Makan Pourzandi
Ericsson
Publication
Featured research published by Makan Pourzandi.
IEEE International Conference on Cloud Computing Technology and Science | 2011
Nelson Mimura Gonzalez; Charles Christian Miers; Fernando F. Redigolo; Tereza Cristina M. B. Carvalho; Marcos A. Simplício; Mats Näslund; Makan Pourzandi
The development of cloud computing services is speeding up the rate at which organizations outsource their computational services or sell their idle computational resources. Even though migrating to the cloud remains a tempting trend from a financial perspective, there are several other aspects that must be taken into account by companies before they decide to do so. One of the most important aspects is security: while some cloud computing security issues are inherited from the solutions adopted to create such services, many new security questions that are particular to these solutions also arise, including those related to how the services are organized and which kinds of services and data can be placed in the cloud. Aiming to give a better understanding of this complex scenario, in this article we identify and classify the main security concerns and solutions in cloud computing, and propose a taxonomy of security in cloud computing, giving an overview of the current status of security in this emerging technology.
IEEE Symposium on Security and Privacy | 2005
Axelle Apvrille; Makan Pourzandi
When trying to incorporate security into a program, software developers face either too much theoretical information that they cannot apply or exhaustive and discouraging recommendation lists. This article gives an overview of security concerns at each step of a project's life cycle.
Electronic Notes in Theoretical Computer Science | 2009
Vitor Lima; Chamseddine Talhi; Djedjiga Mouheb; Mourad Debbabi; Lingyu Wang; Makan Pourzandi
A major challenge in the software development process is to advance error detection to early phases of the software life cycle. For this purpose, the Verification and Validation (V&V) of UML diagrams plays a very important role in detecting flaws at the design phase. It has a distinct importance for software security, where it is crucial to detect security flaws before they can be exploited. This paper presents a formal V&V technique for one of the most popular UML diagrams: sequence diagrams. The proposed approach creates a PROMELA-based model from UML interactions expressed in sequence diagrams, and uses the SPIN model checker to simulate the execution and to verify properties written in Linear Temporal Logic (LTL). The whole technique is implemented as an Eclipse plugin, which hides the model-checking formalism from the user. The main contribution of this work is to provide an efficient mechanism to track the execution state of an interaction, which allows designers to write relevant properties involving send/receive events and source/destination of messages using LTL. Another important contribution is the definition of the PROMELA structure that provides a precise semantics of most of the combined fragments newly introduced in UML 2.0, allowing the execution of complex interactions. Finally, we illustrate the benefits of our approach through a security-related case study in a real-world scenario.
Cluster Computing and the Grid | 2005
Makan Pourzandi; David Gordon; William Yurcik; Gregory A. Koenig
Large-scale commodity clusters are used in an increasing number of domains: academic, research, and industrial environments. At the same time, these clusters are exposed to an increasing number of attacks coming from public networks. Therefore, mechanisms for efficiently and flexibly managing security have now become an essential requirement for clusters. However, despite the growing importance of cluster security, this field has been only minimally addressed by contemporary cluster administration techniques. This paper presents a high-level view of existing security challenges related to clusters and proposes a structured approach for handling security in clustered servers. The goal of this paper is to identify various necessarily-distributed security services and their related characteristics as a means of enhancing cluster security.
Collaboration Technologies and Systems | 2012
Yosr Jarraya; Arash Eghtesadi; Mourad Debbabi; Ying Zhang; Makan Pourzandi
Cloud orchestration involves scaling cloud resources up and down, as well as managing and manipulating them, to better respond to users' requests and to facilitate the operational objectives of service providers. These promote the elastic nature of cloud platforms but impose significant challenges on cloud service providers. Particularly, security issues such as inconsistency may arise while dynamic changes such as virtual machine migration occur. In this paper, we propose a formal framework for the specification of virtual machine migration and security policy updates. This framework enables us to verify that the global security policy after the migration is consistently preserved with respect to the initial one. To this end, we define a new calculus, namely cloud calculus, that can be used to specify the topology of a cloud computing system and firewall security rules. It also enables specifying the migration of virtual machines along with their security policies. The semantics of our calculus is based on structural congruence and a reduction relation. In order to verify the global security policy within the new configuration, we define a testing equivalence over cloud terms. Finally, we provide an illustrative case study to demonstrate the applicability of our approach.
Journal of Network and Computer Applications | 2015
Alireza Shameli-Sendi; Makan Pourzandi; Mohamed Fekih-Ahmed; Mohamed Cheriet
Cloud computing has a central role to play in meeting today's business requirements. However, Distributed Denial-of-Service (DDoS) attacks can threaten the availability of cloud functionalities. In recent years, much effort has been expended to detect the various DDoS attack types. In this survey paper, our concentration is on how to mitigate these attacks. We believe that cloud computing technology can substantially change the way we respond to a DDoS attack, based on a number of new characteristics, which were introduced with the advent of this technology. We first present a new taxonomy of DDoS mitigation strategies to organize the work. Then, we go on to discuss the main features of existing DDoS mitigation strategies and explain their functionalities in the cloud environment. Afterwards, we show how the existing DDoS mechanisms fit into the network topology of the cloud. Finally, we discuss some of these DDoS mechanisms in detail, and compare their behavior in the cloud. Our objective is to show how these characteristics bring a novel perspective to existing DDoS mechanisms, and so give researchers new insights into how to mitigate DDoS attacks in cloud computing.
The Journal of Object Technology | 2009
Chamseddine Talhi; Djedjiga Mouheb; Vitor Lima; Mourad Debbabi; Lingyu Wang; Makan Pourzandi
Since it is the de facto language for software specification and design, UML is the target language used by almost all state-of-the-art contributions handling security at the specification and design level. However, these contributions differ in the covered security requirements, specification approaches, verification tools, etc. This paper investigates the main approaches adopted for specifying and enforcing security at UML design and surveys the related state of the art. The main contribution of this paper is a discussion of these approaches from a usability viewpoint. A set of criteria has been defined and used in this usability discussion. The discussed UML approaches are stereotypes and tagged values, OCL, and behavior diagrams. Extending the UML meta-language or creating new meta-languages for security specification are also covered by this study.
Proceedings of the 13th Workshop on Aspect-Oriented Modeling | 2009
Djedjiga Mouheb; Chamseddine Talhi; Vitor Lima; Mourad Debbabi; Lingyu Wang; Makan Pourzandi
Security plays a predominant role in software engineering. Nowadays, security solutions are generally added to existing software either as an afterthought, or manually injected into software applications. However, given the complexity and pervasiveness of today's software systems, the current practices might not be completely satisfactory. In most cases, security features remain scattered and tangled throughout the entire software, resulting in complex applications that are hard to understand and maintain. In this paper, we propose an aspect-oriented modeling approach to systematically integrate security solutions into software during the early phases of the software development life cycle. First, we present the security design weaving approach, as well as the UML profile needed for specifying security aspects. Then, we illustrate the approach through an example for injecting the design-level security aspects into base models.
Software Engineering Research and Applications | 2010
Djedjiga Mouheb; Chamseddine Talhi; Mariam Nouh; Vitor Lima; Mourad Debbabi; Lingyu Wang; Makan Pourzandi
Security is a challenging task in software engineering. Enforcing security policies should be taken care of during the early phases of the software development process to more efficiently integrate security into software. Since security is a crosscutting concern that pervades the entire software, integrating security at the software design level may result in the scattering and tangling of security features throughout the entire design. To address this issue, we present in this paper an aspect-oriented modeling approach for specifying and integrating security concerns into UML design models. In the proposed approach, security experts specify high-level and generic security solutions that can later be instantiated by developers, then automatically woven into the UML design. Finally, we describe our prototype implemented as a plug-in in a commercial software development environment.
Computers & Security | 2004
Axelle Apvrille; Makan Pourzandi
With the increasing use of clusters, efficient and flexible security has now become an essential requirement, though it has not yet been addressed in a coherent fashion for distributed systems. This paper presents a new security policy language for clusters: Distributed Security Policy (DSP). Based on XML, this language offers a precise and easy way to customize the security of clusters. Contrary to other existing security policy languages, it is not limited to access control, and may be used for other security services such as clusters' inner communication. Finally, the paper also explains how this security policy is used in practice, and how it is transparently enforced onto all nodes of the cluster.