VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
Cloud as Gift
1. Team:
Surya Prakash Singh (2014H112186p)
Nishant kumar (2014H112193p)
Cloud as a Gift: Effectively Exploiting Personal Cloud
Free Accounts via Rest APIs
2. Introduction
Problem
Storage Leeching Problem
Rest Architecture in cloud
Problem Motivation
Simple Cost Model
Boxleech
Possible Solutions
Conclusion
References
Contents
3. Personal Clouds, such as DropBox and Box, provide open REST APIs
for developers to create clever applications that make their service
even more attractive.
These APIs are a powerful abstraction that makes it possible for
applications to transparently manage data from user accounts,
blurring the lines between a Personal Cloud service and storage IaaS.
Personal Clouds also offer free accounts to lure new users, that
normally include reduced storage space and unlimited transfers
Introduction
4. 5 GB free
account
5 GB free
account
DropBoxDropBox
REST APIsREST APIs
Personal Clouds offer free accounts to lure new customers and gain
market share
Provide open REST APIs for developers to create clever applications
that make their service even more attractive. From a functional
viewpoint, these APIs enable an application to upload/download files
to/from user account
10. Provide Software interface to connect and consume
services in various ways.
Interface multiple systems.
Service offering to third party clients and allow to build
application. Ex: Login By Facebook, Twitter, Sharing on
Social Media
Provide support in heterogeneous ecosystems
Abstract away business logic so that ecosystems of
services can easily connect and work.
Why REST in the cloud??
13. Step 1: Client Application Originate Request For Resources
Step 2: Redirect to “Server” for authorization
Step 3: Response is from server domain asking resources owner to
authenticate ( Enter credential Username and Password)
Step 4: Resources owner authenticate
Step 5: Server issue token to client
Step 6: Client confirms access and access services through issued token
OAuth2.0
14. Entities OAuth 2.0
User Agent
Web Browser
Authorization
Request
Application
Token Request
Access Request
Authorization Server
Resources Server
16. User arrive to the system and start using a certain abusive
application that benefits from storage leeching.
Consider discrete time intervals (denoted by n) of duration
∆ .
Let λdenotes the average rate of new user arrivals per
time interval.
μDenotes the average rate at which user permanently
leaves the system
Simple Cost Model
17. Number of alive user abusing the system at time n will
given as
N(n) = N(0) + nλ − nμ, where λ ≥ μ
Where N(0) represents the initial number of users which are
already in the system.
18. The fraction of users that creates storage accounts of size
a when they arrive to the system is defined by fs [0,1]∈
We assumes that once user creates an account, he does
not cancel it after he leaves the system.
So the maximum amount of available storage (Sa) at time
n is
Sa(n)=n·λ·fs ·a
19. Storage consumption at time n will be given as:
Where s is the average storage consumption per user at
every time interval.
Sc(n) = N(i) ∗ si=0
n
∑
20. Download traffic is given by:
Where d is the average amount of consumed download
traffic per time-slot n by every user .
D(n) = N(i) ∗ di=0
n
∑
21. So overall monetary cost :
C(n)=Sc(n)*cs +D(n)*cd
Where cs represent the monetary cost per storage unit
and time interval, and cd the price of downloading a unit
of data.
22. The number of user arrivals, namely λ,
is one of the most important factors
re- garding the monetary costs of
storage leeching
We observe that a small number of
active users (4, 500) illicitly consume
an amount of resources equivalent
to $2,670 after 90 days
In case of a large-scale abuse, these
costs may reach dramatic numbers
at short or medium term (e.g.
$0.81M)
23.
24. Boxleech is a proof-of-concept file-sharing application able to disseminate illegal
or copyrighted content by abusing Personal Clouds.
It aggregates free accounts from multiple Personal Clouds into a single storage
unit that can be freely accessed by users interested in a certain content
Boxleech :an abusive file sharing
application
25. The design of Boxleech can be
divided into three main blocks: data
management, metadata and, chunk
assignment.
26. Boxleech splits every file into chunks of up to 100MB in size
There were three good reasons for this:
To surpass the file size limitations commonly imposed in the REST
API access to free accounts
To exploit storage diversity by allocating chunks of the same file
to different Personal Clouds and
To make it impossible for a single provider to store an entire copy
of an illicit content.
Locally Boxleech maintain an index.
Data Management
28. The objective of Boxleech metadata files (.boxleech) is to map a set
of chunks corresponding to the same content to their location in
diverse Personal Cloud accounts.
A metadata file is formed by a set of rows .
Metadata
chunk id order provider access credentials
31. Enforce accountable user identities
Introduce filters in the creation of free account such as phone number, Human Intervention
Expiration time for developer applications
To discourage malicious users to exploit open APIs as a durable storage substrate, we believe that
introducing expiration mechanisms to both developer applications and the related free accounts
could be an effective countermeasure.
Identify anomalous workloads
Personal Clouds could benefit from research efforts focused on identifying fraudulent resource
consumption to detect abuse in storage accounts related to developer applications
Possible Solutions
32. To lure customers and developers, Personal Clouds provide open REST APIs to
create new applications that make their service even more attractive. However,
the unintended consequence of this strategy is that it is very easy for a user to
abuse the service by aggregating free accounts, from one or several providers, to
obtain a high-quality storage service, what we term as the storage leeching
problem.
Conclusions
33. [1] F. Research, “The personal cloud: Transforming personal
computing, mobile, and web markets,” 2011. [Online]. Available:
http://www.forrester.com/rb/Research/personal cloud transforming personal computing%2C mobile
%2C and/q/id/57403/t/2
[2] [Online]. Available: http://en.wikipedia.org/wiki/Dropbox (service)
[3] M. Jensen, N. Gruschka, and R. Herkenh¨oner, “A survey of attacks on web services,” Computer
Science - Research and Development, vol. 24, pp. 185–197, 2009.
[4] “A survey on security issues in service delivery models of cloud computing,” Journal of Network and
Computer Applications, vol. 34, no. 1, pp. 1–11, 2011.
[5] J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka, and L. Lo Iacono, “All your clouds
are belong to us: security analysis of cloud management interfaces,” in ACM CCSW’11, 2011, pp. 3–14.
[6] L. Vaquero, L. Rodero-Merino, and D. Mor´an, “Locking the sky: asurvey on iaas cloud security,”
Computing, vol. 91, pp. 93–118, 2011.
[7] J. Idziorek and M. Tannian, “Exploiting cloud utility models for profit and ruin,” in IEEE CLOUD’11, july
2011, pp. 33–40.
[8] J. Idziorek, M. Tannian, and D. Jacobson, “Attribution of fraudulent resource consumption in the
cloud,” in IEEE CLOUD’12, 2012, pp. 99–106.
References:
34. [9] M. Mulazzani, S. Schrittwieser, M. Leithner, M. Huber, and E.Weippl., “Dark clouds on the horizon:
Using cloud storage as attack vector and online slack space,” in USENIX Security, 2011, pp. 5–8.
[10] J. Srinivasan, W. Wei, X. Ma, and T. Yu, “Emfs: Email-based personal cloud storage,” in NAS’11,
2011, pp. 248–257.
[11] A. Traeger, N. Joukov, J. Sipek, and E. Zadok, “Using free web storage for data backup,” in
StorageSS’06, 2006, pp. 73–78.
[12] H.-C. Chao, T.-J. Liu, K.-H. Chen, and C.-R. Dow, “A seamless and reliable distributed network file
system utilizing webspace,” in WSE’08, 2008, pp. 65–68.
[13] E. Hammer-Lahav, “The OAuth 1.0 Protocol,” http://tools.ietf.org/html/ rfc5849, 2010.
[14] J. R. Douceur, “The sybil attack,” in IPTPS’01, 2002, pp. 251–260.
[15] R. Gracia-Tinedo, M. S´anchez-Artigas, A. Moreno-Mart´ınez, and P. Garc´ıa-L´opez, “FRIENDBOX:
A Hybrid F2F Personal Storage Application,” in IEEE CLOUD’12, 2012, pp. 131–138.
[16] B. Cohen, “Incentives build robustness in bittorrent,” in Workshop on
Economics of Peer-to-Peer systems, vol. 6, 2003, pp. 68–72.
[17] D. Karger, E. Lehman, T. Leighton, R. Panigrahy, M. Levine, and D. Lewin, “Consistent hashing and
random trees: distributed caching protocols for relieving hot spots on the world wide web,” in ACM
STOC’97, 1997, pp. 654–663.
References: