Tian Puyang,Qingni Shen,Yang Luo,Wu Luo,Zhonghai Wu

DOI: https://doi.org/10.1109/ICC.2017.7997107

2017-01-01

Abstract:Failing to promote the least privilege principle in administration can lead to substantial vulnerabilities in cloud computing. A malicious insider like a compromised cloud administrator can affect security of data and workloads belonging to cloud customers. Enforcing the least privilege principle in cloud administration can fairly restrict the permissions of administrators and reduce the attack surface. However, writing a least privilege policy can be hard and error prone for cloud service providers. In this paper, we propose a framework called Least Privilege for Cloud (LPCloud) to address these concerns. LPCloud automatically produces policies for minimization of administrators' privileges at the granularity of representational state transfer (REST) application program interfaces (API), and enforces the policies without affecting current systems. Specifically, we introduce a novel algorithm to partition privileges based on dependencies between API calls. This paper presents design of LPCloud, including a service called Policy Generator which produces partitioned policies and a component named Policy Enforcer to enforce the policies. We implement a prototype of our framework in OpenStack Mitaka. Experiments indicate that LPCloud can produce proper policies to enforce the least privilege principle. Meantime, the average performance overhead is 10.1% which is in acceptable level.

Junzan Zhou,Bo Zhou,Shanping Li

DOI: https://doi.org/10.1109/COMPSACW.2014.108

2014-01-01

Abstract:Recently, cloud computing has become popular for its unique advantages. Many applications have been migrated to cloud as web services. However, evaluating the performance of cloud services is non-trivial. Performance testing is one of the dominant techniques for evaluating system performance. In this paper, we present a model and template-based approach that automatically generates test scripts and test cases to measure service performance in an enterprise private cloud. We describe how load is generated automatically from our tool. Our empirical study shows the proposed approach can significantly decrease the cost of performance testing and help reveal potential performance issues.

Alexandre Verdet,Mohammad Hamdaqa,Leuson Da Silva,Foutse Khomh

2023-08-08

Abstract:Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools, allowing the community to conveniently manage and configure cloud infrastructure using scripts. However, the scripting process itself does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks. As a result, ensuring security relies on practitioners understanding and the adoption of explicit policies, guidelines, or best practices. In order to understand how practitioners deal with this problem, in this work, we perform an empirical study analyzing the adoption of IaC scripted security best practices. First, we select and categorize widely recognized Terraform security practices promulgated in the industry for popular cloud providers such as AWS, Azure, and Google Cloud. Next, we assess the adoption of these practices by each cloud provider, analyzing a sample of 812 open-source projects hosted on GitHub. For that, we scan each project configuration files, looking for policy implementation through static analysis (checkov). Additionally, we investigate GitHub measures that might be correlated with adopting these best practices. The category Access policy emerges as the most widely adopted in all providers, while Encryption in rest are the most neglected policies. Regarding GitHub measures correlated with best practice adoption, we observe a positive, strong correlation between a repository number of stars and adopting practices in its cloud infrastructure. Based on our findings, we provide guidelines for cloud practitioners to limit infrastructure vulnerability and discuss further aspects associated with policies that have yet to be extensively embraced within the industry.

Cryptography and Security,Software Engineering

Yang Luo,Tian Puyang,Xiaoning Sun,Qingni Shen,Yahui Yang,Anbang Ruan,Zhonghai Wu

DOI: https://doi.org/10.1109/ICWS.2017.64

2017-01-01

Abstract:At present, a growing number of web applications especially cloud computing systems employ representational state transfer (REST) API as the interface to expose their services for simplicity and clarity. For security purposes, service providers prefer to control the access to the provided interface based on the principle of least privilege. However, how to divide the administrative privileges remains a difficulty in practice. In this work, we simplify the privilege partitioning problem into a classification problem of RESTful functions, so the permission to call a category of functions can be granted to a specific administrator. We propose a RESTful API classification approach called RestSep based on genetic algorithm. A classification is represented as a 2-dimensional matrix, which is used as the chromosome. Customized operators of selection, mutation and crossover are designed. The fitness function is designed to balance parameters such as number of categories, test case coverage, function overlapping, etc. Experiments on popular clouds like OpenStack and Kubernetes indicate RestSep can generate a self-explanatory classification result, which can serve as a guideline for privilege partitioning. The overhead of test generation is at most 13.1% and the overhead of genetic algorithm is at most 183.29s, which are acceptable for practical use.

Ruoyu Wu,Xinwen Zhang,Gail‐Joon Ahn,Hadi Sharifi,Haiyong Xie

IF: 56.9

2013-01-01

Science

Abstract:Organizations and enterprises have been outsourcing their computation, storage, and workflows to Infrastructure-as-a-Service (IaaS) based cloud platforms. The heterogeneity and high diversity of IaaS cloud environment demand a comprehensive and finegrained access control mechanism, in order to meet dynamic, extensible, and highly configurable security requirements of these cloud consumers. However, existing security mechanisms provided by IaaS cloud providers do not satisfy these requirements. To address such an emergent demand, we propose a new cloud service called access control as a service (ACaaS), a service-oriented architecture in cloud to support multiple access control models, with the spirit of pluggable access control modules in modern operating systems. As a proof-of-concept reference prototype, we design and implement ACaaSRBAC to provide role-based access control (RBAC) for Amazon Web Services (AWS), where cloud customers can easily integrate the service into enterprise applications in order to extend RBAC policy enforcement in AWS. We describe challenges and lessons in implementing ACaaSRBAC, demonstrate how this service can be seamlessly integrated with enterprise cloud applications, and discuss evaluation results.

Feitong Qiao,Aryana Mohammadi,Jürgen Cito,Mark Santolucito

2024-02-24

Abstract:Infrastructure as Code (IaC) has enabled cloud customers to have more agility in creating and modifying complex deployments of cloud-provisioned resources. By writing a configuration in IaC languages such as CloudFormation, users can declaratively specify their infrastructure and CloudFormation will handle the creation of the resources. However, understanding the complexity of IaC deployments has emerged as an unsolved issue. In particular, estimating the cost of an IaC deployment requires estimating the future usage and pricing models of every cloud resource in the deployment. Gaining transparency into predicted usage/costs is a leading challenge in cloud management. Existing work either relies on historical usage metrics to predict cost or on coarse-grain static analysis that ignores interactions between resources. Our key insight is that the topology of an IaC deployment imposes constraints on the usage of each resource, and we can formalize and automate the reasoning on constraints by using an SMT solver. This allows customers to have formal guarantees on the bounds of their cloud usage. We propose a tool for fine-grained static usage analysis that works by modeling the inter-resource interactions in an IaC deployment as a set of SMT constraints, and evaluate our tool on a benchmark of over 1000 real world IaC configurations.

Software Engineering

Ruoyu Wu,Xinwen Zhang,Gail-Joon Ahn,Hadi Sharifi,Haiyong Xie

DOI: https://doi.org/10.1109/SocialCom.2013.66

2013-01-01

Abstract:Organizations and enterprises have been outsourcing their computation, storage, and workflows to Infrastructure-as-a-Service (IaaS) based cloud platforms. The heterogeneity and high diversity of IaaS cloud environment demand a comprehensive and fine-grained access control mechanism, in order to meet dynamic, extensible, and highly configurable security requirements of these cloud consumers. However, existing security mechanisms provided by IaaS cloud providers do not satisfy these requirements. To address such an emergent demand, we propose a new cloud service called access control as a service (ACaaS), a service-oriented architecture in cloud to support multiple access control models, with the spirit of plug gable access control modules in modern operating systems. As a proof-of-concept reference prototype, we design and implement ACaaS_RBAC to provide role-based access control (RBAC) for Amazon Web Services (AWS), where cloud customers can easily integrate the service into enterprise applications in order to extend RBAC policy enforcement in AWS.

Bin Liang,Heng Liu,Wenchang Shi,Yanjun Wu

DOI: https://doi.org/10.1007/978-3-540-31979-5_10

2005-01-01

Abstract:In order to provide effective support to the principle of least privilege, considering the limitation of traditional privilege mechanisms, this paper proposes a new privilege control model called State-Based Privilege Control (SBPC) and presents the design and implementation of a prototype system for SBPC called Controlled Privilege Framework (CPF) on the Linux operating system platform. SBPC decomposes the time space of a process' lifetime into a series of privilege states according to activities of the process and its need for special permissions. The privilege state is closely related to the application logic of a process. It is the privilege state transfer event that stimulates a process to transfer from one privilege state into another one. For a specified process, there is a specific set of privileges corresponding to every privilege state of the process. With the implementation of CPF, experiment results show that fine-grain and automatic privilege control can be exercised transparently to traditional applications, threats of intrusion to a system can be reduced greatly, and support to the principle of least privilege can therefore be achieved effectively.

Eric Pauley,Ryan Sheatsley,Blaine Hoak,Quinn Burke,Yohan Beugin,Patrick McDaniel

DOI: https://doi.org/10.1109/SP46214.2022.9833784

2022-04-11

Abstract:Public clouds provide scalable and cost-efficient computing through resource sharing. However, moving from traditional on-premises service management to clouds introduces new challenges; failure to correctly provision, maintain, or decommission elastic services can lead to functional failure and vulnerability to attack. In this paper, we explore a broad class of attacks on clouds which we refer to as cloud squatting. In a cloud squatting attack, an adversary allocates resources in the cloud (e.g., IP addresses) and thereafter leverages latent configuration to exploit prior tenants. To measure and categorize cloud squatting we deployed a custom Internet telescope within the Amazon Web Services us-east-1 region. Using this apparatus, we deployed over 3 million servers receiving 1.5 million unique IP addresses (56% of the available pool) over 101 days beginning in March of 2021. We identified 4 classes of cloud services, 7 classes of third-party services, and DNS as sources of exploitable latent configurations. We discovered that exploitable configurations were both common and in many cases extremely dangerous; we received over 5 million cloud messages, many containing sensitive data such as financial transactions, GPS location, and PII. Within the 7 classes of third-party services, we identified dozens of exploitable software systems spanning hundreds of servers (e.g., databases, caches, mobile applications, and web services). Lastly, we identified 5446 exploitable domains spanning 231 eTLDs-including 105 in the top 10,000 and 23 in the top 1000 popular domains. Through tenant disclosures we have identified several root causes, including (a) a lack of organizational controls, (b) poor service hygiene, and (c) failure to follow best practices. We conclude with a discussion of the space of possible mitigations and describe the mitigations to be deployed by Amazon in response to this study.

Cryptography and Security

Yutang Xia,Yang Luo,Wu Luo,Qingni Shen,Yahui Yang,Zhonghai Wu

DOI: https://doi.org/10.1109/icassp49357.2023.10094806

2023-01-01

Abstract:With the widely application of cloud, a series of privacy challenges arise. Generally, encryption methods are used to ensure privacy, which may result in high computation and communication overheads. Access control is another fundamental and important measure to protect resources. Usually cloud computing systems are managed through RESTful web services and users can conduct access control measures like role-based access control (RBAC) to manage the permissions to RESTful resources. By running integration test, test cases and the corresponding RESTful permissions can be parsed out automatically. We are the first to define the role engineering problem based on integration test and summarize three metrics for role engineering. Then we propose a novel role engineering method based on spectral clustering analysis which supporting more feature set such as permission weight, role hierarchy and customized number of roles. Finally, we conduct experiments using real integration test on three cloud computing systems to demonstrate the effectiveness and performance, outperforming prior works.

Nicholas Springer,Wu-chang Feng

DOI: https://doi.org/10.48550/arXiv.2107.12566

2021-07-27

Abstract:Organizations have rapidly shifted infrastructure and applications over to public cloud computing services such as AWS (Amazon Web Services), Google Cloud Platform, and Azure. Unfortunately, such services have security models that are substantially different and more complex than traditional enterprise security models. As a result, misconfiguration errors in cloud deployments have led to dozens of well-publicized breaches. This paper describes Thunder CTF, a scaffolded, scenario-based CTF (Capture-the-Flag) for helping students learn about and practice cloud security skills. Thunder CTF is easily deployed at minimal cost and is highly extensible to allow for crowd-sourced development of new levels as security issues evolve in the cloud.

Cryptography and Security

Yang Hu,Wenxi Wang,Sarfraz Khurshid,Mohit Tiwari

2024-06-09

Abstract:Identity and Access Management (IAM) is an access control service in cloud platforms. To securely manage cloud resources, customers need to configure IAM to specify the access control rules for their cloud organizations. However, incorrectly configured IAM can be exploited to cause a security attack such as privilege escalation (PE), leading to severe economic loss. To detect such PEs due to IAM misconfigurations, third-party cloud security services are commonly used. The state-of-the-art services apply whitebox penetration testing techniques, which require access to complete IAM configurations. However, the configurations can contain sensitive information. To prevent the disclosure of such information, customers need to manually anonymize the configuration. In this paper, we propose a precise greybox penetration testing approach called TAC for third-party services to detect IAM PEs. To mitigate the dual challenges of labor-intensive anonymization and potentially sensitive information disclosures, TAC interacts with customers by selectively querying only the essential information needed. Our key insight is that only a small fraction of information in the IAM configuration is relevant to the IAM PE detection. We first propose IAM modeling, enabling TAC to detect a broad class of IAM PEs based on the partial information collected from queries. To improve the efficiency and applicability of TAC, we aim to minimize interactions with customers by applying Reinforcement Learning (RL) with Graph Neural Networks (GNNs), allowing TAC to learn to make as few queries as possible. Experimental results on both synthetic and real-world tasks show that, compared to state-of-the-art whitebox approaches, TAC detects IAM PEs with competitively low false negative rates, employing a limited number of queries.

Cryptography and Security,Software Engineering

Tiago Espinha Gasiba,Iosif Andrei-Cristian,Ulrike Lechner,Maria Pinto-Albuquerque

DOI: https://doi.org/10.1145/3465481.3470030

2021-08-17

Abstract:Improper deployment of software can have serious consequences, ranging from simple downtime to permanent data loss and data breaches. Infrastructure as Code tools serve to streamline delivery by promising consistency and speed, by abstracting away from the underlying actions. However, this simplicity may distract from architectural or configuration faults, potentially compromising the secure development lifecycle. One way to address this issue involves awareness training. Sifu is a platform that provides education on security through serious games, developed in the industry, for the industry. The presented work extends the Sifu platform with challenges addressing Terraform-aided cloud deployment on Amazon Web Services. This paper proposes an evaluation pipeline behind the challenges, and provides details of the vulnerability detection and feedback mechanisms, as well as a novel technique for detecting undesired differences between a given architecture and a target result. Furthermore, this paper quantifies the challenges’ perceived usefulness and impact, by evaluating the challenges among a total of twelve participants. Our preliminary results show that the challenges are suitable for education and the industry, with potential usage in internal training. A key finding is that, although the participants understand the importance of secure coding, their answers indicate that universities leave them unprepared in this area. Finally, our results are compared with related industry works, to extract and provide good practices and advice for practitioners.

Mikhail Kazdagli,Mohit Tiwari,Akshat Kumar

DOI: https://doi.org/10.48550/arXiv.2205.01240

2022-06-13

Abstract:Modern software systems rely on mining insights from business sensitive data stored in public clouds. A data breach usually incurs significant (monetary) loss for a commercial organization. Conceptually, cloud security heavily relies on Identity Access Management (IAM) policies that IT admins need to properly configure and periodically update. Security negligence and human errors often lead to misconfiguring IAM policies which may open a backdoor for attackers. To address these challenges, first, we develop a novel framework that encodes generating optimal IAM policies using constraint programming (CP). We identify reducing dark permissions of cloud users as an optimality criterion, which intuitively implies minimizing unnecessary datastore access permissions. Second, to make IAM policies interpretable, we use graph representation learning applied to historical access patterns of users to augment our CP model with similarity constraints: similar users should be grouped together and share common IAM policies. Third, we describe multiple attack models and show that our optimized IAM policies significantly reduce the impact of security attacks using real data from 8 commercial organizations, and synthetic instances.

Cryptography and Security,Artificial Intelligence

Gaoshou Zhai,Jie Zeng,Miaoxia Ma,Liang Zhang

DOI: https://doi.org/10.1109/isa.2008.61

2008-01-01

Abstract:Nowadays, technologies of information security have been attached more and more importance to and it's a critical problem to take measures to ensure the reliability of related trustworthy software such as secure operating systems (SOSs). Thereafter, it's always necessary for such systems to be taken complete and rigorous security test and evaluation among development team and/or by third-party security certification organization. However, such software testing is usually time consuming, cost consuming and boresome and thus technologies of software testing automation have alluring application foreground in that field. In this paper, methods and technologies about how to test a SOS automatically are discussed in breadth and in depth at first. Then least privilege is studied and the corresponding modules of security enhancement are added to Linux based on Linux Kernel Modules (LKM). Finally, a prototype of automatic security testing as to such least privilege mechanism is implemented and the results are analyzed.

Suman Jana,Úlfar Erlingsson,Iulia Ion

DOI: https://doi.org/10.48550/arXiv.1510.07308

2015-10-26

Abstract:Clustering software into peer groups based on its apparent functionality allows for simple, intuitive categorization of software that can, in particular, help identify which software uses comparatively more privilege than is necessary to implement its functionality. Such relative comparison can improve the security of a software ecosystem in a number of ways. For example, it can allow market operators to incentivize software developers to adhere to the principle of least privilege, e.g., by encouraging users to use alternative, less-privileged applications for any desired functionality. This paper introduces software peer group analysis, a novel technique to identify least privilege violation and rank software based on the severity of the violation. We show that peer group analysis is an effective tool for detecting and estimating the severity of least privilege violation. It provides intuitive, meaningful results, even across different definitions of peer groups and security-relevant privileges. Our evaluation is based on empirically applying our analysis to over a million software items, in two different online software markets, and on a validation of our assumptions in a medium-scale user study.

Cryptography and Security

SHEN Qing-ni,QING Si-han,HE Ye-ping,LI Li-ping

DOI: https://doi.org/10.3321/j.issn:0372-2112.2006.10.012

2006-01-01

Abstract:Least privilege mechanism can provide a reasonable degree of security assurance for secure operating systems.This paper described a framework for implementing dynamically modified least privilege security policy,which combined role's duty separation property and domain's function separation property.Under the control of its new capability mechanism based on a process's executable image,current role and current domain,it restricted the process to the minimum amount of privileges within these contexts.This paper illustrated its implementation in ANSHENG OS v4.0,a copyrighted secure operating system satisfying all the specified requirements of Criteria class 4,"Structured-Protection",in GB17859-1999(equally,the B2 level in TCSEC) in China.Thus it demonstrates that this framework can help enforcing dynamically least privilege control on a secure operating system,while still providing a flexible efficient system.

Billoir, Eddie,Laborde, Romain,Rütschlé, Yves,Benzekri, Abdelmalek

DOI: https://doi.org/10.1007/s12243-024-01033-5

2024-05-17

Annals of Telecommunications

Abstract:With the new personal data protection or export control regulations, the principle of least privilege is mandatory and must be applied even for system administrators. This article explores the different approaches implemented by the main operating systems (namely Linux, Windows, FreeBSD, and Solaris) to control the privileges of system administrators in order to enforce the principle of least privilege. We define a set of requirements to manage these privileges properly, striving to balance adherence to the principle of least privilege and usability. We also present a deep analysis of each administrative privilege system based on these requirements and exhibit their benefits and limitations. This evaluation also covers the efficiency of the currently available solutions to assess the difficulty of performing administrative privileges management tasks. Following the results, the article presents the RootAsRole project, which aims to simplify Linux privilege management. We describe the new features introduced by the project and the difficulties we faced. This concrete experience allows us to highlight research challenges.

telecommunications

Anirban Bhattacharjee,Yogesh Barve,Aniruddha Gokhale,Takayuki Kuroda

DOI: https://doi.org/10.48550/arXiv.1904.02184

2019-04-03

Software Engineering

Abstract:Users of cloud platforms often must expend significant manual efforts in the deployment and orchestration of their services on cloud platforms due primarily to having to deal with the high variabilities in the configuration options for virtualized environment setup and meeting the software dependencies for each service. Despite the emergence of many DevOps cloud automation and orchestration tools, users must still rely on specifying low-level scripting details for service deployment and management using Infrastructure-as-Code (IAC). Using these tools required domain expertise along with a steep learning curve. To address these challenges in a tool-and-technology agnostic manner, which helps promote interoperability and portability of services hosted across cloud platforms, we present initial ideas on a GUI based cloud automation and orchestration framework called CloudCAMP. It incorporates domain-specific modeling so that the specifications and dependencies imposed by the cloud platform and application architecture can be specified at an intuitive, higher level of abstraction without the need for domain expertise using Model-Driven Engineering(MDE) paradigm. CloudCAMP transforms the partial specifications into deployable Infrastructure-as-Code (IAC) using the Transformational-Generative paradigm and by leveraging an extensible and reusable knowledge base. The auto-generated IAC can be handled by existing tools to provision the services components automatically. We validate our approach quantitatively by showing a comparative study of savings in manual and scripting efforts versus using CloudCAMP.

Xiaoli Zhang,Wei Geng,Yiqiao Song,Hongbing Cheng,Ke Xu,Qi Li

DOI: https://doi.org/10.1109/tnet.2023.3282100

2024-01-01

Abstract:In the trend of network middleboxes as a service, enterprise customers adopt in-the-cloud deep packet inspection (DPI) services to protect networks. As network misconfigurations and hardware failures notoriously exist, recent efforts envision to ensure the execution integrity of DPI services in untrusted clouds. However, they either require enterprise customers to know proprietary DPI rulesets of cloud providers or introduce forbidden overhead in the network context. In the paper, we propose a privacy-preserving and lightweight verification scheme that efficiently checks whether in-the-cloud DPI services run correctly without leaking private DPI rulesets. Particularly, our design introduces one trusted third party to perform privacy-preserving and trustworthy ruleset evaluation and DPI execution verification. Meanwhile, it devises a novel DPI ruleset authentication method that enables tamper-proof DPI operations and facilitates fast proof generation. The proofs can be verified without requiring the verifier to always maintain all rulesets. To further reduce the verification costs while resisting cloud cheating behaviors like bias treatments of packets, it employs a commitment-based delayed sampling mechanism which requires the DPI services to first demonstrate that all packets have been processed before receiving sampling decisions. Moreover, extensive experiments are conducted based on Click modules. The results show that the proposed scheme is practical and only incurs the real-time overhead of 10-20 microseconds.