With the rapid adoption of the concepts
of Software as a Service (SaaS) and Service Oriented Architecture
(SOA), the Information Technology (IT) industry has shifted its focus from
sales of hardware and software toward providing value-added IT services
through the Internet. Open computing platforms such as cloud
infrastructures have recently emerged as promising platforms to provide
multi-tenant resource sharing on a common physical infrastructure.
Thus, service providers can lease a set of resources from cloud
infrastructures to provide their software as services in an economical
way without maintaining their own physical computing infrastructures.
However, for many security sensitive applications such as critical data
processing, we must provide necessary security protection mechanisms
before we can migrate those critical application services into shared
open computing infrastructures. Existing research on SOA mainly focuses
on resource and performance management issues, and usually assumes that
all service components provided by different service providers are
trusted. However, in open SOA infrastructures such as multi-tenant
cloud systems, we can no longer assume all service components are
trustworthy. In particular, besides confidentiality and privacy
concerns that have been addressed by previous research, it is
challenging to ensure service integrity when some service components
might be malicious. Although previous work has provided software
integrity attestation solutions, those techniques require trusted
hardware or a secure kernel to co-exist with the remote software
platform, which is difficult to apply in large-scale open SOA
systems where service components are often offered as black-box
elements.
The overall objective of this project is to advance the state of the
art of SOA security and develop a suite of techniques for service
integrity assurance. We aim at achieving a practical integrity
assurance framework for large-scale open SOA systems without requiring
application modifications or assuming trusted entities at third-party
service providers. One central goal of this project is to look into the
future of SOA, and focus on techniques that are not only suitable for
today's service-oriented environments, but for future open computing
platforms built on top of
them. The proposed research will develop the following novel integrity
assurance mechanisms for open SOA systems:
- Runtime service integrity verification, which performs randomized
consistency checking to detect service integrity violation with low
overhead;
- Graph-based malicious service component pinpointing, which
identifies exactly which service components are compromised based on
aggregated consistency checking results;
- Challenge-based service integrity assurance, which issues challenge
data indistinguishable from normal inputs to attest service integrity.
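The first two mechanisms above can be illustrated with a small simulation. The code below is an added example written for this page, not the project's own implementation: it assumes a set of black-box providers that all compute the same deterministic function, duplicates a random fraction of the inputs to a second provider (the duplicate looks like any other request, so a provider cannot tell when it is being checked), aggregates the pairwise agreement results into a consistency graph, and flags everything outside the largest clique of mutually consistent providers. The provider names, the reference function, the corruption rule and the "honest majority" assumption are all constructed for the demonstration.

```python
import random
from itertools import combinations

# --- Constructed toy services (assumed for this example) -------------------

def honest_service(x):
    """Deterministic reference computation that every honest provider runs."""
    return x * x + 1

def make_malicious(corrupt_pct):
    """Black-box provider that silently corrupts corrupt_pct% of its outputs.
    Corruption is keyed on the input value, so two colluding instances of
    this provider return the same wrong answer and look consistent with
    each other."""
    def svc(x):
        if (x * 2654435761) % 100 < corrupt_pct:
            return honest_service(x) + 7   # plausible-looking but wrong result
        return honest_service(x)
    return svc

# --- Runtime service integrity verification --------------------------------

def randomized_consistency_check(providers, inputs, sample_rate, rng):
    """Route each input to one randomly chosen provider; with probability
    sample_rate also send the same input to a second provider and record
    whether the two results agree. Overhead grows only with sample_rate."""
    names = sorted(providers)
    observations = []
    for x in inputs:
        primary = rng.choice(names)
        result = providers[primary](x)
        if rng.random() < sample_rate:
            shadow = rng.choice([n for n in names if n != primary])
            observations.append((primary, shadow, providers[shadow](x) == result))
    return observations

# --- Graph-based malicious component pinpointing ---------------------------

def build_consistency_graph(observations):
    """Aggregate pairwise checks: an edge joins two providers only if they
    were compared at least once and never disagreed."""
    compared, disagreed = set(), set()
    for a, b, ok in observations:
        pair = frozenset((a, b))
        compared.add(pair)
        if not ok:
            disagreed.add(pair)
    return compared - disagreed, disagreed

def pinpoint_malicious(names, consistent_edges):
    """Return the providers outside the largest clique of mutually consistent
    providers. Assumes honest providers form a majority, so the biggest
    clique is the honest set even if malicious providers collude."""
    names = sorted(names)
    for k in range(len(names), 0, -1):
        for combo in combinations(names, k):
            if all(frozenset(p) in consistent_edges for p in combinations(combo, 2)):
                return set(names) - set(combo)
    return set(names)

def run_demo(seed=7, n_inputs=2000, sample_rate=0.5):
    """Three honest providers plus two colluding malicious ones (constructed)."""
    rng = random.Random(seed)
    providers = {"A": honest_service, "B": honest_service, "C": honest_service,
                 "M1": make_malicious(30), "M2": make_malicious(30)}
    inputs = [rng.randrange(1, 10_000) for _ in range(n_inputs)]
    obs = randomized_consistency_check(providers, inputs, sample_rate, rng)
    edges, disagreed = build_consistency_graph(obs)
    flagged = pinpoint_malicious(providers, edges)
    return flagged, sorted(sorted(e) for e in edges), len(disagreed)

if __name__ == "__main__":
    flagged, edges, n_bad = run_demo()
    print("consistent edges:", edges)
    print("pairs that disagreed:", n_bad)
    print("flagged as malicious:", flagged)
```

Two design points carry over from the abstract. First, the check never needs the application or the providers to be modified: it only replays an input and compares outputs, which is what makes it usable against black-box components. Second, the colluding pair M1 and M2 agree with each other and so form their own clique, which is why pinpointing has to be done on the aggregated graph rather than per comparison; the honest-majority assumption is what lets the larger clique be trusted. Lowering `sample_rate` reduces overhead at the cost of needing more traffic before a provider that corrupts only a small fraction of results is caught.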
In particular, we will focus on data-intensive applications such as
MapReduce and dataflow processing that have been widely adopted by many
real-world applications. This project will also investigate how to
integrate the above techniques with other privacy and confidentiality
protection techniques to offer a comprehensive set of security
mechanisms for the full life cycle of service provisioning.