Verifying policy-based security for web services
Proceedings of the 11th ACM conference on Computer and communications security
An advisor for web services security policies
Proceedings of the 2005 workshop on Secure web services
XML signature element wrapping attacks and countermeasures
Proceedings of the 2005 workshop on Secure web services
Breaking and fixing the inline approach
Proceedings of the 2007 ACM workshop on Secure web services
Man-in-the-Middle Attack to the HTTPS Protocol
IEEE Security and Privacy
Analysis of Signature Wrapping Attacks and Countermeasures
ICWS '09 Proceedings of the 2009 IEEE International Conference on Web Services
Vulnerable Cloud: SOAP Message Security Validation Revisited
ICWS '09 Proceedings of the 2009 IEEE International Conference on Web Services
Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds
Proceedings of the 16th ACM conference on Computer and communications security
The curse of namespaces in the domain of XML signature
Proceedings of the 2009 ACM workshop on Secure web services
Towards a Formal Foundation of Web Security
CSF '10 Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium
SP 800-144. Guidelines on Security and Privacy in Public Cloud Computing
SP 800-144. Guidelines on Security and Privacy in Public Cloud Computing
JustMyFriends: full SQL, full transactional amenities, and access privacy
SIGMOD '12 Proceedings of the 2012 ACM SIGMOD International Conference on Management of Data
Thrifty privacy: efficient support for privacy-preserving publish/subscribe
Proceedings of the 6th ACM International Conference on Distributed Event-Based Systems
On breaking SAML: be whoever you want to be
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Abusing cloud-based browsers for fun and profit
Proceedings of the 28th Annual Computer Security Applications Conference
A survey on security issues and solutions at different layers of Cloud computing
The Journal of Supercomputing
Towards verifiable resource accounting for outsourced computation
Proceedings of the 9th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Trusted launch of virtual machine instances in public iaas environments
ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
| Hi-index | 0.00 |
Cloud Computing resources are handled through control interfaces. It is through these interfaces that the new machine images can be added, existing ones can be modified, and instances can be started or ceased. Effectively, a successful attack on a Cloud control interface grants the attacker a complete power over the victim's account, with all the stored data included. In this paper, we provide a security analysis pertaining to the control interfaces of a large Public Cloud (Amazon) and a widely used Private Cloud software (Eucalyptus). Our research results are alarming: in regards to the Amazon EC2 and S3 services, the control interfaces could be compromised via the novel signature wrapping and advanced XSS techniques. Similarly, the Eucalyptus control interfaces were vulnerable to classical signature wrapping attacks, and had nearly no protection against XSS. As a follow up to those discoveries, we additionally describe the countermeasures against these attacks, as well as introduce a novel "black box" analysis methodology for public Cloud interfaces.