HAL (Le Centre pour la Communication Scientifique Directe), Mar 30, 2017
Cloud computing is based on the sharing of physical resources among several virtual machines through a virtualization layer providing software isolation. Despite advances in virtualization, data security and isolation guarantees remain important challenges for cloud providers. Some of the most prominent isolation violations come from side-channel attacks, which exploit a leaky channel to obtain sensitive data such as encryption keys. Such channels may be created by vulnerable implementations of cryptographic algorithms, or by exploiting weaknesses of processor architectures or of resource sharing in the virtualization layer. In this paper, we provide a comprehensive survey of side-channel attacks (SCA) and mitigation techniques for virtualized environments, focusing on cache-based attacks. We review isolation challenges, attack classes and techniques. We also provide a layer-based taxonomy of applicable countermeasures, from the hardware to the application level, with an assessment of their effectiveness. Index Terms: side-channel attacks, cloud computing, cache-based side-channel attacks, timing attacks, isolation.
The replicated state machine is a fundamental concept used for obtaining fault-tolerant distributed computation. Legacy distributed computational architectures (such as Hadoop or Zookeeper) are designed to tolerate crashes of individual machines. Later, Byzantine fault-tolerant Paxos as well as self-stabilizing Paxos were introduced. Here we present for the first time the self-stabilizing Byzantine fault-tolerant version of a distributed replicated machine. It can cope with any adversarial takeover of less than one third of the participating replicas. It also ensures automatic recovery following any transient violation of the system state, in particular after periods in which more than one third of the participants are Byzantine. A prototype of a self-stabilizing Byzantine-tolerant replicated Hadoop master node has been implemented. Experiments show that fully distributed recovery of cloud infrastructures against Byzantine faults can be made practical when relying on self-stabilization in local nodes. Thus automated cloud protection against a wide variety of faults and attacks is possible.
Proceedings of the 17th International Conference on Availability, Reliability and Security
The adoption of 5G services depends on the capacity to provide high-value services. In addition to enhanced performance, the capacity to deliver Security Service Level Agreements (SSLAs) and demonstrate their fulfillment would be a great incentive for the adoption of 5G services by critical 5G Verticals (e.g., service suppliers such as Energy or Intelligent Transportation Systems) subject to specific industrial safety, security or service level rules and regulations (e.g., the NIS or SEVESO Directives). Yet responsibilities may be difficult to track and demonstrate because 5G infrastructures are interconnected and complex, a challenge anticipated to be exacerbated in future 6G networks. This paper describes a demonstrator and a use case that show how 5G Service Providers can deliver SSLAs to their customers (Service Owners) by leveraging a set of network enablers developed in the INSPIRE-5Gplus project to manage their accountability, liability and the trust placed in subcomponents of a service (subcontractors). The elaborated enablers are in particular a novel sTakeholder Responsibility, AccountabIlity and Liability deScriptor (TRAILS), a Liability-Aware Service Management Referencing Service (LASM-RS), an anomaly detection tool (IoT-MMT), a Root Cause Analysis tool (IoT-RCA), two Remote Attestation mechanisms (Systemic and Deep Attestation), and two Security-by-Orchestration enablers (one for the 5G Core and one for the MEC).
After a cloud computing decade, the user-centric, fully interoperable, multi-provider cloud remains a mirage. In currently deployed architectures, "horizontal" multi-cloud interoperability limitations come on top of "vertical" multi-layer security concerns. In this paper, we argue that an architecture with a hybrid design could be a viable solution. Indeed, we present a new virtualization architecture combining micro-hypervisor (MH), nested virtualization (NV) and component-based hypervisor (CBH) paradigms. Leveraging NV interoperability and legacy support, the architecture provides users with a transparent federation of multiple-provider resources. We also adopt an MH including CBH-like modules as the NV lower-layer hypervisor, both to achieve a minimal TCB and to enable users to directly control the hypervisor components managing their resources.
Communications in computer and information science, 2015
SUPERCLOUD aims to fulfil the vision of user-centric secure and dependable clouds of clouds through a new security management architecture and infrastructure. It will support user-centric deployments across multi-clouds, enabling the composition of innovative trustworthy services and thus uplifting Europe's innovation capacity and competitiveness.
We present the architectural design of SUPERCLOUD, a technical framework allowing users of cloud services to deploy ensembles of computational, storage and data communication services transparently over a number of different cloud service providers (CSPs). Such ensembles, so-called user clouds or U-clouds, are strictly isolated from each other and provide fine-grained security self-management facilities. To realize U-clouds, the SUPERCLOUD architecture is divided into three abstraction layers: the compute abstraction plane, the data abstraction plane, and the network abstraction plane. In this document, we describe the overall requirements for the architecture, the sub-architectures realizing the abstraction planes, as well as their interfaces and interconnections, and provide a validation of the requirements with regard to two use cases arising from health care scenarios.
Technologies logicielles Architectures des systèmes, Oct 1, 2014
Cloud computing has established itself as a major shift in information technology by offering resources and services on demand. It relies on virtualization, which makes it possible to abstract away from the physical infrastructure. However, virtualization raises many questions in terms of security. What are the threats facing a virtualized infrastructure? What mechanisms are available today to protect against these threats? Where does research stand, and what prospects does it offer for improving the security of these systems? This article attempts to provide some answers to these questions through an overview of the challenges, solutions and future directions concerning virtualization security.
Cellular V2X for Connected Automated Driving, 2021
Security and privacy are two key requirements for vehicle-to-everything (V2X) communication and applications, but the impact they can have on communication bandwidth and latency must be considered. This chapter examines C-V2X security through a more detailed study of different communication formats and interfaces. These include vehicle-to-network (V2N), in which, in the more conventional form, vehicles communicate with the mobile network; vehicle-to-vehicle (V2V), in which vehicles communicate directly with each other; and vehicle-to-infrastructure (V2I), in which vehicles communicate with the wireless-enabled road infrastructure. The chapter looks at C-V2X security from the standpoint of V2N communications and V2V/V2I interactions. Both European Union and US security architectures follow similar principles and rely on public key infrastructures to deliver digital certificates to on-board units and roadside units, referred to hereafter as end entities (US Security Credential Management System terminology).
This deliverable discusses means to derive and manage protection and performance goals of applications for wireless sensor networks. To this end, the application parameters are quantified and trade-offs are analyzed. While metrics for performance goals are well established and can be applied directly, the assessment of security properties needs additional study. For this purpose, attacks, countermeasures and state-of-the-art security metrics are analyzed for their suitability in the assessment process of secure sensor networks. Finally, due to the absence of direct approaches to developing secure systems, a model-based approach is introduced that determines whether a given system satisfies the system's requirements. In this way, the models bridge the technical details of secure implementations and high-level requirements. This eventually makes it possible to express individual protection and performance goals for sensor node systems and their components in a direct, natural way. TAMPRES Deliverable D1.3 Dis...
Despite its many foreseen benefits, the main barrier to adoption of cloud computing remains security. Vulnerabilities introduced by virtualization of computing resources, and unclear effectiveness of traditional security architectures in fully virtualized networks raise many security challenges [5]. The most critical issue remains resource sharing in a multi-tenant environment, which creates new attack vectors. The question is thus how to guarantee strong resource isolation, both on the computing and networking side. System and network complexity make manual security maintenance impossible by human administrators. Computing and networking isolation over virtualized environments should thus be achieved and automated. Unfortunately, current solutions fail to achieve that goal: hugely fragmented, they tackle the problem only from one
In multi-cloud infrastructures, despite the great diversity of current isolation technologies, a federating model to manage trust across layers or domains is still missing. Attempts to formalize trust establishment through horizontal and vertical Chains of Trust (CoTs) still lack a precise supporting technology. This paper is a first step towards reconciling the two standpoints within a broader trust management framework. We consider the horizontal, single-layer case, focusing on Intel SGX as a promising isolation technology. We propose a protocol for establishing trust between a chain of Intel SGX enclaves, both when they are located on the same platform and on remote platforms. Preliminary evaluation of an OpenSGX implementation shows that our protocols present encouraging scalability results.
Datasets used for experimental results (Figure 5): (a) compositional weaver efficiency; (b) incremental weaving efficiency; (c) relative overhead of weaving in workflow; (d) weaver efficiency vs. aspect complexity.
Type of data: raw and processed.
Hardware/software used: Intel Xeon E5-2650 Haswell at 2.60 GHz with 64 GB of RAM.
Testing input for all Mantus benchmarks: the OpenStack-based ORBITS template described in the paper, composed of a controller node and of 3 different group instances of compute nodes (Xen, KVM, LXC), with two virtual networks and related network resources.
Data format: CSV.
Source: Experiments.
Datasets used for experimental results (Figure 5) for different virtualization configurations: (a) average TCP latency; (b) average TCP throughput w.r.t. message size; (c) request service response time for a variable number of concurrent connections; (d) request throughput per second for a variable number of concurrent connections.
Hardware/software used: Intel Xeon E5-2650 Haswell at 2.60 GHz, 64 GB RAM; bare-metal OS: CentOS 7; OpenStack, Linux KVM, Ubuntu 16.04, para-virtualized VirtIO drivers (network card, disk).
Data format: CSV.
Source: Experiments.
2017 IEEE 10th International Conference on Cloud Computing (CLOUD), 2017
Cloud provider barriers still stand. After a decade of cloud computing, customers struggle to overcome the challenge of crossing multi-provider clouds to benefit from fine-grained resource distribution, business independence from CSPs and cost savings. Although increasingly popular, most adopted IaaS intercloud solutions are generally limited to specific public cloud providers or present maintainability issues. Remaining hurdles include the complexity of management and operations of such infrastructures in the presence of per-customer customizations and provider configurations. The Infrastructure as Code (IaC) paradigm is emerging as a key enabler for IaaS multi-clouds, to develop and manage infrastructure configurations. However, due to the complexity of the infrastructure life-cycle, the heterogeneity of composing resources and user customizations, this approach is far from being viable. In this paper, we explore an aspect-oriented approach to IaC deployment and management. We propose Mantus, an IaC-based multi-cloud builder composed of an aspect-oriented Domain-Specific Language called TML, or TOSCA Manipulation Language, and a corresponding aspect weaver to flexibly inject non-functional services into TOSCA infrastructure templates. We show the practical feasibility of our approach, along with good results in terms of performance and scalability.
Papers by Marc Lacoste