(1)

Security and Privacy Issues in Cloud Storage

Qingni Shen
PhD, Associate Professor, Peking University
qingnishen@ss.pku.edu.cn

International View of the State-of-the-Art of Cryptography and Security and its Use in Practice (II)

(2)

1. Pengfei Sun, Qingni Shen*, Ying Chen, Zhonghai Wu, Cong Zhang, Anbang Ruan, Liang Gu. POSTER: LBMS: Load Balancing based on Multilateral Security in the Cloud. In Proc. of the 18th ACM Conference on Computer and Communications Security (CCS 2011), pp. 861-864, October 17-21, 2011, Chicago, Illinois, USA.

2. Qingni Shen, Yahui Yang, Zhonghai Wu, Xin Yang, Lizhe Zhang, Xi Yu, Zhenmin Lao, Dandan Wang, Min Long. SAPSC: Security Architecture of Private Storage Cloud Based on HDFS. In Proc. of the 26th IEEE International Conference on Advanced Information Networking and Applications Workshops (WAINA-2012), pp. 1292-1297, March 26-29, 2012, Fukuoka, Japan.

3. Qingni Shen, Xin Yang, Xi Yu, Yahui Yang, Zhonghai Wu. Towards Data Isolation and Collaboration in Storage Cloud. In Proc. of the 2011 IEEE Asia-Pacific Services Computing Conference (APSCC 2011), pp. 139-146, December 12-15, 2011, Jeju, Korea.

4. Ying Chen, Qingni Shen*, Pengfei Sun, Yangwei Li, Sihan Qing. Reliable Migration Module in Trusted Cloud based on Security Label: Design and Implementation. In Proc. of the 26th IEEE International Parallel & Distributed Processing Symposium Workshops (IPDPS 2012), pp. 2230-2236, May 21-25, 2012, Shanghai, China.

5. Qingni Shen, Lizhe Zhang, Xin Yang, Yahui Yang, Zhonghai Wu, Ying Zhang. SecDM: Securing Data Migration between Cloud Storage Systems. In Proc. of the 2011 Ninth IEEE International Conference on Dependable, Autonomic and Secure Computing (CDAS 2011), pp. 636-641, December 12-14, 2011, Sydney, Australia.

6. Xin Yang, Qingni Shen*, Yahui Yang, Sihan Qing. A Way of Key Management in Cloud Storage Based on Trusted Computing. In Proc. of the 8th IFIP International Conference on Network and Parallel Computing (IFIP NPC 2011), pp. 135-145, October 2011, Changsha, China.

7. Yangwei Li, Qingni Shen, Cong Zhang, Pengfei Sun, Ying Chen, Sihan Qing. A Covert Channel Using Core Alternation. In Proc. of WAINA-2012, pp. 324-328, March 26-29, 2012, Fukuoka, Japan.

(3)

OUTLINE

WHAT is CLOUD STORAGE for?

WHAT scenarios, security and privacy ISSUES will appear in CLOUD STORAGE?

WHAT are some of our RECENT works on?

Security Architecture of Private Storage Cloud

A Core-Alternation Covert Channel


(5)

Cloud Storage

Cloud storage is an emerging technology that leverages commodity hardware tied together by software, such as a cluster application, a distributed file system or grid computing, so that it appears as a single storage device.

(6)

User Centric

Data stored in the "Cloud"

Data follows you and your devices; data is accessible anywhere

Data can be shared with others

Examples of such data: music preferences, maps, news, contacts, messages, mailing lists, photos, e-mails, calendar, phone numbers, investments

(8)

Privacy vs. Security

"You can have security and not have privacy, but you cannot have privacy without security." (Tim Mather)

A COMMON MISCONCEPTION IS THAT DATA PRIVACY IS A SUBSET OF INFORMATION SECURITY.

(9)

We think that data privacy is more concerned with whether the owner of private data/information has full control over it at every phase of its life cycle.

FACT

Unless data privacy is addressed properly, customers will not store mission-critical or private data, such as personally identifiable information or medical or financial records, in the cloud.


(11)

[Figure: SAPSC architecture. Layers, bottom to top: Resource Pools; HDFS Layer (Hadoop Distributed File System); SLA Layer (Service Level Agreement); Cloud Service Interface. Services: Resource Scheduling Service, Data Transmission Service, Fault-Tolerant Service, Node Service, Load Balance Service, Account Service, QoS Control Service, Charge Service. Access paths: Web Portals, Network Disk, Custom Interface (REST, SOAP), Standard Access Protocol (FTP, BT), Storage Service. The Private Storage Cloud is divided into sub-clouds and connects to a Partner or Public Cloud.]

SAPSC: Security Architecture of Private Storage Cloud Based on HDFS. WAINA-2012, pp. 1292-1297, Fukuoka, Japan, March 26-29, 2012

(12)

Scenario 1: "Data Isolation"

Case One

An enterprise usually partitions its Private Storage Cloud (PSC) into multiple sub-clouds by department or region for ease of management, and demands that the data of different sub-clouds be isolated from each other.

Case Two

An enterprise wants its data stored in the PSC to be isolated from data in the Partner/Public Cloud.

Case Three

When some of its data is placed in the Partner/Public Cloud, the enterprise wants it isolated from other enterprises' data residing in the same Partner/Public Cloud.

(13)

Issues in Scenario 1

First, internal attackers may access unauthorized data belonging to other sub-clouds (or storage clusters) within the cloud.

Second, external attackers in the Partner/Public Cloud may intercept or tamper with the enterprise's data stored in either cloud (the private storage cloud or the partner/public cloud).

SUGGESTION

Enforce flexible access control inside the cloud, and offer an optional client-side encryption/decryption service so that customers can protect their private or critical data from leakage before it leaves the client.

(14)

Scenario 2: "Intra-Cloud Data Migration"

Case One

The load-balance and fault-tolerant services on the HDFS layer will often automatically initiate large-scale data migration from one location to another within the cloud.

Case Two

When an employee's duties change within the company, the employee's data stored in one sub-cloud of the PSC will be migrated manually into a new sub-cloud accordingly.

Case Three

If some data does not reside on a storage node near the user, but the user will access it frequently during the coming period, it is useful to migrate (or replicate) that data automatically to storage nodes close to the user.

(15)

Issues in Scenario 2

First, an attacker may cause data to be migrated to the wrong location, making it accessible to unauthorized users.

Second, a malicious user may forge an internal migration request from a legitimate user to trigger an unexpected migration, making the data inaccessible to the legitimate user.

SUGGESTION

Before a migration is carried out, the cloud should first check whether the source and target nodes are permitted to hold the data being migrated.

(16)

Scenario 3: "Inter-Cloud Data Migration"

Case One

As its business expands, a company chooses to rent storage space in the Partner/Public Cloud and moves some of its business data from the PSC to the new cloud.

Case Two

For timely market analysis, a company would like to regularly fetch public or shared data from the Partner/Public Cloud and replicate it into the PSC for further analysis.

Case Three

An employee has to work for several days or months at a location from which the company's PSC cannot be reached but the Partner/Public Cloud can. Before the trip, the employee replicates his data from the PSC into the Partner/Public Cloud, and afterwards replicates it back.

(17)

Issues in Scenario 3

First, sensitive/critical data may be intercepted or modified while migrating between the two clouds.

Second, the availability of data is critical. For example, a forged "migration successful" response from the target cloud would cause the backup copies in the source cloud to be truncated, and the data would be lost.

SUGGESTION

The authenticity of migration messages must be verifiable, and the security of the data transfer must be enforced efficiently.


(19)

Security Architecture of PSC based on HDFS

(20)

Security and Privacy Services

Flexible Access Control

Secure Intra-Cloud Migration

Secure Inter-Cloud Migration

(21)

Motivation of Access Control: Flexibility

Different corporations have different internal security requirements.

The cloud needs to provide a flexible security policy that can easily be customized to fit varying security requirements.

(22)

Motivation of Access Control: Data Isolation

A storage cloud is a common platform shared among many corporations, even market competitors.

The cloud needs to make sure that data owned by one company cannot be accessed by others unless explicitly authorized.

(23)

Motivation of Access Control: Data Sharing

A storage cloud can be used as a data sharing point between different corporations.

The cloud needs to provide data sharing mechanisms while still respecting the data isolation principle.

(24)

Solutions of Access Control: RBAC and Chinese Wall based Policy

Introduce "tags" on objects, i.e. the files to be accessed.

Introduce "roles" for subjects, i.e. the clients that need to access resources. A role is defined as a logical expression over tags, combined with logical operators.

Introduce an organization label (CW-org), which is assigned to both subjects and objects.

(25)

Solutions of Access Control: Match the Labels

Data isolation is guaranteed by matching the organization label (CW-org) of the subject against that of the object.

(26)

Solutions of Access Control: Negotiation Protocols

Data sharing is guaranteed by a set of negotiation protocols among the resource holder, the resource requester and the storage cloud.

(27)

Towards Data Isolation and Collaboration in Storage Cloud. APSCC2011, pp: 139-146. December 12-15, 2011, Jeju, Korea.



(31)

Requirements of Data Encryption

Some private data needs to be encrypted with keys before it is transmitted to the cloud.

Keys can be shared with specific users designated by the key owner, so that the data can be shared within a particular user group.

Encryption and decryption can only be performed by a specific user on a specific computer.

(32)

Achieved using TPM

A migratable key can be generated either inside or outside the TPM. Encrypting storage keys or data with a binding key is a good way to work around the TPM's limited internal storage.

Except for the SRK, every key must be encrypted by its parent key before it is stored, whether inside or outside the TPM. When a user loads a key into the TPM for the first time, they supply a password, and the password is not asked for on subsequent loads. To use a key, the user must supply the correct password.

(34)

An Example of Key Sharing


(36)

Data replication

HDFS consists of one NameNode and a number of DataNodes.

The NameNode makes all decisions regarding the replication of blocks.

Re-replication may become necessary for many reasons: a DataNode may become unavailable, a replica may become corrupted, a hard disk on a DataNode may fail, or the replication factor of a file may be increased.

(37)

Cluster rebalancing

An HDFS cluster can easily become imbalanced, for example when a new DataNode joins the cluster, which increases network bandwidth usage, or when some DataNodes become full so that new data blocks are placed only on the non-full DataNodes, which reduces read parallelism. It is important to redistribute data blocks when such imbalance occurs.

(38)

Label-Based Data Migration

Based on the security labels marked on all DataNodes and the security rule stored as a new attribute of each file in HDFS, the NameNode decides whether a block may be migrated to another DataNode, in addition to the placement rules that HDFS applies today.

(39)

Implementation of Label Marking

Each DataNode carries an array of bits, one per security label.

DataNode1: label1 = 0, label2 = 1, label3 = 1, label4 = 0

DataNode2: label1, label2, label3, label4

(40)

Each file has one security rule.

The rule is built from security labels and three logical operators: "&&", "||" and "^".

The rule is represented as a binary tree.

The NameNode substitutes the value of each label on a given DataNode into the file's expression; if the result equals 1, the file may be placed on that DataNode, otherwise it may not.
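Worked example, added here and not code from the SAPSC or migration papers: a small rule evaluator in Python that serves both the RBAC/Chinese Wall access policy of slides 24-25 (roles as logical expressions over tags, plus CW-org matching) and the label-based migration check of slides 38-40 (a file's rule evaluated against each DataNode's label array). Assumptions not stated on the slides: "&&" binds tighter than "^", which binds tighter than "||"; "^" is exclusive-or; a label absent from a node or object counts as 0; DataNode1's row is the one on the slide, while the other rows and all subject/object data are constructed.

```python
"""Label expressions for SAPSC-style access control and label-based migration.

Added example, not code from the SAPSC/HDFS papers. Assumptions: rules use the
operators "&&", "||" and "^" with C-style precedence (&& binds tightest, then ^,
then ||), "^" is read as exclusive-or, and a label absent from a DataNode or an
object counts as 0.
"""
import re
from typing import List, Mapping, Tuple, Union

Node = Union[str, Tuple[str, "Node", "Node"]]   # leaf label, or (op, left, right)
PREC = {"||": 1, "^": 2, "&&": 3}
_TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||\^|[A-Za-z_][A-Za-z0-9_]*)")


def tokenize(rule: str) -> List[str]:
    rule, pos, out = rule.strip(), 0, []
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if m is None:
            raise ValueError(f"bad token at offset {pos}: {rule[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


class RuleParser:
    """Precedence-climbing parser producing the binary tree the NameNode evaluates."""

    def __init__(self, rule: str) -> None:
        self.toks, self.i = tokenize(rule), 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self) -> Node:
        node = self._expr(1)
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _expr(self, min_prec: int) -> Node:
        left = self._atom()
        while self._peek() in PREC and PREC[self._peek()] >= min_prec:
            op = self._take()
            right = self._expr(PREC[op] + 1)     # left-associative
            left = (op, left, right)
        return left

    def _atom(self) -> Node:
        tok = self._take()
        if tok == "(":
            node = self._expr(1)
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok == ")" or tok in PREC:
            raise ValueError(f"expected a label, got {tok!r}")
        return tok


def evaluate(node: Node, labels: Mapping[str, int]) -> int:
    """Walk the tree; leaves take the DataNode's (or object's) label bit, 0 if absent."""
    if isinstance(node, str):
        return 1 if labels.get(node, 0) else 0
    op, left, right = node
    a, b = evaluate(left, labels), evaluate(right, labels)
    return {"&&": a & b, "||": a | b, "^": a ^ b}[op]


def access_allowed(subject: Mapping, obj: Mapping) -> bool:
    """Slides 24-25: CW-org labels must match (isolation), then the subject's role
    expression is evaluated over the object's tags (RBAC)."""
    if subject["cw_org"] != obj["cw_org"]:
        return False
    tag_bits = {tag: 1 for tag in obj["tags"]}
    return evaluate(RuleParser(subject["role"]).parse(), tag_bits) == 1


def eligible_datanodes(file_rule: str, datanodes: Mapping[str, Mapping[str, int]]) -> List[str]:
    """Slides 38-40: the NameNode evaluates the file's rule against every
    DataNode's label array; only nodes where it yields 1 may receive the block."""
    tree = RuleParser(file_rule).parse()          # parsed once per file, not per node
    return [name for name, bits in datanodes.items() if evaluate(tree, bits) == 1]


# Constructed label arrays: DataNode1 is the row on slide 39, the others are made up.
DATANODES = {
    "DataNode1": {"label1": 0, "label2": 1, "label3": 1, "label4": 0},
    "DataNode2": {"label1": 1, "label2": 0, "label3": 0, "label4": 1},
    "DataNode3": {"label1": 1, "label2": 1, "label3": 0, "label4": 0},
}

if __name__ == "__main__":
    print(eligible_datanodes("label2 && label3", DATANODES))              # ['DataNode1']
    print(eligible_datanodes("label1 || (label2 && label3)", DATANODES))  # all three
    analyst = {"role": "finance && (report || ledger)", "cw_org": "OrgA"}  # constructed
    print(access_allowed(analyst, {"tags": {"finance", "report"}, "cw_org": "OrgA"}))  # True
    print(access_allowed(analyst, {"tags": {"finance", "report"}, "cw_org": "OrgB"}))  # False
```

A malformed rule raises ValueError at parse time rather than silently yielding 0 or 1, so a file with a broken rule is neither placed nor denied by accident; and because the CW-org check runs before the role expression, an object from another organization is refused even when its tags would satisfy the role.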


(42)

Characteristics of Data Migration

A commercial relationship exists between the two clouds.

Mass data is transmitted.

Many workers execute the transmission process concurrently.

The target ("objective") cloud knows nothing about these workers: the identity that needs to access the target cloud is a stranger from the target cloud's point of view.

(43)

Solutions of Data Migration

Use SSL to confirm security parameters, including the temporary ticket.

Use the temporary ticket to indicate the role of a worker during the transmission process.

The source cloud should distribute tickets only to trusted workers.

The target cloud should keep a record of temporary tickets in order to check workers.

(44)

Implementation of Data Migration

SecDM: Securing Data Migration between Cloud Storage Systems. CDAS2011, CGC2011, pp. 636-641, December 12-14, 2011, Sydney, Australia.

[Figure: the source cloud (NameNode, JobTracker, TaskTrackers, DataNodes) obtains temporary tickets over SSL; each worker sends its temporary ticket to the target cloud (NameNode, DataNodes) for verification ("Is this the source cloud's worker?"), and data migration begins only after the ticket is verified.]
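Added example (not the SecDM implementation) of the ticket check on slides 43-44, with both clouds and a worker in one Python file. Assumptions: a ticket is a random identifier with a time-to-live; the source cloud registers it with the target over the already authenticated SSL session, modelled here as a direct method call; the target keeps a record per ticket; and the source decides whether it may drop its backup copies from the target's own byte count rather than from a bare "success" message, which addresses the second issue of Scenario 3. All worker, job and chunk values are constructed.

```python
"""Temporary-ticket check for SecDM-style inter-cloud migration.

Added example, not the SecDM implementation. Assumptions: the ticket is a random
identifier with a time-to-live, the source cloud registers it with the target
cloud over the already-authenticated SSL session (modelled here as a direct
method call), and the target keeps a record per ticket so that unknown, expired
or mismatched tickets are rejected and a finished job's tickets are revoked.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Ticket:
    ticket_id: str
    worker_id: str
    job_id: str
    expires_at: float


class TargetCloud:
    """The 'objective' cloud: verifies each worker against its ticket records."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.records: Dict[str, Ticket] = {}
        self.received: Dict[str, int] = {}      # job_id -> bytes accepted so far

    def record_ticket(self, ticket: Ticket) -> None:
        self.records[ticket.ticket_id] = ticket  # arrives over the SSL session (assumed)

    def verify(self, ticket_id: str, worker_id: str, job_id: str) -> str:
        rec = self.records.get(ticket_id)
        if rec is None:
            return "unknown ticket"                   # stranger, or replay after revocation
        if rec.worker_id != worker_id or rec.job_id != job_id:
            return "ticket/worker mismatch"           # stolen ticket, or reused for another job
        if self.clock() > rec.expires_at:
            del self.records[ticket_id]
            return "expired"
        return "ok"

    def accept_chunk(self, ticket_id: str, worker_id: str, job_id: str, chunk: bytes) -> str:
        status = self.verify(ticket_id, worker_id, job_id)
        if status == "ok":
            self.received[job_id] = self.received.get(job_id, 0) + len(chunk)
        return status

    def report(self, job_id: str) -> int:
        return self.received.get(job_id, 0)

    def close_job(self, job_id: str) -> None:
        for tid in [t for t, rec in self.records.items() if rec.job_id == job_id]:
            del self.records[tid]


class SourceCloud:
    """Issues tickets only to its own trusted workers and checks the final report."""

    def __init__(self, target: TargetCloud, ttl_seconds: float = 600.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.target, self.ttl, self.clock = target, ttl_seconds, clock
        self.trusted_workers: set = set()

    def issue_ticket(self, worker_id: str, job_id: str) -> Optional[Ticket]:
        if worker_id not in self.trusted_workers:
            return None
        ticket = Ticket(secrets.token_hex(16), worker_id, job_id, self.clock() + self.ttl)
        self.target.record_ticket(ticket)
        return ticket

    def finish(self, job_id: str, bytes_sent: int) -> bool:
        """Scenario 3, second issue: only the target's own count, obtained over the
        authenticated channel, may justify dropping the source's backup copies."""
        complete = self.target.report(job_id) == bytes_sent
        self.target.close_job(job_id)             # revoke the job's tickets either way
        return complete


def migrate(source: SourceCloud, target: TargetCloud, worker_id: str,
            job_id: str, chunks: List[bytes]) -> List[str]:
    """One worker's transfer: obtain a ticket, then present it with every chunk."""
    ticket = source.issue_ticket(worker_id, job_id)
    if ticket is None:
        return ["no ticket issued"]
    return [target.accept_chunk(ticket.ticket_id, worker_id, job_id, c) for c in chunks]


if __name__ == "__main__":
    tgt = TargetCloud()
    src = SourceCloud(tgt)
    src.trusted_workers.add("worker-1")                                       # constructed
    print(migrate(src, tgt, "worker-1", "job-42", [b"a" * 4096, b"b" * 4096]))  # ['ok', 'ok']
    print(migrate(src, tgt, "rogue", "job-42", [b"x"]))                        # ['no ticket issued']
    print(src.finish("job-42", bytes_sent=8192))                               # True
```

A stolen ticket presented by a different worker, a ticket reused for another job, an expired ticket and a replay after the job has been closed are all rejected with distinct reasons, which is what the target cloud should log; the source never learns "success" from anything but the target's byte count.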


(46)

Motivation: Multi-core, more problems

Multi-core processors bring an improvement in performance but also bring security problems. We found a covert channel that can leak information in a multi-core environment.

(47)

Background

A covert channel is generally understood as a communication mechanism that is neither designed nor intended to transmit information.

(48)

Everywhere

This covert channel exists in most operating systems and virtualization platforms running on multi-core processors.

(49)

Core-alternative channel

THREAT SCENARIO

We assume that an attacker has a way to inject malicious code into a process or domain managed by another party.

(50)

Core-alternative channel

Sender: choose

A sender can directly or indirectly choose which core another process will run on.

When one core is busy and others are idle, the CPU scheduler balances the tasks and moves some of them to the idle cores. Tasks pinned to the busy core by CPU affinity, however, cannot be moved.

(51)

Core-alternative channel

Receiver: identify

A receiver can identify which core (processor) it is running on from the APIC ID, the Processor Serial Number or other information. The APIC ID of a core can be obtained with the CPUID assembly instruction.

(52)

Choose Core

(53)

CCCA (Covert Channels using Core-alternation)

A prototype that creates a core-alternative channel and communicates data secretly.

(54)

CCCA

The CCCA prototype shows the existence of the core-alternative channel and measures its bandwidth and accuracy.

The communication protocol is simple: transmission is one-way, and in one communication cycle CCCA communicates 100 bits by repeating a 1-bit transmission 100 times.


(56)

CCCA

When a sender sends information to a receiver, it first makes the receiver synchronize with itself. After synchronization, the sender and receiver communicate information one bit at a time. The receiver receives bits by reading the APIC ID of the core it is running on.

(57)

CCCA

The protocol consumes 270 ms to communicate one bit.

The sender sets its CPU affinity during the 270 ms: if it changes its CPU affinity to the other core, it sends a 1; otherwise, it sends a 0.

The receiver reads the APIC ID. If the APIC ID differs from the last one it read, it receives bit '1'; otherwise, it receives bit '0'.

(58)

Communication Protocol

(59)

Evaluation

The minimum cycle: 31 ms on Ubuntu 10, 52 ms on the Xen hypervisor.

100% accuracy cycle: 270 ms on Ubuntu 10, 450 ms on the Xen hypervisor.

Bandwidth: 3.70 bit/s on Ubuntu 10, 2.22 bit/s on the Xen hypervisor.
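Added example, not the CCCA prototype: the sender's affinity schedule and the receiver's change-detection decoding from slides 56-57 in Python, plus the accuracy and bandwidth figures of the evaluation above. Assumptions: two cores; the receiver samples its core with os.sched_getcpu() (Linux only) in place of the APIC ID read through CPUID; the synchronization step is not implemented, so the two live loops are assumed to start together; and the live loops only carry data where the scheduler actually evicts the receiver from the core the sender has pinned itself to, which the offline round trip in the block does not need. The message and the noisy trace are constructed.

```python
"""Core-alternation covert channel (CCCA-style): offline codec plus the live
sender/receiver loops.

Added example, not the CCCA prototype. Assumptions: two cores are used, the
receiver samples its current core once per bit period with os.sched_getcpu()
(Linux only; the paper read the APIC ID with CPUID), the synchronization step
is not implemented (both loops are assumed to start together), and the live
loops only work where the scheduler actually moves the receiver off the core
the sender has pinned itself to.
"""
import os
import time
from typing import List, Sequence

BIT_PERIOD_S = 0.27          # the 100%-accuracy cycle measured on Ubuntu 10 (slide 59)


def encode(bits: Sequence[int], cores: Sequence[int]) -> List[int]:
    """Sender side: the core the sender pins itself to in each period. Element 0
    is the position after synchronization; a '1' alternates cores, a '0' stays."""
    if len(cores) != 2:
        raise ValueError("core alternation needs exactly two cores")
    idx, schedule = 0, [cores[0]]
    for bit in bits:
        if bit:
            idx ^= 1
        schedule.append(cores[idx])
    return schedule


def decode(core_trace: Sequence[int]) -> List[int]:
    """Receiver side: one core-ID sample per period; a change since the previous
    sample is read as '1', no change as '0' (slide 57)."""
    return [1 if cur != prev else 0 for prev, cur in zip(core_trace, core_trace[1:])]


def accuracy(sent: Sequence[int], received: Sequence[int]) -> float:
    """Fraction of bits received correctly, as in the slide-59 evaluation."""
    if len(sent) != len(received) or not sent:
        return 0.0
    return sum(1 for s, r in zip(sent, received) if s == r) / len(sent)


def bandwidth_bps(cycle_ms: float) -> float:
    """One bit per cycle: 270 ms -> 3.70 bit/s, 450 ms -> 2.22 bit/s."""
    return 1000.0 / cycle_ms


def sender_live(bits: Sequence[int], cores: Sequence[int], period: float = BIT_PERIOD_S) -> None:
    """Pin this thread to the scheduled core and keep it busy for one period, so the
    load balancer moves the receiver (which shares the core) to the other core."""
    for core in encode(bits, cores):
        os.sched_setaffinity(0, {core})
        deadline = time.monotonic() + period
        while time.monotonic() < deadline:
            pass


def receiver_live(n_bits: int, period: float = BIT_PERIOD_S) -> List[int]:
    """Sample the core this thread runs on once per period and decode the trace."""
    trace = [os.sched_getcpu()]
    for _ in range(n_bits):
        time.sleep(period)
        trace.append(os.sched_getcpu())
    return decode(trace)


if __name__ == "__main__":
    # Offline round trip over a constructed 16-bit message and a trace with one
    # missed migration (constructed noise); no second process or affinity needed.
    message = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
    trace = encode(message, cores=[0, 1])
    print(decode(trace) == message)                    # True
    noisy = list(trace)
    noisy[3] = noisy[2]                                # receiver missed the move in period 3
    print(accuracy(message, decode(noisy)))            # 0.875
    print(round(bandwidth_bps(270), 2), round(bandwidth_bps(450), 2))  # 3.7 2.22
```

Because the receiver decodes each bit relative to the previous sample, one missed migration costs two bits (the period in which the move was missed and the one after it), so at cycles shorter than the 270 ms and 450 ms reported as 100%-accurate, every sample the scheduler delays shows up twice in the error count.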


(61)

Future Works

Multi-tenants Data Isolation & Sharing

Secure Massive Data Migration
