Reference : CertiCloud and JShadObf. Towards Integrity and Software Protection in Cloud Computing...
Dissertations and theses : Doctoral thesis
Engineering, computing & technology : Computer science
http://hdl.handle.net/10993/17919
CertiCloud and JShadObf. Towards Integrity and Software Protection in Cloud Computing Platforms
English
Bertholon, Benoit [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
20-Dec-2013
University of Luxembourg, Luxembourg, Luxembourg
Docteur en Informatique
185
Bouvry, Pascal
Varrette, Sébastien
[en] A simple concept that has emerged from the notion of heterogeneous distributed computing is that of Cloud Computing (CC), where customers do not own any part of the infrastructure; they simply use the available services and pay for what they use. This approach is often viewed as the next ICT revolution, similar to the birth of the Web or e-commerce. Indeed, since its advent in the middle of the 2000s, the CC paradigm has aroused enthusiasm and interest from industry and the private sector, probably because it formalizes a concept that reduces computing cost at a time when computing power is key to competitiveness. Despite the initiative of several major vendors to propose CC services (Amazon, Google, Microsoft etc.), several security research questions remain open before the current euphoria can turn into wide acceptance. Moreover, these questions are not always tackled from the user's point of view. In this context, the purpose of this thesis is to investigate and design novel mechanisms to cover the following domains:
- Integrity and confidentiality of Infrastructure-as-a-Service (IaaS) infrastructures, to provide guarantees on programs and data running in a virtualised environment, before, during or after deployment on the CC platform.
- Software protection on Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) architectures, using code obfuscation techniques.
This dissertation thus details two main contributions. The first is the development and implementation of CertiCloud, a CC framework which relies on the concepts developed by the Trusted Computing Group (TCG) together with hardware elements, i.e., the Trusted Platform Module (TPM), to offer a secured and reassuring environment within IaaS platforms. At the heart of CertiCloud reside two protocols: TCRR and VerifyMyVM. While the first asserts the integrity of a remote resource and permits the exchange of a private symmetric key, the second allows the user to detect, in a trusted way and on demand, any tampering attempt on their running VM. These protocols being key components of the proposed framework, they have been analysed in depth against known cryptanalytic attacks, as attested by their successful validation with AVISPA [1] and Scyther [66], two reference tools for the automatic verification of security protocols.
The second major contribution proposed in this manuscript is an obfuscation framework named JShadObf, designed to improve the protection of JavaScript-based software typically running on SaaS and PaaS platforms. This framework combines obfuscation transformations, code complexity measurements and Multi-Objective Evolutionary Algorithms (MOEAs) to protect JavaScript code, JavaScript being the most ubiquitous programming language at the heart of most modern web services deployed over those CC infrastructures, such as Google Office Apps, Dropbox or Doodle.
Fonds National de la Recherche - FnR (PHD-09-142)

File(s) associated to this reference

Fulltext file(s):

File: Bertholon - Thesis.pdf
Version: Author postprint
Size: 3.5 MB
Access: Open access


All documents in ORBilu are protected by a user license.