Upload
nishant-kumar
View
75
Download
0
Tags:
Embed Size (px)
Citation preview
Team:Surya Prakash Singh (2014H112186p)
Nishant kumar (2014H112193p)
Cloud as a Gift: Effectively Exploiting Personal Cloud
Free Accounts via Rest APIs
Introduction Problem Storage Leeching Problem Rest Architecture in cloud Problem Motivation Simple Cost Model Boxleech Possible Solutions Conclusion References
Contents
Personal Clouds, such as DropBox and Box, provide open REST APIs
for developers to create clever applications that make their service
even more attractive.
These APIs are a powerful abstraction that makes it possible for
applications to transparently manage data from user accounts,
blurring the lines between a Personal Cloud service and storage IaaS.
Personal Clouds also offer free accounts to lure new users, that
normally include reduced storage space and unlimited transfers
Introduction
5 GB free account5 GB free account
DropBoxDropBox
REST APIsREST APIs
Personal Clouds offer free accounts to lure new customers and gain market share
Provide open REST APIs for developers to create clever applications that make their service even more attractive. From a functional viewpoint, these APIs enable an application to upload/download files to/from user account
5 GB free account5 GB free account
DropBoxDropBox
REST APIsREST APIs
5 GB free account5 GB free account
5 GB free account5 GB free account
5 GB free account5 GB free account
DropBoxDropBox
REST APIsREST APIs
5 GB free account5 GB free account
5 GB free account5 GB free account
5 GB free account5 GB free account
BoxBox
REST APIsREST APIs
5 GB free account5 GB free account
5 GB free account5 GB free account
5 GB free account5 GB free account
DropBoxDropBox
REST APIsREST APIs
5 GB free account5 GB free account
5 GB free account5 GB free account
5 GB free account5 GB free account
BoxBox
REST APIsREST APIs
5 GB free account5 GB free account
5 GB free account5 GB free account
5 GB free account5 GB free account
SugarSyncSugarSync
REST APIsREST APIs
5 GB free account5 GB free account
5 GB free account5 GB free account
Problem
5 GB free account5 GB free account
DropBoxDropBox
45 Gb45 Gb
REST APIsREST APIs
5 GB free account5 GB free account
5 GB free account5 GB free account
5 GB free account5 GB free account
BoxBox
REST APIsREST APIs
5 GB free account5 GB free account
5 GB free account5 GB free account
5 GB free account5 GB free account
SugarSyncSugarSync
REST APIsREST APIs
5 GB free account5 GB free account
5 GB free account5 GB free account
Abusive Application
Abusive Application
Storage Leeching Problem
Provide Software interface to connect and consume services in various ways.
Interface multiple systems. Service offering to third party clients and allow to build
application. Ex: Login By Facebook, Twitter, Sharing on Social Media
Provide support in heterogeneous ecosystems Abstract away business logic so that ecosystems of
services can easily connect and work.
Why REST in the cloud??
REST Architecture in cloud
Example: Google REST Services
Step 1: Client Application Originate Request For Resources
Step 2: Redirect to “Server” for authorization
Step 3: Response is from server domain asking resources owner to
authenticate ( Enter credential Username and Password)
Step 4: Resources owner authenticate
Step 5: Server issue token to client
Step 6: Client confirms access and access services through issued token
OAuth2.0
Entities OAuth 2.0
User AgentWeb Browser
Authorization
Request
Application
Token Request
Access Request
Authorization Server
Resources Server
Economic Impact of Storage Leeching
Problem Motivation
User arrive to the system and start using a certain abusive application that benefits from storage leeching.
Consider discrete time intervals (denoted by n) of duration ∆ .
Let λdenotes the average rate of new user arrivals per time interval.
μDenotes the average rate at which user permanently leaves the system
Simple Cost Model
Number of alive user abusing the system at time n will given as
N(n) = N(0) + nλ − nμ, where λ ≥ μ Where N(0) represents the initial number of users which are
already in the system.
The fraction of users that creates storage accounts of size a when they arrive to the system is defined by fs [0,1]∈
We assumes that once user creates an account, he does not cancel it after he leaves the system.
So the maximum amount of available storage (Sa) at time n is
Sa(n)=n·λ·fs ·a
Storage consumption at time n will be given as:
Where s is the average storage consumption per user at every time interval.
€
Sc(n) = N(i) ∗ si=0
n∑
Download traffic is given by:
Where d is the average amount of consumed download traffic per time-slot n by every user .
€
D(n) = N(i) ∗ di=0
n∑
So overall monetary cost : C(n)=Sc(n)*cs +D(n)*cd Where cs represent the monetary cost per storage unit
and time interval, and cd the price of downloading a unit of data.
The number of user arrivals, namely λ,
is one of the most important factors
re- garding the monetary costs of
storage leeching
We observe that a small number of
active users (4, 500) illicitly consume
an amount of resources equivalent
to $2,670 after 90 days
In case of a large-scale abuse, these
costs may reach dramatic numbers
at short or medium term (e.g.
$0.81M)
Boxleech is a proof-of-concept file-sharing application able to disseminate illegal
or copyrighted content by abusing Personal Clouds.
It aggregates free accounts from multiple Personal Clouds into a single storage
unit that can be freely accessed by users interested in a certain content
Boxleech :an abusive file sharing application
The design of Boxleech can be
divided into three main blocks: data
management, metadata and, chunk
assignment.
Boxleech splits every file into chunks of up to 100MB in size There were three good reasons for this:
To surpass the file size limitations commonly imposed in the REST API access to free accounts
To exploit storage diversity by allocating chunks of the same file to different Personal Clouds and
To make it impossible for a single provider to store an entire copy of an illicit content.
Locally Boxleech maintain an index.
Data Management
index table
id Storage Provider 1
Storage Provider 2
Storage Provider 3
…
File 1 Chunk_11,Chunk_1 2
-------- ------
File 2 ------- Chunk_2 1 Chunk_2 2
File 1File 1
Chunk_1 1Chunk_1 1
Chunk_2 2Chunk_2 2
Chunk_1 2Chunk_1 2
Chunk_2 1Chunk_2 1
Storage Provider 1Storage
Provider 1
Storage Provider 2Storage
Provider 2
Storage Provider 3Storage
Provider 3
File 2File 2
The objective of Boxleech metadata files (.boxleech) is to map a set of chunks corresponding to the same content to their location in diverse Personal Cloud accounts.
A metadata file is formed by a set of rows .
Metadata
chunk id order provider access credentials
Round Robin (RR)
Upload/Download Proportional (UP, DP)
Chunk Assignment
Enforce accountable user identitiesIntroduce filters in the creation of free account such as phone number, Human Intervention
Expiration time for developer applicationsTo discourage malicious users to exploit open APIs as a durable storage substrate, we believe that
introducing expiration mechanisms to both developer applications and the related free accounts
could be an effective countermeasure.
Identify anomalous workloadsPersonal Clouds could benefit from research efforts focused on identifying fraudulent resource
consumption to detect abuse in storage accounts related to developer applications
Possible Solutions
To lure customers and developers, Personal Clouds provide open REST APIs to
create new applications that make their service even more attractive. However,
the unintended consequence of this strategy is that it is very easy for a user to
abuse the service by aggregating free accounts, from one or several providers, to
obtain a high-quality storage service, what we term as the storage leeching
problem.
Conclusions
[1] F. Research, “The personal cloud: Transforming personal computing, mobile, and web markets,” 2011. [Online]. Available: http://www.forrester.com/rb/Research/personal cloud transforming personal computing\%2C mobile\
%2C and/q/id/57403/t/2 [2] [Online]. Available: http://en.wikipedia.org/wiki/Dropbox (service) [3] M. Jensen, N. Gruschka, and R. Herkenh¨oner, “A survey of attacks on web services,” Computer
Science - Research and Development, vol. 24, pp. 185–197, 2009. [4] “A survey on security issues in service delivery models of cloud computing,” Journal of Network and
Computer Applications, vol. 34, no. 1, pp. 1–11, 2011. [5] J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka, and L. Lo Iacono, “All your clouds
are belong to us: security analysis of cloud management interfaces,” in ACM CCSW’11, 2011, pp. 3–14. [6] L. Vaquero, L. Rodero-Merino, and D. Mor´an, “Locking the sky: asurvey on iaas cloud security,”
Computing, vol. 91, pp. 93–118, 2011. [7] J. Idziorek and M. Tannian, “Exploiting cloud utility models for profit and ruin,” in IEEE CLOUD’11, july
2011, pp. 33–40. [8] J. Idziorek, M. Tannian, and D. Jacobson, “Attribution of fraudulent resource consumption in the
cloud,” in IEEE CLOUD’12, 2012, pp. 99–106.
References:
[9] M. Mulazzani, S. Schrittwieser, M. Leithner, M. Huber, and E.Weippl., “Dark clouds on the horizon: Using cloud storage as attack vector and online slack space,” in USENIX Security, 2011, pp. 5–8.
[10] J. Srinivasan, W. Wei, X. Ma, and T. Yu, “Emfs: Email-based personal cloud storage,” in NAS’11, 2011, pp. 248–257.
[11] A. Traeger, N. Joukov, J. Sipek, and E. Zadok, “Using free web storage for data backup,” in StorageSS’06, 2006, pp. 73–78.
[12] H.-C. Chao, T.-J. Liu, K.-H. Chen, and C.-R. Dow, “A seamless and reliable distributed network file system utilizing webspace,” in WSE’08, 2008, pp. 65–68.
[13] E. Hammer-Lahav, “The OAuth 1.0 Protocol,” http://tools.ietf.org/html/ rfc5849, 2010. [14] J. R. Douceur, “The sybil attack,” in IPTPS’01, 2002, pp. 251–260. [15] R. Gracia-Tinedo, M. S´anchez-Artigas, A. Moreno-Mart´ınez, and P. Garc´ıa-L´opez, “FRIENDBOX:
A Hybrid F2F Personal Storage Application,” in IEEE CLOUD’12, 2012, pp. 131–138. [16] B. Cohen, “Incentives build robustness in bittorrent,” in Workshop on Economics of Peer-to-Peer systems, vol. 6, 2003, pp. 68–72. [17] D. Karger, E. Lehman, T. Leighton, R. Panigrahy, M. Levine, and D. Lewin, “Consistent hashing and
random trees: distributed caching protocols for relieving hot spots on the world wide web,” in ACM STOC’97, 1997, pp. 654–663.
References:
Thank You