Secure Mobile Cloud Computing and Security Issues

Chapter

Abstract

The proliferation of mobile devices, coupled with the increase in their capabilities, has enabled the establishment of a rich mobile computing platform that can be utilized in conjunction with cloud services. In this chapter, we give an overview of the latest mobile computing models and architectures, focusing on their security properties. In particular, we study a wide range of threats against the availability, privacy and integrity of mobile cloud computing architectures in which the mobile devices and the cloud jointly perform computation. We then present defense mechanisms that ensure the security of mobile cloud computing architectures and their applications. Throughout the chapter, we identify potential threats as well as possible opportunities for defenses.

Keywords

Migration Lost 

Notes

Acknowledgements

This material is based upon work partially supported by the One-Time Research Support Program at Texas State University-San Marcos, the National Science Foundation (NSF) grant CNS-1149397, and the Air Force Office of Scientific Research (AFOSR)/the Air Force Research Laboratory (AFRL) Visiting Faculty Research Program (VFRP) extension grant LRIR 11RI01COR.


Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  1. Texas State University-San Marcos, San Marcos, USA
