Computer Laboratory

CloudSafetyNet - CamFlow

"CloudSafetyNet: End-to-end application security in the cloud explores the use of Information Flow Control to achieve greater security in cloud computing."

EPSRC grant EP/K011510/1: January 2013 - June 2016
with Imperial College EP/K008129/1, see:

Continued Collaboration and Project Work after the EPSRC grant

Thomas Pasquier, RA and PhD student on the grant, moved to Harvard as a postdoc after the grant ended. His open source software, CamFlow, available at will be used at Harvard for work on provenance there as well as in continued research at Cambridge UK: a "Two Cambridges" project..

Project, Part 2 or 3/ACS, 2016/17

Prof. Jean Bacon (jmb25) will supervise a project on CamFlow in Cambridge, assisted by Dr Thomas Pasquier at Harvard US (still available via tfjmp2), Dr David Eyers at Otago University New Zealand (still available via dme26) and Dr Jatinder Singh (js573) in Cambridge. Anyone interested can look at the papers on Information Flow Control (IFC) in opera/publications and install CamFlow on their laptop, see

The aim of the project is to demonstrate how IFC can be used in practice - how labels comprising sets of tags representing security and integrity properties of entities (data, processes, ...) can be associated with the entities as metadata. The specific project can be flexible, depending on interest. One idea is to audit all data flows for an example program running on CamFlow and visualise the audit as a graph.

The rest of this page outlines the research to June 2016.

Overview from our EPSRC Proposal

Cloud computing promises to revolutionise how companies, research institutions and government organisations, including the National Health Service (NHS), offer applications and services to users in the digital economy. By consolidating many services as part of a shared ICT infrastructure operated by cloud providers, cloud computing can reduce management costs, shorten the deployment cycle of new services and improve energy efficiency. For example, the UK government's G-Cloud initiative aims to create a cloud ecosystem that will enable government organisations to deploy new applications rapidly, and to share and reuse existing services. Citizens will benefit from increased access to services, while public-sector ICT costs will be reduced.

Security considerations, however, are a major issue holding back the widespread adoption of cloud computing: many organisations are concerned about the confidentiality and integrity of their users' data when hosted in third-party public clouds. Today's cloud providers struggle to give strong security guarantees that user data belonging to cloud tenants will be protected "end-to-end", i.e. across the entire workflow of a complex cloud-hosted distributed application. This is a challenging problem because data protection policies associated with applications usually require the strict isolation of certain data while permitting the sharing of other data. As an example, consider a local council with two applications on the G-Cloud: one for calculating unemployment benefits and one for receiving parking ticket fines, with both applications relying on a shared electoral roll database. How can the local council guarantee that data related to unemployment benefits will never be exposed to the parking fine application, even though both applications share a database and the cloud platform?

The focus of the CloudSafetNet project is to rethink fundamentally how platform-as-a-service (PaaS) clouds should handle security requirements of applications. The overall goal is to provide the CloudSafetyNet middleware, a novel PaaS platform that acts as a "safety net", protecting against security violations caused by implementation flaws in applications ("intra-tenant security") or vulnerabilities in the cloud platform itself ("inter-tenant security"). CloudSafetyNet follows a "data-centric" security model: the integrity and confidentiality of application data is protected according to data flow policies -- agreements between cloud tenants and the provider specifying the permitted and prohibited exchanges of data between application components. It will enforce data flow policies through multiple levels of security mechanisms following a "defence-in-depth" strategy: based on policies, it creates "data compartments" that contain one or more components and isolate user data. A small privileged kernel, which is part of the middleware and constitutes a trusted computing base (TCB), tracks the flow of data between compartments and prevents flows that would violate policies. Previously such Information Flow Control (IFC) models have been used successfully to enhance programming language, operating system and web application security.

Progress to June 2016

Our first experiment (FlowR) was to enforce IFC for Ruby using Aspect Oriented Programming via the Aquarium library. We decided that IFC is best provided at the OS kernel level in the cloud. As proof of concept, FlowK used system call interception to enforce IFC. To achieve better performance, a Linux Security Module (LSM) was then developed as part of the CamFlow distributed IFC enforcement. Audit of flows was developed as a separate, stackable LSM as part of CamFlow. CamFlow has been released as open source software, see

CamFlow is at present integrated with the MQTT middleware. Our SBUS middleware is currently being modularised, prior to release as open source. The aim is to integrate CamFlow and SBUS middleware to create an IFC-enabled, fully featured messaging middleware.

In addition to the EPSRC grant, we have worked on Cloud Law with our colleagues at QMUL's Commercial Law Department, as part of the MCCRC project (Microsoft Cloud Computing Research Centre).
See opera publications for work on how IFC can be used to enforce law and regulation within and between clouds.

Presentations on CamFlow

Here Jean-CCSNA.pptx is a keynote, "Information Flow Control for Cloud and Internet of Things" given by Jean Bacon at the ICC workshop on Cloud Computing Systems, Networks, and Applications, June 12th 2015. It explains the motivation for IFC and animates the basic IFC manipulations, including declassification and endorsement, for a home monitoring example. The presentation was also given at the Technical University of Darmstadt, July 7th 2015.

A slightly extended version was given by Jean Bacon at Middleware 2016 for the federated workshops: Jean-MW16wkshops.pptx

Here is a 3 minute video by Thomas Pasquier on IFC.

Publications (giving an overview of the work to date:)

Publications for CSN and our related previous grant SmartFlow can be found under opera publications. The papers are available there.

Some publications on CSN are:
"Information Flow Control for Secure Cloud Computing" .pdf
Jean Bacon, David Eyers, Thomas F. J.-M. Pasquier, Jatinder Singh, Ioannis Papagiannis, and Peter Pietzuch
IEEE TNSM, Transactions on Networks and Service Management, special issue on Cloud Services, March 2014.
This paper discusses the potential for IFC in cloud service provision and application deployment. Related work is described, including our own under SmartFlow. We look at IFC provision in languages, libraries and systems. For the cloud, we consider IFC at application level only, provided independently of the cloud and within the levels of the cloud software stack.

A motivating paper for using IFC as part of a cloud-provided OS was given as the first ever Middleware Big Ideas paper in 2010.
Jean Bacon, David Evans, David M. Eyers, Matteo Miglivacca, Peter Pietzuch, and Brian Shand.
Big ideas paper: Enforcing end-to-end application security in the cloud. .pdf
In Proceedings ACM/IFIP/Usenix Middleware, pages 293-312, 2010.

At the end of the grant, we had another Middleware Big Ideas paper accepted, presenting the challenges involved in extending the use of IFC to the Internet of Things.
Jatinder Singh, Thomas F. J.-M. Pasquier, Jean Bacon, Raluca Diaconu, Julia Powles, and David Eyers.
Big Ideas paper: Policy-driven middleware for a legally-compliant Internet of Things. .pdf
In Proceedings 17th ACM/IFIP/Usenix Middleware, ACM, 2016.

"CamFlow: Managed Data-Sharing for Cloud Services" .pdf
is the definitive description of CamFlow flow control and audit as two LSMs. This became possible during the grant when LSMs became stackable. It is published in IEEE Transactions on Cloud Computing (since 2015) and is awaiting assignment to a particular issue.

"FlowK: Information Flow Control for the Cloud" .pdf
Thomas F. J.-M. Pasquier, Jean Bacon, and David Eyers
In 6th International Conference on Cloud Computing Technology and Science (CloudCom). IEEE, Dec 2014.
FlowK was a first, proof-of-concept OS-level implementation of IFC as an importable kernel module for Linux. To show the kernel module working with applications, a web service framework was adapted to run using IFC above FlowK. The FlowK design minimises the reengineering required by applications to run with IFC, unlike other IFC implementations. Application managers need to be IFC-aware, application instances need not.

"FlowR: Aspect Oriented Programming for Information Flow Control in Ruby" .pdf
Thomas F. J.-M. Pasquier, Jean Bacon and Brian Shand
ACM Modularity 2014.
The paper shows how IFC can be added, using Aspect Oriented programming, as a language library to Ruby using the AOP library Aquarium. This achieves IFC without the need to change the application (IFC can be added as a separate phase, by a security specialist), or the underlying implementation, e.g. in a cloud deployment. Assumptions are that the application developer is benevolent and the cloud deployment can be trusted.
After this work we decided that IFC is best enforced at OS level, obliging all applications running on the OS to use it.

"Integrating Messaging Middleware and Information Flow Control" .pdf
Jatinder Singh, Thomas F. J.-M. Pasquier, Jean Bacon, and David Eyers
IEEE IC2E (Cloud Engineering), March 9th - 12th, 2015.
This paper reports on work to make our SBUS middleware IFC-enabled and to integrate it with FlowK.

"Data-Centric Access Control for Cloud Computing" .pdf
is published in ACM SACMAT and shows how IFC can be used transparently by applications. The idea is that if an attempted flow fails, the system checks whether the attempting process has the privilege to change its IFC labels so that the flow can succeed. If so, the appropriate declassifier/endorser component is interposed to allow the flow across security domains. This has to be used with care and is intended to interpose mandated processes like encryption and anonymisation. Transparent declassification is dangerous e.g. top secret information could flow unintentionally from a privileged process.

"Information Flow Audit for PaaS Clouds." .pdf
is published in IC2E 2016 and gives detail of how an audit graph is constructed as part of IFC and how graph processing tools can be used to query the audit graph.

Other published papers are (see Opera pubications for details and pdfs):
General themes include how IFC can be used to ensure and demonstrate compliance with law and regulation (e.g. we have organised two workshops on Cloud Law (CLaw) at the IEEE IC2E conference), and how IFC might be extended to be used in the Internet of Things.

"Information Flow Control for Strong Protection with Flexible Sharing in PaaS" IEEE IC2E workshop on Future of PaaS, 2015
"Securing Information Flows for the Internet of Things" IEEE RIoT 2015
"Managing Big Data with Information Flow Control" IEEE Cloud 2015
"Expressing and Enforcing Location Requirements using IFC" IEEE IC2E first CLaw workshop 2015
"Data Flow Management and Compliance in Cloud Computing" IEEE Cloud Computing Magazine, special issue on Legal Clouds.
"Twenty Security Considerations for Cloud-Supported Internet of Things" IEEE IoT Journal, 2016
"Information Flow Audit for Transparency and Compliance in the Handling of Personal Data" second IEEE IC2E CLaw workshop, 2016


  • Jean Bacon, Cambridge PI
  • Jatinder Singh, Cambridge postdoc RA
  • Thomas Pasquier, Cambridge RA
  • Julia Powles, Cambridge lawyer
  • Raluca Diaconu, Cambridge Middleware postdoc RA
  • Peter Pietzuch, Imperial PI
  • Dan O'Keeffe, Imperial postdoc RA
  • Divya Muthukumaran, Imperial postdoc RA
  • David Eyers, Visiting Research Fellow, Otago University, New Zealand
  • Brian Shand, CL VRF and English Cancer Registry, Public Health, England