CloudSafetyNet: End-to-End Application Security in the Cloud

Lead Research Organisation: University of Cambridge
Department Name: Computer Laboratory


Cloud computing promises to revolutionise how companies, research institutions and government organisations, including the National Health Service (NHS), offer applications and services to users in the digital economy. By consolidating many services as part of a shared ICT infrastructure operated by cloud providers, cloud computing can reduce management costs, shorten the deployment cycle of new services and improve energy efficiency. For example, the UK government's G-Cloud initiative aims to create a cloud ecosystem that will enable government organisations to deploy new applications rapidly, and to share and reuse existing services. Citizens will benefit from increased access to services, while public-sector ICT costs will be reduced.

Security considerations, however, are a major issue holding back the widespread adoption of cloud computing: many organisations are concerned about the confidentiality and integrity of their users' data when hosted in third-party public clouds. Today's cloud providers struggle to give strong security guarantees that user data belonging to cloud tenants will be protected "end-to-end", i.e. across the entire workflow of a complex cloud-hosted distributed application. This is a challenging problem because data protection policies associated with applications usually require the strict isolation of certain data while permitting the sharing of other data. As an example, consider a local council with two applications on the G-Cloud: one for calculating unemployment benefits and one for receiving parking ticket fines, with both applications relying on a shared electoral roll database. How can the local council guarantee that data related to unemployment benefits will never be exposed to the parking fine application, even though both applications share a database and the cloud platform?

The focus of the CloudSafetNet project is to rethink fundamentally how platform-as-a-service (PaaS) clouds should handle security requirements of applications. The overall goal is to provide the CloudSafetyNet middleware, a novel PaaS platform that acts as a "safety net", protecting against security violations caused by implementation flaws in applications ("intra-tenant security") or vulnerabilities in the cloud platform itself ("inter-tenant security"). CloudSafetyNet follows a "data-centric" security model: the integrity and confidentiality of application data is protected according to data flow policies -- agreements between cloud tenants and the provider specifying the permitted and prohibited exchanges of data between application components. It will enforce data flow policies through multiple levels of security mechanisms following a "defence-in-depth" strategy: based on policies, it creates "data compartments" that contain one or more components and isolate user data. A small privileged kernel, which is part of the middleware and constitutes a trusted computing base (TCB), tracks the flow of data between compartments and prevents flows that would violate policies. Previously such information flow control (IFC) models have been used successfully to enhance programming language, operating system and web application security.

To make such a secure PaaS platform a reality, we plan to overcome a set of research challenges. We will explore how cloud application developers can express data-centric security policies that can be translated automatically into a set of data flow constraints in a distributed system. An open problem is how these constraints can be tied in with trusted enforcement mechanisms that exist in today's PaaS clouds. Addressing this will involve research into new lightweight isolation and sand-boxing techniques that allow the controlled execution of software components. In addition, we will advance software engineering methodology for secure cloud applications by developing new software architectures and design patterns that are compatible with compartmentalised data flow enforcement.


10 25 50
Description How to provide Information Flow Control in Cloud Software so that applications do not need to be reengineered to use IFC.
Exploitation Route making cloud computing more secure and demonstrating compliance with contracts between providers and tenants
Sectors Digital/Communication/Information Technologies (including Software)

Description Microsoft, as cloud providers, are being made aware of IFC through supporting further research on technology support for Cloud Law.
First Year Of Impact 2014
Sector Digital/Communication/Information Technologies (including Software)
Impact Types Economic,Policy & public services

Title CamFlow flow control and audit 
Description Two Linux Security Modules (LSMs) for Information Flow Control and Audit as open source software under a GPL-3.0 license 
IP Reference  
Protection Protection not required
Year Protection Granted 2016
Licensed Yes
Impact Thomas Pasquier is using the CamFlow audit LSM as a postdoc on a project on data provenance at Harvard University.