Download to read offline
![ The fraction of users that creates storage accounts of size
a when they arrive to the system is defined by fs ∈ [0,1]
We assumes that once user creates an account, he does
not cancel it after he leaves the system.
So the maximum amount of available storage (Sa) at time
n is
Sa(n)=n·λ·fs ·a](https://image.slidesharecdn.com/cloud-141123210538-conversion-gate02/85/Cloud-as-a-GIFT-Exploiting-Personal-Cloud-Free-Accounts-via-Rest-APIs-18-320.jpg)
![References:
[1] F. Research, “The personal cloud: Transforming personal
computing, mobile, and web markets,” 2011. [Online]. Available:
http://www.forrester.com/rb/Research/personal cloud transforming personal computing%2C mobile
%2C and/q/id/57403/t/2
[2] [Online]. Available: http://en.wikipedia.org/wiki/Dropbox (service)
[3] M. Jensen, N. Gruschka, and R. Herkenh¨oner, “A survey of attacks on web services,” Computer
Science - Research and Development, vol. 24, pp. 185–197, 2009.
[4] “A survey on security issues in service delivery models of cloud computing,” Journal of Network and
Computer Applications, vol. 34, no. 1, pp. 1–11, 2011.
[5] J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka, and L. Lo Iacono, “All your clouds
are belong to us: security analysis of cloud management interfaces,” in ACM CCSW’11, 2011, pp. 3–14.
[6] L. Vaquero, L. Rodero-Merino, and D. Mor´an, “Locking the sky: asurvey on iaas cloud security,”
Computing, vol. 91, pp. 93–118, 2011.
[7] J. Idziorek and M. Tannian, “Exploiting cloud utility models for profit and ruin,” in IEEE CLOUD’11, july
2011, pp. 33–40.
[8] J. Idziorek, M. Tannian, and D. Jacobson, “Attribution of fraudulent resource consumption in the
cloud,” in IEEE CLOUD’12, 2012, pp. 99–106.](https://image.slidesharecdn.com/cloud-141123210538-conversion-gate02/85/Cloud-as-a-GIFT-Exploiting-Personal-Cloud-Free-Accounts-via-Rest-APIs-33-320.jpg)
![References:
[9] M. Mulazzani, S. Schrittwieser, M. Leithner, M. Huber, and E.Weippl., “Dark clouds on the horizon:
Using cloud storage as attack vector and online slack space,” in USENIX Security, 2011, pp. 5–8.
[10] J. Srinivasan, W. Wei, X. Ma, and T. Yu, “Emfs: Email-based personal cloud storage,” in NAS’11,
2011, pp. 248–257.
[11] A. Traeger, N. Joukov, J. Sipek, and E. Zadok, “Using free web storage for data backup,” in
StorageSS’06, 2006, pp. 73–78.
[12] H.-C. Chao, T.-J. Liu, K.-H. Chen, and C.-R. Dow, “A seamless and reliable distributed network file
system utilizing webspace,” in WSE’08, 2008, pp. 65–68.
[13] E. Hammer-Lahav, “The OAuth 1.0 Protocol,” http://tools.ietf.org/html/ rfc5849, 2010.
[14] J. R. Douceur, “The sybil attack,” in IPTPS’01, 2002, pp. 251–260.
[15] R. Gracia-Tinedo, M. S´anchez-Artigas, A. Moreno-Mart´ınez, and P. Garc´ıa-L´opez, “FRIENDBOX:
A Hybrid F2F Personal Storage Application,” in IEEE CLOUD’12, 2012, pp. 131–138.
[16] B. Cohen, “Incentives build robustness in bittorrent,” in Workshop on
Economics of Peer-to-Peer systems, vol. 6, 2003, pp. 68–72.
[17] D. Karger, E. Lehman, T. Leighton, R. Panigrahy, M. Levine, and D. Lewin, “Consistent hashing and
random trees: distributed caching protocols for relieving hot spots on the world wide web,” in ACM
STOC’97, 1997, pp. 654–663.](https://image.slidesharecdn.com/cloud-141123210538-conversion-gate02/85/Cloud-as-a-GIFT-Exploiting-Personal-Cloud-Free-Accounts-via-Rest-APIs-34-320.jpg)
Uploaded byNishant Kumar
Cloud as a GIFT: Exploiting Personal Cloud Free Accounts via Rest APIs
The document discusses the concept of 'storage leeching' in personal cloud services, where users exploit free accounts to gain extensive storage by utilizing open REST APIs. It presents a proof-of-concept application called Boxleech, which aggregates free storage from multiple platforms, and outlines potential solutions to mitigate abuse such as account verification and implementation of expiration mechanisms. The paper highlights the unintended consequences of personal cloud services' strategies to attract new users through free accounts and ease of API access.
More Related Content
Similar to Cloud as a GIFT: Exploiting Personal Cloud Free Accounts via Rest APIs
Cloud as a GIFT: Exploiting Personal Cloud Free Accounts via Rest APIs
- 1. Cloud as aGift: Effectively Exploiting Personal Cloud Free Accounts via Rest APIs Team: Surya Prakash Singh (2014H112186p) Nishant kumar (2014H112193p)
- 2. Contents Introduction Problem Storage Leeching Problem Rest Architecture in cloud Problem Motivation Simple Cost Model Boxleech Possible Solutions Conclusion References
- 3. Introduction PersonalClouds, such as DropBox and Box, provide open REST APIs for developers to create clever applications that make their service even more attractive. These APIs are a powerful abstraction that makes it possible for applications to transparently manage data from user accounts, blurring the lines between a Personal Cloud service and storage IaaS. Personal Clouds also offer free accounts to lure new users, that normally include reduced storage space and unlimited transfers
- 4. Personal Cloudsoffer free accounts to lure new customers and gain market share Provide open REST APIs for developers to create clever applications that make their service even more attractive. From a functional viewpoint, these APIs enable an application to upload/download files to/from user account 5 GB free account RREESSTT AAPPIIss DDrrooppBBooxx
- 5. 5 GB free account RREESSTT AAPPIIss 5 GB free account DDrrooppBBooxx 5 GB free account
- 6. 5 GB free account RREESSTT AAPPIIss 5 GB free account DDrrooppBBooxx 5 GB free account 5 GB free account RREESSTT AAPPIIss 5 GB free account BBooxx 5 GB free account
- 7. 5 GB free account RREESSTT AAPPIIss 5 GB free account DDrrooppBBooxx 5 GB free account 5 GB free account RREESSTT AAPPIIss 5 GB free account BBooxx 5 GB free account 5 GB free account RREESSTT AAPPIIss 5 GB free account SSuuggaarrSSyynncc 5 GB free account
- 8. Problem 5 GBfree account DDrrooppBBooxx 4455 GGbb RREESSTT AAPPIIss 5 GB free account 5 GB free account 5 GB free account RREESSTT AAPPIIss 5 GB free account BBooxx 5 GB free account 5 GB free account RREESSTT AAPPIIss 5 GB free account SSuuggaarrSSyynncc 5 GB free account Abusive Application
- 9.
- 10. Why REST inthe cloud?? Provide Software interface to connect and consume services in various ways. Interface multiple systems. Service offering to third party clients and allow to build application. Ex: Login By Facebook, Twitter, Sharing on Social Media Provide support in heterogeneous ecosystems Abstract away business logic so that ecosystems of services can easily connect and work.
- 11. REST Architecture incloud
- 12. Example: Google RESTServices
- 13. OAuth2.0 Step 1:Client Application Originate Request For Resources Step 2: Redirect to “Server” for authorization Step 3: Response is from server domain asking resources owner to authenticate ( Enter credential Username and Password) Step 4: Resources owner authenticate Step 5: Server issue token to client Step 6: Client confirms access and access services through issued token
- 14. Entities OAuth 2.0 User Agent Web Browser Authorization Request Application Token Request Access Request Authorization Server Resources Server
- 15. Problem Motivation Economic Impact of Storage Leeching
- 16. Simple Cost Model User arrive to the system and start using a certain abusive application that benefits from storage leeching. Consider discrete time intervals (denoted by n) of duration Δ . Let λdenotes the average rate of new user arrivals per time interval. μDenotes the average rate at which user permanently leaves the system
- 17. Number of aliveuser abusing the system at time n will given as N(n) = N(0) + nλ − nμ, where λ ≥ μ Where N(0) represents the initial number of users which are already in the system.
- 18. The fractionof users that creates storage accounts of size a when they arrive to the system is defined by fs ∈ [0,1] We assumes that once user creates an account, he does not cancel it after he leaves the system. So the maximum amount of available storage (Sa) at time n is Sa(n)=n·λ·fs ·a
- 19. Storage consumptionat time n will be given as: n Σ Sc(n) = N(i) ∗ s i=0 Where s is the average storage consumption per user at every time interval.
- 20. Download traffic isgiven by: n Σ D(n) = N(i) ∗ d i=0 Where d is the average amount of consumed download traffic per time-slot n by every user .
- 21. So overallmonetary cost : C(n)=Sc(n)*cs +D(n)*cd Where cs represent the monetary cost per storage unit and time interval, and cd the price of downloading a unit of data.
- 22. The numberof user arrivals, namely λ, is one of the most important factors re- garding the monetary costs of storage leeching We observe that a small number of active users (4, 500) illicitly consume an amount of resources equivalent to $2,670 after 90 days In case of a large-scale abuse, these costs may reach dramatic numbers at short or medium term (e.g. $0.81M)
- 24. Boxleech :an abusivefile sharing application Boxleech is a proof-of-concept file-sharing application able to disseminate illegal or copyrighted content by abusing Personal Clouds. It aggregates free accounts from multiple Personal Clouds into a single storage unit that can be freely accessed by users interested in a certain content
- 25. The designof Boxleech can be divided into three main blocks: data management, metadata and, chunk assignment.
- 26. Data Management Boxleech splits every file into chunks of up to 100MB in size There were three good reasons for this: To surpass the file size limitations commonly imposed in the REST API access to free accounts To exploit storage diversity by allocating chunks of the same file to different Personal Clouds and To make it impossible for a single provider to store an entire copy of an illicit content. Locally Boxleech maintain an index.
- 27. CChhuunnkk__11 11 CChhuunnkk__2211 index table FFiillee 1 id Storage Provider 1 Storage Provider 2 CChhuunnkk__11 22 CChhuunnkk__22 22 Storage Provider 3 … File 1 Chunk_11, Chunk_1 2 -------- ------ File 2 ------- Chunk_2 1 Chunk_2 2 Storage Provider 1 Storage Provider 2 Storage Provider 3 FFiillee 22
- 28. Metadata Theobjective of Boxleech metadata files (.boxleech) is to map a set of chunks corresponding to the same content to their location in diverse Personal Cloud accounts. A metadata file is formed by a set of rows . chunk id order provider access credentials
- 29. Chunk Assignment Round Robin (RR) Upload/Download Proportional (UP, DP)
- 31. Possible Solutions Enforce accountable user identities Introduce filters in the creation of free account such as phone number, Human Intervention Expiration time for developer applications To discourage malicious users to exploit open APIs as a durable storage substrate, we believe that introducing expiration mechanisms to both developer applications and the related free accounts could be an effective countermeasure. Identify anomalous workloads Personal Clouds could benefit from research efforts focused on identifying fraudulent resource consumption to detect abuse in storage accounts related to developer applications
- 32. Conclusions To lurecustomers and developers, Personal Clouds provide open REST APIs to create new applications that make their service even more attractive. However, the unintended consequence of this strategy is that it is very easy for a user to abuse the service by aggregating free accounts, from one or several providers, to obtain a high-quality storage service, what we term as the storage leeching problem.
- 33. References: [1]F. Research, “The personal cloud: Transforming personal computing, mobile, and web markets,” 2011. [Online]. Available: http://www.forrester.com/rb/Research/personal cloud transforming personal computing%2C mobile %2C and/q/id/57403/t/2 [2] [Online]. Available: http://en.wikipedia.org/wiki/Dropbox (service) [3] M. Jensen, N. Gruschka, and R. Herkenh¨oner, “A survey of attacks on web services,” Computer Science - Research and Development, vol. 24, pp. 185–197, 2009. [4] “A survey on security issues in service delivery models of cloud computing,” Journal of Network and Computer Applications, vol. 34, no. 1, pp. 1–11, 2011. [5] J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka, and L. Lo Iacono, “All your clouds are belong to us: security analysis of cloud management interfaces,” in ACM CCSW’11, 2011, pp. 3–14. [6] L. Vaquero, L. Rodero-Merino, and D. Mor´an, “Locking the sky: asurvey on iaas cloud security,” Computing, vol. 91, pp. 93–118, 2011. [7] J. Idziorek and M. Tannian, “Exploiting cloud utility models for profit and ruin,” in IEEE CLOUD’11, july 2011, pp. 33–40. [8] J. Idziorek, M. Tannian, and D. Jacobson, “Attribution of fraudulent resource consumption in the cloud,” in IEEE CLOUD’12, 2012, pp. 99–106.
- 34. References: [9]M. Mulazzani, S. Schrittwieser, M. Leithner, M. Huber, and E.Weippl., “Dark clouds on the horizon: Using cloud storage as attack vector and online slack space,” in USENIX Security, 2011, pp. 5–8. [10] J. Srinivasan, W. Wei, X. Ma, and T. Yu, “Emfs: Email-based personal cloud storage,” in NAS’11, 2011, pp. 248–257. [11] A. Traeger, N. Joukov, J. Sipek, and E. Zadok, “Using free web storage for data backup,” in StorageSS’06, 2006, pp. 73–78. [12] H.-C. Chao, T.-J. Liu, K.-H. Chen, and C.-R. Dow, “A seamless and reliable distributed network file system utilizing webspace,” in WSE’08, 2008, pp. 65–68. [13] E. Hammer-Lahav, “The OAuth 1.0 Protocol,” http://tools.ietf.org/html/ rfc5849, 2010. [14] J. R. Douceur, “The sybil attack,” in IPTPS’01, 2002, pp. 251–260. [15] R. Gracia-Tinedo, M. S´anchez-Artigas, A. Moreno-Mart´ınez, and P. Garc´ıa-L´opez, “FRIENDBOX: A Hybrid F2F Personal Storage Application,” in IEEE CLOUD’12, 2012, pp. 131–138. [16] B. Cohen, “Incentives build robustness in bittorrent,” in Workshop on Economics of Peer-to-Peer systems, vol. 6, 2003, pp. 68–72. [17] D. Karger, E. Lehman, T. Leighton, R. Panigrahy, M. Levine, and D. Lewin, “Consistent hashing and random trees: distributed caching protocols for relieving hot spots on the world wide web,” in ACM STOC’97, 1997, pp. 654–663.
- 35.