See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/323374826

About PaaS security

Article  in  International Journal of Cloud Computing · January 2017

DOI: 10.1504/IJCC.2017.10011287

CITATIONS READS
0 346

3 authors, including:

Donghoon Kim Henry E. Schaffer

Arkansas State University - Jonesboro North Carolina State University
19 PUBLICATIONS   91 CITATIONS    57 PUBLICATIONS   1,813 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

NSF ITEST funded research "Scaling up STEM Learning with the VCL" View project

Cloud security View project

All content following this page was uploaded by Donghoon Kim on 02 December 2020.

The user has requested enhancement of the downloaded file.

Int. J. Cloud Computing, Vol. X, No. Y, xxxx 1

About PaaS security

Donghoon Kim*
Department of Computer Science,
Arkansas State University,
Jonesboro, AR, USA
Email: dhkim@astate.edu
*Corresponding author

Henry E. Schaffer
Office of Information Technology,
North Carolina State University,
Raleigh, NC, USA
Email: hes@ncsu.edu

Mladen Alan Vouk

Department of Computer Science,
North Carolina State University,
Raleigh, NC, USA
Email: vouk@ncsu.edu

Abstract: Platform as a service (PaaS) provides middleware resources to cloud

customers. As demand for PaaS services increases, so do concerns about the
security of PaaS. This paper discusses principal PaaS security and integrity
requirements, and vulnerabilities and the corresponding countermeasures. We
consider three core cloud elements – multi-tenancy, isolation, and virtualisation
and how they relate to PaaS services and security trends and concerns such as
user and resource isolation, side-channel vulnerabilities in multi-tenant
environments, and protection of sensitive data and recommend a number of
effective procedures which can help in providing security.

Keywords: platform as a service; PaaS; cloud; vulnerability; countermeasure;

vitalisation; isolation; multi-tenancy; side-channel attacks; data integrity.

Reference to this paper should be made as follows: Kim, D., Schaffer, H.E.
and Vouk, M.A. (xxxx) ‘About PaaS security’, Int. J. Cloud Computing,
Vol. X, No. Y, pp.xxx–xxx.

Biographical notes: Donghoon Kim received his PhD from the North Carolina
State University, USA. He is an Assistant Professor in Department of
Computer Science, Arkansas State University, USA. His research interests
include cloud computing security, high-performance computing, and software
engineering. Previously, he was a Software Engineer at the Samsung
Electronics, Korea after receiving his Master’s of Science at the Auburn
University, AL, USA.

Copyright © 20XX Inderscience Enterprises Ltd.

2 D. Kim et al.

Henry E. Schaffer received his PhD from the North Carolina State University.
He is a Professor Emeritus of Genetics and Biomathematics, and Coordinator
of Special IT Projects and Faculty Collaboration in the Office of Information
Technology at the North Carolina State University. He was a Co-PI of
SURAnet, one of the initial regional networks of the NSFnet. He has continued
working on the uses of ICT, with emphasis on cloud computing, in research
and education. He recently received an Endeavour Award from the North
Carolina Research and Education Network (NCREN) for his contributions to
education in North Carolina. He is a member of the ACM, Sigma Xi and the
IEEE Computer Society where he serves on the Editorial Advisory Board of the
IEEE CS IT Professional.

Mladen Alan Vouk received his PhD from the King’s College, University of
London, UK. He is a Distinguished Professor in Department of Computer
Science. He is also an Associate Vice Chancellor for Research Development,
and Director of the NC State Data Science Initiative. He has extensive
experience in both commercial software production and academic computing.
He is the author/co-author of over 300 publications. His interests include
software and security engineering, bio-informatics, scientific computing and
analytics, information technology assisted education, and high-performance
computing and clouds. He is a member of the IFIP Working Group 2.5 on
numerical software, and a recipient of the IFIP Silver Core award. He is an
IEEE Fellow, and a recipient of the IEEE Distinguished Service and Gold Core
Awards. He is a member of several IEEE societies, and of ASEE, ASQ (Senior
Member), ACM, and Sigma Xi.

This paper is a revised and expanded version of a paper entitled ‘PaaS security
countermeasures: a survey’ presented at 3rd International IBM Cloud Academy
Conference ICACON 2015, Budapest, Hungary, 21 May 2015.

1 Introduction

Platform as a service (PaaS) allows cloud developers and providers of higher-level

services [i.e., software as a service (SaaS)] to build and deploy applications by hiding the
complexity of lower level functions and services. Figure 1 illustrates cloud service
models with PaaS features based on Fernandes et al. (2013).
PaaS enables lower costs and higher computing efficiency by enabling better
utilisation, often based on multi-tenancy, through virtualisation technology. There are
many PaaS providers (commercial, academic, open source, proprietary, etc.) that offer
different types and ranges of features, tools and services. For example, Amazon web
services, Google app engine (GAE), LongJump, IBM BlueMix, Salesforce, etc. As long
as the products (i.e., applications) developed on top of PaaS are connected via the
internet, both PaaS vendors and clients should have security concerns. Furthermore,
multi-tenancy is the key source of security concerns when multiple PaaS services reside
on a single physical server. To achieve safe (or secure) multi-tenancy, PaaS solutions
must have a way to isolate tenants from each other. There are a number of survey papers
that address overall security in cloud computing environments (Dorey and Leite, 2011;
Fernandes et al., 2013; Prasanth et al., 2015; Sengupta et al., 2011; Subashini and
Kavitha, 2011; Xiao and Xiao, 2013). Throughout this paper, we make three main
contributions:
 About PaaS security 3

• Issues in PaaS security and corresponding countermeasures: this paper discusses

major PaaS security and privacy requirements, vulnerabilities and the corresponding
countermeasures reported since 2009.
• Categorisation in PaaS security: this paper considers three potential sources of
security issues
1 software platform and isolation
2 virtualisation
3 data security and integrity.
In practice, many PaaS vulnerabilities may overlap with SaaS or IaaS vulnerabilities
since they are frequently interrelated. Many general vulnerability categories, such as
the CWE/SANS top 25 (MITRE, 2015), are present in the PaaS layer as well as in
the SaaS layer (Kim et al., 2014).
• Some trends in PaaS security: we have observed three major security trends of PaaS
services based on three core elements of PaaS services that are interrelated which
may lead to the security vulnerability.
The rest of this article is organised as follows. Section 3, 4, and 5 discuss principal
categories of vulnerabilities and the corresponding countermeasures. Section 6 addresses
the PaaS security trends we observed. Section 7 concludes this paper.

Figure 1 Cloud service model with PaaS features

2 Background

Cloud computing offers services over the internet. We define the boundary among SaaS,
PaaS, and IaaS is using National Institute of Standards and Technology (NIST) cloud
model and its service layers as well as essential characteristics and deployment models
(Mell and Grance, 2011). The three service layers can be summarised as follows
(Armbrust et al., 2010; Mell and Grance, 2011):
4 D. Kim et al.

• SaaS: this is the application layer that most users access remotely. A SaaS
application uses services made available through PaaS, and IaaS, as well as its own,
application specific, functions. At this level, most of the vulnerabilities stem from
issues in the application itself. However, PaaS weaknesses such as those in the
underlying operating system or hypervisor may also manifest.
• PaaS: PaaS is the platform on which end-user facing applications are built upon. The
middleware PaaS offers may range from operating systems (OS), to hypervisors, to
programming language support, to different libraries and services, and service
construction tools. PaaS allows for higher-level programming with dramatically
reduced complexity; the consumer does not manage or control the underlying cloud
infrastructure including network, servers, OS or storage. Multi-tenant related
vulnerabilities are one of major concerns.
• Infrastructure as a service (IaaS): IaaS offers physical and virtual resources,
interconnection, and security. Deployment models include private cloud, community
cloud, public cloud, and hybrid cloud. IaaS vulnerabilities are the usual ones for data
centres including physical access and firewalls.
PaaS illustration shown in Figure 1 includes execution environment (e.g., GAE, .NET,
and JVM) and programming environment (e.g., APIs, IDEs, and Django). For example,
GAE runtime environment supports apps written in a variety of programming languages,
such as java, python, PHP, ad go (Google, 2015). GAE includes several features that
make it easy to build and deploy an application:
1 Persistent storage with queries, sorting and transactions.
2 Automatic scaling and load balancing.
3 Asynchronous task queues for performing work outside the scope of a request.
4 Scheduled tasks for triggering events at specified times or regular intervals.
5 Integration with other Google cloud services and APIs1, such as computing, storage,
networking, big data, services, and management.
GAE also provides development environments, software development kits (SDK).
There are many PaaS tools and environments. Their goal is to quickly and efficiently
design and deploy applications, and have them function reliably. The important thing to
remember is that security flaws that may exist in the PaaS layer can propagate to the SaaS
layer. A classical example may be vulnerabilities that may occur in the hypervisor or in
the security tools supplied to applications, such as SSL vulnerabilities (e.g., heart bleed
vulnerability2).
An example of an open-source cloud computing platform specifically designed for
education and research is VCL (Averitt et al., 2007; Schaffer et al., 2009). VCL supports
IaaS, Paas and SaaS. VCL environments can range from a simple software application to
high-performance computing (HPC) resources. From the point of view of security it
offers
1 a variety of authentication options (e.g., LDAP, shibboleth)
2 high security and isolation (e.g., IP-lock, local firewalls, point-to-point VLANs and
VPNs, one-time passwords, feedback confirmation, timeout, traffic monitoring)
3 sophisticated resource access and mapping privilege tree
 About PaaS security 5

4 real-time monitoring of reliability and security.

We are in the process of developing an NC-wide university data science and analytics
cloud environment based on VCL that uses iRODS3 as the data-bus. The VCL also
interoperates with commercial cloud offerings – e.g., Amazon and IBM. This is where
interesting security and privacy interactions occur. For example, mapping and matching
of security properties available in one cloud onto those available in another cloud.
Table 1 An overview of major PaaS security concerns

Category Vulnerability Countermeasures

Software Isolation for multi-tenancy Isolation at each layer, container
platform (Rodero-Merino et al., 2012)

Integrity of cloud services Integrated platform, architecture

(Mackay et al., 2012)
Cloud architecture Specific requirements
(Deng et al., 2012; Luo et al., 2011)
Data sharing in isolation IFC (Pasquier et al., 2015)
Virtualisation Side-channel attacks Obfuscating internal structures
(Ristenpart et al., 2009), timing channel control
(Aviram et al., 2010), cached-based method
(Zhang et al., 2014), disable sharing of LLC lines
(Zhou et al., 2016), stronger kernel isolation
(Gruss et al., 2016)
CPU-based covert channel CCCV (Okamura and Oyama, 2010)
Covert channel in Small allocation of resources, physical and
micro-architecture functional hierarchies (Caron et al., 2014)
Virtualisation-based cloud Monitoring system
computing (Lombardi and Di Pietro, 2009)
Managing VM images Imaging management systems
(Wei et al., 2009)
Sensitive information Architecture change (Bugiel et al., 2011)
Memory disclosure attack on Read-only page flag (Suzaki et al., 2011)
memory de-duplication
Limitation of random External sources (Ristenpart and Yilek, 2010)
number generator
Virtual network Virtual network model (Wu et al., 2010)
Data Sensitive data Additional security check, storing metadata
information (Subashini and Kavitha, 2011)
Data loss and leakage Security components (e.g., identity management,
log service, access control), secure block storage
(Vaquero et al., 2011; Deng et al., 2012)
Data integrity MAC with Merkle tree-based structure
(Juels and Oprea, 2013)
Data relocation Constraint-based data geo-location
(Gondree and Peterson, 2013)
Big data processing Efficient security mechanism (HLA, E-PDP)
(Liu et al., 2015)
6 D. Kim et al.

When considering PaaS security, we believe the problem is driven by virtualisation (and
utilisation) encouraged multi-tenancy with the primary problem prevention tool being
appropriate isolation of users, resources, and data. Table 1 provides an overview.

3 Software platform and isolation

PaaS elements range from OS, to hypervisors and virtual platforms (VP) with java and
.NET. Unfortunately, such platforms may not offer fully secured hosting environments
due to the limitation of isolation mechanism. Being applications themselves, PaaS
elements may also harbour all the usual vulnerabilities that SaaS layer elements do (Kim
et al., 2014).
Rodero-Merino et al. (2012) discuss security vulnerability of clouds where tenants
share PaaS platform services and host multiple user applications on the same resources.
To achieve safe multi-tenancy, each application should run in an isolated environment.
They discuss the limitation of the OS as a hosting environments. For example, PaaS
providers may prefer to offer simplified abstractions that ease the development tasks.
However, the OS may not support a set of applications that could be run in the cloud.
Instead, each application could use containers that encompass the resources associated
with a particular task. They note three isolation options:
1 isolation at OS level
2 isolation by standard java security
3 isolation at VM level.
They summarise the main open security issues at different layers (i.e., OS, java VM, and
container) of a java PaaS platform and the security features for different VPs. They
expect that container technologies could be widely used to run user components. In fact,
Docker4 (2016) is such an open platform released in March 2013 that is growing in
popularity (see Google trends5). It uses resource isolation features of the Linux kernel and
provides lightweight containers to run processes in isolation. While Docker (2016),
Babcock (2016) and Hewitt (2015) solve a number of issues, the Docker solution is not
vulnerability free.
Mackay et al. (2012) proposed an integrated platform to reinforce the integrity and
security of cloud services. They present key features of the proposed architecture:
1 Service planning: service level agreement (SLA) should be negotiated.
2 End-to-end security: encryption techniques and authentication mechanisms.
3 Monitoring and enforcement: performance and stability metering and IDS (intrusion
detection system).
Deng et al. (2012) address requirements in the context of healthcare applications. They
identified core requirements for building trusted cloud architectures using Bessani’s et al.
(2012) work:
 About PaaS security 7

1 separation of duties
2 isolation
3 verifiability of trustworthiness
4 integration into subscriber’s IT infrastructure.
Based on such core requirements, Deng et al. propose a design of a trustworthy
healthcare platform for PaaS by providing several security functionalities including
identity management, authorisation, and log services, access control and automatic audit
tool. Their platform is in compliance with EU data protection and privacy legislation.
Luo et al. (2011) present a virtualisation security framework based on the
requirements and solutions. The virtual security framework could have two modules such
as virtual system security with three layers [e.g., physical resources, virtual machine
manager (VMM), and VM] and virtualisation security management. They address virtual
system security with four parts:
1 VM system security architecture: they show three VM security system architectures
by comparing each structure in terms of efficiency and flexibility
2 access control: they show an access control framework about how resources flow
and communicate between VMs and VMM based on access control policy
3 virtual firewall (VF)
4 vIDS/vIPS: virtual intrusion detection system (vIDS) virtual intrusion prevention
system (vIPS).
The virtualisation security management could be conducted by either VMM or security
control layer, which has four roles: patch management, VM migration management, VM
image management, and audit.
Pasquier et al. (2015) explain how data across applications can be shared in cloud
using isolation mechanisms. They present information flow control (IFC) as a flexible
option; IFC is an approach to security that allows application writers to control how data
flows between the pieces of an application and the outside world (Krohn et al., 2007).
They use tags and labels for secrecy (i.e., confidentiality) and integrity that regulate flows
throughout the system; they use BLP model for secrecy and Biba model for integrity
(Bell and LaPadula, 1973; Biba, 1977).

4 Virtualisation

Virtualisation is a major component of cloud computing as we know it today. The growth

of cloud computing would not have been possible without supporting virtualisation
technologies; the use of virtualisation enables sharing of resources (and through that it
encourages multi-tenancy). This brings the challenges of multi-tenant vulnerabilities
(Xing and Zhan, 2012).
Ristenpart et al. (2009) discuss multi-tenant vulnerabilities. They show that
adversaries may be able to identify internal cloud structure. Based on this, a comprised
VM is able to mount near a target VMs as a co-resident. This approach can lead to cross
VM side channel attacks due to the sharing of physical resources (e.g., via CPU’s data
8 D. Kim et al.

caches). They suggest several ways to avoid such side-channel attacks. First, cloud
providers may obfuscate both the internal structure of their services and the placement
policy in order to complicate an adversary’s attempts to place a VM on the same physical
machine as its target. Second, they enumerate many countermeasures against
side-channel attacks. But they also claim that such countermeasures have drawbacks;
these solutions are either impractical due to high overhead and non-standard hardware,
application-specificity, or an insufficiency that prevents full mitigation of the risk.
Avoiding co-residence would be an ultimate countermeasure against cross-VM attacks.
Finally, they claim that the best solution is simply to expose the risk and have the user
decide.
Okamura and Oyama (2010) evaluate the threat of CPU-based covert channels
between VMs on the XEN hypervisor where different VMs share a physical CPU (e.g., a
single-core uniprocessor). They have developed a system called CCCV (covert channels
using CPU loads between virtual machines) that creates a covert channel and
communicates data secretly; this enables processes in DomU virtual machines to
communicate with each other using a physical CPU as the communication medium.
CCCV consists of a sender process and a receiver process. A sender process runs in a
domain from which a malicious program sends secrets (e.g., a credit card number and a
password). A receiver process runs in a domain in which a peer of the malicious program
receives the secret. The communication failure happens when the weights of the credit
scheduler for the sender and receiver differ. However, they show that success of
communication depends on whether the CPU loads of processes other than the sender and
receiver vary significantly during communication.
To avoid timing side-channel attacks, Aviram et al. (2010) propose a timing channel
control based on provider-enforced deterministic execution by collecting all internal
timing channels into a single controllable channel at the cloud’s border, rather than
eliminating timing channels within a shared cloud domain. The cloud provider assigns
each job onto shared hardware within the cloud with statistical multiplexing and returns
the job’s output, which depends only on explicit inputs, not on timing of operations
within the cloud. Zhang et al. (2012) detail the construction of an access-driven
side-channel attack, where a malicious virtual machine (VM) extracts fine-grained
information (e.g., private ElGamal decryption key) from a co-resident victim VM running
Gnu privacy guard (GnuPG). They introduce numerous sources of channel noise and
develop a sequence of mechanisms to refine outputs from a support vector machine
(SVM) to reduce such sources of noise. They discuss several countermeasures with
benefits and downsides, such as avoiding co-residency, side-channel resistant algorithms,
and modifying CPU scheduling for the XEN credit scheduler. Zhang et al. (2014)
conducted cache-based side channel attacks in commercial cloud, PaaS that extract
sensitive application data (e.g., the number of items in a shopping cart). The attacker
instance in their framework can trace a victim’s execution paths inside shared
executables; it should monitor over time to trace the victim’s execution path in the
control flow graph (CFG). They describe that the existing countermeasures to
cache-based side channels may not be applicable to their attacks. Instead, they introduce
several countermeasures:
 About PaaS security 9

1 disabling the clflush instruction

2 increasing background noise with more applications
3 disallowing resource sharing of memory pages that serve as flush-reload attack
vectors.
Zhou et al. (2016) presented side-channel attacks via last-level caches (LLC) due to
physical memory sharing across cores which leads to leak information among tenants in a
cloud. They proposed two countermeasures:
1 A copy-on-access design dynamically controls the sharing of physical memory pages
between security domains. This countermeasure may have less cost compared with
disabling memory pages sharing for flush-reload side channel attacks (Zhang et al.,
2014)
2 For prime probe attacks which launch side-channel attacks via caches (Osvik et al.,
2006), a memory management system is to limit the number of cache lines per cache
set that the each security domain can occupy simultaneously.
Gruss et al. (2016) introduced a prefetch side channel attacks where attackers can reuse
existing code by exploiting major weakness in prefetch instructions. The prefetch
instructions enable execute only pages prefetching in inaccessible kernel memory without
privilege levels access permissions. By this procedure, an attacker is able to obtain
information on all kernel pages. They also presented a countermeasure against prefetch
side-channel attacks on commodity systems that involves reorganising the user and
kernel address space to protect kernel address-space layout randomisation (KASLR).
They proposed the so-called stronger kernel isolation, which un-maps user pages from
the kernel physical direct map when kernel pages are mapped in user space by switching
the address translation table immediately after the context switch into the kernel.
Caron et al. (2014) state that virtualisation is the current trend in the cloud and
requires security and performance isolation between users and VMs. They describe
several vulnerabilities and countermeasures for covert channels in micro-architecture
components shared between VMs. Lack of isolation of micro-architectural components
may lead to creation of covert channels between VMs. On the other hand, mechanisms
with strong isolation lead to a large overhead. They claim that it is possible to reduce
covert channels through smart allocation of resources for strong isolation while keeping a
good consolidation of the platform. They propose a model that has physical (i.e.,
geographical) and functional hierarchies. A functional hierarchy can divide a platform
into available zone; it avoids sharing both hardware components and the same component
backup. They also show the performance based on the relationship between isolation and
consolidation. The performance depends on the physical isolation of workloads; the
contention on memory channels or processor caches on shared physical machine is a
major cause of the decrease in performance.
Lombardi and Pietro (2011) show how virtualisation can increase the security of
cloud computing. They propose a monitoring system called advanced cloud protection
system (ACPS) by extending the KVMsec (Lombardi and Di Pietro, 2009). ACPS
monitors the integrity of key components such as key kernel and middleware by
performing a checksum of such components; it checks behaviour and integrity of cloud
components via logging and periodic checksum verification of executable files and
10 D. Kim et al.

libraries. Also, they show that overhead due to the additional integrity checks is relatively
small.
Wei et al. (2009) explore the problem of securely managing VM images. They
propose an imaging management system that controls access to VM images by granting
access permission. Image filters detect malicious images and remove user-specific
sensitive content from the images. These approach, conducted as the general
countermeasures, can be used on any cloud, for example, Amazon elastic computer cloud
(EC2), to protect sensitive information. In practice, Bugiel et al. (2011) could extract
highly sensitive information (e.g., passwords, keys, and credentials) from publicly
available Amazon machine images (AMIs) using an automated tool they developed. The
tool discovers the sensitive information (i.e., private keys and credentials) usually in the
home directory of users, the home directory of a super user (i.e., root), and common
locations for programs and configuration files. They suggest some countermeasures that
would require fundamental changes to the architecture by integrating Amazon specific
services into the EC2 cloud app store.
Suzaki et al. (2011) describe memory disclosure attack on memory de-duplication
[i.e., copy-on-write (COW)] vulnerability on VMs. They show that an attacker can detect
the existence of specific running applications and a downloaded file on another VM by
using the time difference in write access time between de-duplicated and
non-deduplicated page because de-duplication process takes longer than
non-deduplication process. Candidate pages for de-duplication are examined during a
certain amount of time in order to check if they are identical. A countermeasure to this
attack could be read-only pages for memory de-duplication since such pages do not need
to be re-written (overwritten).
Ristenpart et al. (2010) investigate the failure of random number generators (RNGs)
in a VM due to reuse of VM snapshots. Because of the limitation of RNSs in a VM, they
suggest guest RNS services with hardware-based RNGs or other external sources; they
have developed a general framework for hedging cryptographic operations.
Wu et al. (2010) present a novel virtual network model against the break of isolation.
Most hypervisors offer virtual network to connect VMs by using bridge and route while
remaining isolation among VMs. However, isolation is easy to break in the current virtual
network because all VMs share the bridge and route either working as a virtual hub or
virtual switch. They suggest that a virtual network model should have three layers:
1 Routing: a set of unique static IDs can be assigned to a shared network by the
administrator.
2 Firewall: this layer is to prevent both spoofing attacks and modification of routing
table from any packet (i.e., ARPing).
3 Shared network layer: each VM has a set of subnets.

5 Data security and integrity

Protecting data and maintaining data integrity is important for all cloud service delivery
models. PaaS is the key player in providing end-to-end data security and integrity in
multi-tenant situations since PaaS can be implemented as an independent framework. The
 About PaaS security 11

PaaS framework needs to either directly or indirectly support four types of data
interaction modes:
1 total isolation
2 computations-to-data
3 data-to-computations
4 open data.
In all cases encryption at rest and encryption in motion must be an option, as should be
the ability to compartmentalise and isolate access and scope individual users see and
access.
Total isolation mode usually applies to very confidential data category. It may pertain
to proprietary data and/or federally regulated data that should be only accessible and
shared in a very isolated environment. Private clouds are probably the only suitable
environment for that, and even then one may want to consider more restrictive physical
solutions, e.g., a sensitive compartmented information facility (SCIF).
Computations-to-data category may also involve a very large amounts of data, which
is confidential information, that should be available only to authorised and authenticated
individuals and devices. Datasets of that type may be in the terabyte and even petabyte
range, and may not be easily moved around. On the other hand, there may be situations
where we may not want to move the data in this category out of the original storage even
if the size is not an issue. For example, local laws or policies may not allow that.
Therefore, mechanisms need to exist whereby computations using the data (e.g.,
analytics) are performed close to the data, i.e., we move computations to the data. PaaS
support would typically be needed for this type of operations.
Data-to-computations category is more along the lines that we often see today. Data
in this category can typically be downloaded or moved to other clouds or locations such
as end-user desktops. For example, relatively low volume data visualisations may fall
into this category, as may relatively small datasets that do not take long to download, etc.
This data may also be restricted to authorised and authenticated users.
Open data are made available to a broader public and may not require
any identification of the end user. If the size is an issue, then security-aware
computations-to-data model of access may be used, if not, data-to-computations may be
sufficient.
However, it is important to note that in order for cloud services, and PaaS layer, to be
reliable, trustworthy, secure and safe, the PaaS framework needs to collect provenance
information about the users, data sources, transactions on the data, users, and so on. This
becomes particularly important if data may have export/import or confidentiality
restrictions. Hence, PaaS services may need to worry about compliance issues (including
geo location and privacy). For example, some or all of the data may need to be collected
over encrypted channels, and in some cases encryption at rest will be a must. It is also
important that the data and interfaces to the data and the framework platforms are
usability aware (since that may have human element security implications).
Subashini and Kavitha (2011) detail data security for overall cloud service delivery
models. They indicate that additional security checks should be applied to the sensitive
data to ensure data security and prevent breaches; a PaaS provider has to offer strong
assurances that the data remains inaccessible between applications. They claim that a
12 D. Kim et al.

framework should have a functionality of storing meta-data information in different

locations which would make information unavailable if a malicious user tries to recover
it. Vaquero et al. (2011) address that the threats of data loss and leakage are increasing in
the cloud due to the architectural or operational characteristics of the cloud environments
(e.g., insecure APIs, shared environment, etc.). Deng et al. (2012) employ various
techniques to protect data in their platform. They show how a health trusted PaaS should
manage sensitive data (e.g., a patient’s data) with security components such as identity
management, log service and access control. They introduce secure block storage that
provides version control for encrypted data chunks to prevent replay attacks.
Juels and Oprea (2013) describe new techniques for data integrity and freshness
verification that secure cloud data. For data integrity, they use an authentication scheme
by computing message authentication codes (MAC) for each data block. The size of each
data block is 4KB, a fixed-size segment. For freshness verification, they use a counter or
version number with each file block which also must be authenticated. They claim that
their authentication mechanism is practical and scalable by reducing the storage overhead
due to a Merkle tree-based structure. They introduce their auditing framework that offers
tenants visibility into the correct operation of the cloud. They mention several open
problems as follows:
1 performing computations over tenant’s encrypted data
2 ensuring tenant isolation
3 geolocation of data.
Geo location of data is of particular commercial interest recently because of regulatory
and legal compliance. For example, providers should store customer data within national
boundaries. Gondree and Peterson (2013) propose a framework of using constraint-based
data geo location. Their framework could bind data to a location with assurance in that it
can protect unexpected cloud data relocation. Geographic region options may be able to
resolve various concerns such as performance of web services, regulatory compliance of
sensitive data, and the delay added by an attacker.
An interest in ‘cloud and big data’ grows, so does importance of data protection and
trustworthiness. Liu et al. (2015) analyse security and privacy in big data application and
cloud computing. They propose a lifecycle of integrity verification for big data in cloud
computing. As the dataset in big data applications are very large and require heavy scale
processing, the security approaches related to big data and cloud need efficiency. They
discuss several effective and efficient security mechanism for integrity verification as
well as standard schemes. For example, homomorphic linear authenticator (HLA) or
homomorphic verifiable tag (HVT) are technologies that use verification metadata based
on homomorphic signatures to authenticate. This approach has evolved from standard
digital schemes (RSA and BLS). efficiency provable data possession (E-PDP) with
sampling can achieve better efficiency than secure provable data possession (S-PDP)
(Ateniese et al., 2011; Liu et al., 2015).

6 Some trends

We recognise three core elements of PaaS services (Figure 2). Multi-tenancy is the most
popular paradigm for achieving higher resource utilisation and economies of scale
 About PaaS security 13

(Guo et al., 2007). Isolation technologies should enable better security in multi-tenancy
situations (Factor et al., 2013). PaaS services can be co-located through multiple VMs
(Jasti et al., 2010) and physical resources can be shared transparently across VMs to the
benefit of multiple users.
We observe three major trends in PaaS security. First, multi-tenancy is here to stay,
and so are multi-tenancy related security concerns (Kabbedijk et al., 2015). As discussed
in Section 3, there are various isolation mechanisms that can help mitigate multi-tenancy
concerns. Such mechanisms need to be assessed in the context of security as well as in
other properties such as performance, availability, manageability, and configurability.
Effective and efficient data sharing across isolation mechanisms should not be
overlooked.
Second, a side-channel attack is still a frequent vulnerability primarily due to
multi-tenant paradigm. The thing to note is that while a proper isolation can achieve
security protection among tenants, existing countermeasures may not be applicable to a
new side channel attack; the appropriate countermeasure to address a particular
side-channel attack may be too specific.

Figure 2 PaaS resources and services often rely on virtualisation and encourage multi-tenancy.
resulting real and potential security threats are often mitigated through isolation

Third, due to the growth in cloud applications dealing with sensitive data, protection of
sensitive data saved in a cloud (PaaS specifically) should be a major concern. Encryption
in motion and at rest is one way of managing the problem. As data proliferate, so do
regulations and policies attempting to protect the data, particularly personal data. There
need to be explicit and flexible services that can deal with import/export controls, and
different and changing policies and regulations. For example, EU has issued EU data
protection directive6. Organisations or governmental agencies have to comply with such
polices. However, storage capacity may reside in the cloud (Gondree and Peterson,
2013). As the era of big data has inevitably arrived, we may expect to see more robust
methods of data geo location and protection to cope with increasingly more stringent
requirements.
14 D. Kim et al.

7 Conclusions

Throughout this paper, we have surveyed PaaS security and corresponding

countermeasures. One thing to keep in mind is that if real isolation is desired, then the
user needs to ‘own’ the whole stack and so multi-tenancy in any form is probably not a
good idea. In that case bare machine loads or sole-use of a hypervisor may be the only
safe solutions. Of course, this may come at the expense of utilisation efficiency of
computational and storage resources. We also show several major trends in PaaS security,
which will benefit the cloud security community greatly to build secure PaaS framework.

Acknowledgements

This work was supported in part through NSF Grants 0910767, 1330553, and 1318564,
the US Army Research Office (ARO) Grant W911NF-08-1-0105 managed by the NCSU
Science of Security Initiative and the NSA Science of Security Lablet, and by the IBM
Shared University Research and Fellowships program funding.

References
Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D.,
Rabkin, A., Stoica, I. et al. (2010) ‘A view of cloud computing’, Communications of the ACM,
Vol. 53, No. 4, pp.50–58.
Ateniese, G., Burns, R., Curtmola, R., Herring, J., Khan, O., Kissner, L., Peterson, Z. and Song, D.
(2011) ‘Remote data checking using provable data possession’, ACM Transactions on
Information and System Security (TISSEC), Vol. 14, No. 1, p.12.
Averitt, S., Bugaev, M., Peeler, A., Shaffer, H., Sills, E., Stein, S., Thompson, J. and Vouk, M.
(2007) ‘Virtual computing laboratory (vcl)’, in Proceedings of the International Conference
on the Virtual Computing Initiative, pp.1–6.
Aviram, A., Hu, S., Ford, B. and Gummadi, R. (2010) ‘Determinating timing channels in compute
clouds’, in Proceedings of the 2010 ACM Workshop on Cloud Computing Security Workshop,
ACM, pp.103–108.
Babcock, C. (2015) Gartner Gives Thumbs up to Docker Security [online]
http://www.informationweek.com/cloud/infrastructure-as-a-service/gartner-gives-thumbs-up-
todocker-security/d/d-id/1318612 (accessed February 2016).
Bell, D.E. and LaPadula, L.J. (1973) Secure Computer Systems: Mathematical Foundations,
Technical report, DTIC Document.
Bessani, A., Abbadi, I., Bugiel, S., Cesena, E., Deng, M., Gröne, M., Marnau, N., Nürnberger, S.,
Pasin, M. and Schirmer, N. (2012) ‘Tclouds: privacy and resilience for internet-scale critical
infrastructures’, European Research Activities in Cloud Computing, March, Chapter 6,
pp.160–186, Cambridge Scholars Publishing
Biba, K.J. (1977) Integrity Considerations for Secure Computer Systems, Technical report, DTIC
Document.
Bugiel, S., Nürnberger, S., Pöppelmann, T., Sadeghi, A.-R. and Schneider, T. (2011) ‘Amazonia:
when elasticity snaps back’, in Proceedings of the 18th ACM Conference on Computer and
Communications Security, ACM, pp.389–400.
Caron, E., Desprez, F. and Rouzaud-Cornabas, J. (2014) ‘Smart resource allocation to improve
cloud security’, in Security, Privacy and Trust in Cloud Systems, pp.103–143, Springer, Berlin
Heidelberg.
 About PaaS security 15

Deng, M., Nalin, M., Petkovi´C.M., Baroni, I. and Marco, A. (2012) ‘Towards trustworthy health
platform cloud’, in Secure Data Management, pp.162–175, Springer, Heidelberg.
Docker (2016) Docker CVE Database [online] https://www.docker.com/docker-cvedatabase
(accessed 4 February 2016).
Dorey, P. and Leite, A. (2011) ‘Commentary: cloud computing – a security problem or solution?’,
Information Security Technical Report, Vol. 16, No. 3, pp.89–96.
Factor, M., Hadas, D., Hamama, A., Har’El, N., Kolodner, E.K., Kurmus, A., Shulman-Peleg, A.
and Sorniotti, A. (2013) ‘Secure logical isolation for multi-tenancy in cloud storage’, in 2013
IEEE 29th Symposium on Mass Storage Systems and Technologies (MSST), IEEE, pp.1–5.
Fernandes, D., Soares, L., Gomes, J., Freire, M. and Inácio, P. (2013) ‘Security issues in cloud
environments: a survey’, International Journal of Information Security, pp.1–58.
Gondree, M. and Peterson, Z.N. (2013) ‘Geolocation of data in the cloud’, in Proceedings of the
Third ACM Conference on Data and Application Security and Privacy, ACM, pp.25–36.
Google (2015) What is Google App Engine? [online] https://cloud.google.com/appengine/
docs/whatisgoogleappengine (accessed 15 January 2016).
Gruss, D., Maurice, C., Fogh, A., Lipp, M. and Mangard, S. (2016) ‘Prefetch side-channel attacks:
bypassing SMAP and kernel ASLR’, in Proceedings of the 2016 ACM SIGSAC Conference on
Computer and Communications Security, ACM, pp.368–379.
Guo, C.J., Sun, W., Huang, Y., Wang, Z.H. and Gao, B. (2007) ‘A framework for native
multitenancy application development and management’, in The 9th IEEE International
Conference on E-Commerce Technology and the 4th IEEE International Conference on
Enterprise Computing, E-Commerce, and E-Services, 2007, CEC/EEE 2007, IEEE,
pp.551–558
Hewitt, S. (2015) Pro Docker, Apress.
Jasti, A., Shah, P., Nagaraj, R. and Pendse, R. (2010) ‘Security in multi-tenancy cloud’, in 2010
IEEE International Carnahan Conference on Security Technology (ICCST), IEEE, pp.35–41.
Juels, A. and Oprea, A. (2013) ‘New approaches to security and availability for cloud data’,
Communications of the ACM, Vol. 56, No. 2, pp.64–73.
Kabbedijk, J., Bezemer, C.P., Jansen, S. and Zaidman, A. (2015) ‘Defining multi-tenancy: a
systematic mapping study on the academic and the industrial perspective’, Journal of Systems
and Software, Vol. 100, pp.139–148, New York City.
Kim, D., Vouk, M. et al. (2014) ‘A survey of common security vulnerabilities and corresponding
countermeasures for saas’, in Globecom Workshops (GC Wkshps), IEEE, pp.59–63.
Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Kaashoek, M.F., Kohler, E. and Morris, R. (2007)
‘Information flow control for standard OS abstractions’, in ACM SIGOPS Operating Systems
Review, ACM, Vol. 41, pp.321–334.
Liu, C., Ranjan, R., Zhang, X., Yang, C. and Chen, J. (2015) ‘A big picture of integrity verification
of big data in cloud computing’, in Handbook on Data Centers, pp.631–645, Springer.
Lombardi, F. and Di Pietro, R. (2009) ‘KVMSEC: a security extension for linux kernel virtual
machines’, in Proceedings of the 2009 ACM Symposium on Applied Computing, ACM,
pp.2029–2034.
Lombardi, F. and Di Pietro, R. (2011) ‘Secure virtualization for cloud computing’, Journal of
Network and Computer Applications, Vol. 34, No. 4, pp.1113–1122.
Luo, S., Lin, Z., Chen, X., Yang, Z. and Chen, J. (2011) ‘Virtualization security for cloud
computing service’, in 2011 International Conference on Cloud and Service Computing
(CSC), IEEE, pp.174–179.
Mackay, M., Baker, T. and Al-Yasiri, A. (2012) ‘Security-oriented cloud computing platform for
critical infrastructures’, Computer Law & Security Review, Vol. 28, No. 6, pp.679–686.
Mell, P. and Grance, T. (2011) The Nist Definition of Cloud Computing, US Nat’l Inst. of Science
and Technology [online] http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.
16 D. Kim et al.

MITRE (2011) 2011 CWE/sans Top 25 Most Dangerous Software Error [online]
http://cwe.mitre.org/top25/ (accessed 6 April 2015).
Okamura, K. and Oyama, Y. (2010) ‘Load-based covert channels between Xen virtual machines’,
Proceedings of the 2010 ACM Symposium on Applied Computing – SAC ’10, p.173.
Osvik, D.A., Shamir, A. and Tromer, E. (2006) ‘Cache attacks and countermeasures: the case of
aes’, in Cryptographers? Track at the RSA Conference, pp.1–20, Springer.
Pasquier, T.F.M., Singh, J. and Bacon, J. (2015) ‘Information flow control for strong protection
with flexible sharing in paas’, in IC2E, International Workshop on Future of PaaS, IEEE.
Prasanth, A., Bajpei, M., Shrivastava, V. and Mishra, R.G. (2015) ‘Cloud computing: a survey of
associated services’, Book Chapter of Cloud Computing: Reviews, Surveys, Tools, Techniques
and Applications-An Open-Access eBook, HCTL Open, Hybrid Computing Technology Labs,
India.
Ristenpart, T. and Yilek, S. (2010) ‘When good randomness goes bad: virtual machine reset
vulnerabilities and hedging deployed cryptography’, in NDSS.
Ristenpart, T., Tromer, E., Shacham, H. and Savage, S. (2009) ‘Hey, you, get off of my cloud:
exploring information leakage in third-party compute clouds’, in Proceedings of the 16th ACM
Conference on Computer and Communications Security, ACM, pp.199–212.
Rodero-Merino, L., Vaquero, L.M., Caron, E., Muresan, A. and Desprez, F. (2012) ‘Building safe
paas clouds: a survey on security in multitenant software platforms’, Computers & Security,
Vol. 31, No. 1, pp.96–108.
Schaffer, H.E., Averitt, S.F., Hoit, M., Peeler, A., Sills, E.D., Vouk, M. et al. (2009) ‘NCSU’s
virtual computing lab: a cloud computing solution’, Computer, IEEE, Vol. 42, No. 7,
pp.94–97.
Sengupta, S., Kaulgud, V. and Sharma, V. (2011) ‘Cloud computing security–trends and research
directions’, in 2011 IEEE World Congress on Services (SERVICES), pp.524–531.
Subashini, S. and Kavitha, V. (2011) ‘A survey on security issues in service delivery models of
cloud computing’, Journal of Network and Computer Applications, Vol. 34, No. 1, pp.1–11.
Suzaki, K., Iijima, K., Yagi, T. and Artho, C. (2011) ‘Memory deduplication as a threat to the guest
OS’, Proceedings of the Fourth European Workshop on System Security – EUROSEC ’11,
pp.1–6.
Vaquero, L.M., Rodero-Merino, L. and Morán, D. (2011) ‘Locking the sky: a survey on IaaS cloud
security’, Computing, Vol. 91, No. 1, pp.93–118.
Wei, J., Zhang, X., Ammons, G., Bala, V. and Ning, P. (2009) ‘Managing security of virtual
machine images in a cloud environment’, in Proceedings of the 2009 ACM Workshop on
Cloud Computing Security, ACM, pp.91–96.
Wu, H.W.H., Ding, Y.D.Y., Winer, C. and Yao, L.Y.L. (2010) ‘Network security for virtual
machine in cloud computing’, 2010 5th International Conference on Computer Sciences and
Convergence Information Technology (ICCIT), 30 November, pp.18–21, IEEE.
Xiao, Z. and Xiao, Y. (2013) ‘Security and privacy in cloud computing’, Communications Surveys
Tutorials, IEEE, Vol. 15, No. 2, pp.843–859.
Xing, Y. and Zhan, Y. (2012) ‘Virtualization and cloud computing’, in Future Wireless Networks
and Information Systems, pp.305–312, Springer.
Zhang, Y., Juels, A., Reiter, M.K. and Ristenpart, T. (2012) ‘Cross-vm side channels and their use
to extract private keys’, in Proceedings of the 2012 ACM Conference on Computer and
Communications Security, ACM, pp.305–316.
Zhang, Y., Juels, A., Reiter, M.K. and Ristenpart, T. (2014) ‘Cross-tenant side-channel attacks in
PaaS clouds’, in Proceedings of the 2014 ACM SIGSAC Conference on Computer and
Communications Security, CCS’14, ACM, New York, NY, USA, pp.990–1003.
Zhou, Z., Reiter, M.K. and Zhang, Y. (2016) ‘A software approach to defeating side channels in
last-level caches’, in Proceedings of the 2016 ACM SIGSAC Conference on Computer and
Communications Security, pp.871–882, ACM.
 About PaaS security 17

Notes
1 https://cloud.google.com/products/
2 http://heartbleed.com
3 http://irods.org
4 http://www.docker.com
5 http://www.google.com/trends/explore#q=docker
6 http://ec.europa.eu/justice/data-protection/index_en.htm

View publication stats