An Efficient Approach for Software Protection in Cloud Computing

2014 Fourth International Conference on Communication Systems and Network Technologies

An Efficient Approach for Software Protection in Cloud Computing

Navneet Singh

Shailendra Singh Member IEEE

NITTTR Bhopal, India [email protected]


Abstract—Cloud computing is a nascent trend for its multi tenancy based accessing of software’s, but with the proliferation in trend of drifting from dedicated IT infrastructure to using the services of a cloud provider makes the issue of security more scathing. Many solutions are provided for security of a code when it is accessed over a network but still the cloud provider are facing the threat of protecting the application from obfuscation, manipulation & tampering. Solutions like watermarking a code for protecting from illegal accessing has been proposed as a solution for a network based accessing of applications in which the applications will only be accessed, using key provided during encryption of code. Our aim is to provide a mechanism that will protect a code while using it on a cloud environment i.e. on cloud application servers by implementing a framework for code security in cloud environment based on the concepts of Kerberos protocol that forms a realm of authentication server & ticket granting server with back end database connectivity for managing user’s passwords & using the custom Class loader for legitimate user who needs access to the application. Keywords-Cloud subtractive attacks.

I.

security;

software


geographically dispersed cloud platforms and that too is not in control of that particular organization. The protection of software rights is an issue to be concerned, this aims to seek an interest in protecting the intellectual property of software and also gives a secure access to legitimate users on a cloud environment [10, 11]. II.

OVERVIEW OF CLOUD COMPUTING

In keeping with the analysis about cloud environment a cloud is explicit as a cloud may be a combination of infrastructure, services and also software’s that are either remote to the user [6]. The data is stored in the cloud data centers or an infrastructure outside one’s domain and can be accessed using the web interface, used as resource for deployment of various business solutions and providing robust hosting with resource rich scalable platforms. A cloud service provider must have some essential attributes: (1) Broad network access: Resources that can be accessed over a network widely, migrating from one place to another must not reflect the access of a service, (2) Rapid elasticity: According to the usage, it must be able to scale up as much as possible for the service provider with constant sustainability, for instance, it must be able to scale its services from 1000 users to 10000 users with various resource allocations and load balancing algorithms available, (3) Measured services: The amount of services used will be the total cost of services for instance the Amazon web services offer the instances according to the usage M1 is the medium instance which allows some amount of storage capacity, processing power, provided by (amazon elastic cloud compute) and Amazon elastic map reduce that uses the Hadoop framework for data analysis and development for process massive data, (4) On demand self-service: Any service must be available as needed, (5) Resource pooling: A concept of multi tenancy (group of users) e.g. various groups of banks, to minimize the cost of infrastructure takes the cloud services in collaboration. Basic service models for cloud: (1) SAAS: (software as a service): using provider’s applications over a network. (CRM, email, social collaboration), (2) PAAS (platform as a

protection;

INTRODUCTION

The ubiquitous distribution of resources over the internet raises the issue of protecting the data as well as the applications that are used on cloud servers. The technology of cloud computing is increasing day by day so the services to the customer must be provided with an ease providing secure remote access. Though the concept of cloud computing has emerged from the old architecture of distributed computing with addition of some more feature and combining with virtualization [8]. The resources are moving more and more to cloud storage rather than storing into local storages. As the technology rapidly increases the demand for deploying various applications makes diversity in the functionality for virtualization but, increases the issue of security as the data is transmitted over the network [1]. The concern is for security in cloud computing environment when passing on any organizations perturb information to 978-1-4799-3070-8/14 $31.00 © 2014 IEEE DOI 10.1109/CSNT.2014.116

Swapnamukta Agarwal

550

service): deploying customer’s created application over cloud (middleware, database), (3) IAAS (cloud infrastructure as a service): rent processing power i.e. computational capabilities, storage capacity, computing resources (compute, storage, network, and desktop).There are 4 deployment models: (1) Community cloud: Shared infrastructure for specific community, (2) Private cloud: enterprise owned or leased (single tenant), (3) Public cloud: sold to public, mega sale infrastructure (multi-tenant), (4) Hybrid cloud: It is a composition of two or more cloud (special purpose/group). III.

Figure 1. Code protection by embedding key

IMPORTANCE OF SOFTWARE SECURITY

IV.

Software security means protection of software from illegal use. Software protection in multi tenancy environment should lay on the relative support of various algorithms that is more suited rather than non-secured code on cloud application servers. Software theft, known as piracy of software is an act of copying a legitimate application and illegally distributing the code, either free or for profit [2]. Mainly the illegal distribution is done in order to achieve higher profits. Code protection involves embedding a unique identifier within a software code known as a watermark or a digital signature. The digital signatures do not prevent theft but instead discourages software thieves by providing a means to identify the owner of a piece of software and the origin of the stolen software. A manual signature is inserted by the programmer of the application, rather than a using a third party automated tool. Some semiautomatic watermarking systems also exist for java based applications, where a programmer inserts markers into a program during development and the finished software is then augmented by a software protection tool. Watermarks can be classified as either visible [4], where watermark is in public knowledge or invisible where the watermark, or some component such as an encryption key, is not in public knowledge. Visible watermarks can act as a deterrent but also show an adversary the location of a watermark making the task of removing the watermark easier, in other words a watermark recognition or extraction algorithm may also been broadly briefed as blind, in which code as well as signature is absent and original code watermark is available.

NEED FOR SOFTWARE SECURITY IN CLOUD APPLICATION SERVERS

Software security is a key concern when entrusting any organization’s critical information to geographically dispersed cloud platforms. Various system security procedures, designing security principles embeds into cloud software during the software development life cycle, greatly reduces attacking the cloud surface. Confidentiality is the prevention of intentional or unintentional unauthorized disclosure of information [3]. Confidentiality in cloud systems is related to: (1) Covert channels: It is an unauthorized & unintended communication path that enables the exchange of information. These channels can be accomplished through timing of messages or inappropriate use of storage mechanisms, (2) Traffic analysis: It takes a form of confidentiality breach that is accomplished by analyzing volume of data, data rate, source, and destination of data traffic, high amount of message activity, and bursts of traffic indicating that a major activity is in process, (3) Encryption: It involves scrambling messages so that they cannot be read by an intruding entity, even if the intruder gains the access. Total effort required to decrypt the message is a function of the strength of the encryption key also the robustness and quality of the encryption algorithm. V. SECURITY THREAT FOR APPLICATIONS IN CLOUD SERVERS Software’s from different service providers sharing same “platform as a service” model provided by cloud systems. This shared infrastructure inevitably introduces new security threats [5]. (1) Cloud provider: They shoulder the risk that the cloud infrastructure can be misused by malicious software external malicious software may invade the cloud and also attackers may pretend as a service provider to corrupt the cloud from inside [13].

551

period of time by logging into system and entering the credentials. The credentials will be verified by authentication server that stores information for various users with their credentials in database. If the credentials match the users request with verification server’s database entry then the java virtual machine that resides on client’s machine will be replaced by a customized java virtual machine that will read the encrypted code for application that resides on cloud application server. Now after interacting with verification server the client needs a session ticket for accessing the application over cloud for that a ticket generating server will generate a ticket for session based usage of the services, the packet will contain a session key with a ticket having user name, name of TG server and IP address of client. All this is encrypted with private key of ticket generating server that is known only to TG server, so the user will unable to decrypt the packet.

Figure 2. Security Threats to cloud servers

In figure 2, bob who is an attacker deploys his software on cloud, he has the possibility to violate the cloud security, even more he could monitor the activities in the cloud, utilize side channels and covert channels for reverse engineering, infiltration, exfiltration, certain kind of encryption cracking and various other attacks, (2) Service provider: When a service provider deploys his software over cloud the only expense is on leasing the resource of cloud provider. But if malicious software pretends as legitimate software running on same hardware platform with a service provider’s software, it would get the chance to invade into service provider access environment, (3) Service users: Services on cloud shares to public, the sensitive information would increase amazingly with growth of service users in that the users have to submit their information to service for applying it [7]. Coming back to figure 2, a user applies to services provided by eve in a cloud, submits her sensitive information to the service [9]. The information would be transferred to the cloud. If bob’s service impersonates eve’s service, certainly an encrypted message sent from user to service provider “eve”, so then bob may intrude the message and then he can send improper reply to user. VI.

FRAMEWORK

Using Kerberos as a base for the framework makes password management more easy, more secure and reliable management of services for the requested client. It also provides secure authentication with centrally storing keys on a key distribution server [12]. When a client makes request with its normal user login and password to the key distribution server, the packet transmitted from client to server requesting for ticket granting ticket because it proves the identity of user on key distribution server, a ticket always expire so it comes with a time stamp. Here the client machine will send the request for particular software over cloud application server for which he has paid certain amount for certain

Figure 3. Framework for software security

This complete packet having a ticket, a session key will be encrypted with user’s private key so the ticket will not be opened but the session key will be decrypted with user’s private key from whom he has logged on. Now client will create an authenticator for secure access having the information of user name, client’s ip address and a timestamp, as the user has the customized java virtual machine so the next step is to take a session based resource access. The authenticator is encrypted with the session key that it received from last interaction. As the user has encrypted the authenticator packet with a session key

552

so the TG server will know that the packet is received from legitimate ip address. The TG server will decrypt the packet and matches the information and if the information is correct then it will create a new packet having a service ticket containing name of the software to be accessed, ip address of client address, name of client’s machine with a new session key and encrypting with a private key of cloud service provider and this whole packet is encrypted with session key shared between first interaction of client and TG server. Client decrypt the packet and uses the new session key to encrypt the whole packet and send it to cloud service provider where the cloud service provider will decrypt the service ticket using its own private key to authenticate that the correct user has requested for the software access. It then sends acknowledgment to the client machine by using the ip address that was available in service ticket. The cloud service after verifying the client will provide the access to the user. VII.

Figure 4. Graph plotting of encrypted class files

B. Result Comparison

EXPERIMENTAL EVALUATION

We have tested our output on class files of different sizes and on the basis of random key tgs key generation. We have compared the time complexity in case of different class files for encrypted as well as non-encrypted class files. Though the non- encrypted class files takes less time as depicted in the figure 4 but it is more likely to be less secure than class files that are executed after authentication process. We have also taken the data for various class files generated over various time slots for making a comparison between the actual differences among both the files.

Figure 5. Comparison between encrypted and non-encrypted class files

C. Size Overhead In this experiment we have calculated the size of different class files for secure access and with the increase in size the time taken to execute a single class file increases with a factor load depending on the calculations involved in class file and number of methods to be executed in a particular class file.

TABLE I GENERATED OUTPUT OF CLASS FILES Size of class file

392 bytes

452bytes

202bytes

865bytes

761bytes

Non encrypted

16ms

26ms

10ms

61ms

49ms

Encrypted

19ms

31ms

13ms

66ms

D. Performance overhead The experimental results shows the extra effort in execution time taken a by class file to be executed when encryption key is attached to it.

52ms

A. Result analysis

E. Resilience The framework is resilient against various attacks a) Subtractive attacks: If any intruder somehow manages to access the authentication server with the credentials of users then also it will not be possible for him to gain access to the class file because the class loader present in its Java Virtual Machine won’t respond to the code of the class file. b) Gaining Session Key: If any intruder gains the access to the Session keys then also it will not be possible to gain access to cloud server as the key is

Figure 3. Graph plotting of non-encrypted class files

553

[4]

generated with the IP address of requested server and with the Time Stamp so it has the tendency to expire after some time. c) At cloud Servers Level: In this framework the cloud servers periodically manages the credentials of various users with the authentication servers, so making the servers synchronized with the authentication servers.

[5]

[6]

F. Cost We have evaluated the time and space cost of the framework by testing the security of class files of different sizes having different functions to perform with random session key generation policy. We have also evaluated the cost overhead due to the encryption policy applied at application server level due to that some percentage increase is incurred in our framework providing the security in response to that. On average our framework provides a secure mechanism to access the application and class files with an overhead of 10% in executing a class file i.e. total time it takes to execute the encrypted class file. VIII.

[7]

[8]

[9]

[10]

[11]

CONCLUSION

In this paper we have raised the issue of software protection in cloud based accessing of applications though there are various parameters through which we can secure the cloud platforms but still various means to intrude the integrity of the software. We have developed a new framework for securing the code that is java based & by securing the class files we can achieve an authentication based mechanism for a network based accessing of code over cloud application servers. The future possibility in this work is to implement this framework on a very large scale based systems for real time analysis of software security.

[12]

[13]

ACKNOWLEDGMENT This work is a combined effort of me and my guide professor Shailendra singh who helped me in this work by giving his deep knowledge about the security issue of cloud. Without his dedication it won’t be possible for me to succeed in this implementation. REFERENCES [1]

[2]

[3]

Amandeep Verma, Sakshi Kaul, “Cloud Computing Security Issues & Challenges: A Survey”, Springer Verlag Berlin Heidelberg, part IV, ccis 193, 2011, pp.445-454. Jianmin Wang,” A Novel Watermarking Method for Software Protection in Cloud”, Software Practice & Experience, John Wiley 2011, pp.1-23. Mohemed Almorsy, “Collaboration Based Cloud Computing Security Management Framework”, 2011 IEEE 4th International Conference on Cloud Computing, 978-0-76954460-1/11, IEEE Computer Society, pp.364-371.

554

Clark Thomborson, “Watermarking, Tamper Proofing & Obfuscation, Tools for Software Protection”, IEEE Transactions on Software Engineering, Volume 28, no.8, pp.735-746. XU Jin-Chao, “Software Services Protection Security Protocol Based on Software Watermarking in Cloud Environment”, Journals on Communication, volume 33, no.Z2, pp.176-181. Kazuhide Fukushima, “Towards Secure Cloud Computing Architecture a Solution based on Software Protection Mechanism”, Journal of Internet Services & Information Security, Volume 1, no.1, pp.4-17. Ashwini Deshpande, “Enhancing Data Security in Cloud Computing using 3D Framework & Digital Signature with Encryption”, International Journal of Engineering Research & Technology, Volume 1, Issue 8, October 2012, pp. 1-8. Ayesha Malik, “Security Framework for Cloud Computing Environment: A Review”, Journals of Emerging Trends in Computing & Information Science, Volume 3, no.3 March 2012, pp.390-394. Thomborson C, “A Framework for System Security. Handbook of Information & Communication Security”, Stamp M, Stavroulakis P (Eds.). Springer, 2010, doi 10.1007/978-3-642-04117-4 1, pp.3–20. D. Grover, “Program Identification the Protection of Computer Software: Its Technology & applications”, The British Computer Society Monographs in Informatics. Russell Dean Vines, “Cloud Computing Software Security Fundamentals”, Cloud Information Security Objectives, Indianapolis, Indiana, 2010, chapter 3, section 1, pp.91-92. Jennifer G Steiner, “Kerberos: An Authentication Service for Open Network Systems”, Project Athena, Massachusetts Institute of Technology, pp.1-15. Pengfei Dai, “A Software Watermark Based Architecture for Cloud Security” 14th Asia Pacific Web Conference, AP Web 2012, Kunming, China, April 11-13, 2012, 978-3-642-292521,pp.270-281.