CloudSafetyNet: End-to-End Application Security in the Cloud

Basic information

  • Grant number:
    EP/K008129/1
  • Principal investigator:
  • Amount:
    $667,800
  • Host institution:
  • Host institution country:
    United Kingdom
  • Project type:
    Research Grant
  • Fiscal year:
    2013
  • Funding country:
    United Kingdom
  • Duration:
    2013 to (no data)
  • Project status:
    Completed

Project summary

Cloud computing promises to revolutionise how companies, research institutions and government organisations, including the National Health Service (NHS), offer applications and services to users in the digital economy. By consolidating many services as part of a shared ICT infrastructure operated by cloud providers, cloud computing can reduce management costs, shorten the deployment cycle of new services and improve energy efficiency. For example, the UK government's G-Cloud initiative aims to create a cloud ecosystem that will enable government organisations to deploy new applications rapidly, and to share and reuse existing services. Citizens will benefit from increased access to services, while public-sector ICT costs will be reduced.

Security considerations, however, are a major issue holding back the widespread adoption of cloud computing: many organisations are concerned about the confidentiality and integrity of their users' data when hosted in third-party public clouds. Today's cloud providers struggle to give strong security guarantees that user data belonging to cloud tenants will be protected "end-to-end", i.e. across the entire workflow of a complex cloud-hosted distributed application. This is a challenging problem because data protection policies associated with applications usually require the strict isolation of certain data while permitting the sharing of other data. As an example, consider a local council with two applications on the G-Cloud: one for calculating unemployment benefits and one for receiving parking ticket fines, with both applications relying on a shared electoral roll database. How can the local council guarantee that data related to unemployment benefits will never be exposed to the parking fine application, even though both applications share a database and the cloud platform?

The focus of the CloudSafetyNet project is to rethink fundamentally how platform-as-a-service (PaaS) clouds should handle the security requirements of applications. The overall goal is to provide the CloudSafetyNet middleware, a novel PaaS platform that acts as a "safety net", protecting against security violations caused by implementation flaws in applications ("intra-tenant security") or vulnerabilities in the cloud platform itself ("inter-tenant security"). CloudSafetyNet follows a "data-centric" security model: the integrity and confidentiality of application data is protected according to data flow policies, i.e. agreements between cloud tenants and the provider specifying the permitted and prohibited exchanges of data between application components. It will enforce data flow policies through multiple levels of security mechanisms following a "defence-in-depth" strategy: based on policies, it creates "data compartments" that contain one or more components and isolate user data. A small privileged kernel, which is part of the middleware and constitutes a trusted computing base (TCB), tracks the flow of data between compartments and prevents flows that would violate policies. Previously, such information flow control (IFC) models have been used successfully to enhance programming language, operating system and web application security.

To make such a secure PaaS platform a reality, we plan to overcome a set of research challenges. We will explore how cloud application developers can express data-centric security policies that can be translated automatically into a set of data flow constraints in a distributed system. An open problem is how these constraints can be tied in with the trusted enforcement mechanisms that exist in today's PaaS clouds. Addressing this will involve research into new lightweight isolation and sandboxing techniques that allow the controlled execution of software components. In addition, we will advance software engineering methodology for secure cloud applications by developing new software architectures and design patterns that are compatible with compartmentalised data flow enforcement.
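The data-centric model sketched above, as an added example that is not part of the project's own code: a small reference monitor stands in for the privileged kernel, labels each data item with the compartments it has passed through, and allows a transfer only if the policy permits every carried label to reach the destination. The compartment names, the flow policy and the records are constructed for the council scenario in the summary.

```python
from dataclasses import dataclass

# Constructed allow-list of permitted flows (source -> sink) for the council
# scenario in the summary; compartment names are hypothetical. Default deny.
POLICY = {
    ("electoral_roll", "benefits"),
    ("electoral_roll", "parking"),
    ("benefits", "electoral_roll"),   # benefits app may write corrections back
    ("parking", "electoral_roll"),
}

@dataclass(frozen=True)
class Labelled:
    """A data item plus the set of compartments it is derived from."""
    value: str
    labels: frozenset

class FlowViolation(Exception):
    pass

class Kernel:
    """Reference monitor standing in for the privileged TCB kernel: every
    cross-compartment transfer is checked against the policy for the sender
    and for every label the data already carries."""
    def __init__(self, policy):
        self.policy, self.log = policy, []
    def transfer(self, src, dst, item):
        for origin in item.labels | {src}:
            if origin != dst and (origin, dst) not in self.policy:
                self.log.append(("DENY", src, dst, item.value, origin))
                raise FlowViolation(f"{origin} -> {dst} prohibited by policy")
        self.log.append(("ALLOW", src, dst, item.value))
        # The delivered copy inherits the sender's label (transitive tracking).
        return Labelled(item.value, item.labels | {src})

def council_scenario():
    """Returns (leaked, log); leaked is True if benefits data reached parking."""
    k = Kernel(POLICY)
    roll = Labelled("voter:42 address=1 High St", frozenset({"electoral_roll"}))
    in_benefits = k.transfer("electoral_roll", "benefits", roll)  # allowed
    k.transfer("electoral_roll", "parking", roll)                 # allowed
    # The benefits app derives a claim record and writes it back to the roll.
    stored = k.transfer("benefits", "electoral_roll",
                        Labelled("voter:42 claim=310/week", in_benefits.labels))
    # Parking reads that record: the roll -> parking edge is permitted, but the
    # record now carries the 'benefits' label, so the kernel refuses the flow.
    try:
        k.transfer("electoral_roll", "parking", stored)
        return True, k.log
    except FlowViolation:
        return False, k.log
```

The point of the last step is that a policy written only as edges between compartments is not enough; the kernel must track labels through the shared database, or benefits data laundered through the electoral roll would reach the parking application.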

Project outputs

Journal articles (9)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)
BrowserFlow
  • DOI:
    10.1145/2988336.2988345
  • Publication date:
    2016
  • Journal:
  • Impact factor:
    0
  • Authors:
    Papagiannis I
  • Corresponding author:
    Papagiannis I
Glamdring: Automatic Application Partitioning for Intel SGX
  • DOI:
  • Publication date:
    2017-07
  • Journal:
  • Impact factor:
    0
  • Authors:
    Joshua Lind;Christian Priebe;D. Muthukumaran;Dan O'Keeffe;Pierre-Louis Aublin;Florian Kelbert;T. Reiher
  • Corresponding author:
    Joshua Lind;Christian Priebe;D. Muthukumaran;Dan O'Keeffe;Pierre-Louis Aublin;Florian Kelbert;T. Reiher
TrustJS: Trusted Client-side Execution of JavaScript
  • DOI:
    10.1145/3065913.3065917
  • Publication date:
    2017-04
  • Journal:
  • Impact factor:
    0
  • Authors:
    David Goltzsche;C. Wulf;D. Muthukumaran;Konrad Rieck;P. Pietzuch;R. Kapitza
  • Corresponding author:
    David Goltzsche;C. Wulf;D. Muthukumaran;Konrad Rieck;P. Pietzuch;R. Kapitza
Information Flow Control for Secure Cloud Computing
  • DOI:
    10.1109/tnsm.2013.122313.130423
  • Publication date:
    2014-01
  • Journal:
  • Impact factor:
    5.3
  • Authors:
    J. Bacon;D. Eyers;Thomas Pasquier;Jatinder Singh;I. Papagiannis;P. Pietzuch
  • Corresponding author:
    J. Bacon;D. Eyers;Thomas Pasquier;Jatinder Singh;I. Papagiannis;P. Pietzuch
LibSEAL: Revealing Service Integrity Violations Using Trusted Execution
  • DOI:
  • Publication date:
    2018
  • Journal:
  • Impact factor:
    0
  • Authors:
    Aublin PL
  • Corresponding author:
    Aublin PL

Other publications by Peter Pietzuch

CAP-VMs: Capability-Based Isolation and Sharing in Clouds
CubicleOS: A Library OS with Software Componentisation for Practical Isolation (Extended Abstract)
  • DOI:
  • Publication date:
    2020
  • Journal:
  • Impact factor:
    0
  • Authors:
    V. Sartakov;Lluís Vilanova;Peter Pietzuch
  • Corresponding author:
    Peter Pietzuch

Other grants held by Peter Pietzuch

Cloud Open Source Research Mobility Network
  • Grant number:
    EP/Y030346/1
  • Fiscal year:
    2023
  • Funding amount:
    $667,800
  • Project type:
    Research Grant
CloudCAP: Capability-based Isolation for Cloud Native Applications
  • Grant number:
    EP/V000365/1
  • Fiscal year:
    2020
  • Funding amount:
    $667,800
  • Project type:
    Research Grant
NaaS: Network-as-a-Service in the Cloud
  • Grant number:
    EP/K032968/1
  • Fiscal year:
    2013
  • Funding amount:
    $667,800
  • Project type:
    Research Grant
CloudFilter: Practical Confinement of Sensitive Data Across Clouds
  • Grant number:
    EP/J020370/1
  • Fiscal year:
    2012
  • Funding amount:
    $667,800
  • Project type:
    Research Grant
Smart Flow - Extendable Event-Based Middleware
  • Grant number:
    EP/F042469/1
  • Fiscal year:
    2008
  • Funding amount:
    $667,800
  • Project type:
    Research Grant
DISSP: Dependable Internet-Scale Stream Processing
  • Grant number:
    EP/F035217/1
  • Fiscal year:
    2008
  • Funding amount:
    $667,800
  • Project type:
    Research Grant

Similar NSFC grants

Structural study of how the fungus-specific endocytosis-related protein End3 functions
  • Grant number:
    32000859
  • Approval year:
    2020
  • Funding amount:
    ¥240,000
  • Project type:
    Young Scientists Fund
Exploring the peripheral mechanism of cinobufacini in treating cancer pain via the PBMC-β-END-μ-opioid receptor pathway
  • Grant number:
    81173612
  • Approval year:
    2011
  • Funding amount:
    ¥580,000
  • Project type:
    General Program
Study of the oncogenic properties and mechanism of action of EB1 (End-Binding protein 1)
  • Grant number:
    30672361
  • Approval year:
    2006
  • Funding amount:
    ¥240,000
  • Project type:
    General Program

Similar overseas grants

Collaborative Research: SWIFT: Exploiting Application Semantics in Intelligent Cross-Layer Design to Enhance End-to-End Spectrum Efficiency
  • Grant number:
    2128588
  • Fiscal year:
    2021
  • Funding amount:
    $667,800
  • Project type:
    Standard Grant
Collaborative Research: SWIFT: Exploiting Application Semantics in Intelligent Cross-Layer Design to Enhance End-to-End Spectrum Efficiency
  • Grant number:
    2128489
  • Fiscal year:
    2021
  • Funding amount:
    $667,800
  • Project type:
    Standard Grant
End-point maximal regularity and its application to the Navier-Stokes equations
  • Grant number:
    21H00992
  • Fiscal year:
    2021
  • Funding amount:
    $667,800
  • Project type:
    Grant-in-Aid for Scientific Research (B)
A disruptive data-centric end-to-end requirements planning and automated verification platform - Continuity Application
  • Grant number:
    72204
  • Fiscal year:
    2020
  • Funding amount:
    $667,800
  • Project type:
    Feasibility Studies
Development of Rapid One-sided Repair of Corroded Steel I-girder End with Bolted Connections and its Application Guideline
  • Grant number:
    19K15076
  • Fiscal year:
    2019
  • Funding amount:
    $667,800
  • Project type:
    Grant-in-Aid for Early-Career Scientists
Enhancement of liquid infiltration into closed-end holes by irradiating an acoustic wave, and its application for liquid replacement and drying
  • Grant number:
    19K04167
  • Fiscal year:
    2019
  • Funding amount:
    $667,800
  • Project type:
    Grant-in-Aid for Scientific Research (C)
Elucidation of molecular regulation mechanism of low turnover diabetic osteoporosis via advanced glycation end products and its therapeutic application
  • Grant number:
    19K17995
  • Fiscal year:
    2019
  • Funding amount:
    $667,800
  • Project type:
    Grant-in-Aid for Early-Career Scientists
Elucidation of Diffusion Flame Mechanism of Liquid Oxygen-Solid Fuel and its Application to End-Burning Hybrid Rocket
  • Grant number:
    19K04832
  • Fiscal year:
    2019
  • Funding amount:
    $667,800
  • Project type:
    Grant-in-Aid for Scientific Research (C)
Establishment and application of the physiological biomarkers in older people at the end-of-life
  • Grant number:
    18K07440
  • Fiscal year:
    2018
  • Funding amount:
    $667,800
  • Project type:
    Grant-in-Aid for Scientific Research (C)
Application of use of X-rays for ore/waste separation on a front end loader
  • Grant number:
    491487-2015
  • Fiscal year:
    2016
  • Funding amount:
    $667,800
  • Project type:
    Experience Awards (previously Industrial Undergraduate Student Research Awards)