Bin Liang,Heng Liu,Wenchang Shi,Yanjun Wu

DOI: https://doi.org/10.1007/978-3-540-31979-5_10

2005-01-01

Abstract:In order to provide effective support to the principle of least privilege, considering the limitation of traditional privilege mechanisms, this paper proposes a new privilege control model called State-Based Privilege Control (SBPC) and presents the design and implementation of a prototype system for SBPC called Controlled Privilege Framework (CPF) on the Linux operating system platform. SBPC decomposes the time space of a process' lifetime into a series of privilege states according to activities of the process and its need for special permissions. The privilege state is closely related to the application logic of a process. It is the privilege state transfer event that stimulates a process to transfer from one privilege state into another one. For a specified process, there is a specific set of privileges corresponding to every privilege state of the process. With the implementation of CPF, experiment results show that fine-grain and automatic privilege control can be exercised transparently to traditional applications, threats of intrusion to a system can be reduced greatly, and support to the principle of least privilege can therefore be achieved effectively.

SHEN Qing-ni,QING Si-han,HE Ye-ping,LI Li-ping

DOI: https://doi.org/10.3321/j.issn:0372-2112.2006.10.012

2006-01-01

Abstract:Least privilege mechanism can provide a reasonable degree of security assurance for secure operating systems.This paper described a framework for implementing dynamically modified least privilege security policy,which combined role's duty separation property and domain's function separation property.Under the control of its new capability mechanism based on a process's executable image,current role and current domain,it restricted the process to the minimum amount of privileges within these contexts.This paper illustrated its implementation in ANSHENG OS v4.0,a copyrighted secure operating system satisfying all the specified requirements of Criteria class 4,"Structured-Protection",in GB17859-1999(equally,the B2 level in TCSEC) in China.Thus it demonstrates that this framework can help enforcing dynamically least privilege control on a secure operating system,while still providing a flexible efficient system.

Billoir, Eddie,Laborde, Romain,Rütschlé, Yves,Benzekri, Abdelmalek

DOI: https://doi.org/10.1007/s12243-024-01033-5

2024-05-17

Annals of Telecommunications

Abstract:With the new personal data protection or export control regulations, the principle of least privilege is mandatory and must be applied even for system administrators. This article explores the different approaches implemented by the main operating systems (namely Linux, Windows, FreeBSD, and Solaris) to control the privileges of system administrators in order to enforce the principle of least privilege. We define a set of requirements to manage these privileges properly, striving to balance adherence to the principle of least privilege and usability. We also present a deep analysis of each administrative privilege system based on these requirements and exhibit their benefits and limitations. This evaluation also covers the efficiency of the currently available solutions to assess the difficulty of performing administrative privileges management tasks. Following the results, the article presents the RootAsRole project, which aims to simplify Linux privilege management. We describe the new features introduced by the project and the difficulties we faced. This concrete experience allows us to highlight research challenges.

telecommunications

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Ryo Shimizu,Yuna Nunomura,Hideyuki Kanuka,Shimizu, Ryo

DOI: https://doi.org/10.1007/s10515-024-00420-5

IF: 1.677

2024-03-06

Automated Software Engineering

Abstract:Infrastructure as code (IaC) for the cloud, which automatically configures a system's cloud environment from source code, is an important practice thanks to its efficient, reproducible provisioning. On a cloud IaC definition (template), developers must carefully manage permission settings to minimize the risk of cyber-attacks. To this end, least privilege on IaC templates, i.e., the assignment of a necessary and sufficient set of permissions, is widely regarded as a best practice. However, the discovery of least privilege can be an error-prone, burdensome task for developers. This is partially because the execution of an action on the cloud sometimes implicitly requires permissions of other services, and since these are difficult to recognize without actual execution, developers are forced to manually iterate the execution of an action and the modification of permissions. In this work, we present an approach to automatically discover least privilege. Our approach utilizes a test suite, which represents what a system should achieve on the cloud, as an indicator of least privilege, and it iterates testing on the cloud and (re)configuration of permissions on the basis of the test results. We also propose a stepwise filtering technique that utilizes the co-occurrences of cloud services/actions and clustering-based pruning to efficiently rule out unnecessary permissions. Our experiments demonstrate that this filtering reduces the number of iterations compared to naive approaches, which directly affects the time and cost to discover least privilege. Moreover, three case studies show that our approach can identify least privilege on Amazon Web Services within a practical time.

computer science, software engineering

Yang Luo,Wu Luo,Tian Puyang,Qingni Shen,Anbang Ruan,Zhonghai Wu

DOI: https://doi.org/10.1109/cloud.2016.0017

2016-01-01

Abstract:The access control mechanisms of existing cloud systems, mainly OpenStack, fail to provide two key factors: i) centralized access mediation and ii) flexible policy customization. This situation prevents cloud administrators and end customers from enhancing their security. Furthermore, a variety of clouds have implemented their access control systems and policies in separated ways. This might confuse the customers whose businesses are built on multiple clouds, as they have to take efforts to accommodate their policies for different platforms. The OpenStack Security Modules (OSM) project has developed a least-invasive access control framework for OpenStack to enable different access control models to be implemented as loadable modules. This framework can be a good replacement of the existing permission checks in OpenStack and other platforms. We also propose an integration mechanism for multiple policies to form a single decision. This paper presents the design and implementation of OSM, including a new service called patron and an attachment module called access endpoint middleware (AEM). Experiments on the tempest benchmark indicate that OSM has improved the flexibility and security of policy management without affecting other services. Meantime, the average performance overhead remains as low as 7.3%, which is acceptable for practical use.

Yang Luo,Tian Puyang,Xiaoning Sun,Qingni Shen,Yahui Yang,Anbang Ruan,Zhonghai Wu

DOI: https://doi.org/10.1109/ICWS.2017.64

2017-01-01

Abstract:At present, a growing number of web applications especially cloud computing systems employ representational state transfer (REST) API as the interface to expose their services for simplicity and clarity. For security purposes, service providers prefer to control the access to the provided interface based on the principle of least privilege. However, how to divide the administrative privileges remains a difficulty in practice. In this work, we simplify the privilege partitioning problem into a classification problem of RESTful functions, so the permission to call a category of functions can be granted to a specific administrator. We propose a RESTful API classification approach called RestSep based on genetic algorithm. A classification is represented as a 2-dimensional matrix, which is used as the chromosome. Customized operators of selection, mutation and crossover are designed. The fitness function is designed to balance parameters such as number of categories, test case coverage, function overlapping, etc. Experiments on popular clouds like OpenStack and Kubernetes indicate RestSep can generate a self-explanatory classification result, which can serve as a guideline for privilege partitioning. The overhead of test generation is at most 13.1% and the overhead of genetic algorithm is at most 183.29s, which are acceptable for practical use.

Haoqi Wu,Zhengxuan Yu,Dapeng Huang,Haodong Zhang,Weili Han

DOI: https://doi.org/10.1109/trustcom50675.2020.00075

2020-01-01

Abstract:The state-of-the-art database-backed web applications usually assign full privileges to connections between applications and data sources. This phenomenon, which would enable a malicious attacker to easily compromise the applications through arbitrarily manipulating the data sources without the restriction of privileges, seriously breaks the principle of least privilege (PLP), a fundamental law of system security. Motivated to counter this problem, we propose a framework PDA (PLP over Data source Access) to automatically enforce this principle over data source access based on application-driven privilege separation. Our proposed PDA contributes from the following aspects: i) PDA achieves the privilege separation by intercepting database queries and enforcing privileged connections to database for each database query; ii) PDA can effectively defend against SQL-based vulnerabilities including buggy queries and SQL injection attacks. Lastly, we evaluate PDA on a widely used application platform, JForum, to demonstrate the effectiveness of PDA with a promising performance overhead of 8.13%.

Yang Luo,Tian Puyang,Wu Luo,Qingni Shen,Anbang Ruan,Zhonghai Wu

DOI: https://doi.org/10.1007/978-3-319-50011-9_17

2016-01-01

Abstract:Recently a large number of existing cloud systems adopt representational state transfer (REST) as the interface of their services. The end users or even components inside the cloud invoke RESTful calls to perform various actions. The authorization mechanisms of the existing clouds fail to supply two key elements: unified access control and flexible support for different policies. Moreover, different clouds usually provide distinct access control concepts and policy languages. This might cause confusion for customers whose business is distributed in multiple clouds. In this paper, we propose a multi-policy authorization framework called MultiPol to support various access control policies for OpenStack. The end users can customize or even integrate different policies together to form a single decision via logical connectors. This paper presents the design and implementation of MultiPol, including a new service called Policy Service and an attachment module called Request Filter. Experiments on OpenStack show that MultiPol has improved the flexibility and security of policy management without affecting other services. Meantime, the average performance overhead is as low as 7.8%, which is acceptable for practical use. Since MultiPol is built on REST, it is also adaptive to other clouds which also provide RESTful interfaces.

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Jiaoli Shi,Chao Hu,Shimao Yao,Zhuolin Mei,Bin Wu,Hui Li

DOI: https://doi.org/10.1109/icpads60453.2023.00413

2023-01-01

Abstract:Efficiency, security, and flexibility are difficult to balance in a full policy hiding CP-ABE scheme. This paper creatively converts the privacy matching problem of access policy and a user’s private key to the privacy three-party set computation problem. Then the new privacy set computation problem is resolved by a message driven key generation method. Additionally, the ROBDD (Reduced Ordered Binary Decision Diagrams) is utilized to rich access structure expression and convert access policies into feasible path sets. Each feasible path is composed of attributes and these attributes are bound to the ciphertext using CP-ABE. Based on the innovative ideas mentioned above, we present a Lighten Fine-grained Access Control scheme supporting Full Policy Hidden (LFAC-FPH) that integrates data confidentiality protection, access policy rich expression but complete hiding, fine-grained access control, and lightweight terminal computing. Our scheme has three advantages: 1) High Efficiency. The proposed scheme can achieve fast privacy matching of access policies during user decryption. 2) Full Policy Hiding. The access policy bound by an owner on the ciphertext does not leak any information. Moreover, a user cannot know attributes they do not own. 3) High Flexibility. The decryption process does not require online from owners or KGC, and system attributes can be added at any time.

Yang Luo,Qingni Shen,Zhonghai Wu

DOI: https://doi.org/10.48550/arXiv.1903.09756

2019-03-23

Abstract:Access control is an important component for web services such as a cloud. Current clouds tend to design the access control mechanism together with the policy language on their own. It leads to two issues: (i) a cloud user has to learn different policy languages to use multiple clouds, and (ii) a cloud service provider has to customize an authorization mechanism based on its business requirement, which brings high development cost. In this work, a new access control policy language called PERM modeling language (PML) is proposed to express various access control models such as access control list (ACL), role-based access control (RBAC) and attribute-based access control (ABAC), etc. PML's enforcement mechanism is designed in an interpreter-on-interpreter manner, which not only secures the authorization code with sandboxing, but also extends PML to all programming languages that support Lua. PML is already adopted by real-world projects such as Intel's RMD, VMware's Dispatch, Orange's Gobis and so on, which proves PML's usability. The performance evaluation on OpenStack, CloudStack and Amazon Web Services (AWS) shows PML's enforcement overhead per request is under 5.9us.

Cryptography and Security

Sarath Pathari

DOI: https://doi.org/10.48550/arXiv.2004.14746

2020-04-30

Abstract:Secure distributed storage, which is a rising cloud administration, is planned to guarantee the mystery of re-appropriated data yet also to give versatile data access to cloud customers whose data is out of physical control. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is seen as a champion among the most reassuring frameworks that may be used to verify the confirmation of the administration. Be that as it may, the use of CP-ABE may yield an unavoidable security burst which is known as the abuse of access accreditation (for example decoding right). In this paper, we look at the two essential occurrences of access accreditation misuse: one is on the semi-believed specialist side, and the other is supportive of the cloud customer. To ease the abuse, we propose revocable CP-ABE based distributed storage structure with express renouncing, planned information getting to and numerous examining capacities alluded as Cloud+.

Distributed, Parallel, and Cluster Computing,Cryptography and Security

Fuzhi Cang,Mingxing Zhang,Yongwei Wu,Weimin Zheng

DOI: https://doi.org/10.3969/j.issn.1673-5188.2013.04.004

2013-01-01

Abstract:Despite the multifaceted advantages of cloud computing,concerns about data leakage or abuse impedes its adoption for security-sensi tive tasks.Recent investigations have revealed that the risk of unauthorized data access is one of the biggest concerns of users of cloud-based services.Transparency and accountability for data managed in the cloud is necessary.Specifically,when using a cloudhost service,a user typically has to trust both the cloud service provider and cloud infrastructure provider to properly handling private data.This is a multi-party system.Three particular trust models can be used according to the credibility of these providers.This pa per describes techniques for preventing data leakage that can be used with these different models.

Kaiping Xue,Weikeng Chen,Wei Li,Jianan Hong,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2018.2809679

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:People endorse the great power of cloud computing, but cannot fully trust the cloud providers to host privacy-sensitive data, due to the absence of user-to-cloud controllability. To ensure confidentiality, data owners outsource encrypted data instead of plaintexts. To share the encrypted files with other users, ciphertext-policy attribute-based encryption (CP-ABE) can be utilized to conduct fine-grained and owner-centric access control. But this does not sufficiently become secure against other attacks. Many previous schemes did not grant the cloud provider the capability to verify whether a downloader can decrypt. Therefore, these files should be available to everyone accessible to the cloud storage. A malicious attacker can download thousands of files to launch economic denial of sustainability (EDoS) attacks, which will largely consume the cloud resource. The payer of the cloud service bears the expense. Besides, the cloud provider serves both as the accountant and the payee of resource consumption fee, lacking the transparency to data owners. These concerns should be resolved in real-world public cloud storage. In this paper, we propose a solution to secure encrypted cloud storages from EDoS attacks and provide resource consumption accountability. It uses CP-ABE schemes in a black-box manner and complies with arbitrary access policy of the CP-ABE. We present two protocols for different settings, followed by performance and security analysis.

Rui Luo,Yuanzhi Yao,Weihai Li,Nenghai Yu

DOI: https://doi.org/10.1007/978-3-031-06761-7_43

2022-01-01

Abstract:Cloud storage service has significant advantages on both cost reduction and convenient data sharing. It frees data owners from technical management. However, it poses new challenges on privacy and security protection. To protect data confidentiality and privacy of users against malicious entities in the cloud, fine-grained data access control in cloud storage has become a challenging issue and draws considerable investigation. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptographic technique to address the above issue. In many scenarios, access policies are associated with privacy and sensitive information of users which needs to be preserved from disclosure. However, existing schemes cannot simultaneously support time-sensitive data publishing and attribute information preservation. In this paper, we propose a privacy-preserving time and attribute factors combined cloud data access control with computation outsourcing scheme (named PTAC). To preserve attribute privacy, we design a dual access policy tree mechanism where one access policy tree is public and another is sensitive and hidden. Moreover, time-sensitive data publishing can be achieved by combining CP-ABE with timed-release encryption. By using edge computing and cloud computing, we also outsource partitive computational cost of encryption and decryption to third parties. Extensive security and performance analysis demonstrate the security and efficiency of our proposed scheme in cloud storage. As a result, valuable attribute information in the access policy can be preserved in case of disclosing to unauthorized recipients.

Ehab Zaghloul,Kai Zhou,Jian Ren

DOI: https://doi.org/10.48550/arXiv.1801.02685

2018-01-09

Abstract:Cloud computing has changed the way enterprises store, access and share data. Data is constantly being uploaded to the cloud and shared within an organization built on a hierarchy of many different individuals that are given certain data access privileges. With more data storage needs turning over to the cloud, finding a secure and efficient data access structure has become a major research issue. With different access privileges, individuals with more privileges (at higher levels of the hierarchy) are granted access to more sensitive data than those with fewer privileges (at lower levels of the hierarchy). In this paper, a Privilege-based Multilevel Organizational Data-sharing scheme~(P-MOD) is proposed that incorporates a privilege-based access structure into an attribute-based encryption mechanism to handle these concerns. Each level of the privilege-based access structure is affiliated with an access policy that is uniquely defined by specific attributes. Data is then encrypted under each access policy at every level to grant access to specific data users based on their data access privileges. An individual ranked at a certain level can decrypt the ciphertext (at that specific level) if and only if that individual owns a correct set of attributes that can satisfy the access policy of that level. The user may also decrypt the ciphertexts at the lower levels with respect to the user's level. Security analysis shows that P-MOD is secure against adaptively chosen plaintext attack assuming the DBDH assumption <a class="link-external link-http" href="http://holds.The" rel="external noopener nofollow">this http URL</a> comprehensive performance analysis demonstrates that P-MOD is more efficient in computational complexity and storage space than the existing schemes in secure data sharing within an organization.

Cryptography and Security

Yu Zhang,Jing Chen,Ruiying Du,Lan Deng,Yang Xiang,Qing Zhou

DOI: https://doi.org/10.1109/TrustCom.2014.42

2014-01-01

Abstract:In the past few years, cloud computing has emerged as one of the most influential paradigms in the IT industry. As promising as it is, this paradigm brings forth many new challenges for data security because users have to outsource sensitive data on untrusted cloud servers for sharing. In this paper, to guarantee the confidentiality and security of data sharing in cloud environment, we propose a Flexible and Efficient Access Control Scheme (FEACS) based on Attribute-Based Encryption, which is suitable for fine-grained access control. Compared with existing state-of-the-art schemes, FEACS is more practical by following functions. First of all, considering the factor that the user membership may change frequently in cloud environment, FEACS has the capability of coping with dynamic membership efficiently. Secondly, full logic expression is supported to make the access policy described accurately and efficiently. Besides, we prove in the standard model that FEACS is secure based on the Decisional Bilinear Diffie-Hellman assumption. To evaluate the practicality of FEACS, we provide a detailed theoretical performance analysis and a simulation comparison with existing schemes. Both the theoretical analysis and the experimental results prove that our scheme is efficient and effective for cloud environment.

Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong,Nenghai Yu

DOI: https://doi.org/10.1109/tdsc.2020.2987903

2022-01-01

Abstract:Under the assumption of honest-but-curious cloud service provider, various cryptographic techniques have been used to address the issues of data access control and confidentiality in public cloud storage. Among which, attribute-based encryption (ABE) has been shown to be an attractive scheme. Although the technique of ABE brings in various benefits, its onerous overhead should not be ignored. In this article, based on an improved LSSS (linear secret sharing scheme) matrix expression integrated in CP-ABE (Ciphertext-Policy Attribute-Based Encryption) algorithm, we present an efficient and secure attribute-based access control scheme for the scenarios where multiple data are shared and encrypted with frequently used sub-policies. In the scheme, a user can store the parameters about a specific sub-policy in his/her first decryption, which can be reused in the subsequent data decryptions whose embedded access policies include the same sub-policy so as to significantly reduce the computation cost. Our proposed scheme is proved to be semantically secure under chosen plaintext attacks and can well preserve the confidentiality of the data sharing system. Our analysis and experimentation also show that our scheme does significantly reduce the decryption time and while trades in only very little storage overhead, and thus effectively promotes the efficiency.

Cong Wang,Kui Ren,Jia Wang

DOI: https://doi.org/10.1109/infcom.2011.5935305

2011-01-01

Abstract:Cloud computing enables customers with limited computational resources to outsource large-scale computational tasks to the cloud, where massive computational power can be easily utilized in a pay-per-use manner. However, security is the major concern that prevents the wide adoption of computation outsourcing in the cloud, especially when end-user's confidential data are processed and produced during the computation. Thus, secure outsourcing mechanisms are in great need to not only protect sensitive information by enabling computations with encrypted data, but also protect customers from malicious behaviors by validating the computation result. Such a mechanism of general secure computation outsourcing was recently shown to be feasible in theory, but to design mechanisms that are practically efficient remains a very challenging problem. Focusing on engineering computing and optimization tasks, this paper investigates secure outsourcing of widely applicable linear programming (LP) computations. In order to achieve practical efficiency, our mechanism design explicitly decomposes the LP computation outsourcing into public LP solvers running on the cloud and private LP parameters owned by the customer. The resulting flexibility allows us to explore appropriate security/efficiency tradeoff via higher-level abstraction of LP computations than the general circuit representation. In particular, by formulating private data owned by the customer for LP problem as a set of matrices and vectors, we are able to develop a set of efficient privacy-preserving problem transformation techniques, which allow customers to transform original LP problem into some random one while protecting sensitive input/output information. To validate the computation result, we further explore the fundamental duality theorem of LP computation and derive the necessary and sufficient conditions that correct result must satisfy. Such result verification mechanism is extremely efficient and incurs close-to-zero additional cost on both cloud server and customers. Extensive security analysis and experiment results show the immediate practicability of our mechanism design.