Cloud Security & Trusted Services QINGNI SHEN PhD, Professor Vice Director, Department of Cybersecurity School of Software and Microelectronics Peking University IES’19, 15-16 April 2019, Hongkong, China

Cloud Security & Trusted Services · 2019-12-23 · Cloud Security & Trusted Services QINGNI SHEN. PhD, Professor. Vice Director, Department of Cybersecurity. School of Software and

Page 1

Cloud Security & Trusted Services

QINGNI SHEN

PhD, Professor

Vice Director, Department of Cybersecurity

School of Software and Microelectronics

Peking University

IES’19, 15-16 April 2019, Hongkong, China

Page 2

OUTLINE

Issues for Cloud Security & Trusted Services

—What are top threats or risks in public clouds?

—How about the security of clouds at present?

—How about the compliance of SLA for trusted services in clouds?

Research at CyberSecurity Lab@PKU

Page 3

Cloud Computing

• Cloud Computing Reference Architecture — five major actors

• The Cloud Provider and Cloud Consumer share the control of resources in a cloud system. Security is also a shared responsibility.

Page 4

Challenges and Opportunities in Edge Computing (2016 IEEE International Conference on Smart Cloud)

Using the cloud as a centralized server increases the frequency of communication between edge devices (such as smartphones and tablets) and geographically distant cloud data centers.

Collaboration in Multicloud Computing Environments: Framework and Security Issues (IEEE Computer, 2013)

E.g. Appirio cloud storage: Salesforce cloud customers store info in Amazon S3.


Page 6

TOP THREATS

The Treacherous 12: Cloud Computing Top Threats in 2016

1. Data Breaches
2. Weak Identity, Credential and Access Management
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues

Page 7

KEY RISKS

GB/T 35279-2017

1. Legal Risk
2. Policy and Organization Risk
   ① Portability Risk (Over-Dependency)
   ② Auditability Risk (Compliance)
3. Technology Risk
   ① Data Breaches Risk
   ② Isolation Failure Risk
   ③ APIs Abuse Risk
   ④ Business Continuity Risk
   ⑤ Infrastructure Uncontrollability Risk
   ⑥ Operating Risk
   ⑦ Malicious Insiders Risk

Page 8

KEY ISSUES

Special Publication 800-144:2011

1. Governance
2. Compliance
3. Trust
4. Architecture
5. Identity and Access Management
6. Software Isolation
7. Data Protection
8. Availability
9. Incident Response

- SLA (Service Level Agreement)
- Non-negotiable agreements or Negotiated agreements

Non-negotiable agreements: prescribed completely by the cloud provider.

Negotiated agreements: can be used to address the consumer’s concerns, e.g. data ownership, breach notification, isolation of tenant app, data encryption, compliance with laws and regulations.


Page 10

It's clear that AWS and Microsoft Azure are the two top public cloud providers.

Page 11

AWS

Security has always been our highest priority – truly “job zero”

Network Security, Physical Security, System Security, People & Process Security

Well-known security models built into the cloud

Security-enhanced services validated by big customers

Global security experts benefit every customer

AWS and the General Data Protection Regulation (GDPR) 2017

Page 12

AWS Shared Responsibility Model

Page 13

AWS Certifications

ISO 9001
ISO 27001/27017/27018
SOC 1/SSAE 16/ISAE 3402
SOC 2
SOC 3
HIPAA
PCI DSS Level 1
MPAA
CSA
MTCS Tier 3 Certification
FedRAMP(SM)
DIACAP & FISMA
ITAR
DoD CSM Levels 1-2 and 3-5
FIPS 140-2
Information Security Classified Protection (Level 3)

http://aws.amazon.com/compliance/

Page 14

Different Cloud Service Providers (CSPs) With Different Certifications

CSPs CSA STAR CCSM IAF FedRAMP LOW IMPACT LEVEL FedRAMP MODERATE IMPACT LEVEL ISO/IEC 27001 GB/T 31168

Aliyun √ √ √

KingSoft √ √

JD √

AWS √ √ √ √

Windows Azure √ √ √ √


Page 16

CLOUD 2015

A Survey of Penalty Calculation in Cloud SLA

A Competitive Penalty Model for Availability Based Cloud SLA

Some CSPs claim in their SLAs that the responsibility of reporting violations belongs to the cloud consumers.

Some other CSPs have not yet clearly defined the onus of reporting violations, which may cause unclear-responsibility issues.

Google

Microsoft

Amazon

IBM

Baidu

Tencent

Aliyun

Page 17

Validating SLA Compliance of Cloud Service Providers

Trust Validation of Cloud IaaS: A Customer Centric Approach (TrustCom 2016)

Compliance-based Multi-dimensional Trust Evaluation System for determining trustworthiness of Cloud Service Providers (Future Generation Computer Systems 2017)

CC: Cloud Clients OR Cloud Consumers


Page 19

CyberSecurity Lab

Members

• Five faculty members + 10 PhD candidates and 9 Master Candidates

Objectives

• Create novel technologies for achieving system security and trustworthiness, and data privacy protection.

• Collaborate with public and private sectors to conduct experiments in real world settings.

• Train high-quality cybersecurity professionals.

Collaborators

Government Agencies

• National Natural Science Foundation of China

• Ministry of Science and Technology

• National Information Security Standardization Technical Committee

Industry

• Tencent

• Huawei

• AWS

• Intel

• Octa Innovation

Page 20

Research Jobs on System Security & Trusted Services

Internet, Mobile Internet, IOT

Computers, Storage, Network, TPM/SGX/Blockchain

Cloud Computing, Edge Computing, Big Data

Trusted Services

• Attribute Based Encryption Sharing Service (Data Breach)

• Data Integrity Verification and Restore Service (Data Loss)

• Platform Integrity Attestation Service (system/app vulnerabilities)

• Resource Accounting Service (abuse of cloud services) etc.

System Security

• Least Privilege (Malicious Insider)

• Access Control (Insecure API)

• VM Deployment/Load Balancing Security (Shared tech Issues)

• VMs/Containers Isolation (isolation failure) etc.

Page 21

System Security

Making the cloud computing platform more secure

Page 22

Least Privilege: a Test-Oriented Privilege Partition Approach

Security Issue: A malicious insider can affect the security of data and workloads belonging to cloud customers. Least privilege can fairly restrict the permissions of administrators and reduce the attack surface.

Existing Solutions: A survey of role mining (ACM Computing Surveys, 2016). Data sources: logs, use cases, policy files, a certain scenario.

Our Solutions[1-3]: Test-Oriented Privilege Partition

We simplify the privilege partitioning problem into a classification problem of RESTful functions.

[1] Making least privilege the low-hanging fruit in clouds (ICC 2017)

[2] RestSep: Towards a Test-Oriented Privilege Partitioning Approach for RESTful APIs (ICWS 2017)

[3] RestPL: Towards a Request-Oriented Policy Language for Arbitrary RESTful APIs (ICWS 2016)

Page 23

Access Control: An Authorization Library Supporting ACL, RBAC, ABAC Models in Golang

Security Issue: Access control models are hard-coded into the cloud and lack the flexibility to be altered.

Existing Solutions: AWS/Azure/OpenStack design their own policy languages and authorization mechanisms. The customers whose businesses are built on multi-clouds have to accommodate policies for different platforms.

Our Solutions[4-6]:

We provide an authorization framework that is independent of policy languages, access control models and programming languages.

[4] An Access Control Policy Specification Language Based on Metamodel (Journal of Software, Accepted in July, 2018)

[5] MultiPol: Towards a Multi-policy Authorization Framework for RESTful Interfaces in the Cloud (ICICS 2017)

[6] OpenStack Security Modules: A Least-Invasive Access Control Framework for the Cloud (CLOUD 2016)
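
The issue on this slide, that the access control model should be a loadable policy rather than logic hard-coded into each cloud service, sketched as an added example (not the authorization library from [4-6] and not code from the original slides). The policy dictionaries, the attribute names and every function name below are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    subject: str
    resource: str
    action: str
    attrs: dict = field(default_factory=dict)  # attributes, used only by ABAC

def acl_matcher(policy):
    entries = {tuple(e) for e in policy["entries"]}
    return lambda r: (r.subject, r.resource, r.action) in entries

def rbac_matcher(policy):
    grants = {role: {tuple(p) for p in perms}
              for role, perms in policy["grants"].items()}
    inherits = policy.get("inherits", {})

    def roles_of(subject):
        # Transitive closure over role inheritance; `seen` guards against cycles.
        seen, stack = set(), list(policy["assignments"].get(subject, []))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(inherits.get(role, []))
        return seen

    return lambda r: any((r.resource, r.action) in grants.get(role, set())
                         for role in roles_of(r.subject))

def abac_matcher(policy):
    def rule_permits(rule, r):
        if r.action not in rule["actions"]:
            return False
        # Fail closed: an attribute missing from the request never matches.
        literals = all(k in r.attrs and r.attrs[k] == v
                       for k, v in rule.get("equals", {}).items())
        pairs = all(a in r.attrs and b in r.attrs and r.attrs[a] == r.attrs[b]
                    for a, b in rule.get("same", []))
        return literals and pairs

    return lambda r: any(rule_permits(rule, r) for rule in policy["rules"])

MATCHERS = {"acl": acl_matcher, "rbac": rbac_matcher, "abac": abac_matcher}

class Enforcer:
    """Policy decision point: the model is chosen by the policy, not the caller."""

    def __init__(self, policy):
        if policy.get("model") not in MATCHERS:
            raise ValueError("unknown access control model")
        self._permits = MATCHERS[policy["model"]](policy)

    def enforce(self, request):
        return bool(self._permits(request))

def delete_volume(enforcer, request):
    """Enforcement point inside a service; identical under every model."""
    return 204 if enforcer.enforce(request) else 403

# Constructed sample policies for one hypothetical volume API.
ACL = {"model": "acl", "entries": [["alice", "volume:42", "delete"]]}
RBAC = {"model": "rbac",
        "assignments": {"alice": ["storage-admin"], "bob": ["auditor"]},
        "inherits": {"storage-admin": ["storage-operator"]},
        "grants": {"storage-operator": [["volume:42", "delete"]],
                   "auditor": [["volume:42", "read"]]}}
ABAC = {"model": "abac",
        "rules": [{"actions": ["delete"],
                   "equals": {"mfa": True},
                   "same": [["subject_tenant", "resource_tenant"]]}]}

if __name__ == "__main__":
    req = Request("alice", "volume:42", "delete",
                  {"mfa": True, "subject_tenant": "t1", "resource_tenant": "t1"})
    for policy in (ACL, RBAC, ABAC):
        print(policy["model"], delete_volume(Enforcer(policy), req))
```

Swapping the model changes only the policy document handed to `Enforcer`; `delete_volume` never learns which model decided.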

Page 24

VM Deployment/Load Balancing Security

Security Issue: VMs Co-Residency Threat, Malicious host threat

Existing Solutions: i) do intrusion detection, ii) mitigate threats by restricting the VM’s own side-channels or unnecessary permissions, iii) improve the VM management policy to make the attack more difficult.

Our Solutions[6-9]:

e.g. in [9], SeLance attempts to decouple the procedures of VM selection and VM placement. An information leakage model was built to predict the risk between VMs and hosts, so the VM selection and placement depend on the leakage prediction of each migration.

[7] Secure Virtual Machine Placement and Load Balancing Algorithms with High Efficiency (ISPA 2018)

[8] A Secure Virtual Machine Deployment Strategy to Reduce Co-residency in Cloud (TrustCom 2017)

[9] SeLance: Secure Load Balancing of Virtual Machines in Cloud (TrustCom 2016)

Page 25

Trusted Containers/VMs with SGX for Isolation

Issue: In clouds, Linux containers managed by Docker or Kubernetes have a lower resource footprint, faster startup times, and higher I/O performance compared to virtual machines (VMs) on hypervisors. Yet their weaker isolation guarantees, enforced through software kernel mechanisms, make it easier for attackers to compromise the confidentiality and integrity of application data within containers.

Existing Solutions[10-13]:

e.g. [10] SCONE is a secure container mechanism for Docker that uses the SGX trusted execution support of Intel CPUs to protect container processes from outside attacks.

[11-13] focus on containers/VMs isolation in fog or edge platforms.

Intel SGX gives (part of) an application the ability to defend its own secrets from privileged software (e.g. hypervisor or OS).

[10] SCONE: Secure Linux Containers with Intel SGX (SECURITY 2016)

[11] Fast, scalable and secure onloading of edge functions using AirBox (SEC 2016)

[12] Preliminary Study of Trusted Execution Environments on Heterogeneous Edge Platforms (SEC 2018)

[13] Secure Distributed Computing on Untrusted Fog Infrastructures Using Trusted Linux Containers (CloudCom 2018)

Page 26

Trusted Services

Providing services for users to validate the SLA Compliance of CSPs

Page 27

Data Encryption Sharing & Integrity Verification Services

Issue: How to make sure there is no data breach/leakage and no data loss

Existing Solutions: i) CP-ABE, KP-ABE; ii) POR: Proof of Retrievability; iii) PDP: Provable Data Possession

Our Solutions[14-19]:

e.g. in [17], we proposed a practical large universe CP-ABE with user and authority accountability in the white-box model.

e.g. in [18], we proposed a novel cross-encoding recovery method based on erasure code and Bloom Filter, supporting dynamic data operations and making the verification practical and efficient.

PKUSS-Course APP

[14] Fully Secure Hidden Ciphertext-Policy Attribute-based Proxy Re-encryption (ICICS 2017)

[15] Practical Large Universe Attribute-Set Based Encryption in the Standard Model (ICICS 2017)

[16] A Practical Construction for Large Universe Hierarchical Attribute-Based Encryption (CCPE, 2016)

[17] Ciphertext-policy attribute-based encryption with user and authority accountability (SecureComm 2015)

[18] A Joint Bloom Filter and Cross-encoding for Data Verification and Recovery in Cloud (ISCC 2017)

[19] FMR-PDP: Flexible Multiple-Replica Provable Data Possession in Cloud Storage (ISCC 2017)

Page 28

Platform Integrity Verification Service

Issue: How to verify the trustworthiness and correctness of the remote software systems in cloud platforms

Existing Solutions: Trusted Computing, but with high performance costs. Existing provenance-aware solutions fail to convey genuine provenance information to a cloud user.

Our Solutions[20-21]:

e.g., in [20], our model enables the challenger to attest the specified security requirements of the target platform, instead of quoting and verifying the complete detailed configurations.

e.g., in [21], we establish a trusted provenance-aware service through integrating Trusted Computing. We introduce Merkle Hash Tree to reduce the length of Chain of Trust and enable parallel validation for the trustworthiness of provenance information.

[20] Partial Attestation: Towards Cost-Effective and Privacy-Preserving Remote Attestations (TrustCom 2016)

[21] TProv: Towards a Trusted Provenance-Aware Service Based on Trusted Computing (ICWS 2018)
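
What a Merkle hash tree buys over a linear chain of trust for provenance records, as described for [21] above: an added example, not TProv's code and not from the original slides. The record format, the use of SHA-256, the rule for promoting an unpaired node and all function names are assumptions.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

def sha256(data):
    return hashlib.sha256(data).digest()

# Distinct prefixes keep a leaf from being replayed as an interior node.
def leaf_hash(record):
    return sha256(b"\x00" + record)

def node_hash(left, right):
    return sha256(b"\x01" + left + right)

def chain_digest(records):
    """Linear chain of trust: every record extends the previous digest
    (PCR-extend style), so checking record i means replaying records 0..i."""
    digest = b"\x00" * 32
    for record in records:
        digest = sha256(digest + sha256(record))
    return digest

def build_levels(records):
    """All tree levels, leaves first; an unpaired node is promoted unchanged."""
    if not records:
        raise ValueError("no provenance records")
    levels = [[leaf_hash(r) for r in records]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def merkle_root(records):
    return build_levels(records)[-1][0]

def prove(records, index):
    """Audit path for records[index] as (sibling_hash, sibling_is_left) pairs."""
    if not 0 <= index < len(records):
        raise IndexError("no such record")
    path = []
    for level in build_levels(records)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(record, path, root):
    digest = leaf_hash(record)
    for sibling, sibling_is_left in path:
        digest = node_hash(sibling, digest) if sibling_is_left else node_hash(digest, sibling)
    return digest == root

def verify_all(records, proofs, root, workers=4):
    """Each check needs only its own record, its path and the root, so the
    checks are independent and can be handed to separate workers."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda rp: verify(rp[0], rp[1], root), zip(records, proofs)))

# Constructed provenance records (hypothetical format), one per event.
RECORDS = [f"event={i};actor=vm-{i % 3};op=write;object=/data/f{i}".encode()
           for i in range(8)]

if __name__ == "__main__":
    root = merkle_root(RECORDS)  # assumed to be the value a trusted component signs
    proofs = [prove(RECORDS, i) for i in range(len(RECORDS))]
    print("hashes to check record 7: chain", 2 * len(RECORDS), "tree", 1 + len(proofs[7]))
    print("all valid:", all(verify_all(RECORDS, proofs, root)))
    print("tampered accepted:", verify(b"event=7;forged", proofs[7], root))
```

With n records the audit path holds about log2(n) hashes, whereas the chained digest has to be replayed from the first record up to the one being checked.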

Page 29

Hardware-Assisted Resources Accounting for SLA Compliance

Issues: Compromised system administrators or remote attackers can potentially reduce the computing resources assigned for valid users, violating SLA, and redirect the stolen resources for their own benefit.

Existing Solutions[22-25]:

e.g. in [22-24], hardware support for system management mode (SMM) and Intel SGX can provide secure resource accounting, even if the hypervisor or privileged OS is compromised.

e.g., in [23], its key idea, Proof-of-Useful-Work (PoUW), involves miners providing trustworthy reporting on CPU cycles they devote to inherently useful workloads.

Blockchains are immutable digital ledger systems implemented in a distributed fashion (i.e., without a central repository) and usually without a central authority.

[22] S-FaaS: Trustworthy and Accountable Function-as-a-Service using Intel SGX (arXiv 2018)

[23] REM: Resource-Efficient Mining for Blockchains (USENIX SECURITY 2017) - Secure Instruction Counting with Intel SGX

[24] EnGarde: Mutually-Trusted Inspection of SGX Enclaves (ICDCS 2017)

[25] Hardware-Assisted Secure Resource Accounting under a Vulnerable Hypervisor (VEE 2015)

Page 30

Trias: Blockchain-driven Trustworthy Cloud Ecosystem

Challenge 1: Application Execution

How to ensure a piece of software has been correctly loaded and executed?

Challenge 2: Software Development

How to ensure a piece of software has been correctly developed and assembled?

Challenge 3: Service Management

How to ensure a set of software has been correctly configured and managed?

Whether a (general-purpose) application (at any scale) will behave as expected.

https://www.trias.one

Page 31

Trusted Execution Layer

Supporting Pluggable and Interconnected Ledgers

Trusted Computing technologies are used to protect the running state of consensus nodes from any malicious programs running on them.

Gossip protocols are further enforced to disseminate and aggregate trustworthy status among the nodes, so that the ultimate model reflects how frequently a node is directly or iteratively indirectly inspected by other nodes.

The trustworthy status is exposed to the upper layer distributed ledgers, helping them to accelerate the consensus procedure while achieving a higher level of security strength. Currently supporting: Ethereum and Hyperledger Fabric.

Dynamic module switching is implemented by the parallel double-chain structure: one for the main service chain, the other for the configuration chain. Through the sidechain technology, the configuration update and confirmation information can flow accurately in both directions between the configuration chain and the service backbone.

Page 32

Trusted Development Layer

Constructing General-purpose Applications with Distributed Ledgers

Implementing a blockchain-driven traceable and verifiable software development framework. DevOps tools are modified to use blockchain for critical data storage and communications. The critical artefacts of the full DevOps cycle for a target application are genuinely recorded.

Chaining security-checking components with the DevOps cycle to implement automatic or incentivized manual verification of security criteria. The key verification results are attached to the critical DevOps artefacts to genuinely reflect the security implications of the target application.

Iterating the Dev-Sec-Ops processes to gradually identify the security properties of any piece of software. Utilizing the underlying blockchain to implement and incentivize tamper-proof software construction.

From the source code, blockchain is used to guarantee the trusted data flow and trusted audit of enterprise information system in the complete DevOps life cycle.

We use blockchain to connect the security module (Sec) to guarantee each link in the complete DevOps process, and to find problems at the source.

We use blockchain to connect the artificial intelligence module (AI), to analyse the safety problems in depth, to predict the security situation and to implement the emergency response in time.

Mining key Information in the with Prometh, establishing enterprise data center with the security degree model.

Page 33

Trusted Service Layer

Ready-to-use Blockchain-ready Service/Software Components

Reusable general-purpose software components and services developed or migrated with the lower layer blockchain-driven toolchains, ledgers and trustworthy computing capabilities.

Forming the building blocks for the upper layers to create general-purpose enterprise-ready DSaaS.

Initially supported components, for satisfying the most general needs from existing usage scenarios:

Production Traceability Service Module

Supply-chain Traceability Service Module

Block Trading Service Module

Supply-chain Finance Service Module

Privacy-preserving Data Exchange Service Module

More key components to migrate:

TensorFlow, Hadoop, Nginx, Kafka, Elasticsearch, Django, etc.

Page 34

Summary

Future Cloud Platforms

—MultiCloud, Public Cloud

—Cloud with Edge Computing

Future Research Jobs

—Integrating TEE for isolation and self-accounting

—Integrating Blockchain for immutable provenance and validation

Page 35

Thank You