SECURING ELASTIC APPLICATIONS ON MOBILE DEVICES FOR CLOUD COMPUTING Xinwen Zhang,Joshua Schiffman,Simon Gibbs 2009 ACM Cloud Computing Security Workshop (CCSW) 1
Outline 2 Introduction Issue and challenges Elastic Framework Architecture Threat Model Security Objectives Authentication Authorization Conclusion
Introduction Cloud computing delivers new computing models for service providers and individual consumers Infrastructure-as-a-service (IaaS), Platform-as-a-service (PaaS), Software-as-a-service (SaaS) Enable novel IT business models Resource-on-demand, pay-as-you-go, and utility-computing Research exploration The benefits of cloud computing Cloud aware applications 3
Issue In the scope of consumer electronic (CE) devices, applications traditionally are constrained by limited resources such as low CPU frequency, small memory, and a battery-powered computing environment. We aim to design an elastic services protocol, which are augmented CE devices with cloud-based functionality. Executing elastic applications that can run efficiently on resource constrained devices. Seamlessly and transparently making use of cloud resources whenever needed 4
Key Definition in this paper Weblet: One or more weblet can consist of an elastic application. function independently, but communicate with each other. Elasticity manager: Installed in mobile devices Make decisions where weblet should be launched. Elasticity service: Residing on the cloud Arranges the execution resources of the weblet launched on the cloud 5
Elastic Application Overview Elastic service may not be the Iaas/Paas Provider 6
Scenario Weblet should be launched on one or more platforms in the cloud: Computation or communication intensive weblets usually strain the processors of mobile devices Such as image and video processing Launched on the device: Needing extensive access to local data. Such as User interface components (UI). Fast response is not a requirement. Cost concern Device is offline 7
Challenges(1/2) A new application model is needed: Support applications partitioned into multiple components Can run autonomously from the others [14,11] Communication[7] An appropriate protocol is needed between weblets during runtime Synchronize the state of the application [7] R. K. Balan, M. Satyanarayanan, S. Park, and T. Okoshi. Tactics-based remote execution for mobile computing. In Proc. of MobiSys, [14] A. Messer, I. Greenberg, P. Bernadat, D. Milojicic, D. Chen,T. Giuli, and X. Gu. Towards a distributed platform for resource-constrained devices. Technical Report HPL , HP Laboratories, [11] G. C. Hunt, M. L. Scott, G. C. Hunt, and M. L. Scott. The coign automatic distributed partitioning system. In Proc. Of OSDI,
Challenges(2/2) A set of cost objective functions are needed Should be optimized when elastic scheduling decisions are made Security and privacy considering some sensitive weblets and data migrating from device to cloud. 9
Elastic Framework Architecture 10
Security Assumptions We place trust in the Cloud Elasticity Services (CES) including cloud manager, application manager, cloud node manager, and CFI. Note. this assumption does not mean we completely trust the IaaS/Paas providers. Also, as part of the elastic framework we trust the elasticity manager on each device. We require that each user should first pair their DEM with a CES. 11
Threat Model : Threats to Mobile Devices Malware targeting mobile devices such as smartphones have become prevalent. including Symbian and iPhone platforms [12, 2] Malware can compromise the Device Elasticity Manager(DEM). Compromise of the device’s sensing components Bypass the elasticity manager and launch weblets on cloud platforms on behalf of the user 12 [12] M. Hypponen. State of cell phone malware in 2007, [2] Mcafee mobile security report 2009,
Threat Model: Threats to Cloud Platform and Application Container Misconfigurations of critical cloud components could lead to weblet compromise Weak authentication Access control settings Software vulnerabilities Malicious entities can change network and cost settings, or even cloud sensing information Other malicious activities can consume resources of cloud platform such as CPU cycles, storage, and network traffic. 13
Threat Model: Threats to Communication Channels Threats exist from active network entities such as packet injection and Man-in-the-Middle (MITM) attacks Eavesdrop DDoS Not only exhaust bandwidth resources, but also result in excessive charges to user accounts 14
Security Objectives Trustworthy weblet containers on both device and cloud: How trust is established with the container should not only rely on social and legal agreements (e.g., those for cloud providers), but also via technical mechanisms such as integrity measurement and attestation [4, 16]. Authentication and secure session management Authorization and access control Logging and auditing Behaviors of weblets should be logged and audited routinely to prevent malicious activities [4] Tcg mobile reference architecture specification, architecture-1.0.pdf. architecture-1.0.pdf [16]R. Sailer, T. Jaeger, X. Zhang, and L. van Doorn. Attestation-based policy enforcement for remote access. In Proc. of ACM CCS,
Secure Installation of Elastic Applications(1/2) Manifest: description of the application the developer signed SHA1 hash values of the individual weblets The location Where individual weblets can be installed and executed, (e.g., migratable, cloud side only, or device side only). 16
Secure Installation of Elastic Applications(2/2) User downloads and installs an application the installer will recompute and compare their hashes and with those in the bundle As an installation option, parts of the elastic application can be installed by the application manager into the CES. The cloud-based application manager also can download the same application from an application store To save communication overhead of mobile device. 17
Building Authentication between Weblets Goal: enable a weblet to authenticate another weblet of the same application in different location 18
wsk: weblet session keys wss: weblet secret Sig: Signature(use HMAC) 19
Secure Migration Assumption: VM migration by cloud infrastructure is transparent to end users and applications including SaaS providers If the VM’s IP address changes, the cloud provider would provide migration events and status to other service providers 20
Secure Migration 21
Authorization of Weblets: Scennario 22
Authorization of Weblets(1/2) Shared user credentials Each weblet has user credentials such as username and password or digital certificate of the web service. simplest solution, but implies that each weblet can represent the user and introduces risks, especially for those on cloud. Shared session information it shares application session key (ask) and secret(ass) Safer solution than the first one Usually is only valid for a short time period after authentication 23
Authorization of Weblets(2/2) Cloud based weblet forwards the requests to the authenticated device weblet, which has ask and ass. This enhances the security as session information is only available on the device. Multiple re-directions are needed communication overhead OAuth-like authentication It generates an authentication challenge on behalf of the user and redirects any responded authentication URL to the UI. If success, device weblet re-directs the resulting session information to the original requesting cloud weblet User can choose by himself. 24
Conclusion & Future work To augment computing, storage, and communication capabilities of applications for resource-constrained devices. We are developing an elastic application framework with new application model and elasticity infrastructure. This paper analyzes security threats to elastic applications and identifies security objectives that should be provided by the infrastructure We then propose authentication, secure migration, and different approaches to authorize weblets. Future work: A cost service for mobile users running elastic applications 25