Inevitable failure: The flawed trust assumption in the cloud

Yuqiong Sun, Giuseppe Petracca, Trent Jaeger

Research output: Chapter in Book/Report/Conference proceedingConference contribution

7 Scopus citations

Abstract

IaaS clouds offer customers on-demand computing resources such as virtual machine, network and storage. To provision and manage these resources, cloud users must rely on a variety of cloud services. However, a wide range of vulnerabilities have been identified in these cloud services that may enable an adversary to compromise customers' computations or even the cloud platform itself. Using the motivation for adding mandatory access to commercial operating systems, we argue for the development of a secure cloud operating system (SCOS) to enforce mandatory access control (MAC) over cloud services and customer instances. To better understand the concrete challenges of building a SCOS, we examine the OpenStack cloud platform from two perspectives: (1) how attacks propagate across cloud services and (2) how adversaries leverage vulnerabilities in cloud services to attack hosts. Using this information, we review the application of three MAC approaches employed by "secure" commercial systems to evaluate their practical effectiveness for controlling cloud services. While MAC enforcement can improve security for cloud services, several threats remain unchecked. We outline a set of additional security policy goals that a SCOS must enforce to control threats from potentially compromised cloud services comprehensively. While we do not actually construct a SCOS in this paper, we hope that this study will initiate discussions that may lead to practical designs.

Original languageEnglish (US)
Title of host publicationCCSW 2014 - Proceedings of the 2014 ACM Cloud Computing Security Workshop, Co-located with CCS 2014
PublisherAssociation for Computing Machinery
Pages141-150
Number of pages10
EditionNovember
ISBN (Print)9781450332392
DOIs
StatePublished - Nov 7 2014
Event6th ACM Cloud Computing Security Workshop, CCSW 2014, Held in Conjunction with the 2014 ACM Computer and Communication Security, CCS 2014 - Scottsdale, United States
Duration: Nov 7 2014 → …

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
NumberNovember
Volume2014-November
ISSN (Print)1543-7221

Other

Other6th ACM Cloud Computing Security Workshop, CCSW 2014, Held in Conjunction with the 2014 ACM Computer and Communication Security, CCS 2014
Country/TerritoryUnited States
CityScottsdale
Period11/7/14 → …

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Inevitable failure: The flawed trust assumption in the cloud'. Together they form a unique fingerprint.

Cite this