Team: Surya Prakash Singh (2014H112186p) Nishant kumar (2014H112193p) Cloud as a Gift: Effectively Exploiting Personal Cloud Free Accounts via Rest APIs
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Team:
Surya Prakash Singh (2014H112186p)
Nishant kumar (2014H112193p)
Cloud as a Gift: Effectively Exploiting Personal
Cloud Free Accounts via Rest APIs
Introduction Problem Storage Leeching Problem Rest Architecture in cloud Problem Motivation Simple Cost Model Boxleech Possible Solutions Conclusion References
Contents
Personal Clouds, such as DropBox and Box, provide open REST APIs
for developers to create clever applications that make their service
even more attractive.
These APIs are a powerful abstraction that makes it possible for
applications to transparently manage data from user accounts,
blurring the lines between a Personal Cloud service and storage
IaaS.
Personal Clouds also offer free accounts to lure new users, that
normally include reduced storage space and unlimited transfers
Introduction
5 GB free account
5 GB free account
DropBoxDropBox
REST APIsREST APIs
Personal Clouds offer free accounts to lure new customers and gain market share
Provide open REST APIs for developers to create clever applications that make their service even more attractive. From a functional viewpoint, these APIs enable an application to upload/download files to/from user account
5 GB free account
5 GB free account
DropBoxDropBox
REST APIsREST APIs
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
DropBoxDropBox
REST APIsREST APIs
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
BoxBox
REST APIsREST APIs
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
DropBoxDropBox
REST APIsREST APIs
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
BoxBox
REST APIsREST APIs
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
SugarSyncSugarSync
REST APIsREST APIs
5 GB free account
5 GB free account
5 GB free account
5 GB free account
Problem
5 GB free account
5 GB free account
DropBoxDropBox
45 Gb45 Gb
REST APIsREST APIs
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
BoxBox
REST APIsREST APIs
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
5 GB free account
SugarSyncSugarSync
REST APIsREST APIs
5 GB free account
5 GB free account
5 GB free account
5 GB free account
Abusive Application
Abusive Application
Storage Leeching Problem
Provide Software interface to connect and consume services in various ways.
Interface multiple systems.Service offering to third party clients and allow to build
application. Ex: Login By Facebook, Twitter, Sharing on Social Media
Provide support in heterogeneous ecosystems Abstract away business logic so that ecosystems of
services can easily connect and work.
Why REST in the cloud??
REST Architecture in cloud
Example: Google REST Services
Step 1: Client Application Originate Request For Resources
Step 2: Redirect to “Server” for authorization
Step 3: Response is from server domain asking resources owner to
authenticate ( Enter credential Username and Password)
Step 4: Resources owner authenticate
Step 5: Server issue token to client
Step 6: Client confirms access and access services through issued token
OAuth2.0
Entities OAuth 2.0
User AgentWeb Browser
Authorization
Request
Application
Token Request
Access Request
Authorization Server
Resources Server
Economic Impact of Storage Leeching
Problem Motivation
User arrive to the system and start using a certain abusive application that benefits from storage leeching.
Consider discrete time intervals (denoted by n) of duration ∆ .
Let λdenotes the average rate of new user arrivals per time interval.
μDenotes the average rate at which user permanently leaves the system
Simple Cost Model
Number of alive user abusing the system at time n will given as
N(n) = N(0) + nλ − nμ, where λ ≥ μ Where N(0) represents the initial number of users which
are already in the system.
The fraction of users that creates storage accounts of size a when they arrive to the system is defined by fs ∈ [0,1]
We assumes that once user creates an account, he does not cancel it after he leaves the system.
So the maximum amount of available storage (Sa) at time n is
Sa(n)=n·λ·fs ·a
Storage consumption at time n will be given as:
Where s is the average storage consumption per user at every time interval.
€
Sc(n) = N(i)∗si=0
n
∑
Download traffic is given by:
Where d is the average amount of consumed download traffic per time-slot n by every user .
€
D(n) = N(i)∗di=0
n
∑
So overall monetary cost : C(n)=Sc(n)*cs +D(n)*cd Where cs represent the monetary cost per storage unit
and time interval, and cd the price of downloading a unit of data.
The number of user arrivals,
namely λ, is one of the most
important factors re- garding the
monetary costs of storage leeching
We observe that a small number of
active users (4, 500) illicitly
consume an amount of resources
equivalent to $2,670 after 90 days
In case of a large-scale abuse,
these costs may reach dramatic
numbers at short or medium term
(e.g. $0.81M)
Boxleech is a proof-of-concept file-sharing application able to disseminate
illegal or copyrighted content by abusing Personal Clouds.
It aggregates free accounts from multiple Personal Clouds into a single
storage unit that can be freely accessed by users interested in a certain
content
Boxleech :an abusive file sharing application
The design of Boxleech can be
divided into three main blocks: data
management, metadata and, chunk
assignment.
Boxleech splits every file into chunks of up to 100MB in size
There were three good reasons for this: To surpass the file size limitations commonly imposed in the
REST API access to free accounts To exploit storage diversity by allocating chunks of the same
file to different Personal Clouds and To make it impossible for a single provider to store an entire
copy of an illicit content.
Locally Boxleech maintain an index.
Data Management
index table
id Storage Provider 1
Storage Provider 2
Storage Provider 3
…
File 1 Chunk_11,Chunk_1 2
-------- ------
File 2 ------- Chunk_2 1 Chunk_2 2
File 1File 1
Chunk_1 1Chunk_1 1
Chunk_2 2Chunk_2 2
Chunk_1 2Chunk_1 2
Chunk_2 1Chunk_2 1
Storage Provider
1
Storage Provider
1
Storage Provider 2Storage
Provider 2
Storage Provider 3Storage
Provider 3
File 2File 2
The objective of Boxleech metadata files (.boxleech) is to map a set of chunks corresponding to the same content to their location in diverse Personal Cloud accounts.
A metadata file is formed by a set of rows .
Metadata
chunk id order provider access credentials
Round Robin (RR)
Upload/Download Proportional (UP, DP)
Chunk Assignment
Enforce accountable user identitiesIntroduce filters in the creation of free account such as phone number, Human Intervention
Expiration time for developer applicationsTo discourage malicious users to exploit open APIs as a durable storage substrate, we believe
that introducing expiration mechanisms to both developer applications and the related free
accounts could be an effective countermeasure.
Identify anomalous workloadsPersonal Clouds could benefit from research efforts focused on identifying fraudulent resource
consumption to detect abuse in storage accounts related to developer applications
Possible Solutions
To lure customers and developers, Personal Clouds provide open REST APIs to
create new applications that make their service even more attractive. However,
the unintended consequence of this strategy is that it is very easy for a user to
abuse the service by aggregating free accounts, from one or several providers,
to obtain a high-quality storage service, what we term as the storage leeching
problem.
Conclusions
[1] F. Research, “The personal cloud: Transforming personal computing, mobile, and web markets,” 2011. [Online]. Available: http://www.forrester.com/rb/Research/personal cloud transforming personal computing\%2C
mobile\%2C and/q/id/57403/t/2 [2] [Online]. Available: http://en.wikipedia.org/wiki/Dropbox (service) [3] M. Jensen, N. Gruschka, and R. Herkenh¨oner, “A survey of attacks on web services,” Computer
Science - Research and Development, vol. 24, pp. 185–197, 2009. [4] “A survey on security issues in service delivery models of cloud computing,” Journal of Network
and Computer Applications, vol. 34, no. 1, pp. 1–11, 2011. [5] J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka, and L. Lo Iacono, “All your
clouds are belong to us: security analysis of cloud management interfaces,” in ACM CCSW’11, 2011, pp. 3–14.
[6] L. Vaquero, L. Rodero-Merino, and D. Mor´an, “Locking the sky: asurvey on iaas cloud security,” Computing, vol. 91, pp. 93–118, 2011.
[7] J. Idziorek and M. Tannian, “Exploiting cloud utility models for profit and ruin,” in IEEE CLOUD’11, july 2011, pp. 33–40.
[8] J. Idziorek, M. Tannian, and D. Jacobson, “Attribution of fraudulent resource consumption in the cloud,” in IEEE CLOUD’12, 2012, pp. 99–106.
References:
[9] M. Mulazzani, S. Schrittwieser, M. Leithner, M. Huber, and E.Weippl., “Dark clouds on the horizon: Using cloud storage as attack vector and online slack space,” in USENIX Security, 2011, pp. 5–8.
[10] J. Srinivasan, W. Wei, X. Ma, and T. Yu, “Emfs: Email-based personal cloud storage,” in NAS’11, 2011, pp. 248–257.
[11] A. Traeger, N. Joukov, J. Sipek, and E. Zadok, “Using free web storage for data backup,” in StorageSS’06, 2006, pp. 73–78.
[12] H.-C. Chao, T.-J. Liu, K.-H. Chen, and C.-R. Dow, “A seamless and reliable distributed network file system utilizing webspace,” in WSE’08, 2008, pp. 65–68.
[13] E. Hammer-Lahav, “The OAuth 1.0 Protocol,” http://tools.ietf.org/html/ rfc5849, 2010. [14] J. R. Douceur, “The sybil attack,” in IPTPS’01, 2002, pp. 251–260. [15] R. Gracia-Tinedo, M. S´anchez-Artigas, A. Moreno-Mart´ınez, and P. Garc´ıa-L´opez,
“FRIENDBOX: A Hybrid F2F Personal Storage Application,” in IEEE CLOUD’12, 2012, pp. 131–138. [16] B. Cohen, “Incentives build robustness in bittorrent,” in Workshop on Economics of Peer-to-Peer systems, vol. 6, 2003, pp. 68–72. [17] D. Karger, E. Lehman, T. Leighton, R. Panigrahy, M. Levine, and D. Lewin, “Consistent hashing
and random trees: distributed caching protocols for relieving hot spots on the world wide web,” in ACM
STOC’97, 1997, pp. 654–663.
References:
Thank You
Related Documents
