Professional Documents
Culture Documents
net/publication/323374826
CITATIONS READS
0 346
3 authors, including:
Some of the authors of this publication are also working on these related projects:
NSF ITEST funded research "Scaling up STEM Learning with the VCL" View project
All content following this page was uploaded by Donghoon Kim on 02 December 2020.
Donghoon Kim*
Department of Computer Science,
Arkansas State University,
Jonesboro, AR, USA
Email: dhkim@astate.edu
*Corresponding author
Henry E. Schaffer
Office of Information Technology,
North Carolina State University,
Raleigh, NC, USA
Email: hes@ncsu.edu
Reference to this paper should be made as follows: Kim, D., Schaffer, H.E.
and Vouk, M.A. (xxxx) ‘About PaaS security’, Int. J. Cloud Computing,
Vol. X, No. Y, pp.xxx–xxx.
Biographical notes: Donghoon Kim received his PhD from the North Carolina
State University, USA. He is an Assistant Professor in Department of
Computer Science, Arkansas State University, USA. His research interests
include cloud computing security, high-performance computing, and software
engineering. Previously, he was a Software Engineer at the Samsung
Electronics, Korea after receiving his Master’s of Science at the Auburn
University, AL, USA.
Henry E. Schaffer received his PhD from the North Carolina State University.
He is a Professor Emeritus of Genetics and Biomathematics, and Coordinator
of Special IT Projects and Faculty Collaboration in the Office of Information
Technology at the North Carolina State University. He was a Co-PI of
SURAnet, one of the initial regional networks of the NSFnet. He has continued
working on the uses of ICT, with emphasis on cloud computing, in research
and education. He recently received an Endeavour Award from the North
Carolina Research and Education Network (NCREN) for his contributions to
education in North Carolina. He is a member of the ACM, Sigma Xi and the
IEEE Computer Society where he serves on the Editorial Advisory Board of the
IEEE CS IT Professional.
Mladen Alan Vouk received his PhD from the King’s College, University of
London, UK. He is a Distinguished Professor in Department of Computer
Science. He is also an Associate Vice Chancellor for Research Development,
and Director of the NC State Data Science Initiative. He has extensive
experience in both commercial software production and academic computing.
He is the author/co-author of over 300 publications. His interests include
software and security engineering, bio-informatics, scientific computing and
analytics, information technology assisted education, and high-performance
computing and clouds. He is a member of the IFIP Working Group 2.5 on
numerical software, and a recipient of the IFIP Silver Core award. He is an
IEEE Fellow, and a recipient of the IEEE Distinguished Service and Gold Core
Awards. He is a member of several IEEE societies, and of ASEE, ASQ (Senior
Member), ACM, and Sigma Xi.
This paper is a revised and expanded version of a paper entitled ‘PaaS security
countermeasures: a survey’ presented at 3rd International IBM Cloud Academy
Conference ICACON 2015, Budapest, Hungary, 21 May 2015.
1 Introduction
2 Background
Cloud computing offers services over the internet. We define the boundary among SaaS,
PaaS, and IaaS is using National Institute of Standards and Technology (NIST) cloud
model and its service layers as well as essential characteristics and deployment models
(Mell and Grance, 2011). The three service layers can be summarised as follows
(Armbrust et al., 2010; Mell and Grance, 2011):
4 D. Kim et al.
• SaaS: this is the application layer that most users access remotely. A SaaS
application uses services made available through PaaS, and IaaS, as well as its own,
application specific, functions. At this level, most of the vulnerabilities stem from
issues in the application itself. However, PaaS weaknesses such as those in the
underlying operating system or hypervisor may also manifest.
• PaaS: PaaS is the platform on which end-user facing applications are built upon. The
middleware PaaS offers may range from operating systems (OS), to hypervisors, to
programming language support, to different libraries and services, and service
construction tools. PaaS allows for higher-level programming with dramatically
reduced complexity; the consumer does not manage or control the underlying cloud
infrastructure including network, servers, OS or storage. Multi-tenant related
vulnerabilities are one of major concerns.
• Infrastructure as a service (IaaS): IaaS offers physical and virtual resources,
interconnection, and security. Deployment models include private cloud, community
cloud, public cloud, and hybrid cloud. IaaS vulnerabilities are the usual ones for data
centres including physical access and firewalls.
PaaS illustration shown in Figure 1 includes execution environment (e.g., GAE, .NET,
and JVM) and programming environment (e.g., APIs, IDEs, and Django). For example,
GAE runtime environment supports apps written in a variety of programming languages,
such as java, python, PHP, ad go (Google, 2015). GAE includes several features that
make it easy to build and deploy an application:
1 Persistent storage with queries, sorting and transactions.
2 Automatic scaling and load balancing.
3 Asynchronous task queues for performing work outside the scope of a request.
4 Scheduled tasks for triggering events at specified times or regular intervals.
5 Integration with other Google cloud services and APIs1, such as computing, storage,
networking, big data, services, and management.
GAE also provides development environments, software development kits (SDK).
There are many PaaS tools and environments. Their goal is to quickly and efficiently
design and deploy applications, and have them function reliably. The important thing to
remember is that security flaws that may exist in the PaaS layer can propagate to the SaaS
layer. A classical example may be vulnerabilities that may occur in the hypervisor or in
the security tools supplied to applications, such as SSL vulnerabilities (e.g., heart bleed
vulnerability2).
An example of an open-source cloud computing platform specifically designed for
education and research is VCL (Averitt et al., 2007; Schaffer et al., 2009). VCL supports
IaaS, Paas and SaaS. VCL environments can range from a simple software application to
high-performance computing (HPC) resources. From the point of view of security it
offers
1 a variety of authentication options (e.g., LDAP, shibboleth)
2 high security and isolation (e.g., IP-lock, local firewalls, point-to-point VLANs and
VPNs, one-time passwords, feedback confirmation, timeout, traffic monitoring)
3 sophisticated resource access and mapping privilege tree
About PaaS security 5
When considering PaaS security, we believe the problem is driven by virtualisation (and
utilisation) encouraged multi-tenancy with the primary problem prevention tool being
appropriate isolation of users, resources, and data. Table 1 provides an overview.
PaaS elements range from OS, to hypervisors and virtual platforms (VP) with java and
.NET. Unfortunately, such platforms may not offer fully secured hosting environments
due to the limitation of isolation mechanism. Being applications themselves, PaaS
elements may also harbour all the usual vulnerabilities that SaaS layer elements do (Kim
et al., 2014).
Rodero-Merino et al. (2012) discuss security vulnerability of clouds where tenants
share PaaS platform services and host multiple user applications on the same resources.
To achieve safe multi-tenancy, each application should run in an isolated environment.
They discuss the limitation of the OS as a hosting environments. For example, PaaS
providers may prefer to offer simplified abstractions that ease the development tasks.
However, the OS may not support a set of applications that could be run in the cloud.
Instead, each application could use containers that encompass the resources associated
with a particular task. They note three isolation options:
1 isolation at OS level
2 isolation by standard java security
3 isolation at VM level.
They summarise the main open security issues at different layers (i.e., OS, java VM, and
container) of a java PaaS platform and the security features for different VPs. They
expect that container technologies could be widely used to run user components. In fact,
Docker4 (2016) is such an open platform released in March 2013 that is growing in
popularity (see Google trends5). It uses resource isolation features of the Linux kernel and
provides lightweight containers to run processes in isolation. While Docker (2016),
Babcock (2016) and Hewitt (2015) solve a number of issues, the Docker solution is not
vulnerability free.
Mackay et al. (2012) proposed an integrated platform to reinforce the integrity and
security of cloud services. They present key features of the proposed architecture:
1 Service planning: service level agreement (SLA) should be negotiated.
2 End-to-end security: encryption techniques and authentication mechanisms.
3 Monitoring and enforcement: performance and stability metering and IDS (intrusion
detection system).
Deng et al. (2012) address requirements in the context of healthcare applications. They
identified core requirements for building trusted cloud architectures using Bessani’s et al.
(2012) work:
About PaaS security 7
1 separation of duties
2 isolation
3 verifiability of trustworthiness
4 integration into subscriber’s IT infrastructure.
Based on such core requirements, Deng et al. propose a design of a trustworthy
healthcare platform for PaaS by providing several security functionalities including
identity management, authorisation, and log services, access control and automatic audit
tool. Their platform is in compliance with EU data protection and privacy legislation.
Luo et al. (2011) present a virtualisation security framework based on the
requirements and solutions. The virtual security framework could have two modules such
as virtual system security with three layers [e.g., physical resources, virtual machine
manager (VMM), and VM] and virtualisation security management. They address virtual
system security with four parts:
1 VM system security architecture: they show three VM security system architectures
by comparing each structure in terms of efficiency and flexibility
2 access control: they show an access control framework about how resources flow
and communicate between VMs and VMM based on access control policy
3 virtual firewall (VF)
4 vIDS/vIPS: virtual intrusion detection system (vIDS) virtual intrusion prevention
system (vIPS).
The virtualisation security management could be conducted by either VMM or security
control layer, which has four roles: patch management, VM migration management, VM
image management, and audit.
Pasquier et al. (2015) explain how data across applications can be shared in cloud
using isolation mechanisms. They present information flow control (IFC) as a flexible
option; IFC is an approach to security that allows application writers to control how data
flows between the pieces of an application and the outside world (Krohn et al., 2007).
They use tags and labels for secrecy (i.e., confidentiality) and integrity that regulate flows
throughout the system; they use BLP model for secrecy and Biba model for integrity
(Bell and LaPadula, 1973; Biba, 1977).
4 Virtualisation
caches). They suggest several ways to avoid such side-channel attacks. First, cloud
providers may obfuscate both the internal structure of their services and the placement
policy in order to complicate an adversary’s attempts to place a VM on the same physical
machine as its target. Second, they enumerate many countermeasures against
side-channel attacks. But they also claim that such countermeasures have drawbacks;
these solutions are either impractical due to high overhead and non-standard hardware,
application-specificity, or an insufficiency that prevents full mitigation of the risk.
Avoiding co-residence would be an ultimate countermeasure against cross-VM attacks.
Finally, they claim that the best solution is simply to expose the risk and have the user
decide.
Okamura and Oyama (2010) evaluate the threat of CPU-based covert channels
between VMs on the XEN hypervisor where different VMs share a physical CPU (e.g., a
single-core uniprocessor). They have developed a system called CCCV (covert channels
using CPU loads between virtual machines) that creates a covert channel and
communicates data secretly; this enables processes in DomU virtual machines to
communicate with each other using a physical CPU as the communication medium.
CCCV consists of a sender process and a receiver process. A sender process runs in a
domain from which a malicious program sends secrets (e.g., a credit card number and a
password). A receiver process runs in a domain in which a peer of the malicious program
receives the secret. The communication failure happens when the weights of the credit
scheduler for the sender and receiver differ. However, they show that success of
communication depends on whether the CPU loads of processes other than the sender and
receiver vary significantly during communication.
To avoid timing side-channel attacks, Aviram et al. (2010) propose a timing channel
control based on provider-enforced deterministic execution by collecting all internal
timing channels into a single controllable channel at the cloud’s border, rather than
eliminating timing channels within a shared cloud domain. The cloud provider assigns
each job onto shared hardware within the cloud with statistical multiplexing and returns
the job’s output, which depends only on explicit inputs, not on timing of operations
within the cloud. Zhang et al. (2012) detail the construction of an access-driven
side-channel attack, where a malicious virtual machine (VM) extracts fine-grained
information (e.g., private ElGamal decryption key) from a co-resident victim VM running
Gnu privacy guard (GnuPG). They introduce numerous sources of channel noise and
develop a sequence of mechanisms to refine outputs from a support vector machine
(SVM) to reduce such sources of noise. They discuss several countermeasures with
benefits and downsides, such as avoiding co-residency, side-channel resistant algorithms,
and modifying CPU scheduling for the XEN credit scheduler. Zhang et al. (2014)
conducted cache-based side channel attacks in commercial cloud, PaaS that extract
sensitive application data (e.g., the number of items in a shopping cart). The attacker
instance in their framework can trace a victim’s execution paths inside shared
executables; it should monitor over time to trace the victim’s execution path in the
control flow graph (CFG). They describe that the existing countermeasures to
cache-based side channels may not be applicable to their attacks. Instead, they introduce
several countermeasures:
About PaaS security 9
libraries. Also, they show that overhead due to the additional integrity checks is relatively
small.
Wei et al. (2009) explore the problem of securely managing VM images. They
propose an imaging management system that controls access to VM images by granting
access permission. Image filters detect malicious images and remove user-specific
sensitive content from the images. These approach, conducted as the general
countermeasures, can be used on any cloud, for example, Amazon elastic computer cloud
(EC2), to protect sensitive information. In practice, Bugiel et al. (2011) could extract
highly sensitive information (e.g., passwords, keys, and credentials) from publicly
available Amazon machine images (AMIs) using an automated tool they developed. The
tool discovers the sensitive information (i.e., private keys and credentials) usually in the
home directory of users, the home directory of a super user (i.e., root), and common
locations for programs and configuration files. They suggest some countermeasures that
would require fundamental changes to the architecture by integrating Amazon specific
services into the EC2 cloud app store.
Suzaki et al. (2011) describe memory disclosure attack on memory de-duplication
[i.e., copy-on-write (COW)] vulnerability on VMs. They show that an attacker can detect
the existence of specific running applications and a downloaded file on another VM by
using the time difference in write access time between de-duplicated and
non-deduplicated page because de-duplication process takes longer than
non-deduplication process. Candidate pages for de-duplication are examined during a
certain amount of time in order to check if they are identical. A countermeasure to this
attack could be read-only pages for memory de-duplication since such pages do not need
to be re-written (overwritten).
Ristenpart et al. (2010) investigate the failure of random number generators (RNGs)
in a VM due to reuse of VM snapshots. Because of the limitation of RNSs in a VM, they
suggest guest RNS services with hardware-based RNGs or other external sources; they
have developed a general framework for hedging cryptographic operations.
Wu et al. (2010) present a novel virtual network model against the break of isolation.
Most hypervisors offer virtual network to connect VMs by using bridge and route while
remaining isolation among VMs. However, isolation is easy to break in the current virtual
network because all VMs share the bridge and route either working as a virtual hub or
virtual switch. They suggest that a virtual network model should have three layers:
1 Routing: a set of unique static IDs can be assigned to a shared network by the
administrator.
2 Firewall: this layer is to prevent both spoofing attacks and modification of routing
table from any packet (i.e., ARPing).
3 Shared network layer: each VM has a set of subnets.
Protecting data and maintaining data integrity is important for all cloud service delivery
models. PaaS is the key player in providing end-to-end data security and integrity in
multi-tenant situations since PaaS can be implemented as an independent framework. The
About PaaS security 11
PaaS framework needs to either directly or indirectly support four types of data
interaction modes:
1 total isolation
2 computations-to-data
3 data-to-computations
4 open data.
In all cases encryption at rest and encryption in motion must be an option, as should be
the ability to compartmentalise and isolate access and scope individual users see and
access.
Total isolation mode usually applies to very confidential data category. It may pertain
to proprietary data and/or federally regulated data that should be only accessible and
shared in a very isolated environment. Private clouds are probably the only suitable
environment for that, and even then one may want to consider more restrictive physical
solutions, e.g., a sensitive compartmented information facility (SCIF).
Computations-to-data category may also involve a very large amounts of data, which
is confidential information, that should be available only to authorised and authenticated
individuals and devices. Datasets of that type may be in the terabyte and even petabyte
range, and may not be easily moved around. On the other hand, there may be situations
where we may not want to move the data in this category out of the original storage even
if the size is not an issue. For example, local laws or policies may not allow that.
Therefore, mechanisms need to exist whereby computations using the data (e.g.,
analytics) are performed close to the data, i.e., we move computations to the data. PaaS
support would typically be needed for this type of operations.
Data-to-computations category is more along the lines that we often see today. Data
in this category can typically be downloaded or moved to other clouds or locations such
as end-user desktops. For example, relatively low volume data visualisations may fall
into this category, as may relatively small datasets that do not take long to download, etc.
This data may also be restricted to authorised and authenticated users.
Open data are made available to a broader public and may not require
any identification of the end user. If the size is an issue, then security-aware
computations-to-data model of access may be used, if not, data-to-computations may be
sufficient.
However, it is important to note that in order for cloud services, and PaaS layer, to be
reliable, trustworthy, secure and safe, the PaaS framework needs to collect provenance
information about the users, data sources, transactions on the data, users, and so on. This
becomes particularly important if data may have export/import or confidentiality
restrictions. Hence, PaaS services may need to worry about compliance issues (including
geo location and privacy). For example, some or all of the data may need to be collected
over encrypted channels, and in some cases encryption at rest will be a must. It is also
important that the data and interfaces to the data and the framework platforms are
usability aware (since that may have human element security implications).
Subashini and Kavitha (2011) detail data security for overall cloud service delivery
models. They indicate that additional security checks should be applied to the sensitive
data to ensure data security and prevent breaches; a PaaS provider has to offer strong
assurances that the data remains inaccessible between applications. They claim that a
12 D. Kim et al.
6 Some trends
We recognise three core elements of PaaS services (Figure 2). Multi-tenancy is the most
popular paradigm for achieving higher resource utilisation and economies of scale
About PaaS security 13
(Guo et al., 2007). Isolation technologies should enable better security in multi-tenancy
situations (Factor et al., 2013). PaaS services can be co-located through multiple VMs
(Jasti et al., 2010) and physical resources can be shared transparently across VMs to the
benefit of multiple users.
We observe three major trends in PaaS security. First, multi-tenancy is here to stay,
and so are multi-tenancy related security concerns (Kabbedijk et al., 2015). As discussed
in Section 3, there are various isolation mechanisms that can help mitigate multi-tenancy
concerns. Such mechanisms need to be assessed in the context of security as well as in
other properties such as performance, availability, manageability, and configurability.
Effective and efficient data sharing across isolation mechanisms should not be
overlooked.
Second, a side-channel attack is still a frequent vulnerability primarily due to
multi-tenant paradigm. The thing to note is that while a proper isolation can achieve
security protection among tenants, existing countermeasures may not be applicable to a
new side channel attack; the appropriate countermeasure to address a particular
side-channel attack may be too specific.
Figure 2 PaaS resources and services often rely on virtualisation and encourage multi-tenancy.
resulting real and potential security threats are often mitigated through isolation
Third, due to the growth in cloud applications dealing with sensitive data, protection of
sensitive data saved in a cloud (PaaS specifically) should be a major concern. Encryption
in motion and at rest is one way of managing the problem. As data proliferate, so do
regulations and policies attempting to protect the data, particularly personal data. There
need to be explicit and flexible services that can deal with import/export controls, and
different and changing policies and regulations. For example, EU has issued EU data
protection directive6. Organisations or governmental agencies have to comply with such
polices. However, storage capacity may reside in the cloud (Gondree and Peterson,
2013). As the era of big data has inevitably arrived, we may expect to see more robust
methods of data geo location and protection to cope with increasingly more stringent
requirements.
14 D. Kim et al.
7 Conclusions
Acknowledgements
This work was supported in part through NSF Grants 0910767, 1330553, and 1318564,
the US Army Research Office (ARO) Grant W911NF-08-1-0105 managed by the NCSU
Science of Security Initiative and the NSA Science of Security Lablet, and by the IBM
Shared University Research and Fellowships program funding.
References
Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D.,
Rabkin, A., Stoica, I. et al. (2010) ‘A view of cloud computing’, Communications of the ACM,
Vol. 53, No. 4, pp.50–58.
Ateniese, G., Burns, R., Curtmola, R., Herring, J., Khan, O., Kissner, L., Peterson, Z. and Song, D.
(2011) ‘Remote data checking using provable data possession’, ACM Transactions on
Information and System Security (TISSEC), Vol. 14, No. 1, p.12.
Averitt, S., Bugaev, M., Peeler, A., Shaffer, H., Sills, E., Stein, S., Thompson, J. and Vouk, M.
(2007) ‘Virtual computing laboratory (vcl)’, in Proceedings of the International Conference
on the Virtual Computing Initiative, pp.1–6.
Aviram, A., Hu, S., Ford, B. and Gummadi, R. (2010) ‘Determinating timing channels in compute
clouds’, in Proceedings of the 2010 ACM Workshop on Cloud Computing Security Workshop,
ACM, pp.103–108.
Babcock, C. (2015) Gartner Gives Thumbs up to Docker Security [online]
http://www.informationweek.com/cloud/infrastructure-as-a-service/gartner-gives-thumbs-up-
todocker-security/d/d-id/1318612 (accessed February 2016).
Bell, D.E. and LaPadula, L.J. (1973) Secure Computer Systems: Mathematical Foundations,
Technical report, DTIC Document.
Bessani, A., Abbadi, I., Bugiel, S., Cesena, E., Deng, M., Gröne, M., Marnau, N., Nürnberger, S.,
Pasin, M. and Schirmer, N. (2012) ‘Tclouds: privacy and resilience for internet-scale critical
infrastructures’, European Research Activities in Cloud Computing, March, Chapter 6,
pp.160–186, Cambridge Scholars Publishing
Biba, K.J. (1977) Integrity Considerations for Secure Computer Systems, Technical report, DTIC
Document.
Bugiel, S., Nürnberger, S., Pöppelmann, T., Sadeghi, A.-R. and Schneider, T. (2011) ‘Amazonia:
when elasticity snaps back’, in Proceedings of the 18th ACM Conference on Computer and
Communications Security, ACM, pp.389–400.
Caron, E., Desprez, F. and Rouzaud-Cornabas, J. (2014) ‘Smart resource allocation to improve
cloud security’, in Security, Privacy and Trust in Cloud Systems, pp.103–143, Springer, Berlin
Heidelberg.
About PaaS security 15
Deng, M., Nalin, M., Petkovi´C.M., Baroni, I. and Marco, A. (2012) ‘Towards trustworthy health
platform cloud’, in Secure Data Management, pp.162–175, Springer, Heidelberg.
Docker (2016) Docker CVE Database [online] https://www.docker.com/docker-cvedatabase
(accessed 4 February 2016).
Dorey, P. and Leite, A. (2011) ‘Commentary: cloud computing – a security problem or solution?’,
Information Security Technical Report, Vol. 16, No. 3, pp.89–96.
Factor, M., Hadas, D., Hamama, A., Har’El, N., Kolodner, E.K., Kurmus, A., Shulman-Peleg, A.
and Sorniotti, A. (2013) ‘Secure logical isolation for multi-tenancy in cloud storage’, in 2013
IEEE 29th Symposium on Mass Storage Systems and Technologies (MSST), IEEE, pp.1–5.
Fernandes, D., Soares, L., Gomes, J., Freire, M. and Inácio, P. (2013) ‘Security issues in cloud
environments: a survey’, International Journal of Information Security, pp.1–58.
Gondree, M. and Peterson, Z.N. (2013) ‘Geolocation of data in the cloud’, in Proceedings of the
Third ACM Conference on Data and Application Security and Privacy, ACM, pp.25–36.
Google (2015) What is Google App Engine? [online] https://cloud.google.com/appengine/
docs/whatisgoogleappengine (accessed 15 January 2016).
Gruss, D., Maurice, C., Fogh, A., Lipp, M. and Mangard, S. (2016) ‘Prefetch side-channel attacks:
bypassing SMAP and kernel ASLR’, in Proceedings of the 2016 ACM SIGSAC Conference on
Computer and Communications Security, ACM, pp.368–379.
Guo, C.J., Sun, W., Huang, Y., Wang, Z.H. and Gao, B. (2007) ‘A framework for native
multitenancy application development and management’, in The 9th IEEE International
Conference on E-Commerce Technology and the 4th IEEE International Conference on
Enterprise Computing, E-Commerce, and E-Services, 2007, CEC/EEE 2007, IEEE,
pp.551–558
Hewitt, S. (2015) Pro Docker, Apress.
Jasti, A., Shah, P., Nagaraj, R. and Pendse, R. (2010) ‘Security in multi-tenancy cloud’, in 2010
IEEE International Carnahan Conference on Security Technology (ICCST), IEEE, pp.35–41.
Juels, A. and Oprea, A. (2013) ‘New approaches to security and availability for cloud data’,
Communications of the ACM, Vol. 56, No. 2, pp.64–73.
Kabbedijk, J., Bezemer, C.P., Jansen, S. and Zaidman, A. (2015) ‘Defining multi-tenancy: a
systematic mapping study on the academic and the industrial perspective’, Journal of Systems
and Software, Vol. 100, pp.139–148, New York City.
Kim, D., Vouk, M. et al. (2014) ‘A survey of common security vulnerabilities and corresponding
countermeasures for saas’, in Globecom Workshops (GC Wkshps), IEEE, pp.59–63.
Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Kaashoek, M.F., Kohler, E. and Morris, R. (2007)
‘Information flow control for standard OS abstractions’, in ACM SIGOPS Operating Systems
Review, ACM, Vol. 41, pp.321–334.
Liu, C., Ranjan, R., Zhang, X., Yang, C. and Chen, J. (2015) ‘A big picture of integrity verification
of big data in cloud computing’, in Handbook on Data Centers, pp.631–645, Springer.
Lombardi, F. and Di Pietro, R. (2009) ‘KVMSEC: a security extension for linux kernel virtual
machines’, in Proceedings of the 2009 ACM Symposium on Applied Computing, ACM,
pp.2029–2034.
Lombardi, F. and Di Pietro, R. (2011) ‘Secure virtualization for cloud computing’, Journal of
Network and Computer Applications, Vol. 34, No. 4, pp.1113–1122.
Luo, S., Lin, Z., Chen, X., Yang, Z. and Chen, J. (2011) ‘Virtualization security for cloud
computing service’, in 2011 International Conference on Cloud and Service Computing
(CSC), IEEE, pp.174–179.
Mackay, M., Baker, T. and Al-Yasiri, A. (2012) ‘Security-oriented cloud computing platform for
critical infrastructures’, Computer Law & Security Review, Vol. 28, No. 6, pp.679–686.
Mell, P. and Grance, T. (2011) The Nist Definition of Cloud Computing, US Nat’l Inst. of Science
and Technology [online] http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.
16 D. Kim et al.
MITRE (2011) 2011 CWE/sans Top 25 Most Dangerous Software Error [online]
http://cwe.mitre.org/top25/ (accessed 6 April 2015).
Okamura, K. and Oyama, Y. (2010) ‘Load-based covert channels between Xen virtual machines’,
Proceedings of the 2010 ACM Symposium on Applied Computing – SAC ’10, p.173.
Osvik, D.A., Shamir, A. and Tromer, E. (2006) ‘Cache attacks and countermeasures: the case of
aes’, in Cryptographers? Track at the RSA Conference, pp.1–20, Springer.
Pasquier, T.F.M., Singh, J. and Bacon, J. (2015) ‘Information flow control for strong protection
with flexible sharing in paas’, in IC2E, International Workshop on Future of PaaS, IEEE.
Prasanth, A., Bajpei, M., Shrivastava, V. and Mishra, R.G. (2015) ‘Cloud computing: a survey of
associated services’, Book Chapter of Cloud Computing: Reviews, Surveys, Tools, Techniques
and Applications-An Open-Access eBook, HCTL Open, Hybrid Computing Technology Labs,
India.
Ristenpart, T. and Yilek, S. (2010) ‘When good randomness goes bad: virtual machine reset
vulnerabilities and hedging deployed cryptography’, in NDSS.
Ristenpart, T., Tromer, E., Shacham, H. and Savage, S. (2009) ‘Hey, you, get off of my cloud:
exploring information leakage in third-party compute clouds’, in Proceedings of the 16th ACM
Conference on Computer and Communications Security, ACM, pp.199–212.
Rodero-Merino, L., Vaquero, L.M., Caron, E., Muresan, A. and Desprez, F. (2012) ‘Building safe
paas clouds: a survey on security in multitenant software platforms’, Computers & Security,
Vol. 31, No. 1, pp.96–108.
Schaffer, H.E., Averitt, S.F., Hoit, M., Peeler, A., Sills, E.D., Vouk, M. et al. (2009) ‘NCSU’s
virtual computing lab: a cloud computing solution’, Computer, IEEE, Vol. 42, No. 7,
pp.94–97.
Sengupta, S., Kaulgud, V. and Sharma, V. (2011) ‘Cloud computing security–trends and research
directions’, in 2011 IEEE World Congress on Services (SERVICES), pp.524–531.
Subashini, S. and Kavitha, V. (2011) ‘A survey on security issues in service delivery models of
cloud computing’, Journal of Network and Computer Applications, Vol. 34, No. 1, pp.1–11.
Suzaki, K., Iijima, K., Yagi, T. and Artho, C. (2011) ‘Memory deduplication as a threat to the guest
OS’, Proceedings of the Fourth European Workshop on System Security – EUROSEC ’11,
pp.1–6.
Vaquero, L.M., Rodero-Merino, L. and Morán, D. (2011) ‘Locking the sky: a survey on IaaS cloud
security’, Computing, Vol. 91, No. 1, pp.93–118.
Wei, J., Zhang, X., Ammons, G., Bala, V. and Ning, P. (2009) ‘Managing security of virtual
machine images in a cloud environment’, in Proceedings of the 2009 ACM Workshop on
Cloud Computing Security, ACM, pp.91–96.
Wu, H.W.H., Ding, Y.D.Y., Winer, C. and Yao, L.Y.L. (2010) ‘Network security for virtual
machine in cloud computing’, 2010 5th International Conference on Computer Sciences and
Convergence Information Technology (ICCIT), 30 November, pp.18–21, IEEE.
Xiao, Z. and Xiao, Y. (2013) ‘Security and privacy in cloud computing’, Communications Surveys
Tutorials, IEEE, Vol. 15, No. 2, pp.843–859.
Xing, Y. and Zhan, Y. (2012) ‘Virtualization and cloud computing’, in Future Wireless Networks
and Information Systems, pp.305–312, Springer.
Zhang, Y., Juels, A., Reiter, M.K. and Ristenpart, T. (2012) ‘Cross-vm side channels and their use
to extract private keys’, in Proceedings of the 2012 ACM Conference on Computer and
Communications Security, ACM, pp.305–316.
Zhang, Y., Juels, A., Reiter, M.K. and Ristenpart, T. (2014) ‘Cross-tenant side-channel attacks in
PaaS clouds’, in Proceedings of the 2014 ACM SIGSAC Conference on Computer and
Communications Security, CCS’14, ACM, New York, NY, USA, pp.990–1003.
Zhou, Z., Reiter, M.K. and Zhang, Y. (2016) ‘A software approach to defeating side channels in
last-level caches’, in Proceedings of the 2016 ACM SIGSAC Conference on Computer and
Communications Security, pp.871–882, ACM.
About PaaS security 17
Notes
1 https://cloud.google.com/products/
2 http://heartbleed.com
3 http://irods.org
4 http://www.docker.com
5 http://www.google.com/trends/explore#q=docker
6 http://ec.europa.eu/justice/data-protection/index_en.htm