[IEEE 2011 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops) - Seattle, WA, USA (2011.03.21-2011.03.25)] 2011 IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops) - Challenges in securing the interface between the cloud and pervasive systems
Post on 20-Feb-2017
Challenges in Securing the Interface Between theCloud and Pervasive Systems
Brent LagesseCyberspace Science and Information Intelligence Research
Computational Sciences and EngineeringOak Ridge National Laboratory
AbstractCloud computing presents an opportunity for per-vasive systems to leverage computational and storage resourcesto accomplish tasks that would not normally be possible onsuch resource-constrained devices. Cloud computing can enablehardware designers to build lighter systems that last longer andare more mobile. Despite the advantages cloud computing offersto the designers of pervasive systems, there are some limitationsof leveraging cloud computing that must be addressed. We takethe position that cloud-based pervasive system must be securedholistically and discuss ways this might be accomplished.
In this paper, we discuss a pervasive system utilizing cloudcomputing resources and issues that must be addressed in sucha system. In this system, the users mobile device cannot alwayshave network access to leverage resources from the cloud, soit must make intelligent decisions about what data should bestored locally and what processes should be run locally. As aresult of these decisions, the user becomes vulnerable to attackswhile interfacing with the pervasive system.
Significant research has been focused on both cloud andpervasive computing in the last few years years; however,this research has not always examined the combination of thetwo ideas. From the perspective of the pervasive computingcommunity, clouds offer an opportunity to perform intensecomputation and large-scale data storage without introducinga significant load on devices that are designed to be minimallynoticeable. The use of clouds can enable hardware designersto create more compact devices that are less obtrusive tousers since there is less need for powerful processing andlarge storage hardware. Further, they can greatly extend thebattery life of mobile devices by offloading much of the logicused by applications, . Research has begun to emergethat connects pervasive and cloud systems , , but theseworks have not yet strongly addressed security issues in thesesystems. In the remainder of this paper, we talk about theadvantages of using cloud-based pervasive systems, and thendiscuss the security concerns that must be addressed whendesigning such systems. While our comments are mainlytargeted at systems based on traditional cloud computing, thesecurity aspect also applies to non-traditional systems such ascloudlets  and ad-hoc clouds.
Consider the following scenario. Alice utilizes a cloudservice to execute many of her applications. It also servesas storage for all of her work. This enables Alice to work
from anywhere without having to manage the location of herprojects or to worry if the system she is using has the abilityto execute the computationally intense applications that sheruns. The downside of such a system is that it requires Aliceto have near-constant connectivity to the network providingthe cloud resources. As a result, Alices batteries can be morequickly depleted than necessary if the network connectionis not managed correctly. Furthermore, there are many timeswhen Alice does not have network connectivity on the deviceshe is using. In some cases, this is because she does nothave network coverage in the area she is visiting or becauseshe is not allowed to use her wireless network cards. In thisscenario, Alice is traveling from her home to a conference.She is able to work on her presentation on the train to theairport, but once she boards the plane, she is required to turnoff her wireless network card for the duration of the flight;however, she still wants to continue work while on the plane.In this case, her pervasive system should be able to assurethat she has the applications and data necessary for her tocontinue working until she is able to reconnect to the cloud.Furthermore, this should happen secure so that all data andapplications are securely transferred to her laptop, and so thatthe laptop, which is an untrusted device, cannot damage thedata and applications through malware that might pre-exist onthe laptop.
In this case, the cloud is not just another system, but ratherit is an extension of the pervasive computing system. As aresult, these types of systems inherit both the vulnerabilitiesof the pervasive system and the cloud system. Further, theyalso inherit the constraints of the cloud and pervasive system.Neither traditional approach to cloud security or pervasivesecurity alone is sufficient. Cloud-based approaches to securitycan typically rely on static and powerful machines to eachother to execute their security mechanisms; however, with theaddition of pervasive computing elements, the security mech-anisms must be adapted to handle resource-constrained andlatency-adverse devices. Likewise, pervasive security solutionsvary widely based on the type of pervasive system. Many ofthese solutions utilize trust-based mechanisms. Additionallymany of these systems have the opportunity to leverage contextinformation as part of the security mechanism; however, withthe addition of the cloud component, which, by its nature,
1st IEEE PerCom Workshop on Pervasive Communities and Service Clouds
U.S. Government work not protected by U.S. copyright 106
attempts to abstract away the contextual details of the under-lying system, this pervasive approach becomes more difficultto apply to the full system.
II. ADVANTAGES OF CLOUD COMPUTING TO PERVASIVESYSTEMS
Cloud computing offers many advantages to pervasive sys-tems. The most attractive of which is the ability to storelarge amounts of data and to perform intense computation.Leveraging the resources of the cloud can lead to smallerand cheaper clients that, when paired with cloud services, canaccomplish tasks on par with more powerful systems. Thecloud also offers an opportunity to offload the issues associatedwith data management. If a pervasive system uses a reliablecloud service, it can avoid many of the issues associated withmobile data management. Additionally, the cloud also addsan opportunity for certain systems to either remove or addisolation as necessary to pervasive systems.
A. Thin Clients
Thin clients have always been used in designing pervasivesystems, but the downside is that these devices are resource-constrained and can very seldom accomplish complex tasks.Thin clients do provide extreme mobility of pervasive systemand can often be added to a system for a small cost. Cloudservices can enable these thin clients to operate with whatappears to be more power.
Cloud services could also act as an interface between theuser and the rest of the Internet. Data that the user requestscould be acquired by the ISPs cloud and presented in a mannerthat requires minimal effort by the users thin client since mostof the computation will be performed on the cloud.
B. Data Management
Much research has gone into data management , pre-fetching , , caching , consistency , and opportunis-tic transfer ,  of data in pervasive systems. While muchof this work can still be leveraged to improve the interfacebetween pervasive and cloud systems, it becomes less of anessential portion of the system. With the cloud acting as areliable source of storage, the pervasive system can avoid theburden of actively managing data to provide availability andrely on the cloud services to perform such work.
C. Isolation of Systems
In a technology-rich environment that consists of pervasivetechnology, but is not truly pervasive yet, users may use mul-tiple pervasive systems. These systems could take advantageof the cloud in two distinctly different ways when this is thecase. The first way that the cloud can be used is to removethe isolation between systems. In the case that the pervasivesystems that a person uses are from multiple vendors, itis possible that they do not have support through a directinterface for sharing of information and services. The cloudcan be used to remedy this situation. Pervasive services thatare moved to the cloud can be used by any of the systems,
and information such as user context can be shared throughcloud storage. There are many issues that would need to beworked out in a system such as this, but the cloud interfacecould further enhance otherwise isolated system.
The second way that the cloud can be used is to add isolationto systems. Since multiple cloud services exist that could beused with a pervasive system, pervasive systems can utilizeseveral different cloud services to store data and provide otherservices. The advantage of isolation is that it mitigates theusers exposure to vulnerabilities from improperly secured ormalicious cloud providers. If the user has either several ora single pervasive system it is likely that some portions ofthe pervasive systems do not really need to know anythingoccurring elsewhere. In the case of a single pervasive system,the system can avoid exposing personal data to risk by splittingits services between cloud providers. In doing this, the systemmakes it more difficult for all of the information to be retrievedto link personal data or understand what the user is doingthat may be necessary to keep private. Likewise, the user cansplit multiple systems over a variety of cloud providers toprevent those systems from linking together data that shouldnot otherwise be linked together. For example, if a user hasa pervasive system for assistive health care, the user wouldlikely not want that information available to other systems orpeople who do not have a need to know that information.
III. SECURITY RISKS
In this section we discuss the location of vulnerabilities inthe cloud-pervasive system. These vulnerabilities exist on thecloud itself (in terms of processing in storage), during themigration to and from the cloud, and in the processing andstorage in the pervasive system. Figure 1 demonstrates thelocation of these vulnerabilities in the interaction of a cloud-based pervasive system.
Security of cloud-based pervasive systems has been con-sidered by . The authors focus on augmenting mobiledevices with elastic resources from the cloud. The authors pro-pose an approach that involves using trustworthy containers,authentication, secure session management, logging/auditing,authorization, and access control. As the authors mention,this constitutes a first step toward securing their system. Weagree with their approach, but in this section we augment withseveral alternative methods of accomplishing a secure cloud-based pervasive system that should be considered dependingon the threat model and the constraints and purposes of thesystem itself.
A. On the Cloud
Most commonly considered threats in cloud computingfocus on security of information while on the cloud. As aresult, we will not discuss these threats in detail, but insteadwill just provide a brief overview. The main concerns in thisarea include the privacy of information stored on the cloud,the execution of correct code on the cloud, and availability ofinformation stored on the cloud.
Fig. 1: Locations of Vulnerabilities Between the Cloud and Pervasive Systems
Privacy is a concern since users are storing informationthat could be used against them on a third partys server.Encryption is one possible solution to this problem, but forcloud applications to utilize the data that is stored, they musthave an unencrypted version available. As a result, the cloudprovider typically controls the key to encrypted data that isstored on the cloud. This approach relies on the cloud providerbeing trustworthy and reliable. If there is a security breach onthe cloud, such as a malicious insider, then this assumptioncould lead to significant damage. Another solution that shouldbe considered is the adoption of homomorphic encryptiontechniques. Homomorphic encryption would enable the cloudto perform operations on the data without ever having tosee what is contained in the data; however, homomorphicencryption operations are computationally intense, so it maynot be feasible to do this for all information. It may beacceptable to strategically encrypt only specific pieces ofinformation that would drastically reduce the overall utilityto the attacker if they were to obtain the information storedon the cloud.
Furthermore, an attacker (especially if a cloud was ma-licious) could mine easily mine the data collected from avariety of pervasive systems. This is especially dangerous ifthese systems are utilizing context data to make decisions.This scenario is very likely in a cloud situation where thecloud provides more specialized services (such as activityrecognition from context information) rather than a moregeneralized cloud system. In Figure 2 we demonstrate onepossible privacy violation where the cloud receives informa-tion to process from a variety of sources and pieces togetherthat information to learn something it should not know. Forexample, a persons entertainment pervasive system may bekept in isolation from their healthcare pervasive system, but if
a cloud (or colluding clouds) were able to link the informationthrough usage patterns or some other technique, confidentialinformation could be leaked to the attacker.
Another issue that may arise with information and servicesprovided by the cloud is the execution of code on the cloud.The functionality and security of operational software canbe compromised at any time. Global software supply chainsprovide opportunities to insert malicious content during de-velopment, as does insider access during maintenance andoperation. As a result, software must be continually revalidatedto maintain assurance of its validity. The problem is com-pounded by streaming executables that can quickly distributemalicious payloads in cloud computing networks. Currentmethods are insufficient to deal with the required scope andfrequency of validation. The best testing processes can do nomore than sample massive populations of possible executions,and most executions remaining untested when software entersoperational use. Malicious content triggered by obscure inputconditions, for example, specific times or coordinates, willlikely escape detection in testing. Syntactic scanning of codedepends on pre-defined syntactic signatures. Scanning cannotfind problems for which no signatures exist, and is easilythwarted by simple obfuscation techniques. As a result, fastautomated validation that can be applied in dynamic cloudcomputing environments is needed.
Availability of services and data is another problem that canarise from the remoteness of the cloud. A common solutionof replication is possible (both by the clients and the clouds),but the result can lead to more issues of data managementto ensure consistency. The same is true for services that areprovided by the cloud. Services can be updated and improvedover time, which could lead to incons...