Future Work

Although many advances of security mechanisms for protecting service integrity in multi-tenant cloud systems have been achieved, open questions still exist and need further investigation. We

discuss several of the most interesting ones as follows.

• Attestation for Stateful and Non-Deterministic Services: Our service integrity attestation schemes have assumed that the attested services are stateless and deterministic. However, some data processing functions are stateful and/or non-deterministic. For example, the computing results of a window-based stream operator, such as aggregation and join, rely on the window status, essentially, the entire tuples within the window. Although we have provided solutions for attesting window-based stream operators, further investigation is still needed to search for more efficient and effective way to attest stateful and non- deterministic services.

• Attestation for Web Services: Our work has focused on service integrity attestation schemes for dataflow processing applications. However, there are some other services that have unique characteristics such that existing techniques cannot be simply applied. For example, web services, currently as the dominate services running on Amazon EC2, may involve both session states shared by different web server replicas and persistent states stored in the database. It is hard to role back database for attestation. Thus, it is non-trivial to apply attestation techniques to web services.

• Profiling and Prediction for Service Integrity Attacks: Our service integrity attestation schemes belong to reactive approaches in that they aim to detect service integrity attacks and pinpoint malicious service providers after the attack actually happens. It would be interesting to investigate proactive approaches, which can predict attacks or detect vulnerabilities before an actual attack is launched. There have been some related existing work that focuses on profiling malware or kernel rootkit behavior [15, 56, 62]. However, these approaches focus on a single computer system, without leveraging the homogeneity feature in cloud computing systems. Moreover, these approaches cannot predict future attacks.

REFERENCES

[1] Amazon Elastic Compute Cloud. http://aws.amazon.com/ec2/. [2] Apache Hadoop System. http://hadoop.apache.org/core/.

[3] Microsoft Azure Services Platform. http://www.microsoft.com/azure/default.mspx. [4] Software as a Service. http://en.wikipedia.org/wiki/Software as a Service.

[5] The PlanetLab. http://www.planet-lab.org/. [6] Virtual Computing Lab. http://vcl.ncsu.edu/.

[7] D. J. Abadi and et al. The Design of the Borealis Stream Processing Engine. Proc. of CIDR, 2005.

[8] M. Abd-El-Malek, G. Ganger, G. Goodson, M. Reiter, and J. Wylie. Fault-scalable byzan- tine fault-tolerant services. In In the ACM Symposium on Operating Systems Principles (SOSP), 2005.

[9] M. Alam, M. Nauman, X. Zhang, T. Ali, and P. C.K. Hung. Behavioral attestation for business processes. InIEEE International Conference on Web Services, 2009.

[10] L. Alchaal, V. Roca, and M. Habert. Managing and securing web services with vpns. In

IEEE International Conference on Web Services, pages 236–243, San Diego, CA, June 2004.

[11] G. Alonso, F. Casati, H. Kuno, and V. Machiraju. Web Services Concepts, Architec- tures and Applications Series: Data-Centric Systems and Applications. Addison-Wesley Professional, 2002.

[12] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song. Provable data possession at untrusted stores. InACM Conference on Computer and Com- munications Security (CCS), 2007.

[13] A. M. Azab, P. Ning, Z. Wang, X. Jiang, X. Zhang, and N. C. Skalsky. Hypersentry: Enabling stealthy in-context measurement of hypervisor integrity. In Proc. of the 17th ACM Conference on Computer and Communications Security (CCS), October 2010. [14] M. Balazinska, H. Balakrishnan, S. Madden, and M. Stonebraker. Fault-Tolerance in the

Borealis Distributed Stream Processing System. InACM SIGMOD International Confer- ence on Management of Data (SIGMOD 2005), 2005.

[15] U. Bayer, P. M. Comparetti, and C. Hlauschek. Scalable,behavior-based malware cluster- ing. In 16th Annual Network and Distributed System Security Symposium (NDSS 2009), San Diego, CA, 2009.

[16] S. Berger, R. Caceres, and et. al. TVDc: Managing security in the trusted virtual data- center. ACM SIGOPS Operating Systems Review, 42(1):40–47, 2008.

[17] K. Bowers, A. Juels, and A. Oprea. Hail: A high-availability and integrity layer for cloud storage. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), 2009.

[18] C. Bron and J. Kerbosch. Algorithm 457: finding all cliques of an undirected graph.

Communications of the ACM, 16(9):575–577, 1973.

[19] M. Burnside and A. D. Keromytis. F3ildcrypt: End-to-end protection of sensitive infor- mation in web services. InISC, pages 491–506, 2009.

[20] M. Castro and B. Liskov. Practcal byzantine fault tolerance. In Proceedings of the Third Symposium on Operating Systems Design and Implementation (OSDI), New Orleans, LA, 1999.

[21] M. Castro and B. Liskov. Practical byzantine fault tolerance and proactive recovery. ACM Transactions on Computer Systems, 20:398–461, 2002.

[22] F. Cazals and C. Karande. A note on the problem of reporting maximal cliques.Theoretical Computer Science, 407(1-3), 2008.

[23] A. Clement, M. Marchetti, E. Wong, L. Alvisi, and M. Dahlin. Making byzantine fault tol- erant systems tolerate byzantine faults. In6th USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2009.

[24] J. Cowling, D. Myers, B. Liskov, R. Rodrigues, and L. Shrira. Hq replication: A hybrid quorum protocol for byzantine fault tolerance. In 7th Symposium on Operating Systems Design and Implementation (OSDI), 2006.

[25] J. Dean and S. Ghemawat. MapReduce: Simplified Data Processing on Large Clusters.

Proc. of USENIX Symposium on Operating System Design and Implementation, 2004. [26] J. Du, X. Gu, and T. Yu. Integrated service integrity attestation for multi-tenant cloud

systems. Submitted to IEEE Transactions on Dependable and Secure Computing (TDSC). [27] J. Du, X. Gu, and T. Yu. On verifying stateful dataflow processing services in large-scale cloud systems. In Proc. of ACM Conference on Computer and Communications Security (CCS) (poster session), October 2010.

[28] J. Du, N. Shah, and X. Gu. Adaptive data-driven service integrity attestation for multi- tenant cloud systems. In International Workshop on Quality of Service (IWQoS), San Jose, CA, 2011.

[29] J. Du, W. Wei, X. Gu, and T. Yu. Toward secure dataflow processing in open distributed systems. InProc. of ACM Scalable Trusted Computing Workshop (STC), November 2009. [30] J. Du, W. Wei, X. Gu, and T. Yu. Runtest: Assuring integrity of dataflow processing in cloud computing infrastructures. In ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2010.

[31] T. Erl. Service-Oriented Architecture (SOA): Concepts, Technology, and Design. Prentice Hall, 2005.

[32] C. Erway, C. Papamanthou, A. Kupcu, and R. Tamassia. Dynamic provable data pos- session. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), 2009.

[33] J. Garay and L. Huelsbergen. Software integrity protection using timed executable agents. In Proceedings of ACM Symposium on Information, Computer and Communications Se- curity (ASIACCS), Taiwan, March 2006.

[34] M. R. Garey and D. S. Johnson. A guide to the theory of np-completeness. InComputers and Intractability, 1979.

[35] T. Garfinkel, B. Pfaff, and et. al. Terra: A virtual machine-based platform for trusted computing. InProceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP), October 2003.

[36] B. Gedik, H. Andrade, and et. al. SPADE: the System S Declarative Stream Processing Engine. Proc. of SIGMOD, April 2008.

[37] D. Goldschlag, M. Reed, and P. Syverson. Onion routing for anonymous and private internet connections. Communications of the ACM, 42:39–41, 1999.

[38] J. L. Griffin, T. Jaeger, R. Perez, and R. Sailer. Trusted virtual domains: Toward secure distributed services. In Proceedings of First Workshop on Hot Topics in System Depend- ability, June 2005.

[39] The STREAM Group. STREAM: The Stanford Stream Data Manager. IEEE Data Engi- neering Bulletin, 26(1):19-26, March 2003.

[40] X. Gu, K. Nahrstedt, and et. al. QoS-Assured Service Composition in Managed Service Overlay Networks. Proc. of ICDCS, 194-202, 2003.

[41] X. Gu, K. Nahrstedt, and B. Yu. SpiderNet: An Integrated Peer-to-Peer Service Composi- tion Framework.Proc. of IEEE International Symposium on High-Performance Distributed Computing (HPDC-13), Honolulu, Hawaii, June 2004.

[42] X. Gu, S. Papadimitriou, P. S. Yu, and S.-P. Chang. Toward Learning-Based Failure Management for Distributed Stream Processing Systems. Proc. of ICDCS, June 2008. [43] X. Gu and H. Wang. Online Anomaly Prediction for Robust Cluster Systems. Proc.

of IEEE International Conference on Data Engineering (ICDE), Shanghai, China, April 2009.

[44] X. Gu, P. S. Yu, and K. Nahrstedt. Optimal Component Composition for Scalable Stream Processing. Proc. of ICDCS, 2005.

[45] A. Haeberlen, P. Kuznetsov, and P. Druschel. Peerreview: Practical accountability for distributed systems. InACM Symposium on Operating Systems Principles, 2007.

[46] T. Ho, B. Leong, R. Koetter, and et. al. Byzantine modification detection in multicast networks using randomized network coding. InIEEE ISIT, 2004.

[47] P. C. K. Hung, E. Ferrari, and B. Carminati. Towards standardized web services privacy technologies. In IEEE International Conference on Web Services, pages 174–183, San Diego, CA, June 2004.

[48] M. Isard, M. Budiu, Y. Yu, A. Birrell, and D. Fetterly. Dryad: Distributed data-parallel programs from sequential building blocks. Proc. of European Conference on Computer Systems (EuroSys), Lisbon, Portugal, 2007.

[49] N. Jain and et al. Design, Implementation, and Evaluation of the Linear Road Benchmark on the Stream Processing Core. Proc. of SIGMOD, 2006.

[50] K.-L.Wu, P. S. Yu, B. Gedik, Ki. Hildrum, C. C. Aggarwal, E. Bouillet, W. Fan, D. George, X. Gu, G. Luo, and H. Wang. Challenges and Experience in Prototyping a Multi-Modal Stream Analytic and Monitoring Application on System S. Proc. of VLDB, 1185-1196, 2007.

[51] E. Kaiser, W. Feng, and T. Schluessler. Fides: Remote anomaly-based cheat detection using client emulation. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), 2009.

[52] S. D. Kamvar, M. T. Schlosser, and H. Garcia-Molina. The EigenTrust Algorithm for Reputation Management in P2P Networks. InProceedings of the 12th International World Wide Web Conference, 2003.

[53] I. Koch. Fundamental study: Enumerating all connected maximal common subgraphs in two graphs. Theoretical Computer Science, 250(1-2):1–30, 2001.

[54] R. Kotla, L. Alvisi, M. Dahlin, A. Clement, and E. Wong. Zyzzyva: Speculative byzantine fault tolerance. InIn the ACM Symposium on Operating Systems Principles (SOSP), 2007. [55] L. Lamport, R. Shostak, and M. Pease. The byzantine generals problem. ACM Transac-

tions on Programming Languages and Systems, 4(3), 1982.

[56] A. Lanzi, M. Sharif, and W. Lee. Ktracer: A system for extracting kernel malware behavior. In 16th Annual Network and Distributed System Security Symposium (NDSS 2009), San Diego, CA, 2009.

[57] B. Liskov and R. Rodrigues. Tolerating byzantine faulty clients in a quorum system. In

Proceedings of the 26th IEEE International Conference on Distributed Computing Systems (ICDCS), 2006.

[58] L. Litty, H. A. L.-Cavilla, and D. Lie. Computer meteorology: Monitoring compute clouds. InProc. of 12th Workshop on Hot Topics in Operating Systems (HotOS), May 2009. [59] S. Pandit, D. H. Chau, S. Wang, and C. Faloutsos. NetProbe: A Fast and Scalable System

for Fraud Detection in Online Auction Networks. InProceedings of the 16th international conference on World Wide Web (WWW), 2007.

[60] P. Pietzuch, J. Ledlie, J. Shneidman, M. Roussopoulos, M. Welsh, and M. Seltzer. Network- Aware Operator Placement for Stream-Processing Systems.Proc. of ICDE’06, April 2006. [61] B. Raman, S. Agarwal, and et. al. The SAHARA Model for Service Composition Across Multiple Providers. Proceedings of the First International Conference on Pervasive Com- puting, August 2002.

[62] R. Riley, X. Jiang, and D. Xu. Multi-aspect profiling of kernel rootkit behavior. InProceed- ings of the 4th European Conference on Computer Systems (EuroSys 2009), Nuremberg, Germany, 2009.

[63] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, you, get off my cloud! exploring information leakage in third- party compute clouds. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), 2009.

[64] I. Roy, S. Setty, and et. al. Airavat: Security and privacy for MapReduce. InNSDI, April 2010.

[65] R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. Design and implementation of a tcg-based integrity measurement architecture. InProceedings of 13th USENIX Security Symposium, San Diego, CA, August 2004.

[66] N. Santos, K. P. Gummadi, and R. Rodrigues. Towards trusted cloud computing. In

USENIX HotCloud, 2009.

[67] A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn, and P. Khosla. Pioneer: Verifying code integrity and enforcing untampered code execution on legacy systems. InProceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP), October 2005. [68] A. Seshadri, A. Perrig, L. van Doorn, and P. Khosla. Swatt: Software-based attestation

for embedded devices. InIEEE Symposium on Security and benign, May 2004.

[69] E. Shi, A. Perrig, and L. V. Doorn. Bind: A fine-grained attestation service for secure distributed systems. InProceedings of the IEEE Symposium on Security and Privacy, 2005. [70] M. Srivatsa, S. Balfe, K. G. Paterson, and P. Rohatgi. Trust management for secure information flows. InProceedings of the 15th ACM Conference on Computer and Commu- nications Security (CCS), 2008.

[71] M. Srivatsa and L. Liu. Securing publish-subscribe overlay services with eventguard. Proc. of ACM Computer and Communication Security (CCS), 2005.

[72] M. Srivatsa, L. Xiong, and L. Liu. Trustguard: Countering vulnerabilities in reputation management for decentralized overlay networks. In 14th World Wide Web Conference (WWW 2005), 2005.

[73] TPM Specifications Version 1.2.https://www.trustedcomputinggroup.org/downloads/

specifications/tpm/tpm.

[75] B. Vandiver, H. Balakrishnan, B. Liskov, and S. Madden. Tolerating byzantine faults in transaction processing systems using commit barrier scheduling. In Proceedings of 21st ACM Symposium on Operating Systems Principles (SOSP), 2007.

[76] K. Vikram, A. Prateek, and B. Livshits. Ripley: Automatically securing web 2.0 ap- plications through replicated execution. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), 2009.

[77] W. Wei, J. Du, X. Gu, and T. Yu. Securemr: A service integrity assurance framework for mapreduce. In Annual Computer Security Applications Conference (ACSAC), Honolulu, HI, 2009.

[78] P. Williams, R. Sion, and D. Shasha. The blind stone tablet: Outsourcing durability. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), 2009.

[79] T. Wood, A. Gerber, and K. K. Ramakrishnan. The case for enterprise-ready virtual private clouds. In USENIX HotCloud, 2009.

[80] M. Xie, H. Wang, J. Yin, and X. Meng. Integrity auditing of outsourced data. InInterna- tional Conference on Very Large Data Base (VLDB), 2007.

[81] W. Xu, V. N. Venkatakrishnan, R. Sekar, and I. V. Ramakrishnan. A framework for building privacy-conscious composite web services. In IEEE International Conference on Web Services, pages 655–662, Chicago, IL, September 2006.

[82] H. Zhang, M. Savoie, S. Campbell, S. Figuerola, G. von Bochmann, and B. S. Arnaud. Service-oriented virtual private networks for grid applications. In IEEE International Conference on Web Services, pages 944–951, Salt Lake City, UT, July 2007.

[83] Q. Zhang, T. Yu, and P. Ning. A framework for identifying compromised nodes in wireless sensor networks. ACM TISSEC, 11(3), 2008.