A Flow Sensitive Security Model for Cloud Computing Systems
The extent and importance of cloud computing is rapidly increasing due to the ever-increasing demand for internet services and communications. Instead of building individual information technology infrastructure to host databases or software, a third party can host them in its large server clouds. Large organizations may wish to keep sensitive information on their more restricted servers rather than in the public cloud. This has led to the introduction of federated cloud computing (FCC), in which both public and private cloud computing resources are used.
💡 Research Summary
The paper addresses the growing need for secure information flow management in federated cloud computing (FCC), where public and private cloud resources are combined to meet business requirements while preserving data confidentiality. Existing approaches, such as applying the Bell‑LaPadula model or partitioning workflows across clouds, fail to consider concurrency, flow‑sensitivity, and the risk of covert channels arising from observable behavior across distributed services.
To fill these gaps, the authors make three principal contributions. First, they introduce security lattices for both individual cloud components (servers, databases, services) and for whole clouds. Each lattice defines a partial order of security levels, allowing the system to enforce that data may only flow from higher to lower levels according to well‑defined transition rules. This creates a uniform security hierarchy across heterogeneous cloud domains.
Second, they develop a Flow‑Sensitive Security Model (FSSM) that captures dynamic information flow as state transitions. The model is formalized using Colored Petri Nets (CPNs), where tokens carry attributes such as security level, owner, and access rights. By representing workflow execution, data replication, user requests, and inter‑cloud interactions as transitions, the CPN enables automatic verification of several security properties: non‑interference (high‑level actions do not affect low‑level observations), Bell‑LaPadula read‑down/write‑up constraints, and any user‑specified policies. The use of CPNs also leverages existing analysis tools for reachability, deadlock detection, and simulation, making the approach practical for designers.
Third, the paper introduces opacity as a quantitative measure of information hiding. A predicate (e.g., “User A accessed secret file X”) is opaque if an external observer cannot determine its truth value from the observable run of the system. Opacity thus captures the ability of the system to prevent covert channels that could be built from observed timing, network traffic, or other side‑channel data. By integrating opacity analysis with the FSSM, the authors provide a unified framework that simultaneously checks traditional confidentiality/integrity constraints and the more subtle property of information concealment.
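The three ingredients described above (a security lattice of levels, Bell-LaPadula read-down/write-up checks, and opacity of a predicate against an observer) can be exercised on a small constructed model. This is an added example, not code from the paper or its authors; the product-lattice encoding of levels, the event names, and the sample runs are assumptions chosen to illustrate the definitions.

```python
from typing import Callable, FrozenSet, Iterable, Set, Tuple

# Constructed encoding: a security level is (classification rank, set of cloud
# domains the data may reside in). (r1, d1) <= (r2, d2) iff r1 <= r2 and d1 is a
# subset of d2, so the levels form a partial order (a product lattice).
Level = Tuple[int, FrozenSet[str]]
Run = Tuple[str, ...]

def dominates(a: Level, b: Level) -> bool:
    """a >= b in the lattice: a is at least as restrictive as b."""
    return a[0] >= b[0] and b[1] <= a[1]

def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula: read-down (subject dominates object), write-up (object dominates subject)."""
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    raise ValueError(f"unknown operation {op!r}")

def observe(run: Run, observable: Set[str]) -> Run:
    """Projection of a run onto the events an external observer can see."""
    return tuple(e for e in run if e in observable)

def is_opaque(runs: Iterable[Run], predicate: Callable[[Run], bool], observable: Set[str]) -> bool:
    """A predicate is opaque iff every run satisfying it is observationally
    indistinguishable from some run that does not satisfy it."""
    runs = list(runs)
    secret_obs = {observe(r, observable) for r in runs if predicate(r)}
    cover_obs = {observe(r, observable) for r in runs if not predicate(r)}
    return secret_obs <= cover_obs

# Constructed runs of a federated service: one request answered from the
# private cloud's database (with inter-cloud traffic), one from a public replica.
RUNS = [
    ("request", "net_private", "read_private_db", "reply"),
    ("request", "read_public_db", "reply"),
]

def read_private(run: Run) -> bool:
    return "read_private_db" in run

def demo() -> Tuple[bool, bool]:
    # Observer sees only request/reply: the private read stays hidden.
    hidden = is_opaque(RUNS, read_private, {"request", "reply"})
    # Observer also sees inter-cloud traffic: the private read is revealed (covert channel).
    leaked = is_opaque(RUNS, read_private, {"request", "reply", "net_private"})
    return hidden, leaked
```

The second check shows how an observable that was not in the observer model (here, inter-cloud network traffic) breaks opacity even though the Bell-LaPadula checks on the individual reads still pass.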
The authors argue that their model can be used to track and control secure information flow, evaluate the impact of different resource allocation strategies, and assess the exposure risk of services to other tenants or adversaries. They claim that the combination of flow‑sensitivity, concurrency handling, and opacity analysis offers a more comprehensive security assurance than prior static models.
However, the paper has notable limitations. It focuses on formal definitions and theoretical verification without presenting an implementation on a real cloud platform or empirical performance results. Consequently, questions about scalability (state‑space explosion when modeling thousands of services and hundreds of clouds) and runtime overhead remain unanswered. The security lattices are defined statically; the paper does not discuss how to adapt them when trust relationships between clouds evolve dynamically, nor the cost of re‑configuring the lattice. Opacity analysis assumes a specific observer model; in practice, attackers may exploit side‑channels beyond those modeled, such as timing or power consumption, which could undermine the claimed guarantees.
In summary, the paper proposes a novel, formally grounded framework for analyzing information flow in federated cloud systems. By integrating security lattices, a flow‑sensitive Colored Petri‑Net model, and opacity‑based secrecy metrics, it advances the state of the art beyond static, non‑concurrent approaches. Future work should concentrate on prototype implementation, scalability testing, dynamic trust management, and extending the observer model to cover realistic side‑channel attacks, thereby bridging the gap between theoretical assurance and practical deployment.