
Publication


Featured research published by Wassim Itani.


IEEE International Conference on Dependable, Autonomic and Secure Computing | 2009

Privacy as a Service: Privacy-Aware Data Storage and Processing in Cloud Computing Architectures

Wassim Itani; Ali Chehab

In this paper we present PasS (Privacy as a Service), a set of security protocols for ensuring the privacy and legal compliance of customer data in cloud computing architectures. PasS allows for the secure storage and processing of users’ confidential data by leveraging the tamper-proof capabilities of cryptographic coprocessors. Using tamper-proof facilities provides a secure execution domain in the computing cloud that is physically and logically protected from unauthorized access. PasS's central design goal is to maximize users’ control in managing the various aspects related to the privacy of sensitive data. This is achieved by implementing user-configurable software protection and data privacy mechanisms. Moreover, PasS provides a privacy feedback process which informs users of the different privacy operations applied on their data and makes them aware of any potential risks that may jeopardize the confidentiality of their sensitive information. To the best of our knowledge, PasS is the first practical cloud computing privacy solution that utilizes previous research on cryptographic coprocessors to solve the problem of securely processing sensitive data in cloud computing infrastructures.


Wireless Communications and Networking Conference | 2003

J2ME end-to-end security for M-commerce

Wassim Itani

This paper shows an end-to-end application-layer security solution for wireless enterprise applications using the Java 2 Platform Micro Edition (J2ME). The proposed solution uses pure Java components to provide end-to-end client authentication and data confidentiality between wireless J2ME based clients and J2EE based servers. This solution can be implemented with the available limited resources of a Java MIDP device, without any modification to the underlying protocols or wireless network infrastructure. A mobile banking application is used to illustrate the implementation of the proposed solution.


International Conference on Energy Aware Computing | 2010

Energy-efficient incremental integrity for securing storage in mobile cloud computing

Wassim Itani; Ali Chehab

We present an energy-efficient protocol for ensuring the integrity of storage services in mobile cloud computing. The proposed protocol applies the concepts of incremental cryptography and trusted computing to design secure integrity data structures that protect the customer data while highly reducing the mobile client energy consumption and efficiently supporting dynamic data operations. The system design is analytically analyzed and experimentally implemented to demonstrate the energy savings it provides on mobile clients.


Journal of Network and Computer Applications | 2004

J2ME application-layer end-to-end security for m-commerce

Wassim Itani

This paper shows an end-to-end application-layer security solution for wireless enterprise applications using the Java 2 Platform Micro Edition (J2ME). The proposed solution uses pure Java components to provide end-to-end client authentication and data confidentiality and integrity between wireless J2ME-based clients and J2EE-based servers. This solution can be implemented with the available limited resources of a Java MIDP device, without any modification to the underlying protocols or wireless network infrastructure. A mobile banking application is used to illustrate the implementation of the proposed solution.


Computer Communications | 2004

SPECSA: a scalable, policy-driven, extensible, and customizable security architecture for wireless enterprise applications

Wassim Itani

This paper presents SPECSA, a new, optimized, policy-driven security architecture for wireless enterprise applications. SPECSA is scalable, extensible, flexible, and customizable. It supports end-to-end client authentication, data integrity and confidentiality between wireless clients and enterprise servers. The security services provided by SPECSA are customized and controlled by an easily configurable security policy that specifies several security-related attributes, classifies network data based on sensitivity and content, and provides an abstraction for the communication and messaging between the client and the server. In addition, SPECSA provides a standard Application Programming Interface (API) that conceals to a great extent the complexity of security operations and programming from the application developer who may not be experienced with enterprise security programming. SPECSA was designed in a platform-neutral manner and can be implemented on a wide range of wireless clients ranging from low-end platforms such as the Java 2 Mobile Edition/Connected Limited Device Configuration (J2ME/CLDC) on limited-memory mobile devices to Personal Java and the Net Compact Framework on PDAs. On the server side, SPECSA can be implemented on any of the available enterprise server platforms. A sample implementation of SPECSA was developed for J2ME on the client-side and for Java 2 Enterprise Edition (J2EE) on the server-side.


International Conference on Telecommunications | 2012

Security analysis and solution for thwarting cache poisoning attacks in the Domain Name System

Ramzi Bassil; Roula Hobeica; Wassim Itani; Cesar Ghali; Ali Chehab

The Domain Name System is a crucial part of the Internet's infrastructure, as it provides basic information that is vital for the proper operation of the Internet. The importance of DNS has caused it to be targeted by malicious attackers who are interested in causing damage and gaining personal benefits. Thus nowadays, DNS faces many security threats such as DNS spoofing and cache poisoning attacks. This paper presents S-DNS, an efficient security solution for thwarting cache poisoning attacks in the DNS hierarchy. The contribution of the S-DNS protocol lies in: (1) decreasing the success probability of DNS spoofing and cache poisoning by preventing man-in-the-middle attacks, (2) providing a backward compatible and simple security solution with low computation and communication overheads, (3) targeting the different DNS query interaction models from iterative, recursive, and caching schemes, and (4) employing an efficient Identity-Based Encryption key management scheme that relieves the different DNS interacting entities from the burden and complexities of traditional public-key infrastructures.


International Conference on Wireless Communications and Mobile Computing | 2006

An enterprise policy-based security protocol for protecting relational database network objects

Wassim Itani; Ali Chehab

In this paper we present ESCORT, an Enterprise, policy-baSed seCurity prOtocol for protecting relational daTabase network objects. ESCORT is an efficient end-to-end security architecture that ensures the confidentiality and integrity of database objects flowing over network links between the Enterprise Information System (EIS) layer represented mainly in relational database servers and the client layer represented by a large variety of devices with diverse capabilities and resources. ESCORT is designed to provide the suitable security strength for a wide range of enterprise application configurations without compromising the application's efficiency and performance. It secures data based on content and sensitivity and highly surpasses the performance of bulk encryption protocols such as the SSL protocol and the TLS protocol by utilizing a customizable policy-based security architecture. This policy-based architecture makes use of the relational structure of database objects to provide flexible, multi-level, and fine-grained encryption and hashing methodologies that target the field level in the database result object. Moreover, ESCORT's security policy can be configured to hit the byte-level granularity in securing individual database fields. This makes ESCORT a very efficient choice for operation in wireless enterprise environments characterized by low-bandwidth wireless networks and supporting limited-resource wireless devices with low memory and processing power. ESCORT neither deals with the security of static data in the database store nor requires the encryption of database objects at the storage level. Results show a performance gain by a factor of three for ESCORT as compared to bulk encryption.


Archive | 2014

Reputation as a Service: A System for Ranking Service Providers in Cloud Systems

Wassim Itani; Cesar Ghali; Ali Chehab

Today cloud service providers guarantee the quality of their services by defining a set of Service Level Agreements (SLAs) with their customers. SLAs bind the provider to a set of service level metrics typically related to service reliability, availability, performance, security, and billing. Generally, the SLA formally specifies the minimum expected service metrics that the provider is committed to supply and that the customer agrees to accede. A detailed description of SLA terms, levels, and the various legislations and conditions that accompany their specification is comprehensively presented in [34]. Unfortunately, SLAs typically lack any technical means of enforcement, which leaves the customer’s data and software processes under the total control of the cloud service provider. Any failure to meet the SLA terms and obligations will have disastrous effects on the cloud customer and provider. The effects range from losing reputation and client trust to legal compliance, and financial penalties that may lead to putting an end to the entire business. This fact will put pressure and responsibility on the customers when selecting a particular cloud service provider for running their business processes and storing data. The severity of this selection is further aggravated when we estimate the serious losses incurred when dealing with “misbehaving” cloud providers or the technical difficulties, financial losses, and service downtimes accompanying the process of switching between service providers. Terabytes of data migration tasks over expensive communication links, software reconfiguration and adaptation, and data leakage and privacy implications are some factors that render the migration process highly expensive.


Proceedings of the 5th ACM symposium on QoS and security for wireless and mobile networks | 2009

PETRA: a secure and energy-efficient software update protocol for severely-constrained network devices

Wassim Itani; Ali Chehab

In this paper we propose PETRA, an energy-efficient and secure software update protocol for severely-constrained network devices. PETRA ensures the authenticity and end-to-end integrity of software update components delivered from trusted content distribution networks. The protocol operates by employing a set of energy-efficient data structures and cryptographic constructs to efficiently detect any form of man-in-the-middle modification attacks on the update packets. This methodology contributes to a sizeable decrease in network traffic and as a result huge energy savings. This makes PETRA a very suitable security protocol for limited-resource battery-operated devices such as low-end mobile phones, wireless sensors, and even Radio Frequency Identification Devices (RFIDs) tags. Moreover, PETRA realizes an incremental security verification mechanism that allows the dynamic eager loading of received software components. This mechanism prevents any form of service disruption or operation downtime during the code upgrade process. A prototype PETRA implementation is tested on a grid of simulated MICAz sensor nodes running the TinyOS operating system. A platform-independent performance analysis and an experimental simulation show that PETRA can achieve up to 30% average reduction in network-wide energy consumption.


IEEE International Conference on Cloud Computing Technology and Science | 2016

Power management in virtualized data centers: state of the art

Auday Aldulaimy; Wassim Itani; Ahmed Zekri; Rached Zantout

Cloud computing is an emerging technology in the field of computing that provides access to a wide range of shared resources. The rapid growth of cloud computing has led to establishing numerous data centers around the world. As data centers consume huge amounts of power, enhancing their power efficiency has become a major challenge in cloud computing. This paper surveys previous studies and research that aimed to improve power efficiency of virtualized data centers. This survey is a valuable guide for researchers in the field of power efficiency in virtualized data centers following the cloud computing model.

Collaboration

Top Co-Authors

Ali Chehab, American University of Beirut

Cesar Ghali, American University of Beirut

Ahmed Zekri, Beirut Arab University

Camille Gaspard, American University of Beirut

Imad H. Elhajj, American University of Beirut

Maha Shamseddine, American University of Beirut

Ramzi Bassil, American University of Beirut