"10.1145/2381913.2381922","DOIUrl":"https://doi.org/10.1145/2381913.2381922","url":null,"abstract":"Why should a user's computer be trusted at all? We propose a new model of the computer, Babel, that makes a user's computer appear as it normally would, but is actually untrusted to the point where it cannot run the code installed on it. Each computer, each process, speaks a different language, and a translator on the network, in the cloud, is needed to allow a user's computer to execute code. This has enormous implications. The user gets continuous protection, and multiple kinds of protection, with no need for security updates or patches. At the same time, the user effectively has an adjustable control that they can set based on their risk assessment and need for privacy. Babel can work perfectly well alongside existing systems, and opens new markets for security.","PeriodicalId":300613,"journal":{"name":"Cloud Computing Security Workshop","volume":"40 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-10-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122449866","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Christopher W. Fletcher, Marten van Dijk, S. Devadas
{"title":"Towards an interpreter for efficient encrypted computation","authors":"Christopher W. Fletcher, Marten van Dijk, S. Devadas","doi":"10.1145/2381913.2381928","DOIUrl":"https://doi.org/10.1145/2381913.2381928","url":null,"abstract":"Fully homomorphic encryption (FHE) techniques are capable of performing encrypted computation on Boolean circuits, i.e., the user specifies encrypted inputs to the program, and the server computes on the encrypted inputs. Applying these techniques to general programs with recursive procedures and data-dependent loops has not been a focus of attention. In this paper, we take a first step toward building an interpreter that, given programs with complex control flow, schedules efficient code suitable for the application of FHE schemes.\u0000 We first describe how programs written in a small Turing-complete instruction set can be executed with encrypted data and point out inefficiencies in this methodology. We then provide examples of scheduling (a) the greatest common divisor (GCD) problem using Euclid's algorithm and (b) the 3-Satisfiability (3SAT) problem using a recursive backtracking algorithm into path-levelized FHE computations. We describe how path levelization reduces control flow ambiguity and improves encrypted computation efficiency. Using these techniques and data-dependent loops as a starting point, we then build support for hierarchical programs made up of phases, where each phase corresponds to a fixed point computation that can be used to further improve the efficiency of encrypted computation.\u0000 In our setting, the adversary learns an estimate of the number of steps required to complete the computation, which we show is the least amount of leakage possible.","PeriodicalId":300613,"journal":{"name":"Cloud Computing Security Workshop","volume":"89 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-10-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114203843","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
