Securing Access to Cloud Computing for Critical Infrastructure

Doctoral thesis English OPEN
Younis, YA

Cloud computing offers cost effective services on-demand which encourage critical infrastructure providers to consider migrating to the cloud. Critical infrastructures are considered as a backbone of modern societies such as power plants and water. Information in cloud computing is likely to be shared among different entities, which could have various degrees of sensitivity. This requires robust isolation and access control mechanisms. Although various access control models and policies have been developed, they cannot fulfil requirements for a cloud based access control system. The reason is that cloud computing has a diverse sets of security requirements and unique security challenges such as multi-tenant and heterogeneity of security policies, rules and domains.\ud \ud This thesis provides a detailed study of cloud computing security challenges and threats, which were used to identify security requirements for various critical infrastructure providers. We found that an access control system is a crucial security requirement for the surveyed critical infrastructure providers. Furthermore, the requirement analysis was used to propose a new criteria to evaluate access control systems for cloud computing. Moreover, this work presents a new cloud based access control model to meet the identified cloud access control requirements. The model does not only ensure the secure sharing of resources among potential untrusted tenants, but also has the capacity to support different access permissions for the same cloud user.\ud \ud Our focused in the proposed model is the lack of data isolation in lower levels (CPU caches), which could lead to bypass access control models to gain some sensitive information by using cache side-channel attacks. Therefore, the thesis investigates various real attack scenarios and the gaps in existing mitigation approaches. It presents a new Prime and Probe cache side-channel attack, which can give detailed information about addresses accessed by a virtual machine with no need for any information about cache sets accessed by the virtual machine. The design, implementation and evaluation of a proposed solution preventing cache side-channel attacks are also presented in the thesis. It is a new lightweight solution, which introduces very low overhead (less than 15,000 CPU cycles). It can be applied in any operating system and prevents cache side-channel attacks in cloud computing. The thesis also presents a new detecting cache side-channel attacks solution. It focuses on the infrastructure used to host cloud computing tenants by counting cache misses caused by a virtual machine. The detection solutions has 0% false negative and 15% false positive.
  • References (28)
    28 references, page 1 of 3

    Y. A. Younis, K. Kifayat, and M. Merabti, “An Access Control Model for Cloud Computing,” J. Inf. Secur. Appl., vol. 19, no. 1, pp. 45-60, Feb. 2015 A. Younis, Y., Kifayat, K., Shi, Q., & Askwith, B. A New Prime and Probe Cache SideChannel Attack for Cloud Computing. In the 13th IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC-2015) (p. 7), Liverpool UK. 2015.

    A. Younis, Y., Kifayat, K., & Merabti, M. A Novel Evaluation Criteria to Cloud Based Access Control Models. In The 11th IEEE International Conference on Innovations in Information Technology (IIT'15) (p. 6), Dubai, UAE. 2015.

    A Younis, Y., Kifayat, K. & Merabti, M., 2014. Cache Side-Channel Attacks in Cloud Computing. The Second International Conference on Cloud Security Management ICCSM-2014. (p. 10), Reading, UK. 2014.

    A. Younis, Y., Merabti, M. & Kifayat, K. Cloud Computing Security & Privacy Challenges. In The 15th annual post graduate symposium on the convergence of telecommunications, networking and broadcasting. p. 6, Liverpool, UK. 2014.

    L. Domnitser, A. Jaleel, J. Loew, N. Abu-Ghazaleh, and D. Ponomarev, “Nonmonopolizable caches,” ACM Trans. Archit. Code Optim., vol. 8, no. 4, pp. 1-21, Jan.

    [79] J. Kong and O. Aciicmez, “Architecting against software cache-based side-channel attacks,” IEEE Trans. Comput., vol. 62, no. 7, pp. 1276-1288, 2013.

    [77] [78] [80] [81] [82] [83] [84] [85] [86] [87] D. Bernstein, “OProfile overhead,”. 2014.

    [88] A. Almutairi, M. Sarfraz, and S. Basalamah, “A Distributed Access Control Architecture for Cloud Computing,” IEEE Software, vol. 29, no. 2, pp. 36-44, 2012.

    [89] D. F. Ferraiolo, J. F. Barkley, and D. R. Kuhn, “A role-based access control model and reference implementation within a corporate intranet,” ACM Trans. Inf. Syst. Secur., vol. 2, no. 1, pp. 34-64, Feb. 1999.

  • Metrics
    No metrics available
Share - Bookmark