Obfuscation and Diversification for Securing Cloud Computing

  • Shohreh Hosseinzadeh
  • Samuel Laurén
  • Sampsa Rauti
  • Sami Hyrynsalmi
  • Mauro Conti
  • Ville Leppänen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10131)

Abstract

The evolution of cloud computing and the advancement of its services have motivated organizations and enterprises to move towards the cloud in order to provide services to their customers with greater ease and higher efficiency. Utilizing cloud-based services has, on the one hand, brought numerous compelling benefits and, on the other hand, raised concerns regarding the security and privacy of data in the cloud, which remains an ongoing challenge. In this regard, there has been a large body of research on improving security and privacy in cloud computing. In this chapter, we first study the status of security and privacy in cloud computing. Then, among all the existing security techniques, we narrow our focus to obfuscation and diversification techniques. We present a state-of-the-art review of this field of study and of how these two techniques have been used in cloud computing to improve security. Finally, we propose an approach that uses these two techniques with the aim of improving security in the cloud computing environment and preserving the privacy of its users.

Keywords

  • Cloud computing
  • Enterprise security
  • Security
  • Privacy
  • Obfuscation
  • Diversification

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Shohreh Hosseinzadeh (1)
  • Samuel Laurén (1)
  • Sampsa Rauti (1)
  • Sami Hyrynsalmi (1)
  • Mauro Conti (2)
  • Ville Leppänen (1)

  1. Department of Future Technologies, University of Turku, Turku, Finland
  2. Department of Mathematics, University of Padua, Padua, Italy
