Cloud as a GIFT: Exploiting Personal Cloud Free Accounts via Rest APIs

Team:Surya Prakash Singh (2014H112186p)

Nishant kumar (2014H112193p)

Cloud as a Gift: Effectively Exploiting Personal Cloud

Free Accounts via Rest APIs

Introduction Problem Storage Leeching Problem Rest Architecture in cloud Problem Motivation Simple Cost Model Boxleech Possible Solutions Conclusion References

Contents

Personal Clouds, such as DropBox and Box, provide open REST APIs

for developers to create clever applications that make their service

even more attractive.

These APIs are a powerful abstraction that makes it possible for

applications to transparently manage data from user accounts,

blurring the lines between a Personal Cloud service and storage IaaS.

Personal Clouds also offer free accounts to lure new users, that

normally include reduced storage space and unlimited transfers

Introduction

5 GB free account5 GB free account

DropBoxDropBox

REST APIsREST APIs

Personal Clouds offer free accounts to lure new customers and gain market share

Provide open REST APIs for developers to create clever applications that make their service even more attractive. From a functional viewpoint, these APIs enable an application to upload/download files to/from user account

5 GB free account5 GB free account

DropBoxDropBox

REST APIsREST APIs

5 GB free account5 GB free account

5 GB free account5 GB free account

5 GB free account5 GB free account

DropBoxDropBox

REST APIsREST APIs

5 GB free account5 GB free account

5 GB free account5 GB free account

5 GB free account5 GB free account

BoxBox

REST APIsREST APIs

5 GB free account5 GB free account

5 GB free account5 GB free account

5 GB free account5 GB free account

DropBoxDropBox

REST APIsREST APIs

5 GB free account5 GB free account

5 GB free account5 GB free account

5 GB free account5 GB free account

BoxBox

REST APIsREST APIs

5 GB free account5 GB free account

5 GB free account5 GB free account

5 GB free account5 GB free account

SugarSyncSugarSync

REST APIsREST APIs

5 GB free account5 GB free account

5 GB free account5 GB free account

Problem

5 GB free account5 GB free account

DropBoxDropBox

45 Gb45 Gb

REST APIsREST APIs

5 GB free account5 GB free account

5 GB free account5 GB free account

5 GB free account5 GB free account

BoxBox

REST APIsREST APIs

5 GB free account5 GB free account

5 GB free account5 GB free account

5 GB free account5 GB free account

SugarSyncSugarSync

REST APIsREST APIs

5 GB free account5 GB free account

5 GB free account5 GB free account

Abusive Application

Abusive Application

Storage Leeching Problem

Provide Software interface to connect and consume services in various ways.

Interface multiple systems. Service offering to third party clients and allow to build

application. Ex: Login By Facebook, Twitter, Sharing on Social Media

Provide support in heterogeneous ecosystems Abstract away business logic so that ecosystems of

services can easily connect and work.

Why REST in the cloud??

REST Architecture in cloud

Example: Google REST Services

Step 1: Client Application Originate Request For Resources

Step 2: Redirect to “Server” for authorization

Step 3: Response is from server domain asking resources owner to

authenticate ( Enter credential Username and Password)

Step 4: Resources owner authenticate

Step 5: Server issue token to client

Step 6: Client confirms access and access services through issued token

OAuth2.0

Entities OAuth 2.0

User AgentWeb Browser

Authorization

Request

Application

Token Request

Access Request

Authorization Server

Resources Server

Economic Impact of Storage Leeching

Problem Motivation

User arrive to the system and start using a certain abusive application that benefits from storage leeching.

Consider discrete time intervals (denoted by n) of duration ∆ .

Let λdenotes the average rate of new user arrivals per time interval.

μDenotes the average rate at which user permanently leaves the system

Simple Cost Model

Number of alive user abusing the system at time n will given as

N(n) = N(0) + nλ − nμ, where λ ≥ μ Where N(0) represents the initial number of users which are

already in the system.

The fraction of users that creates storage accounts of size a when they arrive to the system is defined by fs [0,1]∈

We assumes that once user creates an account, he does not cancel it after he leaves the system.

So the maximum amount of available storage (Sa) at time n is

Sa(n)=n·λ·fs ·a

Storage consumption at time n will be given as:

Where s is the average storage consumption per user at every time interval.

€

Sc(n) = N(i) ∗ si=0

n∑

Download traffic is given by:

Where d is the average amount of consumed download traffic per time-slot n by every user .

€

D(n) = N(i) ∗ di=0

n∑

So overall monetary cost : C(n)=Sc(n)*cs +D(n)*cd Where cs represent the monetary cost per storage unit

and time interval, and cd the price of downloading a unit of data.

The number of user arrivals, namely λ,

is one of the most important factors

re- garding the monetary costs of

storage leeching

We observe that a small number of

active users (4, 500) illicitly consume

an amount of resources equivalent

to $2,670 after 90 days

In case of a large-scale abuse, these

costs may reach dramatic numbers

at short or medium term (e.g.

$0.81M)

Boxleech is a proof-of-concept file-sharing application able to disseminate illegal

or copyrighted content by abusing Personal Clouds.

It aggregates free accounts from multiple Personal Clouds into a single storage

unit that can be freely accessed by users interested in a certain content

Boxleech :an abusive file sharing application

The design of Boxleech can be

divided into three main blocks: data

management, metadata and, chunk

assignment.

Boxleech splits every file into chunks of up to 100MB in size There were three good reasons for this:

To surpass the file size limitations commonly imposed in the REST API access to free accounts

To exploit storage diversity by allocating chunks of the same file to different Personal Clouds and

To make it impossible for a single provider to store an entire copy of an illicit content.

Locally Boxleech maintain an index.

Data Management

index table

id Storage Provider 1

Storage Provider 2

Storage Provider 3

…

File 1 Chunk_11,Chunk_1 2

-------- ------

File 2 ------- Chunk_2 1 Chunk_2 2

File 1File 1

Chunk_1 1Chunk_1 1

Chunk_2 2Chunk_2 2

Chunk_1 2Chunk_1 2

Chunk_2 1Chunk_2 1

Storage Provider 1Storage

Provider 1

Storage Provider 2Storage

Provider 2

Storage Provider 3Storage

Provider 3

File 2File 2

The objective of Boxleech metadata files (.boxleech) is to map a set of chunks corresponding to the same content to their location in diverse Personal Cloud accounts.

A metadata file is formed by a set of rows .

Metadata

chunk id order provider access credentials

Round Robin (RR)

Upload/Download Proportional (UP, DP)

Chunk Assignment

Enforce accountable user identitiesIntroduce filters in the creation of free account such as phone number, Human Intervention

Expiration time for developer applicationsTo discourage malicious users to exploit open APIs as a durable storage substrate, we believe that

introducing expiration mechanisms to both developer applications and the related free accounts

could be an effective countermeasure.

Identify anomalous workloadsPersonal Clouds could benefit from research efforts focused on identifying fraudulent resource

consumption to detect abuse in storage accounts related to developer applications

Possible Solutions

To lure customers and developers, Personal Clouds provide open REST APIs to

create new applications that make their service even more attractive. However,

the unintended consequence of this strategy is that it is very easy for a user to

abuse the service by aggregating free accounts, from one or several providers, to

obtain a high-quality storage service, what we term as the storage leeching

problem.

Conclusions

[1] F. Research, “The personal cloud: Transforming personal computing, mobile, and web markets,” 2011. [Online]. Available: http://www.forrester.com/rb/Research/personal cloud transforming personal computing\%2C mobile\

%2C and/q/id/57403/t/2 [2] [Online]. Available: http://en.wikipedia.org/wiki/Dropbox (service) [3] M. Jensen, N. Gruschka, and R. Herkenh¨oner, “A survey of attacks on web services,” Computer

Science - Research and Development, vol. 24, pp. 185–197, 2009. [4] “A survey on security issues in service delivery models of cloud computing,” Journal of Network and

Computer Applications, vol. 34, no. 1, pp. 1–11, 2011. [5] J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka, and L. Lo Iacono, “All your clouds

are belong to us: security analysis of cloud management interfaces,” in ACM CCSW’11, 2011, pp. 3–14. [6] L. Vaquero, L. Rodero-Merino, and D. Mor´an, “Locking the sky: asurvey on iaas cloud security,”

Computing, vol. 91, pp. 93–118, 2011. [7] J. Idziorek and M. Tannian, “Exploiting cloud utility models for profit and ruin,” in IEEE CLOUD’11, july

2011, pp. 33–40. [8] J. Idziorek, M. Tannian, and D. Jacobson, “Attribution of fraudulent resource consumption in the

cloud,” in IEEE CLOUD’12, 2012, pp. 99–106.

References:

[9] M. Mulazzani, S. Schrittwieser, M. Leithner, M. Huber, and E.Weippl., “Dark clouds on the horizon: Using cloud storage as attack vector and online slack space,” in USENIX Security, 2011, pp. 5–8.

[10] J. Srinivasan, W. Wei, X. Ma, and T. Yu, “Emfs: Email-based personal cloud storage,” in NAS’11, 2011, pp. 248–257.

[11] A. Traeger, N. Joukov, J. Sipek, and E. Zadok, “Using free web storage for data backup,” in StorageSS’06, 2006, pp. 73–78.

[12] H.-C. Chao, T.-J. Liu, K.-H. Chen, and C.-R. Dow, “A seamless and reliable distributed network file system utilizing webspace,” in WSE’08, 2008, pp. 65–68.

[13] E. Hammer-Lahav, “The OAuth 1.0 Protocol,” http://tools.ietf.org/html/ rfc5849, 2010. [14] J. R. Douceur, “The sybil attack,” in IPTPS’01, 2002, pp. 251–260. [15] R. Gracia-Tinedo, M. S´anchez-Artigas, A. Moreno-Mart´ınez, and P. Garc´ıa-L´opez, “FRIENDBOX:

A Hybrid F2F Personal Storage Application,” in IEEE CLOUD’12, 2012, pp. 131–138. [16] B. Cohen, “Incentives build robustness in bittorrent,” in Workshop on Economics of Peer-to-Peer systems, vol. 6, 2003, pp. 68–72. [17] D. Karger, E. Lehman, T. Leighton, R. Panigrahy, M. Levine, and D. Lewin, “Consistent hashing and

random trees: distributed caching protocols for relieving hot spots on the world wide web,” in ACM STOC’97, 1997, pp. 654–663.

References:

Thank You