ISSN:2229-6093
Hardeep Kaur et al, Int.J.Computer Technology & Applications,Vol 5 (6),2040-2044
TO ISOLATE THE VIRTUAL SIDE CHANNEL ATTACK IN CLOUD
ENVIRONMENT
Hardeep Kaur
Department of Computer Science Engineering
Lovely Professional University Jalandhar,
Punjab, India
Email: hardeepkaurkahlon@yahoo.in
Richa Sapra
Assistant Professor, Department of Computer
Science Engineering
Lovely Professional University Jalandhar,
Punjab, India
Email: richa.16859@lpu.co.in
Abstract
Security and privacy of user’s data is a big concern
in cloud computing. Though cloud computing has
many advantages, it still faces many security and
privacy issues. A user may loss his data due to
malware attack or network outage. Cloud gives
provider an opportunity to analyse user data for a
long period. Also the outside attacker can analyse
and access the data and violate the user privacy by
managing to get access to the cloud. As cloud
computing allow virtual resource sharing, and
sharing of resources among potential untrusted
tenants can result in an increased risk of
information leakage due to vulnerability of virtual
resources causing side channel attacks. An access
control policy such as RBAC can be used to control
the data sharing among cloud customers. But, an
unintelligent cloud
resources management
mechanism can significantly increase the risk of
data leakage among roles. An attacker place a
virtual machine and all the traffic of the legitimate
user will directed to the attackers virtual machine.
The attacker will hijack all the credentials of the
legitimate user, and present it to server on the
behalf of the legitimate user. A novel technique is
proposed to isolate the side channel attack in RoleBased Multi-Tenancy Access Control Scheme.
1. Introduction
Cloud computing is a biggest-scale computing
paradigm which is focused by economies of
scale. It is a pool of managed computing
power, dynamically scalable, virtualized,
abstracted, platforms, pool of storage and
services are delivered on request of customers
through internet. Cloud computing is internetbased computing, where different services as
servers, storage and applications are provided
to an organization or individual customers.
Cloud computing allow their customers to put
and get their information and data into cloud.
The customer got all types of services from
cloud through internet. When users use a
cloud service, they saw virtual view. In cloud
IJCTA | Nov-Dec 2014
Available online@www.ijcta.com
data and services are distributed at different
locations. As the cloud is based on the web
service and web service is based on the
internet. Internet has its own security
weakness. As it is open and it has many
attacks and threats. Cloud computing focuses
on
sharing the
information
and
computations over network of nodes which
is scalable. E.g. the nodes include end user
and Web Service, data-center. Theses network
of nodes form a cloud. The main idea is to use
the infrastructure in order to bring all feasible
services to the cloud and to make it possible
to access those services irrespective of
time and location [1].
A. Basic cloud computing Architecture
Cloud computing Service models
Software as a service: applications are
developed and hosted on clouds. Without the
need of installing any program or software on
user’s computer, it supports user interaction
with the applications. E.g. salesforce.com.
Platform as a service: It allows the users to
build applications by delivering the services
like development tools, platforms where user
can also run their applications. E.g. Google
app engine, windows Azure.
Infrastructure as a Service: It provides
storage and computing capabilities as
standardized services. In IaaS storage systems
and servers are integrated or pooled together
E.g. amazon web services [2].
Cloud computing Deployment models
Public cloud: Public cloud can be accessed
by any subscriber with an internet connection
and access to the cloud space.
2040
ISSN:2229-6093
Hardeep Kaur et al, Int.J.Computer Technology & Applications,Vol 5 (6),2040-2044
Private cloud:
Private cloud can be
established for a specific group or organization
and limits access to just that group.
Hybrid cloud: In Hybrid cloud environment,
organization consumes resources from both
private and public clouds.
Community cloud: A community cloud is
shared among two or more organizations that
have similar cloud requirements [3].
B. Virtual side channel attack
An attacker compromised the cloud system
through placing his malicious virtual machine
to target system server. Attacker first map
where the virtual machine is resides on the
cloud and then attack by placing his virtual
machine on target machine. Then attacker
extracts the information from targeted virtual
machine known as virtual side channel attacks.
It has two steps:
1) Placement:
machine.
placing
malicious
virtual
2) Extraction: getting information of user’s
data.
C. Access Control, Authentication and
ID Management
The many techniques have been proposed for
the access control. . Cloud needs a user based
access control method, where every customer
can request to any service provider. User is
bounded with the user id and entitlement data
information. Role based access control is the
efficient and reliable technique for access
control methods. In the role based access
control method, the user can prove its identity
to cloud service provider through the secure
authentication procedure. User id will have
attributes or identifiers that find and define the
user. There should be a strong Identity
Management and authentications for the client
and the cloud provider.
D. Role based access control
Role based access control model has two
phases, which are used to assign a privilege to
users. In the first part, many-to-many user-role
assignments are provided. In second part,
many-to-many permission to role assignment
is given. Roles can have role hierarchies which
affect the authority and responsibilities of an
organization [4].
IJCTA | Nov-Dec 2014
Available online@www.ijcta.com
Users are the members of roles and all
authorizations to users are given through roles.
Users get the roles authorization to access
objects. The access to an object is controlled
by roles.
According to allocated roles, a user can
perform
certain
operations
through
permissions. When a user want to perform
some actions, certain type of authority is
required. For this authority of proper role has
to be granted to a user to perform some
actions.
Password
Login
Role Tables
Policies
User id Role based
assignment
role RBAC
Fig.1 Role based access control model
2. Literature Review
Shin-Jer Yang, et.al (2013), proposed a
cloud service model ,using identity
management and Role-Based Access Control,
under a multi –tenant architecture (MTA), to
propose and design a Role-Based MultiTenancy Access Control (RB-MTAC). This
model combines identity management and
role based access control of multi tenancy in
cloud environment ,to manage privileges for
providing protect of the security of application
and data privacy. Each tenant can build an
independent database or multi-tenants can
share the same database. Data of different
tenants could be stored in same place and that
can prevent other tenants using data and
system of that tenant. User login with an
account no and system authenticates the user
accounts through identity management. For
valid users, a role assignment capture roles
corresponding to user from database and
assign the role and access right which belong
to the user[5].
Ravi S. Sandhu, et.al (1996), discuss about
the family of models for role base access
control. In
RBAC permissions are associated with roles
and users are the members of roles. The role
brings together a set of permissions on one
side and a set of users on another side. The
2041
ISSN:2229-6093
Hardeep Kaur et al, Int.J.Computer Technology & Applications,Vol 5 (6),2040-2044
author describes a framework of reference
models to address the components of RBAC,
and their interactions. The author defined four
reference models: base model (RBAC0),
advanced models (RBAC1 and RBAC2),
consolidate model (RBAC3). The base model,
defines the minimum requirements for any
system that support RBAC. RBAC1 add
concept of role hierarchy.
RBAC2 add
constraints and consolidated model, RBAC3,
includes RBAC1 and RBAC2 and RBAC0. A
management model is also specified to manage
the RBAC itself [6].
Karsten Sohr, et.al (2008), Discuss nontemporal and history-based authorization
constraints in the Object Constraint Language
(OCL) and first-order linear temporal logic
(LTL). Author also verify role-based access
control policies with the help of a theorem
prover and validate policies with the USE
system tool, a validation tool for OCL
constraints. UML/OCL system is used in use
case to formulate RBAC policies. USE is
employed to validate authorization constraints.
Various conflicts b/w authorization constraints
and missing conflicts detected with the help of
USE.RBAC policies is a hierarchical RBAC
and set of authorization constraints defined for
organization. An authorization engine is also
described for enforcement of authorization
constraints. Authorization constraint are used
to design architect polices and express higher
level organization rules [7].
Xiao-Yong Li, et.al (2010), proposed a multi
tenancy based access control (MTACM)
model to embed the security duty separation
principle in cloud. This model has a two
granule level access control mechanism, i.e. a
tenant granule level access control for CSP to
compartmentalize different customers, and
application granule for customers to control
the access to their own application. MTACM
based system can be deployed at application
perimeter, defining different management
domain for CSP and customers, providing
different security function management
interface at tenant and application granule. The
author described model for the application
security in public cloud. The basic rule related
to tenant and application i.e. tenant rule and
application rule are defined. A prototype of
MTACM is also implemented for high
performance and compatibility [8].
IJCTA | Nov-Dec 2014
Available online@www.ijcta.com
Shin-Jer Yang, et.al (2007), authors proposed
a new approach ISPWAP, to integrate security
and performance aspects for web based
applications. ISPWAP combines SWAP and
RBAC frameworks. This approach is proposed
to fix the security holes and improve the
processing performance during in designing
the web- based applications. Authors proposed
ISPWAP framework design its algorithm and
defined how to implement the secure web
based application with tuning performance.
The approach provides a solution for
eliminating security risk and improving system
throughput in designing web based
applications. Various design issue for security
like access control, SQL injection, session
hijacking,
information
disclosure
and
performance related issues like time for
accessing web pages and manipulating
database are defined [9].
3. Existing technique
A role based multi-tenancy access control
(RB-MTAC) using identity management and
role based access control under multitenant
architecture combines the concept of multiple
tenants and the characteristics of RBAC. In
RB-MTAC each user is assigned one to many
roles while each role is assigned to many
privileges. This model manage privileges for
providing protect of the security of application
and data privacy .This model also block a nontenant user accessing using identity
management and access control prevent tenant
users to viewing and accessing application
and database without specific privilege .This
method use a mechanism to manage user
privilege using role based view point , and
administrator only need to modify role
privileges to change user privileges and thus
reduce the potential errors from constant
modification. Each tenant can build an
independent database or multi-tenants can
share the same database. Data of different
tenants could be stored in same place and that
can prevent other tenants using data and
system of that tenant.
Every tenant/user log in with id and password
and identity management system authenticates
the user account. If user is valid, the role
assignment will capture the role corresponding
to the user from RB-MTAC database and
assign the roles and access rights to the users.
The user account then integrate the functional
2042
ISSN:2229-6093
Hardeep Kaur et al, Int.J.Computer Technology & Applications,Vol 5 (6),2040-2044
privilege within role set through functionbased access control, generating the access
control list and
provide encryption and
privacy security services.
4. Problem formulation
The many techniques have been proposed for
the access control. Among the entire
techniques role based access control is the
efficient and reliable technique for access
control. In role based access control technique
legitimate user can prove its identity to cloud
service provider through the secure
authentication procedure. According to user
rights, the access is provided to the user. The
main problem in such technique is security.
Many security attacks are possible in role
based access control technique. The new
technique is developed which is based on the
identification and role based access control
modals. This technique is the hybrid type of
technique. In this technique the side channel
attack is possible, In which attacker place the
virtual machine and all the traffic of the
legitimate user will directed to the attackers
virtual machine. The attacker will hijack all
the credentials of the legitimate user, and
present it to server on the behalf of the
legitimate user. To prevent the side channel
attack, we will enhance the “Role-Based
Multi-Tenancy Access Control”.
5. Research methodology
Access control methods, allows, denies or
restricts access to a system. It monitors and
record all attempts made to access a system.
Access Control may also identify unauthorized
users attempting to access a system. It is a
mechanism which is very much important for
protection in computer security. Various
access control models like Mandatory Access
Control (MAC), Discretionary Access Control
(DAC) and Role Based Access Control
(RBAC) are in use. All these models are
known as identity based access control
models. In all these access control models,
user (subjects) and resources (objects) are
identified by unique names. Identification may
be done directly or through roles assigned to
the subjects. These access control methods are
effective in unchangeable distributed system,
where there are only a set of Users with a
known set of services. The side channel attack
is possible in RB-MTAC and it will reduce the
IJCTA | Nov-Dec 2014
Available online@www.ijcta.com
network reliability and security of the network
will be compromised. To prevent the side
channel attack, novel technique will be
proposed which is based on the server
identification. Before present its credentials to
the server, legitimate client will ask sever for
its credentials.
START
Deploy the cloud architecture with fixed number
of users, third party and cloud services provider
Apply role based technique to assign roles to users
Trigger virtual side channel attack in the cloud
architecture and analyze the network performance
Apply KAMAN protocol for user
and virtual machine authentication
V.M are
authenticated
successfully
no
yes
EXIT
Fig. 2 flow chart for proposed technique
If the sever credentials are verified by the
client then further process will proceed
otherwise algorithm will halt.
6. Conclusion
As cloud computing is accepted widely all
around the world, it has many benefits like
large storage space, easy access to system
anytime and anywhere, cost effective etc. With
these benefits of cloud computing some
security issues needs to be spotted that assure
safe, reliable internet service. As multi-
2043
ISSN:2229-6093
Hardeep Kaur et al, Int.J.Computer Technology & Applications,Vol 5 (6),2040-2044
tenancy and virtualization features of cloud
computing enhanced the resource utilization.
However cloud computing has many security
challenges that are
exacerbated by virtual
resource sharing. The sharing of resources
among potential untrusted tenants can result in
an increased risk of information leakage due to
vulnerability of virtual resources causing side
channel attacks or VM escape. For big data
application, an access control policy such as
RBAC can be used to control the data sharing
among cloud customers. In this technique the
side channel attack is possible. “Role-Based
Multi-Tenancy Access Control Scheme”, will
be enhanced to prevent the side channel attack.
engineering(CISE),pp. 1-4, Wuhan, China,
December 10-12-2010.
[9] Shin-jer Yang Jia-Shin Chen, Kuei- Chin
Chen, “ A study of security and performance
issues in designing Web based applications,”
in proc. Of IEEE international conference on
e-business engineering (ICEBE),pp.81-88,
October 24-26,2007.
References
[1] Torry Haarris “cloud computing – an
overview”.
[2] K.shirisha reddy, Dr. M.Balaraju“An
integrated approach of data storage and
security in cloud computing” international
journal of application or innovation in
engineering & management (IJAIEM) volume
1, Issue4, December 2012.
[3] K.shirisha reddy, dr. M.Balaraju“An
integrated approach of data storage and
security in cloud computing” international
journal of application or innovation in
engineering & management (IJAIEM)volume
1,Issue4, december 2012.
[4] Gitanjali (2013)” Policy Specification in
Role based Access Control on Clouds”
International
Journal
of
Computer
Applications (0975 – 8887) Volume 75– No.1.
[5] Shin-jer,Yang pei-ci Lai, Jyhjong Lin
“Design role-based Multi-Tenancy Access
control
scheme
for
cloud
services”
international symposium on biometrics and
security technologies, IEEE 2013.
[6] Ravi S.Sandhu, Edward. Coynek, Hal
L.Feinsteink and Charles E. Youmank “Role
Based access control Models”IEE computer
volume 29, no.-2, pages 38-47, February 1996.
[7] Karsten Sohr, Michel Drouineaud, gailJoon Ahn “Analysing and managing Rolebased access control policies,” IEE transaction
on knowledge and data engineering (TKDE),
vol.20, no 7,pp. 924-939, july 2008.
[8] Xiao-Yyong Li,Yong Shi,Yu Guo, Wei
Ma, “ Multi-Tenancy based access control in
cloud,” in proc. Of international conference on
computing
intelligence
and
software
IJCTA | Nov-Dec 2014
Available online@www.ijcta.com
2044