CamFlow: Managed Data-sharing for Cloud Services

A model of cloud services is emerging whereby a few trusted providers manage the underlying hardware and communications whereas many companies build on this infrastructure to offer higher level, cloud-hosted PaaS services and/or SaaS applications. From the start, strong isolation between cloud tenants was seen to be of paramount importance, provided first by virtual machines (VM) and later by containers, which share the operating system (OS) kernel. Increasingly it is the case that applications also require facilities to effect isolation and protection of data managed by those applications. They also require flexible data sharing with other applications, often across the traditional cloud-isolation boundaries; for example, when government provides many related services for its citizens on a common platform. Similar considerations apply to the end-users of applications. But in particular, the incorporation of cloud services within `Internet of Things’ architectures is driving the requirements for both protection and cross-application data sharing. These concerns relate to the management of data. Traditional access control is application and principal/role specific, applied at policy enforcement points, after which there is no subsequent control over where data flows; a crucial issue once data has left its owner’s control by cloud-hosted applications and within cloud-services. Information Flow Control (IFC), in addition, offers system-wide, end-to-end, flow control based on the properties of the data. We discuss the potential of cloud-deployed IFC for enforcing owners’ dataflow policy with regard to protection and sharing, as well as safeguarding against malicious or buggy software. In addition, the audit log associated with IFC provides transparency, giving configurable system-wide visibility over data flows. […]

💡 Research Summary

The paper “CamFlow: Managed Data‑sharing for Cloud Services” presents a practical approach to enforce system‑wide information‑flow control (IFC) in cloud environments. Recognizing that traditional access‑control mechanisms (ACLs, role‑based policies) only protect data at the point of entry and cannot govern subsequent data propagation across virtual machines, containers, or services, the authors propose embedding IFC directly into the operating system kernel as a Linux Security Module (LSM).

Core Concepts
CamFlow introduces two orthogonal label types – secrecy and integrity – each consisting of a set of tags that represent security concerns (e.g., “medical”, “research”, “anonymized”). Every kernel object (process, file, socket, etc.) carries a label. When data moves from a source entity to a destination entity, the kernel checks that the source’s secrecy label is a subset of the destination’s secrecy label and that the destination’s integrity label is a subset of the source’s integrity label. If both conditions hold, the flow is permitted; otherwise it is blocked. This subset‑based rule implements the classic “no‑read‑up, no‑write‑down” (Bell‑LaPadula) and “no‑read‑down, no‑write‑up” (Biba) policies in a decentralized fashion.

Implementation

1. Kernel‑level enforcement – By hooking into LSM entry points for key system calls (read, write, fork, exec, etc.), CamFlow performs label checks before any data exchange occurs. The implementation is deliberately lightweight to keep the trusted computing base (TCB) small.
2. Middleware integration – For distributed services, CamFlow extends the enforcement to user‑space messaging middleware. Labels are serialized into messages, transmitted, and deserialized on the receiving side where the same subset test is applied. This enables end‑to‑end flow control across PaaS‑hosted web services, databases, and storage components without requiring each application to be rewritten.
3. Auditing – Every flow attempt, whether allowed or denied, is logged in a structured format containing timestamps, subject and object identifiers, their labels, and the decision. These logs can be fed into big‑data analytics pipelines to provide provenance, compliance evidence, and forensic capabilities.

Policy Expressiveness
The tag‑based labeling scheme can encode simple “binary share/not‑share” decisions as well as complex purpose‑based policies such as “medical data may be used for research only after anonymisation”. The authors demonstrate how higher‑level “sticky policies” can be expressed as combinations of tags, offering a lighter‑weight alternative to encrypt‑and‑attach‑policy approaches that suffer from key‑management overhead.

Performance Evaluation
Micro‑benchmarks show that the additional latency introduced by label checks on system calls is typically 5‑10 % compared with an unmodified kernel. In network‑centric workloads, the cost of serializing and deserializing labels adds less than 2 % to overall message latency. End‑to‑end experiments with a prototype web‑service stack confirm that the overhead remains within acceptable bounds for production cloud platforms, while providing strong guarantees against accidental or malicious data leakage.

Comparison with Related Techniques
The paper contrasts CamFlow with dynamic taint tracking (TT) and sticky‑policy frameworks. TT uses a single taint tag and enforces checks only at designated sinks, which can allow violations to propagate widely before detection. Sticky policies bind policies to encrypted data but require heavyweight cryptographic operations and trusted authorities. CamFlow’s continuous, kernel‑enforced IFC offers finer‑grained, real‑time protection with comparable overhead to TT while avoiding the complexity of cryptographic policy enforcement.

Limitations and Future Work
Current CamFlow prototypes assume static label assignments; dynamic label updates and revocation are not fully addressed. Multi‑cloud interoperability would require standardized label exchange formats and federation mechanisms. The authors suggest extending the framework with policy‑distribution services, richer label hierarchies, and integration with emerging container orchestration platforms (e.g., Kubernetes).

Conclusion
CamFlow demonstrates that embedding IFC into the OS layer of a PaaS environment is feasible and practical. It delivers five key benefits: (1) non‑interference between co‑located applications, (2) flexible, policy‑driven data sharing across isolation boundaries, (3) mitigation of data leaks caused by buggy or mis‑configured software, (4) augmentation of traditional access control with system‑wide flow constraints, and (5) transparent audit trails for compliance and provenance. By providing a low‑overhead, universally applicable enforcement point, CamFlow offers cloud providers and tenants a stronger, more auditable trust model for managing sensitive data in increasingly interconnected cloud‑IoT ecosystems.