Provided herein are systems and methods to facilitate computational security. While conventional security mechanisms focus on device centric security, the subject innovation pertains to securing network based cloud services. These services can be analyzed and action taken to constrain behavior. In one instance, a service can be limited to employment of particular resources. Additionally or alternatively, mechanisms can be employed to assure that the service does not engage in malicious activity.
The aforementioned functionality can be performed at least in part by a security component. This component can be embodied in a number of different systems that alone or in combination contribute to the security of cloud service applications. For instance, the security component can be a service itself, embodied within an execution environment and/or employed in an application development system, among other things.
Various aspects of the subject innovation are now described with reference to the annexed drawings, wherein like numerals refer to like or corresponding elements throughout. It should be understood, however, that the drawings and detailed description relating thereto are not intended to limit the claimed subject matter to the particular form disclosed. Rather, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope of the claimed subject matter.
Referring initially to
The network services component(s) 110 are communicatively coupled to interface component(s) 120, which are similarly coupled to security component 130. The interface component(s) 120 facilitate communication between the network services component(s) 110 and the security component 130. In one embodiment, the interface component(s) 120 can correspond to application programming interfaces, wherein the interface component(s) 120 implement program calls for both the network service component(s) 110 and the security component 130 and provided translations between them. For instance, the security component 130 can request and receive data from a network application via the interface component 120, which can perform translation between protocols. Note also that while illustrated separately, the interface component(s) 120 can form part of one or both of the network service component(s) 110 and the security component 130.
The security component 130 interacts with the network service component(s) 110 to ensure safe and/or appropriate programmatic behavior. More specifically, the security component 130 includes an analyzer component 132 that analyzes the network service 110 to detect or infer unsafe or inappropriate activity. For example, the analyzer component 132 can detect malicious activity such as a virus by comparing code or actions thereof to virus patterns or signatures as described in further detail hereinafter. Additionally or alternatively, the analyzer component 132 can scrutinize the manner and/or usage of particular resources to identify proper or improper utilization in accordance an execution policy and/or trust metric, inter alia.
The analyzer component 134 is communicatively coupled to action component 136 to facilitate response to a condition identified by the analyzer component 134. The response taken can seek to remedy the condition and/or preemptively prevent an act from occurring. By way of example, the analyzer component 132 can detect a virus in the network service 110 via a match to a known virus signature and relay a message to action component 134 for response. The action component 134 can then remove the virus. Similarly, the analyzer component 132 can determine the network service 110 includes malicious code capable of taking over or corrupting a data center and the action component 134 can prevent such action by disallowing connection to the data center. Note also that actions need to be confined to remedying conditions. They can also be associated with notification of appropriate authorities, groups and/or developers, among other things.
Turning attention to
The analysis can seek to ensure that applications safely and/or securely interact with resources. The analysis can be embodied in a set of logic rules or procedures. Here, for instance, the analyzer component 132 can interact with signature component 330, which supplies or otherwise makes accessible patterns or signatures indicative of insecure and/or secure behavior. The analyzer component 132 can then identify, infer or predict improper activity based on the data from one or more of the interface components 310 and 320 in conjunction with signature information from component 330. Information can be sent from the analyzer component 132 to the action component 134 to initiate performance of some action to ensure safe and/or secure operation.
By way of example, the action component 134 can act as a gateway and prohibit access to particular resources. Alternatively, if the action is determined or inferred to be safe or free from malicious behavior, the action component 134 can allow or facilitate provisioning of resources via the machine interface component 320 and the application interface component 310. For instance, a code segment can be loaded and remotely processed by cloud resources and results provided back to a cloud service application. In another instance, a data store can be made accessible to a cloud service for interaction.
Note that concepts described thus far generally provide one level of security defense. For example, code cannot be executed that does not match a known good signature or alternatively matches a bad signature. However, there can still be issues where nominally “good” code can take over a system (e.g., via a denial of service type attack by consuming too many resources either intentionally or unintentionally). These scenarios are a grey zone between purely evil or bad code and purely good code. This is where otherwise good code is tricked to doing something unintended. One approach to dealing with this problem is to introduce a quota system executed by one or more of the analysis and action components 132 and 134, respectively. More particularly, any code that runs is associated with some amount of resources it is allowed to use. This limit can be static, or it can be dynamic (e.g., set by an auction pricing model). The amount of resources utilized and/or requested can be monitored and action taken to prevent employment of resources in excess of a designated amount. As a result, one can be confident that an associated system executes only code known to be good, and it is contained within some known constraints so that even if it does go haywire in some unintended way, it will be bounded within some overall limits.
A representative action component 134 is depicted by
Locator component 630 locates a remedy or associated actions for a particular malicious behavior, for instance as determined by the analyzer component 132 (
The implementation component 640 implements or executes actions specified by a provided or otherwise acquired remedy. By way of example, the implementation component 640 can execute actions that prevent access to resources (e.g., data store, processors . . . ) and/or remove malicious code. Additionally or alternatively, notifications can be generated and provided to responsible individuals.
The security component 130 is communicatively coupled to the execution component 710 and the resources 210. In this manner, the security component 130 can control access to the resources by network service components 110. The security component 110 can thus protect the resources by acting as a proxy for the execution component 710 such that requests for resources can be made through the security component 130. Requests can be analyzed and if safe, the resources can be made available for use by the execution component 710, for instance directly or indirectly via security component 130. However, if use is suspicious or otherwise determined to be unsafe and/or insecure, the security component 710 can inject itself and prevent usage of the resources as desired. For instance, if it is determined that a malicious service is attempting to take control of processing resources or inject a virus into the system, the security component 130 can deny the service access to the resources.
Furthermore, the security component 130 can create a security sandbox, wherein access to particular resources is restricted. For instance, the security component 130 can ensure that network service component(s) 110 are only able to access the resources 210 of the execution environment 700. While this can be beneficial for program testing, use thereof is not restricted to that purpose. Such functionality can also be utilized to limit the effects of programs on resources outside the execution environment and thereby mitigate dangers to other resources.
Still further yet, the security component 130 can execute a quota system to restrict that amount of resources accessible to network service components in accordance with an associated limit. This limit can be static, or it can be dynamic (e.g., set by an auction pricing model). Consequently, the execution environment can ensure that only code known to be good is executed and it is restrained by some constraints so that even if it does behave badly in some unintended way, it will be bounded within some overall limits.
In accordance with one embodiment, the execution component 710 can throttle or regulate resource usage alone or in conjunction with the security component 130. More specifically, the execution component 710 can be responsive to and/or respective of requests by the security component 130, application/system context and/or or any policy or rights associated with an application. It should be appreciated that unlike a personal computer, cloud computations compete with many other computations of other users on the same system. Thus, in one instance, the execution component 710 can perform exponential back off where a long running or resource hungry computation is scheduled to execute at ever increasing intervals such that it can do less harm (e.g., with respect to denial of service attacks). Furthermore, it should be appreciated that resource rights can be required for execution. Allocation of resources can thus be controlled by price, such as progressively increasing the price for resources or allocating resources to the highest bidder. Dually, certain users can decide to sell resources rights (e.g., cycles and other resources) to higher bidders, for instance.
It is also to be noted that code can be proof carrying. In other words, the code can provide some evidence (e.g., formal) that it is secure. Proof carrying code can be scrutinized by the security component 130 to ensure it has an appropriate proof or evidence prior to execution. If not, the execution can be prevented.
Referring to
The security component 130 is communicatively coupled to both the development component 810 as well as the network service component 110 and is operable to assist in service development and deployment. More specifically, the security component 130 can analyze the network service component 110 and provide security feedback to the development component. By way of example, the security component can detect attempted use of a restricted behavior and notify a programmer of this problem via the development component 810. The notification can take the form of a squiggly line under the code segment and/or tool tip that provides specific information about the security violation, for example. Moreover, the security component 130 can interact with the development component 810 to prohibit generation of a service with security violations, for instance by not providing tools that assist and/or allow a user to code a service that violates a security policy, inter alia. Likewise, the security component 130 can monitor code generation with respect to malicious code signatures and communicate such information to the developer component 810, prohibit specification malicious code and/or comment out malicious code. In this way, code including viruses and the like can be detected and eliminated at the development level, prior to execution.
In accordance with one embodiment, the security component 130 can facilitate design of proof carrying code. In addition to or as an alternative to checking applications for potential bad behavior, a burden can be placed on applications to prove that they are well behaved. That is, an execution system can engage in a formal verifiable contract with an application that requires the application to satisfy a given precondition(s) that when met the system can guarantee a post-condition to be established (i.e., instead of a bank performing a credit check on someone that wants a loan, the person that requests the loan must provide the credit record to the bank; the bank then only needs to verify that the record is correct). Here, the security component 130 can be utilized in conjunction with the development component to generate a proof associated with generated code.
It should be noted that employment of the development system 880 does not exclude use of other security mechanisms such as those that involve analyzing code execution. In fact, such mechanisms can be combined to generate useful and innovative features. For example, runtime security monitoring and/or analysis can be based on a metric of trustworthiness. In other words, a runtime security component or system and monitor applications differently depending on the level of trustworthiness associated with the application. While trustworthiness can be associated with an individual developer or company, it can also be based on other factors such as the development environment from which the service is generated. In particular, a service developed utilizing a secure system such as system 800 can be deemed more trustworthy than applications that do not employ such a system. Accordingly, execution analysis can be looser in that actions that would otherwise trigger a response need not. In this scenario, the development environment can embed a code in the application that is identifies the environment and/or provides a means to certify that the program was developed and/or analyzed by a particular secure system. Similar and/or additional mechanisms can also be utilized to base trustworthiness on developer identity and application authentication. In this manner, trustworthiness can be increased based on identifiable and responsible parties.
Furthermore, note that the provided systems and/or components associated with secure computation can be made extensible. More particularly, these systems and/or components can allow users to also upload their own analyzer components, action components, signature components, security components or the like. This allows for a higher-order cloud (e.g., a cloud parameterized by a cloud) as opposed to a first-order cloud. By way of example, the system can host services of a company that wants to enforce their own security policies. Further, the system can be modified to be able to host different execution components (e.g., CLR, unmanaged code, JVM, AS400 . . . ). Still further yet, the system can allow and enable plug in of third-party virus scanners. In this case, the security component 130 can act as a meta-security component that will ensure the secure execution of downloaded components.
The aforementioned systems, architectures and the like have been described with respect to interaction between several components. It should be appreciated that such systems and components can include those components or sub-components specified therein, some of the specified components or sub-components, and/or additional components. Sub-components could also be implemented as components communicatively coupled to other components rather than included within parent components. Further yet, one or more components and/or sub-components may be combined into a single component to provide aggregate functionality. The components may also interact with one or more other components not specifically described herein for the sake of brevity, but known by those of skill in the art.
Furthermore, as will be appreciated, various portions of the disclosed systems and methods may include or consist of artificial intelligence, machine learning, or knowledge or rule based components, sub-components, processes, means, methodologies, or mechanisms (e.g., support vector machines, neural networks, expert systems, Bayesian belief networks, fuzzy logic, data fusion engines, classifiers . . . ). Such components, inter alia, can automate certain mechanisms or processes performed thereby to make portions of the systems and methods more adaptive as well as efficient and intelligent.
By way of example and not limitation, the security component 130 can utilize such mechanisms to infer potential security issues based on characteristics of a plurality signatures of known security problems. In this manner, the security component 130 can automatically identify new security threats and/or potential security vulnerabilities. Similarly, the security component 130 can employ such techniques to locate or even generate responses that remedy identified or inferred security issues. For instance, if malicious code is discovered which attempts to corrupt and/or delete data from a store, the security component can infer that it should block access to the store to prevent damage.
In view of the exemplary systems described supra, methodologies that may be implemented in accordance with the disclosed subject matter will be better appreciated with reference to the flow charts of
Referring to
Turning attention to
Applications may be allowed to implement disparate levels of functionality based on the level of trust associated with an application. For instance, suspicious activity need not be regarded as such for a trustworthy application generated by a secure development environment. At reference numeral 1020, prohibited behavior can be identified in view of the determined trustworthiness. There can be an inverse relationship here—the greater the level of trust the less activity should be prohibited. Stated differently, the lower the trust associated with a service application, the greater the restrictions.
At reference numeral 1030, the cloud service application is analyzed. The analysis can be based on the identified prohibited behavior as determined at 1020. A determinate can then be made with respect to the analysis as to whether prohibited behavior exists, at numeral 1040. A comparison can be made with respected to identified prohibited behavior and application specified activity. If there is a match, then prohibited behavior has been detected. Alternatively, no prohibited behavior is detected is there is no match. It should also be appreciated that inference can be employed to facilitate identification of prohibited behavior. In such a scenario, additional prohibited activities can be derived from those already provided. Matches can then be determined based on inferred prohibited behaviors. If prohibited behaviors are detected, method 1000 can continue at 1050. Otherwise, the method 1000 can simply terminate or alternatively continue to analyze an application at 1030 (not shown).
At reference numeral 1050, action can be initiated to prevent the identified behavior. Actions are dependent upon application state, among other things. If prohibited behavior is identified in an application during development, then the behavior can be removed or modified to eliminate the security risk. However, if the application is running, then action can relate to blocking the prohibited behavior, for example by not allowing use of resources.
As used herein, the terms “component,” “system,” “service” and the like are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to being, a process running on a processor, a processor, an object, an instance, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a computer and the computer can be a component. One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers.
The term “entity” is intended to include one or more individuals/users. These users may be associated formally or informally, for instance as a member of a group, organization or enterprise. Alternatively, entities and/or users can be completely unrelated.
A “cloud” is intended to refer to a collection of resources (e.g., hardware and/or software) provided and maintained by an off-site party (e.g., third party), wherein the collection of resources can be accessed by an identified user over a network (e.g., Internet, WAN . . . ). The resources provide services including, without limitation, data storage services, security services, and/or many other services or applications that are conventionally associated with personal computers and/or local servers.
The word “exemplary” is used herein to mean serving as an example, instance or illustration. Any aspect or design described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects or designs. Furthermore, examples are provided solely for purposes of clarity and understanding and are not meant to limit the subject innovation or relevant portion thereof in any manner. It is to be appreciated that a myriad of additional or alternate examples could have been presented, but have been omitted for purposes of brevity.
Furthermore, all or portions of the subject innovation may be implemented as a method, apparatus or article of manufacture using standard programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof to control a computer to implement the disclosed innovation. The term “article of manufacture” as used herein is intended to encompass a computer program accessible from any computer-readable device or media. For example, computer readable media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips . . . ), optical disks (e.g., compact disk (CD), digital versatile disk (DVD) . . . ), smart cards, and flash memory devices (e.g., card, stick, key drive . . . ). Additionally it should be appreciated that a carrier wave can be employed to carry computer-readable electronic data such as those used in transmitting and receiving electronic mail or in accessing a network such as the Internet or a local area network (LAN). Of course, those skilled in the art will recognize many modifications may be made to this configuration without departing from the scope or spirit of the claimed subject matter.
In order to provide a context for the various aspects of the disclosed subject matter,
With reference to
The system memory 1116 includes volatile and nonvolatile memory. The basic input/output system (BIOS), containing the basic routines to transfer information between elements within the computer 1112, such as during start-up, is stored in nonvolatile memory. By way of illustration, and not limitation, nonvolatile memory can include read only memory (ROM). Volatile memory includes random access memory (RAM), which can act as external cache memory to facilitate processing.
Computer 1112 also includes removable/non-removable, volatile/non-volatile computer storage media.
The computer 1112 also includes one or more interface components 1126 that are communicatively coupled to the bus 1118 and facilitate interaction with the computer 1112. By way of example, the interface component 1126 can be a port (e.g., serial, parallel, PCMCIA, USB, FireWire . . . ) or an interface card (e.g., sound, video, network . . . ) or the like. The interface component 1126 can receive input and provide output (wired or wirelessly). For instance, input can be received from devices including but not limited to, a pointing device such as a mouse, trackball, stylus, touch pad, keyboard, microphone, joystick, game pad, satellite dish, scanner, camera, other computer and the like. Output can also be supplied by the computer 1112 to output device(s) via interface component 1126. Output devices can include displays (e.g., CRT, LCD, plasma . . . ), speakers, printers and other computers, among other things.
The system 1200 includes a communication framework 1250 that can be employed to facilitate communications between the client(s) 1210 and the server(s) 1230. Here, the client(s) can correspond to network computing devices and the server(s) can form at least a portion of the cloud. The client(s) 1210 are operatively connected to one or more client data store(s) 1260 that can be employed to store information local to the client(s) 1210. Similarly, the server(s) 1230 are operatively connected to one or more server data store(s) 1240 that can be employed to store information local to the servers 1230. Here, the server(s) 1230 and associated data store(s) 1240 can provide the resources for execution of network or cloud service applications. The client(s) 1210 are related store(s) 1260 can be representative of client devices (e.g., thin clients) that interact with the cloud service applications.
What has been described above includes examples of aspects of the claimed subject matter. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the claimed subject matter, but one of ordinary skill in the art may recognize that many further combinations and permutations of the disclosed subject matter are possible. Accordingly, the disclosed subject matter is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims. Furthermore, to the extent that the terms “includes,” “has” or “having” or variations in form thereof are used in either the detailed description or the claims, such terms are intended to be inclusive in a manner similar to the term “comprising” as “comprising” is interpreted when employed as a transitional word in a claim.
This application is a continuation-in-part of U.S. patent application Ser. No. 11/536,595, filed Sep. 28, 2006 and entitled SECURE SERVICE COMPUTATION, incorporated herein by reference.
Number | Date | Country | |
---|---|---|---|
Parent | 11536595 | Sep 2006 | US |
Child | 11613925 | US |