Computer Laboratory

CloudSafetyNet

"CloudSafetyNet: End-to-end application security in the cloud" will explore the use of Information Flow Control to achieve greater security in cloud computing.

EPSRC grant EP/K011510/1: January 2013 - December 2015
with Imperial College EP/K008129/1, see: lsds.doc.ic.ac.uk/projects/CloudSafetyNet

Overview from our EPSRC Proposal

Cloud computing promises to revolutionise how companies, research institutions and government organisations, including the National Health Service (NHS), offer applications and services to users in the digital economy. By consolidating many services as part of a shared ICT infrastructure operated by cloud providers, cloud computing can reduce management costs, shorten the deployment cycle of new services and improve energy efficiency. For example, the UK government's G-Cloud initiative aims to create a cloud ecosystem that will enable government organisations to deploy new applications rapidly, and to share and reuse existing services. Citizens will benefit from increased access to services, while public-sector ICT costs will be reduced.

Security considerations, however, are a major issue holding back the widespread adoption of cloud computing: many organisations are concerned about the confidentiality and integrity of their users' data when hosted in third-party public clouds. Today's cloud providers struggle to give strong security guarantees that user data belonging to cloud tenants will be protected "end-to-end", i.e. across the entire workflow of a complex cloud-hosted distributed application. This is a challenging problem because data protection policies associated with applications usually require the strict isolation of certain data while permitting the sharing of other data. As an example, consider a local council with two applications on the G-Cloud: one for calculating unemployment benefits and one for receiving parking ticket fines, with both applications relying on a shared electoral roll database. How can the local council guarantee that data related to unemployment benefits will never be exposed to the parking fine application, even though both applications share a database and the cloud platform?

The focus of the CloudSafetNet project is to rethink fundamentally how platform-as-a-service (PaaS) clouds should handle security requirements of applications. The overall goal is to provide the CloudSafetyNet middleware, a novel PaaS platform that acts as a "safety net", protecting against security violations caused by implementation flaws in applications ("intra-tenant security") or vulnerabilities in the cloud platform itself ("inter-tenant security"). CloudSafetyNet follows a "data-centric" security model: the integrity and confidentiality of application data is protected according to data flow policies -- agreements between cloud tenants and the provider specifying the permitted and prohibited exchanges of data between application components. It will enforce data flow policies through multiple levels of security mechanisms following a "defence-in-depth" strategy: based on policies, it creates "data compartments" that contain one or more components and isolate user data. A small privileged kernel, which is part of the middleware and constitutes a trusted computing base (TCB), tracks the flow of data between compartments and prevents flows that would violate policies. Previously such Information Flow Control (IFC) models have been used successfully to enhance programming language, operating system and web application security.

People

  • Jean Bacon, Cambridge PI
  • Jatinder Singh, Cambridge postdoc RA
  • Thomas Pasquier, Cambridge RA
  • Ronny (Hajoon) Koh, Cambridge PhD
  • Peter Pietzuch, Imperial PI
  • Dan O'Keeffe, Imperial postdoc RA
  • Divya Muthukumaran, Imperial postdoc RA
  • David Eyers, Visiting Research Fellow, Otago University, New Zealand
  • Brian Shand, CL VRF and English Cancer Registry, Public Health, England

Publications (giving an overview of the work to date:)

Publications for CSN and our related previous grant SmartFlow can be found under opera publications

Recent publications on CSN are:
"Information Flow Control for Secure Cloud Computing"
Jean Bacon, David Eyers, Thomas F. J.-M. Pasquier, Jatinder Singh, Ioannis Papagiannis, and Peter Pietzuch
IEEE TNSM, Transactions on Networks and Service Management, special issue on Cloud Services, March 2014.
This paper discusses the potential for IFC in cloud service provision and application deployment. Related work is described, including our own under SmartFlow. We look at IFC provision in languages, libraries and systems. For the cloud, we consider IFC at application level only, provided independently of the cloud and within the levels of the cloud software stack.

"FlowR: Aspect Oriented Programming for Information Flow Control in Ruby"
Thomas F. J.-M. Pasquier, Jean Bacon and Brian Shand
ACM Modularity 2014
The paper shows how IFC can be added, using Aspect Oriented programming, as a language library to Ruby using the AOP library Aquarium. This achieves IFC without the need to change the application (IFC can be added as a separate phase, by a security specialist), or the underlying implementation, e.g. in a cloud deployment. Assumptions are that the application developer is benevolent and the cloud deployment can be trusted.

"FlowK: Information Flow Control for the Cloud"
Thomas F. J.-M. Pasquier, Jean Bacon, and David Eyers
In 6th International Conference on Cloud Computing Technology and Science (CloudCom). IEEE, Dec 2014.
We argue that IFC provision at the OS/middleware level of PaaS and SaaS clouds is most appropriate. FlowK is a proof-of-concept implementation of IFC as an importable kernel module for Linux. To show the kernel module working with applications, a web service framework has been adapted to run using IFC above FlowK. The FlowK design minimises the reengineering required by applications to run with IFC, unlike other IFC implementations. Application managers need to be IFC-aware, application instances need not.

"Integrating Messaging Middleware and Information Flow Control"
Jatinder Singh, Thomas F. J.-M. Pasquier, Jean Bacon, and David Eyers
Accepted: IEEE IC2E (Cloud Engineering), March 9th - 12th, 2015.
This paper reports on work to make our SBUS middleware IFC-enabled and to integrate it with FlowK.

Several other submitted publications (under review at December 2014) describe aspects of our CSN work.
"Information Flow Control as an Alternative to Container Isolation"
"An Enhanced IFC Label Model to meet Cloud Application Policy Requirements"
"Expressing and Enforcing Location Requirements using IFC"
"20 Cloud Security Considerations for Supporting the Internet of Things"