SCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environment

Detalhes bibliográficos
Ano de defesa: 2018
Autor(a) principal: Carvalho, Carlos André Batista de
Orientador(a): Andrade, Rossana Maria de Castro
Banca de defesa: Não Informado pela instituição
Tipo de documento: Tese
Tipo de acesso: Acesso aberto
Idioma: eng
Instituição de defesa: Não Informado pela instituição
Programa de Pós-Graduação: Não Informado pela instituição
Departamento: Não Informado pela instituição
País: Não Informado pela instituição
Palavras-chave em Português:
Secure storage
Cloud security
Monitoring and auditing
Violation detection
Link de acesso: http://www.repositorio.ufc.br/handle/riufc/48100
Resumo: A cloud storage service implements security mechanisms to protect user data. Due to the customer needs and existing threats, the secure data sharing is a key issue highlighted in the literature. Moreover, due to the loss of control over the cloud infrastructure, it is essential to design security mechanisms that focus on the trust and transparency of the cloud services. The confidentiality, integrity, freshness and write-serializability are the security properties analyzed in this research. Usually, auditing and monitoring mechanisms are used to detect violations of security properties. However, an analysis of the literature reveals attacks that are not identified by existing solutions. Although a broker has been used to enable a real-time detection, it is necessary to identify collusion attacks resulted from malicious actions of this broker. The detection of integrity violations has not been properly addressed, ignoring the violations that result from the writing transactions performed by revoked users. Similarly, the reading by revoked users implies in confidentiality violations that must also be detected. Last, the verification of write-serializability violations should be effective, identifying properly the violation’s scenarios. Therefore, a secure storage service for cloud computing, called SCUDO, is proposed in this thesis to address these issues, improving the violation detection while allowing the data sharing. The detection of violations is based on the log of the performed transactions that is signed for purposes of non-repudiation. The evaluation of SCUDO is performed based on a formal model using Colored Petri Nets (CPNs) and a prototype deployed in a cloud infrastructure. The results show that the provider cannot deny a violation and attacks are detected as soon as possible, reducing the damage of an attack. Then, the security mechanisms at SCUDO can allow the provider and the broker to ensure security properties and show evidence that they are honest.
id UFC-7_95bc730de9080bd59bd44e854f774f52
oai_identifier_str oai:repositorio.ufc.br:riufc/48100
network_acronym_str UFC-7
network_name_str Repositório Institucional da Universidade Federal do Ceará (UFC)
repository_id_str
spelling Carvalho, Carlos André Batista deCastro, Miguel Franklin deAndrade, Rossana Maria de Castro2019-12-03T17:51:04Z2019-12-03T17:51:04Z2018CARVALHO, Carlos André Batista de. SCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environment. 2018. 109 f. Tese (Doutorado em Ciência da Computação) - Universidade Federal do Ceará, Fortaleza, 2018.http://www.repositorio.ufc.br/handle/riufc/48100A cloud storage service implements security mechanisms to protect user data. Due to the customer needs and existing threats, the secure data sharing is a key issue highlighted in the literature. Moreover, due to the loss of control over the cloud infrastructure, it is essential to design security mechanisms that focus on the trust and transparency of the cloud services. The confidentiality, integrity, freshness and write-serializability are the security properties analyzed in this research. Usually, auditing and monitoring mechanisms are used to detect violations of security properties. However, an analysis of the literature reveals attacks that are not identified by existing solutions. Although a broker has been used to enable a real-time detection, it is necessary to identify collusion attacks resulted from malicious actions of this broker. The detection of integrity violations has not been properly addressed, ignoring the violations that result from the writing transactions performed by revoked users. Similarly, the reading by revoked users implies in confidentiality violations that must also be detected. Last, the verification of write-serializability violations should be effective, identifying properly the violation’s scenarios. Therefore, a secure storage service for cloud computing, called SCUDO, is proposed in this thesis to address these issues, improving the violation detection while allowing the data sharing. The detection of violations is based on the log of the performed transactions that is signed for purposes of non-repudiation. The evaluation of SCUDO is performed based on a formal model using Colored Petri Nets (CPNs) and a prototype deployed in a cloud infrastructure. The results show that the provider cannot deny a violation and attacks are detected as soon as possible, reducing the damage of an attack. Then, the security mechanisms at SCUDO can allow the provider and the broker to ensure security properties and show evidence that they are honest.Um serviço de armazenamento na nuvem implementa mecanismos de segurança para proteger os dados dos usuários. Devido às necessidades dos clientes e às ameaças existentes, o compartilhamento seguro de dados é uma questão importante destacada na literatura. Além disso, devido à perda de controle sobre a infraestrutura de nuvem, é essencial projetar mecanismos de segurança focados transparência nos serviços em nuvem, aumentando a confiança nos mesmos. Normalmente, os mecanismos de auditoria e monitoramento são usados para detectar violações de propriedades de segurança. A confidencialidade, integridade, freshness e write-serializability são as propriedades de segurança analisadas nesta pesquisa. Uma análise da literatura revela ataques que não são detectados pelas soluções existentes. Um broker pode ser utilizado para viabilizar a detecção de violações em tempo real. Contudo, é necessário identificar ataques de conluio (collusion attacks) resultantes de ações maliciosas desse broker. Além disso, a detecção de violações de integridade não tem sido tratada adequadamente, ignorando a possibilidade de usuários cujas permissões foram revogadas escreva arquivos usando chaves antigas. Similarmente, é possível que usuários revogados consigam ler arquivos, violando a confidencialidade dos dados. Por fim, a verificação de write-serializability deve identificar adequadamente os cenários de violação existentes. Neste contexto, este trabalho propõe um serviço de armazenamento seguro para computação em nuvem, denominado SCUDO, melhorando a detecção de violações enquanto permite o compartilhamento de dados. Esta detecção de violações é baseada no log das transações realizadas que é assinado para prover o não repúdio dessas transações. A avaliação do SCUDO é feita com base em uma modelagem formal utilizando Redes de Petri Coloridas (CPNs), que é essencial para avaliar a segurança da solução proposta, e em um protótipo implantado em uma infraestrutura de nuvem. Como resultado, o provedor não pode negar uma violação e os ataques são detectados o mais rápido possível, reduzindo o dano desses ataques. Então, os mecanismos de segurança existentes no SCUDO permitem que o provedor e o broker ofereçam garantias quanto às propriedades de segurança e mostrem evidências que são honestos.Secure storageCloud securityMonitoring and auditingViolation detectionSCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environmentSCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environmentinfo:eu-repo/semantics/publishedVersioninfo:eu-repo/semantics/doctoralThesisengreponame:Repositório Institucional da Universidade Federal do Ceará (UFC)instname:Universidade Federal do Ceará (UFC)instacron:UFCinfo:eu-repo/semantics/openAccessLICENSElicense.txtlicense.txttext/plain; charset=utf-81748http://repositorio.ufc.br/bitstream/riufc/48100/4/license.txt8a4605be74aa9ea9d79846c1fba20a33MD54ORIGINAL2018_tese_cabcarvalho.pdf2018_tese_cabcarvalho.pdfapplication/pdf7692218http://repositorio.ufc.br/bitstream/riufc/48100/3/2018_tese_cabcarvalho.pdfbaf53a9f6e7e4fe4149f929073039bcdMD53riufc/481002019-12-03 14:51:04.351oai:repositorio.ufc.br:riufc/48100Tk9URTogUExBQ0UgWU9VUiBPV04gTElDRU5TRSBIRVJFClRoaXMgc2FtcGxlIGxpY2Vuc2UgaXMgcHJvdmlkZWQgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seS4KCk5PTi1FWENMVVNJVkUgRElTVFJJQlVUSU9OIExJQ0VOU0UKCkJ5IHNpZ25pbmcgYW5kIHN1Ym1pdHRpbmcgdGhpcyBsaWNlbnNlLCB5b3UgKHRoZSBhdXRob3Iocykgb3IgY29weXJpZ2h0Cm93bmVyKSBncmFudHMgdG8gRFNwYWNlIFVuaXZlcnNpdHkgKERTVSkgdGhlIG5vbi1leGNsdXNpdmUgcmlnaHQgdG8gcmVwcm9kdWNlLAp0cmFuc2xhdGUgKGFzIGRlZmluZWQgYmVsb3cpLCBhbmQvb3IgZGlzdHJpYnV0ZSB5b3VyIHN1Ym1pc3Npb24gKGluY2x1ZGluZwp0aGUgYWJzdHJhY3QpIHdvcmxkd2lkZSBpbiBwcmludCBhbmQgZWxlY3Ryb25pYyBmb3JtYXQgYW5kIGluIGFueSBtZWRpdW0sCmluY2x1ZGluZyBidXQgbm90IGxpbWl0ZWQgdG8gYXVkaW8gb3IgdmlkZW8uCgpZb3UgYWdyZWUgdGhhdCBEU1UgbWF5LCB3aXRob3V0IGNoYW5naW5nIHRoZSBjb250ZW50LCB0cmFuc2xhdGUgdGhlCnN1Ym1pc3Npb24gdG8gYW55IG1lZGl1bSBvciBmb3JtYXQgZm9yIHRoZSBwdXJwb3NlIG9mIHByZXNlcnZhdGlvbi4KCllvdSBhbHNvIGFncmVlIHRoYXQgRFNVIG1heSBrZWVwIG1vcmUgdGhhbiBvbmUgY29weSBvZiB0aGlzIHN1Ym1pc3Npb24gZm9yCnB1cnBvc2VzIG9mIHNlY3VyaXR5LCBiYWNrLXVwIGFuZCBwcmVzZXJ2YXRpb24uCgpZb3UgcmVwcmVzZW50IHRoYXQgdGhlIHN1Ym1pc3Npb24gaXMgeW91ciBvcmlnaW5hbCB3b3JrLCBhbmQgdGhhdCB5b3UgaGF2ZQp0aGUgcmlnaHQgdG8gZ3JhbnQgdGhlIHJpZ2h0cyBjb250YWluZWQgaW4gdGhpcyBsaWNlbnNlLiBZb3UgYWxzbyByZXByZXNlbnQKdGhhdCB5b3VyIHN1Ym1pc3Npb24gZG9lcyBub3QsIHRvIHRoZSBiZXN0IG9mIHlvdXIga25vd2xlZGdlLCBpbmZyaW5nZSB1cG9uCmFueW9uZSdzIGNvcHlyaWdodC4KCklmIHRoZSBzdWJtaXNzaW9uIGNvbnRhaW5zIG1hdGVyaWFsIGZvciB3aGljaCB5b3UgZG8gbm90IGhvbGQgY29weXJpZ2h0LAp5b3UgcmVwcmVzZW50IHRoYXQgeW91IGhhdmUgb2J0YWluZWQgdGhlIHVucmVzdHJpY3RlZCBwZXJtaXNzaW9uIG9mIHRoZQpjb3B5cmlnaHQgb3duZXIgdG8gZ3JhbnQgRFNVIHRoZSByaWdodHMgcmVxdWlyZWQgYnkgdGhpcyBsaWNlbnNlLCBhbmQgdGhhdApzdWNoIHRoaXJkLXBhcnR5IG93bmVkIG1hdGVyaWFsIGlzIGNsZWFybHkgaWRlbnRpZmllZCBhbmQgYWNrbm93bGVkZ2VkCndpdGhpbiB0aGUgdGV4dCBvciBjb250ZW50IG9mIHRoZSBzdWJtaXNzaW9uLgoKSUYgVEhFIFNVQk1JU1NJT04gSVMgQkFTRUQgVVBPTiBXT1JLIFRIQVQgSEFTIEJFRU4gU1BPTlNPUkVEIE9SIFNVUFBPUlRFRApCWSBBTiBBR0VOQ1kgT1IgT1JHQU5JWkFUSU9OIE9USEVSIFRIQU4gRFNVLCBZT1UgUkVQUkVTRU5UIFRIQVQgWU9VIEhBVkUKRlVMRklMTEVEIEFOWSBSSUdIVCBPRiBSRVZJRVcgT1IgT1RIRVIgT0JMSUdBVElPTlMgUkVRVUlSRUQgQlkgU1VDSApDT05UUkFDVCBPUiBBR1JFRU1FTlQuCgpEU1Ugd2lsbCBjbGVhcmx5IGlkZW50aWZ5IHlvdXIgbmFtZShzKSBhcyB0aGUgYXV0aG9yKHMpIG9yIG93bmVyKHMpIG9mIHRoZQpzdWJtaXNzaW9uLCBhbmQgd2lsbCBub3QgbWFrZSBhbnkgYWx0ZXJhdGlvbiwgb3RoZXIgdGhhbiBhcyBhbGxvd2VkIGJ5IHRoaXMKbGljZW5zZSwgdG8geW91ciBzdWJtaXNzaW9uLgo=Repositório InstitucionalPUBhttp://www.repositorio.ufc.br/ri-oai/requestbu@ufc.br || repositorio@ufc.bropendoar:2019-12-03T17:51:04Repositório Institucional da Universidade Federal do Ceará (UFC) - Universidade Federal do Ceará (UFC)false
dc.title.pt_BR.fl_str_mv SCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environment
dc.title.en.pt_BR.fl_str_mv SCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environment
title SCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environment
spellingShingle SCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environment
Carvalho, Carlos André Batista de
Secure storage
Cloud security
Monitoring and auditing
Violation detection
title_short SCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environment
title_full SCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environment
title_fullStr SCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environment
title_full_unstemmed SCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environment
title_sort SCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environment
author Carvalho, Carlos André Batista de
author_facet Carvalho, Carlos André Batista de
author_role author
dc.contributor.co-advisor.none.fl_str_mv Castro, Miguel Franklin de
dc.contributor.author.fl_str_mv Carvalho, Carlos André Batista de
dc.contributor.advisor1.fl_str_mv Andrade, Rossana Maria de Castro
contributor_str_mv Andrade, Rossana Maria de Castro
dc.subject.por.fl_str_mv Secure storage
Cloud security
Monitoring and auditing
Violation detection
topic Secure storage
Cloud security
Monitoring and auditing
Violation detection
description A cloud storage service implements security mechanisms to protect user data. Due to the customer needs and existing threats, the secure data sharing is a key issue highlighted in the literature. Moreover, due to the loss of control over the cloud infrastructure, it is essential to design security mechanisms that focus on the trust and transparency of the cloud services. The confidentiality, integrity, freshness and write-serializability are the security properties analyzed in this research. Usually, auditing and monitoring mechanisms are used to detect violations of security properties. However, an analysis of the literature reveals attacks that are not identified by existing solutions. Although a broker has been used to enable a real-time detection, it is necessary to identify collusion attacks resulted from malicious actions of this broker. The detection of integrity violations has not been properly addressed, ignoring the violations that result from the writing transactions performed by revoked users. Similarly, the reading by revoked users implies in confidentiality violations that must also be detected. Last, the verification of write-serializability violations should be effective, identifying properly the violation’s scenarios. Therefore, a secure storage service for cloud computing, called SCUDO, is proposed in this thesis to address these issues, improving the violation detection while allowing the data sharing. The detection of violations is based on the log of the performed transactions that is signed for purposes of non-repudiation. The evaluation of SCUDO is performed based on a formal model using Colored Petri Nets (CPNs) and a prototype deployed in a cloud infrastructure. The results show that the provider cannot deny a violation and attacks are detected as soon as possible, reducing the damage of an attack. Then, the security mechanisms at SCUDO can allow the provider and the broker to ensure security properties and show evidence that they are honest.
publishDate 2018
dc.date.issued.fl_str_mv 2018
dc.date.accessioned.fl_str_mv 2019-12-03T17:51:04Z
dc.date.available.fl_str_mv 2019-12-03T17:51:04Z
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/doctoralThesis
format doctoralThesis
status_str publishedVersion
dc.identifier.citation.fl_str_mv CARVALHO, Carlos André Batista de. SCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environment. 2018. 109 f. Tese (Doutorado em Ciência da Computação) - Universidade Federal do Ceará, Fortaleza, 2018.
dc.identifier.uri.fl_str_mv http://www.repositorio.ufc.br/handle/riufc/48100
identifier_str_mv CARVALHO, Carlos André Batista de. SCUDO: Secure CloUd storage service for Detecting viOlations of security properties in a data sharing environment. 2018. 109 f. Tese (Doutorado em Ciência da Computação) - Universidade Federal do Ceará, Fortaleza, 2018.
url http://www.repositorio.ufc.br/handle/riufc/48100
dc.language.iso.fl_str_mv eng
language eng
dc.rights.driver.fl_str_mv info:eu-repo/semantics/openAccess
eu_rights_str_mv openAccess
dc.source.none.fl_str_mv reponame:Repositório Institucional da Universidade Federal do Ceará (UFC)
instname:Universidade Federal do Ceará (UFC)
instacron:UFC
instname_str Universidade Federal do Ceará (UFC)
instacron_str UFC
institution UFC
reponame_str Repositório Institucional da Universidade Federal do Ceará (UFC)
collection Repositório Institucional da Universidade Federal do Ceará (UFC)
bitstream.url.fl_str_mv http://repositorio.ufc.br/bitstream/riufc/48100/4/license.txt
http://repositorio.ufc.br/bitstream/riufc/48100/3/2018_tese_cabcarvalho.pdf
bitstream.checksum.fl_str_mv 8a4605be74aa9ea9d79846c1fba20a33
baf53a9f6e7e4fe4149f929073039bcd
bitstream.checksumAlgorithm.fl_str_mv MD5
MD5
repository.name.fl_str_mv Repositório Institucional da Universidade Federal do Ceará (UFC) - Universidade Federal do Ceará (UFC)
repository.mail.fl_str_mv bu@ufc.br || repositorio@ufc.br
_version_ 1847793310538661888

Registros relacionados