Doudou Fall

Enabling secure multitenancy in cloud computing: Challenges and approaches

Cloud computing provides a multitenant feature that enables an IT asset to host multiple tenants, improving its utilization rate. The feature provides economic benefits to both users and service providers since it reduces the management cost and thus lowers the subscription price. Many users are, however, reluctant to subscribe to cloud computing services due to security concerns. To advance deployment of cloud computing, techniques enabling secure multitenancy, especially resource isolation techniques, need to be advanced further. Difficulty lies in the fact that the techniques range and cross various technical domains, and it is difficult to get the big picture. To cope with that, this paper introduces technical layers and categories, with which it identifies and structures technical issues on enabling multitenancy by conducting a survey. Based on the survey result, this paper discusses technical maturity of multitenant cloud computing from the standpoint of security and the needs for developing both technical and operational security toward the development and wide deployment of multitenant cloud computing.

Risk Adaptive Authorization Mechanism (RAdAM) for Cloud Computing

Cloud computing provides many advantages for both the cloud service provider and the clients. It is also infamous for being highly dynamic and for having numerous security issues. The dynamicity of cloud computing implies that dynamic security mechanisms are being employed to enforce its security, especially in regards to access decisions. However, this is surprisingly not the case. Static traditional authorization mechanisms are being used in cloud environments, leading to legitimate doubts on their ability to fulfill the security needs of the cloud. We propose a risk adaptive authorization mechanism (RAdAM) for a simple cloud deployment, collaboration in cloud computing and federation in cloud computing. We use a fuzzy inference system to demonstrate the practicability of RAdAM. We complement RAdAM with a Vulnerability Based Authorization Mechanism (VBAM) which is a real-time authorization model based on the average vulnerability scores of the objects present in the cloud. We demonstrated the usefulness of VBAM in a use case featuring OpenStack.

Towards a Vulnerability Tree Security Evaluation of OpenStack's Logical Architecture

Cloud computings rapid development has favored the emergence of many other technologies like OpenStack, which is the most popular open-source cloud management software. OpenStack has received a lot of praise lately thanks to its ease of use and its vibrant community, but it has also started garnering attention in the national vulnerability database. Furthermore, OpenStack has a logical architecture in which, the degree of interconnectedness within and between the components is a source of many security concerns. To prevent the damages that can be caused by the combination of these security issues, we proposed a vulnerability tree security analysis of OpenStacks logical architecture that allowed us to generate ready-to-use vulnerability trees of the major services or components of the architecture. We also suggested an amendment of OpenStacks vulnerability naming, because the current naming does not cope well with our proposal.

UnPhishMe: Phishing Attack Detection by Deceptive Login Simulation through an Android Mobile App

Phishing attacks have been increasing recently. Attackers use clever social engineering techniques to convince their victims into clicking a malware or deceptive login-based webpages. Most solutions for this particular problem focus more on helping desktop computer users than mobile device users. Mobile device users are more vulnerable than their desktop counterparts because they are online most of the time and they have device limitations such as smaller screen size and low computational power. This paper presents UnPhishMe, an effective mobile application prototype that takes advantage of a particular weakness of phishing sites: they accept any kind of input information for authentication. UnPhishMe enables a mobile device user to create fake login account, with fake login credentials, that mimics user login procedure every time the user opens a login webpage and generates an alert to her. UnPhishMe determines whether the current login page shifts to another webpage after an authentication attempt. It does so by monitoring hashcode changes of the URL when the page is loading, listens to HttpURLConnection status code, and then makes a decision on whether the website is fraudulent or not. We measured the effectiveness of UnPhishMe by conducting a user experiment on android platforms and tested its detection accuracy, memory and CPU performance. The results show that UnPhishMe uses a very small amount of computational power and it is effective in assisting users to identify phishing attacks with an accuracy of 96%.

Security Risk Quantification Mechanism for Infrastructure as a Service Cloud Computing Platforms

Cloud computing has revolutionized information technology, in that It allows enterprises and users to lower computing expenses by outsourcing their needs to a cloud service provider. However, despite all the benefits it brings, cloud computing raises several security concerns that have not yet been fully addressed to a satisfactory note. Indeed, by outsourcing its operations, a client surrenders control to the service provider and needs assurance that data is dealt with in an appropriate manner. Furthermore, the most inherent security issue of cloud computing is multi-tenancy. Cloud computing is a shared platform where users’ data are hosted in the same physical infrastructure. A malicious user can exploit this fact to steal the data of the users whom he or she is sharing the platform with. To address the aforementioned security issues, we propose a security risk quantification method that will allow users and cloud computing administrators to measure the security level of a given cloud ecosystem. Our risk quantification method is an adaptation of the fault tree analysis, which is a modeling tool that has proven to be highly effective in mission-critical systems. We replaced the faults by the probable vulnerabilities in a cloud system, and with the help of the common vulnerability scoring system, we were able to generate the risk formula. In addition to addressing the previously mentioned issues, we were also able to quantify the security risks of a popular cloud management stack, and propose an architecture where users can evaluate and rank different cloud service providers.

Leveraging KVM Events to Detect Cache-Based Side Channel Attacks in a Virtualization Environment

Cache-based side channel attack (CSCa) techniques in virtualization systems are becoming more advanced, while defense methods against them are still perceived as nonpractical. The most recent CSCa variant called Flush + Flush has showed that the current detection methods can be easily bypassed. Within this work, we introduce a novel monitoring approach to detect CSCa operations inside a virtualization environment. We utilize the Kernel Virtual Machine (KVM) event data in the kernel and process this data using a machine learning technique to identify any CSCa operation in the guest Virtual Machine (VM). We evaluate our approach using Receiver Operating Characteristic (ROC) diagram of multiple attack and benign operation scenarios. Our method successfully separate the CSCa datasets from the non-CSCa datasets, on both trained and nontrained data scenarios. The successful classification also include the Flush + Flush attack scenario. We are also able to explain the classification results by extracting the set of most important features that separate both classes using their Fisher scores and show that our monitoring approach can work to detect CSCa in general. Finally, we evaluate the overhead impact of our CSCa monitoring method and show that it has a negligible computation overhead on the host and the guest VM.

Home Edge Computing (HEC): Design of a New Edge Computing Technology for Achieving Ultra-Low Latency

Edge computing systems (Cloudlet, Fog Computing, Multi-access Edge Computing) provide numerous benefits to information technology: reduced latency, improved bandwidth, battery lifetime, etc. Despite all the benefits, edge computing systems have several issues that could significantly reduce the performance of certain applications. Indeed, current edge computing technologies do not assure ultra-low latency for real-time applications and they encounter overloading issues for data processing. To solve the aforementioned issues, we propose Home Edge Computing (HEC): a new three-tier edge computing architecture that provides data storage and processing in close proximity to the users. The term “Home” in Home Edge Computing does not restrain our work to the homes of the users, we take into account other places where the users could connect to the Internet such as: companies, shopping malls, hospitals, etc. Our three-tier architecture is composed of a Home Server, an Edge Server and a Central Cloud which we also find in traditional edge computing architectures. The Home Server is located within the vicinities of the users which allow the achievement of ultra-low latency for applications that could be processed by the said server; this also help reduce the amount of data that could be treated in the Edge Server and the Central Cloud. We demonstrate the validity of our architecture by leveraging the EdgeCloudSim simulation platform. The results of the simulation show that our proposal can, in fact, help achieve ultra-low latency and reduce overloading issues.