ning,isitdoingwhatitissupposedto?(C3)Performanceanddependability.Howe - PDF document

ning,isitdoingwhatitissupposedto?(C3)Performanceanddependability.Howecientistheservice?Isitreliableandavailable?(C4)Security.Doestheservicecomplywithsecuritypoli-cies,ifany?Stateoftheartresearchhasstartedtotackletheseissuesindividually.However,wefeelthatcloudusersmaybenetfromunderstandinginbreadth,ratherthanonlyindepth,whethertheycouldverifyserviceprovisionsinthecloud.AnsweringconcernssuchasC1-C4canraiseawarenessandleadthewaytomoretoolsthatempowercloudusers.Inthispaper,weattempttoidentifyexistinggapsinto-day'scloudtechnologieswithrespecttoconcernsC1-C4.Wediscussrecentresearchadvances,andproposedirectionsforfutureresearchtohelpandbridgethosegaps.Oursurveyisrelatedtoseveralothersinthearea[23,66].However,inthiscasewegobeyondafewrandomexamplesandpro-videarstattemptatbettersystematizingpotentialclientconcernsandrelatedsolutions.Weconsidertwomaintypesofcloudcustomers{serviceprovidersdeployingtheirsoftwareforexecutioninthecloud(withPlatform-as-a-ServiceorInfrastructure-as-a-Service),andcloudusers,whouseasoftwareorstorageserviceexe-cutinginthecloud,beitprovidedbyathirdpartysoftwareproviderorbythecloudprovider.Next,webrie yintroducethedierentresearchareascoveredintheremainderofthepaper.VericationofStrongServiceIdentities.Today,serviceprovidershavenoguaranteesthattheser-vicesbeingdeliveredtotheirusersmatchtheimplemen-tationdeployedtothecloud.Theriskofcloudmisman-agementstemmingfromcloudadministrationmistakesorfromabusebyothercloudtenantscouldresultincorruptionormiscongurationoftheserviceimplementation.Conse-quently,theservicecoulddeviatefromthebehaviororigi-nallyintendedbytheserviceprovider.Forexample,previ-ouswork[74]manipulatedtheidentitiesofvirtualmachineimagestodemonstrateanattackontheconsumersofAma-zonEC2.InSection2,wediscussapossiblepathtowardsenablingserviceproviderstoattestthedeployedservicesandcheckforcompliancewiththeiroriginalserviceimplemen-tation.Theideaistobindastrongserviceidentitytotheserviceinstancesonthecloudsuchthatthisuniqueassocia-tionispreservedthroughouttheentireservicelifecycle,fromdeploymenttodecommissioning.WefocusonapromisingimplementationofthisideabasedonTrustedComputing.Cloudnodesrunspecialsoftwarestacks{trustedsoftwaresystems{thatcanhosttheserviceinstancesinspecialen-vironments,isolatedfromboththeadministratorandothertenants.Cloudnodesarealsoequippedwithcommoditytrustedcomputinghardware,whichvalidatestheintegrityofthesoftwarestackuponbootandenablesserviceproviderstoverifythatthenodesarerunningatrustedsoftwaresys-tem;ifthisisthecase,serviceidentityispreserved.InSec-tion2,weintroducethisgeneralapproach,discussexistingrelatedwork,andhighlightthemainchallengesinrealizingthisvision.VerifyingFunctionalPropertiesofCloudServices.Userscanbenetfromgainingassurancethatthebehav-iorofacloudservicecomplieswithitsadvertisedfunctionalspecication.InSection3,weproposeanewapproachal-lowingtheuserstoverifyserviceintegrityinascalablefash-ionwithoutrelyingoneitheracentralizedcerticationau-thorityoraccesstotheactualimplementationcode.Ourapproachisbasedondecompositionoftheverica-tionprocessintothreephases:testsuitegeneration,testsuiteexecution,andvalidationoftheresults,whereeachphasecanbeperformedatadierentlocationtomaximizeperformanceandexhaustivenessofthevericationprocess.Ourproposalforimplementingthetestsuitegenerationisbasedonblack-boxtestingtechniquesthatgeneratetestsuitescoveringallinterestingbehaviorsdescribedbythespecication.Sinceinourframework,thespecicationisde-scribedasastatemachine,atestsuitewouldproduceinputstogenerateallpossibletraversalsofthestatemachine.Testsuiteexecutionisdoneinthecloud,andtheresultingtracesarestoredinthecloudforfuturecompliancetesting.Thelatterisdoneontheend-userinfrastructureusingsamplingtechniques,suchaspropertytesting.Samplingimprovesef-ciencyandscalabilityofourapproach,whileguaranteeingspecicationcompliancewithhighprobability.VericationofCloudStorageServices.Whilegenericvericationmethodssuchasthosewepro-poseinSections2and3may,inthefuture,allowverifyingfunctionalpropertiesofcloudservices,theyhavenotyetma-tured.Multiplerecentworkshavetackledspecicconcernsthatariseinthecontextofcloudstorage,andpromisingtechniqueshaveemerged.InSection4wesurveysuchde-sirablestoragepropertiesandstateoftheartvericationtechniques.PerformanceandDependabilityNon-FunctionalProp-ertiesVerication.Verifyingnon-functionalpropertieslikeperformance,de-pendability,energyconsumptionandeconomicalcostsofcloudsischallengingtodayduetoad-hocmanagementintermsofquality-of-service(QoS)andservicelevelagree-ment(SLA).Webelievethatadierentiatingelementbe-tweencloudcomputingenvironmentswillbetheQoSandtheSLAprovidedbythecloud.InSection5,wecallforthedenitionofanewcloudmodelthatintegratesservicelevelsandSLAintothecloudinasystematicway.Theproposedapproachaimstocombineandguaranteemultiplecloudservicelevelobjectivesinaconsistentand exibleway.Italsoallowstoprovidebetterthanbest-eortcloudQoSthroughacontrol-theoreticapproachformodelingandcon-trollingSLA-orientedcloudservices.WealsodiscusshowtohelpsystemdesignersbuildSLA-orientedcloudsthatarecontrollablebyconstruction,andhowtoassesscloudserviceQoSguarantees.Security-OrientedNon-FunctionalPropertiesVerica-tion.Serviceprovidersmayrequestthatthedeploymentoftheirserviceinthecloudadherestocertainsecurityconstraints.Forexample,aserviceprovidermightaskthattheirde-ployedserviceshouldonlyreplytoauthorizedrequestscom-ingfromtheUS,between2and6pm,orthatitshouldneverdivulgesensitivedatatoasetofendusers,orthatitshoulddestroyorbackupdataatperiodicintervalsandinacertainway.Thesebehavioralconstraintsareoftenindependentoftheapplicationthatisbeingprovided.Itisdicultto guaranteeadherencetosuchconstraints,becauseofthedy-namicandmulti-tenantnatureofthecloudenvironment.Forbothusersandserviceproviders,itcanbebenecialtohavetoolsthatmonitorthehigh-levelsystembehaviorandraise`alarms'whensecuritypoliciesofthistypeareviolated.Suchmonitoringtoolshavenotyetmatured.Section6ex-plainstheconnectedissuesandadvancesinmoredetail.Inwhatfollowsweexaminethesetopicsinmoredetail.2.VERIFYINGSTRONGSERVICEIDEN-TITYAserviceproviderincursrisksofcloudmismanagementwhenmakinguseofacloudprovider'sinfrastructureforhostingservices.Ifthesoftwarethattheserviceproviderde-ploystothecloudistamperedwithorreplacedforadierentversion,theserviceinproductioncoulddeviatefromthein-tendedimplementationanddistresstheserviceproviderandusers.Thequestionweaddressis:Howcancloudprovidersguaranteeastrongidentitybetweenthesoftwarerunningonthecloudnodesandtheserviceimplementation?2.1DenitionsandApproachWefocusonenforcingthepropertyofstrongserviceiden-tityonacloudplatform.IfSdenotestheservicesoftwareimplementationproducedbytheserviceproviderandS0aninstanceofthesoftwareserviceShostedinthecloud,strongserviceidentityissatisedifandonlyiftheinvari-antS=S0holdsfortheentirelifecycleofSandinallthenodeswhereSisinstantiated.Thelifecycleofaser-vicespanstheperiodbetweenitsdeploymentuntilitsde-commissioning.Throughoutthislengthoftime,theservicemightbereplicatedormigratedacrossvariouscloudnodes.InInfrastructure-as-a-Service(IaaS)theserviceisdeployedasavirtualmachineimageandinstantiatedinvirtualma-chines(VMs).InPlatform-as-a-Service(PaaS)theserviceisshippedasanapplicationpackageandinstantiatedintoobjectsinapplicationcontainers.Toenforcestrongserviceidentity,acloudplatformcouldprovidetrustedcontainers.Atrustedcontainerhoststhestateofaserviceinstanceinisolationfromothertenantsandfromthecloudadministrator.Thisprotectionisen-forcedthroughouttheservicelifecycle.Whenmigratingorreplicatingserviceinstancestoothernodes,thetrustedcon-tainerveriesthatthesinkisalsoatrustedcontainerandtransmitsanyrelevantservicecodeanddatatothesinkoveranencryptedchannel.Theserviceprovidercanalsoverifythatthetargethostoerstrustedcontainerprotec-tionsbeforedeployingtheservice.Asaresult,insofarastheserviceisinstantiatedintrustedcontainers,thestrongserviceidentityissatised.Theimplementationofthetrustedcontainersemanticsonthecloudnodescouldbecarriedoutbyaprivilegedsoftwaresystem.Atrustedsoftwaresystemoersaspecichostingabstractionandiscraftedsothatneithertheadministratornorothertenantshaveaccesstoserviceinstances'state.Ex-amplesofsuchsystemsincludeCloudVisor[86],whichlever-agesnestedvirtualizationtoprotectthecondentialityandintegrityofguestvirtualmachinesinXen.Othertrustedsoftwaresystemsexist,forexample,oeringisolationattheprocessgranularity[77].Thesesystemscouldbeusednotonlytoprotectthestateoftheserviceinstances,butalsotoprotecttheback-endcloudsystems(e.g.,databaseservers).ThequestionthenishowcanremotepartiesverifythatthecloudnodesexecuteatrustedsoftwaresystemratherthananinsecureOSorhypervisor.Toprovidesuchavalidationcapability,weleveragecom-modityTrustedPlatformModule[40](TPMs)chipsde-ployedonthecloudnodes.TPMenablesremoteattestationofacloudnode.Duringbootstrap,acloudnodeexecutesasequenceofprogramsandstoresthehashesofthesepro-gramsintheTPM'sinternalregisters.Sincetheseregisterscannotberewrittenunlessthemachinereboots,theircon-tentrevealsthebootstrapstateofanodeandtheTPMenablestosecurelyconveythestateoftheseregisterstoaremotepartyusinganattestationprotocol.Topreventman-in-the-middleattacks,theTPMsignstheregisters'contentwiththeprivatepartofacryptographickeypairthatneverleavestheTPMinplaintext.TheremotepartycanthenverifythesignatureandthecontentoftheTPMregistersusingapublickeycerticategivenbythecloudprovider:ifthetrustedsoftwaresystembootsonthecloudnode,itsrespectivehashwillshowupintheTPM'sregisters.ByrootingtrustinTPMsandontrustedsoftwaresys-temswerequirethatboththesecomponentsarecorrect.Underthisassumption,strongserviceidentitycouldbeen-forcedinthepresenceofpowerfuladversaries.TheTPMcanprotectthecontentofitsregistersfromamaliciousad-ministratorwithprivilegestomanagethecloudnodesfromaremotesite:hecanrebootthenodes,accesstheirlocaldisks,installarbitrarysoftware,andeavesdropthenetwork.TPMs,however,cannotdefendagainstphysicalattacks.Weassumethatthehardwareisprotectedbycomplementarymechanismsdeployedwithinthecloudprovider'spremises.Insummary,byimplementingthetrustedcontainerab-straction,acloudplatformarchitecturebasedonatrustedsoftwaresystemandTPMsdeployedonthenodescoulden-forcethestrongsoftwareidentity.Throughtheuseofattes-tation,thisarchitectureenablesserviceprovidersanduserstoobtaintangibleevidenceofcompliancewiththestrongsoftwareidentityproperty.Next,weexamineexistingworkthatmaterializessomeoftheseconceptsinconcretesystems.2.2ExistingWorkWebrie ysurveytheexistingworkon1)enforcingstrongidentityinIaaS,2)leveragingTPMsinthecloud,and3)implementingtrustedcontainersonthecloudnodes.Tothebestofourknowledge,nosystemtodayimplementsstrongserviceidentityinPaaSplatforms.StrongsoftwareidentityinIaaS.InIaaS,servicesaretypicallydispatchedtothecloudproviderinavirtualma-chineimage.Enforcingstrongidentity,then,requiresdevis-ingahardenedhypervisorthatcanoertrustedcontainersemanticsatthegranularityofVMs.Thehardenedhyper-visormustenforceVMstateisolationfromthecloudad-ministrator.ToensureconnementofVMsonlytocloudnodesrunningthehardenedhypervisor,cloudnodesareat-testedbasedontheTPMslocatedonthenodeslocally.Togiveusersandserviceprovidersguaranteesofserviceiden-tity(i.e.,thattheVMimageoftheVMexecutingonthenodesistheVMimageuploadedbytheserviceproviderandinstantiatedonthecloud)attestationcanalsobedonefromoutsidethecloud.ThisarchitecturewasrstproposedbySantosetal.[70].Toimplementtheroleofthehardenedhypervisor,CloudVisor[86]couldbeused. SystemsforleveragingTPMsinthecloud.Somesys-temshavebeendevelopedthat,whilenotoeringdirectlythepropertyofstrongsoftwareidentity,provideabuildingblockfordoingso.Schimanetal.[72]proposedasystemthatallowsfortheremoteattestationofcloudnode'shy-pervisorandVMimagefromoutsidethecloud.AmoreadvancedversionofthissystemisExcalibur[71].ExcaliburpreventsperformancebottlenecksduetoTPMineciencyandoersanabstractionforsealingdatabasedonpolicysuchthatonlythenodesthatsatisfythatpolicycanunsealandinterpretthedata.Forexample,bysealingaVMimagetoapolicydesignatingCloudVisorasthetrustedhypervi-sor,theserviceproviderisguaranteedthatonlythenodesrunningCloudVisorcouldinstantiatetheVMimagetherebyabidingbythestrongidentityproperty.Excaliburcansup-portothersoftwarestacks,notonlyhypervisors,afeaturethatmightberelevantinPaaS.Excaliburalsosupportsre-strictionsbasedonthenodelocation,whichgivesserviceprovidersadditionalcontroloverVMplacement.Systemsforimplementingtrustedcontainers.WhileVMshavebeenthepreferablehostingabstractioninthecontextofcloudcomputing[86,20],othersystemscanoeralternativeabstractionsthatcouldbemoresuitableforcer-tainusecases.SystemslikeNexus[77]providetrustedcon-tainerabstractionsattheprocesslevel.ThiscouldbemoreappropriateforcloudplatformsthatdonotrunVMMsontheircloudnodes.Maniatisetal.[56]proposetrustedcon-tainerabstractionsasapplicationsandboxes,whichcanbemoresuitableforisolationofwebapplications.Considerableamountofresearchwasalsogearedtowardoeringtrustedcontainerabstractionswhiledependingonasmalltrustedcomputingbasesoastoreducethechanceofvulnerabilitiesinthecodethatcouldleadtosecuritybreaches[86,77].2.3ChallengesandScienticDirectionsWhiletheexistingworkhasfocusedonsupportingstrongserviceidentityforIaaSanddesigningspecializedbuildingblocksforcloudattestationandtrustedcontainersupport,aconsiderablegapexistsbetweenwhatthesemechanismscanoerandwhatisnecessarytoenforcestrongserviceidentityinPaaS.Wehighlightthreemainchallenges.High-levelPaaScontainerabstractions.PaaSplat-formstypicallyoeritsusersprogrammingabstractionsthatenablethemtoimplementserviceapplicationswithhighlevellanguageslikeJavaorPython.Theserviceimplemen-tationtypicallyconsistsofasetofclasseswhichmakeuseofanAPIdenedbythePaaSprovider.Theseclassesarethenpackaged,dispatchedtothecloud,andinstantiatedbythePaaSplatforminisolatedcontainers.ContainerstypicallydependonasoftwarestackthatincludestheOS,aruntimeengine(e.g.,JVM),libraries,andback-endservices(e.g.,databases).InexistingPaaSplatforms,however,contain-ersdonotyetoerthepropertyofstrongserviceidentity.Toenforcethisproperty,onedirectionistoenhanceexist-ingcontainersaccordingtothetrustedcontainersemantics.Thistask,however,ischallengingusingtheknownmech-anisms.Ontheonehand,trustedcontainerabstractionsbasedonVM[86]orprocess[77]aretoolowleveltobeuse-fulforthePaaSusers.Ontheotherhand,trustedcontainerabstractionsoeringapplicationsandboxes[56]dependonaverylargetrustedcomputingbase(TCB);withthisap-proachitwouldbenecessarytotrusttheentirePaaSstackthereforeincurringTCBbloating.Howtoprovidehigh-levelPaaSabstractionswithasmallTCBisanopenquestion.IntegrationwithPaaSback-end.WheninstantiatedinaPaaScontainer,aserviceinstancewillnormallymakeuseofadditionalPaaSback-endservices,whichincludeforex-ampledatabasesandtransactionmonitors.WhendevisingtrustedcontainersforPaaS,itisnecessarytoaccountforthefactthattheintegrityoftheserviceinstancehostedbythecontainercouldbecompromisedbyaback-endservice.Infact,byyieldingerroneousresults,aback-endservicecouldtaintthecodeordataofaPaaSuser'sserviceinstance,andintroducecorruptionthatcouldviolatethestrongserviceidentitythatwewishfor.Thisdangerraisesseveralques-tions:HowcanPaaSusersknowifaback-endserviceisreliableandthereforeknowifitcanbeusedsafely?Howtohandletheheterogeneityofback-endservices,eachofthemfeaturingparticularcapabilitiesthatraisevariouscondencelevelswiththeirusers?Howtodealwithsoftwareupdatesoftheback-endservicesanddeterminewhetherupdatesaresecure?Whatimplicationswilltheseissueshavetothepro-grammingmodeloeredtoPaaSusers?DistributionandmigrationofPaaSserviceinstances.Ingeneral,thePaaS-hostedservicescanbeexpectedtobebothmulti-tieredandclustered.Asaresult,aservicecom-prisesmultiplecomponentswhichcanbedistributedacrossseveralcloudnodes.Thesecomponentsarehostedinin-dependentcontainersandcommunicateamongthemselvesoversecurechannels.Itisalsocommonthat,forresourcemanagementreasons,aPaaSplatformmightmigratecom-ponentsaroundacrossdierenthostingcontainers,e.g.,forbalancingload.Componentsmightalsoneedtobeinstan-tiatedinoreliminatedfromcontainersinordertoaccom-modatetheelasticvariationsintheservicedemand.Toac-countforallthesescenarioswhenimplementingthetrustedcontainersemantics,itisthennecessarytoalwaysattestahostingcloudnodebeforecreatingacomponentinstanceandtoprovidethatthedistributedcomponentinstancescanauthenticateandcommunicatesecurely.ExistingsystemsthatsupportattestationinthecloudhavebeenusedonlyinthecontextofIaaSforattestinghypervisorsandVMs[72,71].InIaaS,however,thenumberofVMsthatneedattesta-tionissignicantlysmallerthanapotentiallylargenumberofPaaSservicecomponents.Itisunclearifexistingsystemscouldwithstandsuchalargeattestationdemandwithoutincurringscalabilitybottlenecks.3.VERIFYINGFUNCTIONALPROPERTIESOFCLOUDSERVICESThetechniquesdescribedintheprevioussectionallowthePaaSservicestobeassociatedwithastrongidentity,whichisbeingpreservedthroughouttheentiresoftwarelife-timewithstandingadministrationmistakes,andtamperingattempts.Inthissection,wefocusonacomplementaryquestion,namely,givenauniquelyidentiedserviceinstancedeployedandrunningonthetrustedPaaSplatform,howcanweecientlyverifythatitsbehaviorcomplieswiththefunctionalpropertiesadvertisedbyitsprovider?OurapproachtoverifyingfunctionalpropertiesofthePaaSservicesisbasedonthesoftwaretestingparadigm.Conceptually,thesoftwaretestingprocesscanbeviewedasconsistingofthefollowingthreephases(whichcanbeinter- Figure1:SpecicationoftheCheckoutFlowofanOn-LineShoppingSite.Thespecicationismod-elledasanite-stateautomatonconsistingof7states,5ofwhichbelongtotheinteractiveportionofthecheckoutprocess.Eachofthese5statesallowsthecustomertoreturntoanyoneoftheprecedingstatestorevisethedataenteredatthatstate.Inad-dition,another3statesintheinteractivegrouphaveself-cyclesallowingthecustomertocorrecterrorsinthesuppliedinformation.Thetotalnumberofcy-clesintheautomatongraphistherefore,equal17,andgrowsquadraticallywiththenumberofstates.leavedtoimproveperformance):Testsuitegeneration:thespecicationandtestedsoft-wareareanalyzedtoextracteectivetestcaseswhicharethenassembledintoatestsuite.Testsuiteexecution:thesoftwareissubjectedtothetestsuiteproducedatthepreviousstage.Resultvalidation:thetracesgeneratedbyrunningthetestsuitearecomparedagainstthoseprescribedbythespecication,producing\pass"or\fail"outputsforeachcompliantandnon-complianttrace,respectively.InordertomaketheaboveprocessamenablefortestingPaaSserviceshostedinthecloud,thefollowingchallengesmustbeaddressed.First,sincethecloudsoftwareistypicallydevelopedanddistributedbyathirdpartySoftware-as-a-Service(SaaS)provider,theserviceimplementationcodecannotbeas-sumedtobeavailabletotheendusers.Thisprecludesthetestsuitegeneratorfromusingwhite-boxtestingtechniques(suchassymbolicexecution[47,24,28]),whichutilizetheknowledgeofthecodestructuretoachievehighqualitycov-erageofpossibleexecutionpaths.InSection3.2,wedis-cussalternativeapproachestoimplementingthetestsuitegenerator,andproposeseveralsolutionsbasedonblack-boxtesting.Second,thecloud-basedservicesaretypicallyinteractive(seeFigure1):i.e.,theyarebeingdrivenbyon-lineuserinputs(e.g.,suppliedthroughaweb-basedinterface),whichareforwardedtotheremoteserviceimplementationviaanRPC-styleprotocol(suchas,e.g.,REST[38],orSOAP[2]).Consequently,executingtheservicetestsuiteontheuserpremisesmightresultinhighcommunicationcosts,andslowdowntheentiretestingprocess.Instead,thecloudprovidermustoersupportforexecutingthetestsuiteonthecloudinfrastructurewhileminimizingtheinteractionwiththeuser Figure2:VericationFrameworkforServicesinaCloud.tothelargestpossibleextent.Theusersmust,howeverbeoeredtoolstoecientlyvalidatethetestexecutionresultstoguardagainstthepossibilityofthembeingfakedbyapotentiallydishonestcloudprovider.Third,theservicelogiccanbefairlycomplexasitmustbeabletoaccommodateawide-rangeofon-lineinteractionscenariossuchas,e.g.,undoingtheeectsofpreviouslyex-ecutedstepsofanon-linetransaction(e.g.,resultingfromtheuserpressingthe\back"buttoninthebrowser),ortime-outsfollowinglongperiodsofinactivity.Asaresult,evenaservicewithasmallnumberofinteractionstepsmayendupexhibitinglargenumbersofacceptablebehaviorsresultingfromrepeatedtraversalsthroughtheinteractionwork owcycles(seeFigure1).Exhaustivetestingofalltheresultingbehaviorsmayendupproducinglargevolumesoflengthyoutputtraceswhosevalidationmaybetoocostlytoconductonalesspowerfulenduserinfrastructure.Toaddresstheabovechallenges,weproposeanewdis-tributedtestingframeworkenablinganecientvericationofserviceshostedonaremotecloud.Below,wediscusstheframeworkarchitecture,andsomeofthechallengesassoci-atedwithitsimplementation.3.1TestingFrameworkArchitectureThearchitectureofourtestingframeworkisdepictedinFigure2.Unliketheexistingtestingsolutions,inourframe-work,thetestsuiteexecutionandresultvalidationphasesaredisjointfromeachother,withtheformerbeingassignedtotheTestingHarnesscomponenthostedinthecloud,andthelatterbeingexecutedbyResultVerierinstalledontheuserpremises.TheserviceimplementationisprovidedbytheSoftware-as-a-Service(SaaS)provider,whichisalsoresponsibleforadvertisingitsspecication.Theuserinspectstheadver-tisedspecicationstoselecttheservice,whosespecicationistheclosestmatchtotheuserrequirements.Tostream-linetheserviceselectionprocess,thespecicationmustbeexpressedinastandardizedspecicationlanguage,suchas,e.g.,WebServiceDenitionLanguage(WSDL)[1].Here,weomitthedetailsoftheservicespecicationframework,whichisthesubjectoffuturework.Next,thespecicationisanalyzedbyTestSuiteGenera-tortoproduceatestsuiteusingtheblack-boxtestingtech-niques[65](Section3.2).TheresultingtestsuiteisthensubmittedtoTestingHarness,whichdeploystheservicein-stanceonthecloud-basedexecutionplatform,subjectsthedeployedinstancetothesubmittedtestsuite,andstorestheresultsonthecloudstoragefacilities.TheResultVerier expecttobethenumberofstates,requiredforthepropertytestingbasedanalysisinpractice.4.VERIFYINGPROPERTIESOFCLOUDSTORAGEUsersincreasinglyrelyonthecloudforstorage,instantlyuploadingtheirphotos,documents,scheduledsystemback-upsandmore.Inthissection,weexploresomeoftheprop-ertiesexpectedbyusersfromacloudstorageserviceandsurveyrecentworkonthevericationoftheseproperties.4.1ProtectingAgainstaByzantineProviderWestartbydescribingpropertiesforwhichtheknownver-icationmethodscanovercomeanyadversarialcloudprovider,evenafullymaliciousone.Integrity.Oneofthebasicpropertiesexpectedfromastoragesystemisdataintegrity.Usersmustbecondentthattheirdataisnotalteredwhilebeingstoredortrans-ferredtoandfromthestorageservice.Asimplewaytoguaranteethisistouseerrordetecting(orerrorcorrect-ing)codes.Toprotectagainstintentionaltemperingofthedata,aclientmayuseacryptographichashfunctionandseparatelymaintainthekey.Forlargevolumeofdata,hash-trees[61]arecommonlyusedtoverifydataintegritywithoutrecomputingahashoftheentiredataforthepurposeofver-ication.Theleavesofahash-treearehashesofdatablocks,whereasitsinternalnodesarehashesoftheirchildreninthetree.Auseristhenabletoverifyanydatablockbystoringonlytheroothashofthetreeandperformingalogarithmicnumberofcryptographichashoperations.Whenmultipleuserssharedatausingaremotestorageservice,digitalsig-naturesallowtheclientstoverifydataintegrity.Consistency.Althoughthesemethodsguaranteethatthestoragewillnotbeabletocorruptorforgethedata,itdoesnotpreventastorageservicefromsimplyhidingup-datesperformedbyoneclientfromtheothers,orshowingupdatestoclientsindierentorders.Infact,thiswouldbeimpossibletodetectwithoutadditionaltrustassump-tions(suchasTPM)oralternativelytheclientsbeingabletojointlyaudittheserver'sresponses.Severalsolutionsusingtrustedcomponentswereproposed[31,84],guaran-teeingstrongconsistency(i.e.,linearizability[42])eveniftheserviceismalicious.Adierentapproach,notassum-inganytrustedcomponents,waspioneeredbyMazieresandShasha[58,51],introducinguntrustedstorageprotocolsandthenotionoffork-consistency.Intuitively,traditionalstrongconsistencyguaranteesthatallclientshavethesameviewoftheexecutionhistory.Ontheotherhand,fork-consistencyguaranteesthatclientviewsformatree,whereforksinthetreearecausedbyafaultyserverhidingoperationsofoneclientfromanother.Todate,thisisthestrongestknownconsistencynotionthatcanbeachievedwithapossiblyByzantineremotestorageserverwherenotrustedcompo-nentsareassumedandwhentheclientsdonotcommunicatewithoneanother(onceclientscancommunicatedirectly,theyareabledetectthattheirviewswereforkedbytheserver).Multiplesystemswerebasedonthisidea,startingwithSUNDR[51],anetworklesystemdesignedtoworkwitharemoteandpotentiallyByzantineserver.Cachinetal.[21]implementanSVNsystemhostedonapoten-tiallyByzantineserver.InFAUST[22],authorsstudyfork-consistencymoreformally,includingaproofthatguaran-teeingthisnotioncomeswithapriceonserviceavailability,evenwhentheserveriscorrect,andproposeanewconsis-tencynotion(weak-forklinearizability)thatovercomesthislimitation.Venus[76],avericationsystembuiltwithAma-zonS3,usesaweak-forklinearizableprotocolasabuildingblockbutprovidesmoretraditionalconsistencysemanticstoitsclients.Whentheserveriscorrect,weak-forklinearizabil-ityallowsVenustoguaranteeastrongnotionofliveness(i.e.,serviceavailability),whereclientsarenotaectedbyfailuresofotherclients.Venususesdirectautomatedemailsamongtheclientstoupholdstrongconsistencysemanticsandtoprovideeventualdetectionofstoragefailures.Feldmanetal.introducedSPORC[36],asystemwhichlikewiseguar-anteesavariationoffork-consistency,butforthersttimeallowsnotonlytodetectstoragefaultsbutalsotorecoverfromthembyleveragingthecon ictresolutionmechanismofOperationalTransformation.Finally,wenotethatasimilarconsistencynotion[63]wasrecentlyusedinanon-Byzantinesettingtomodelconsistencyinthecontextofmobileclientsperformingdisconnectedoperations[30],suggestingayettobeexploredconnectionbetweenuntrustedstorageanddis-connectedoperationsor,moregenerally,withthetraditionalmodelofmessagepassingwithomissionfaults.Similarlytostoragefailuredetectionusingdirectcommu-nicationamongclients,ifaglobaltraceofclientoperationsandstorageresponsesisavailable,manyinconsistenciescanbeeasilydetected[11,85,81].Finally,systemssuchasIntercloudStorage[13]andDep-Sky[15]replicatedataovermultiplecloudsinordertomit-igateintegrityorconsistencyviolationsandpotentialun-availabilitycausedbyaproviderfailure.Retrievability.Howcanclientsassurethattheirdataisstillstoredsomewhereinthecloudandnotlostbyaprovidertryingtocutstoragecosts?Astheamountofuploadedinformationgrows,itisofteninfeasibleforclientstocheckdataavailabilitybyperiodicallydownloadingallthedata.Thischallengewasaddressedintheformofnewvericationschemes:ProofsofRetrievability(PORs)[46]andProofsofDataPossession(PDP)[12].Theseprotocolsguaranteewithhighprobabilitythatthecloudisinpossessionofthedatausingchallengessubmittedbytheclient.Thebasicideaisthataclientsubmitsrequestsforasmallsampleofdatablocks,andveriesserverresponses(usingsmalladditionalinformationencodedineachblockorbyaskingforspecialblockswhosevalueisknowninadvancetotheclient).Recently,theseschemesweregeneralizedandimproved,andprototypesystemshavebeenimplemented[75,18,17].Thislineofworkhasalsoleadtothedevelopmentofschemesforvericationofotherproperties,aswedescribenext.4.2ProtectingAgainstanEconomicallyRa-tionalCloudProviderInwhatfollows,thevericationmethodsassumeaneco-nomicallyrationaladversary.Suchcloudprovidermaycheatbutwillnotdosoifitrequiresspendingmoremoneyorotherresourcescomparedtocorrectbehavior.Condentiality.Topreventinformationleakageandprovidedatacondentiality,itisusuallyexpectedthatstoreddataisencrypted.Clientscanencrypttheinformationwiththeirownkeysbeforestoringittothecloud.However,thisisoftennotdesiredasaccesstotheunencrypteddataallowstheprovidertooerarichersetoffunctionality,beyondstorage,suchassearchingthedataorsharingitwithother SLOsherequires,andtoagreeonthepenaltiesincaseofSLAviolation.TheSLOscanbeexpressedasthresholdstomeet,orasQoSmetricstominimizeormaximize.Toprovidebetterthanbest-eortcloudQoS,acontrol-theoreticapproachshouldbefollowedtodesignfullyau-tonomiccloudservices.First,autilityfunctionshouldbedenedtopreciselydescribethesetofSLOsasspeciedintheSLA,theweightsassignedtotheseSLOsifany,andthepossibletrade-osandprioritiesbetweentheSLOs.Thecloudserviceconguration(i.e.combinationofresources)withthehighestutilityisthebestregardingSLAguar-antees.Thus,howtondsuchacloudservicecongura-tion?Controltheorytechniquesthroughmodellingcloudservicebehavior,andproposingcontrollawsandalgorithmsaregoodcandidatesforfullyautonomicSLA-orientedcloudservices[55].Thechallengesformodellingcloudservicesaretobuildaccuratemodelsthatareabletocapturethenon-linearbehaviorofcloudservices,andthatareabletoself-calibratetorenderthevariationsofserviceworkloads.Thechallengeforcontrollingcloudservicesistoproposeaccurateandecientalgorithmsandcontrollawsthatcal-culatethebestserviceconguration,andrapidlyreacttochangesincloudserviceusage.Largelydistributedcloudserviceswouldrequireecientdistributedcontrolbasedonscalabledistributedprotocols.TohelpbuildSLA-orientedclouds,cloudservicesshouldbedesignedtobecontrollablebyconstruction.Theservicesshouldallowtoobservetheirbehavioronline,tomonitortheirchangingQoS,andtoapplychangesonservicecong-uration(i.e.resourceset)whiletheserviceisrunning.TohelpsystemdesignersassesscloudserviceQoSguarantees,benchmarkingtoolsarenecessarytoinjectrealisticwork-loads,dataloads,faultloads,andattackloadsintoacloudservice,andtomeasuretheirimpactontheactualperfor-mance,dependabilityandsecurityoftheservice[8,50,69].6.VERIFYINGSECURITYPOLICIESFormanyyearsnow,SLAshavebeenstandardpracticewhensettingupthetermsofQoSforaserviceprovision.However,SLAsnormallysteerclearofanyexplicitsecuritycommitments,possiblysincecloudprovidersarereservedaboutthesecurityguaranteesoftheirservices.Thispointisprovedbysourcessuchaslastyear'sreportofCATechnologiesandPonemonInstitute[44],whereitwasfoundoutthat,outof127cloudserviceprovidersintheUSandEurope,over80%donotbelievethatsecuringtheirservicesgivesthemacompetitiveadvantage.Then,howcanconsumersprotecttheirdataandapplications?6.1Requirements,PoliciesandComplianceInordertosecurecloudservices,providersemploysecu-ritymeasuresthatdependonasetofrequirements.Theserequirementsstemfromtwosources:externalsources(e.g.,lawsandregulations),andparticularrequirementsthatuserscouldrequest.Securitypoliciesexpressaccuratelybothkindsofrequirements.Tomakesurethatsuchpoliciesarere-spected,therearetoolstoenforcepoliciesorverifycompli-ancewithpolicies.Externalsecurityrequirements.Toprotectcloudusers,ocialsecurityrequirementsstemfromtwomainsources:lawsandregulations,andstandardsthatprovidersshouldabideby.SensitivedataprotectionhasbeenthetargetofEUandUSlawsforseveralyearsnow,beitinhealthcareortelecommunications.InEurope,forexample,directive95/46/ECprotectspersonaldata(amongothers,itforbidsthecollectionanddisclosureofsuchdatawith-outthesubject'sconsent);intheUS,theHealthInsuranceandPortabilityAct[79]aimstorestrictaccesstocomputersystemsthatcontainsensitivepatientdata,aswellastopreventinterceptionordeletionofsuchdatabyunautho-risedparties.Intermsofsecuritystandardsandguidelines,themostactivesectorsarehealthcareandbanking,withexamplesrangingfromHealthLevel7toPCI'sDataSecu-rityStandards[34].Thefocusofsuchstandardsissecuringhealthcareandpaymenttransactions.Inall,suchexternalrequirementsaectcloudconsumerswithinasingledomainorcountry,aswellasacrossmultiplejurisdictions.Itisanopenproblem,outsidethescopeofregulations,whattoolstouseandhowtoemploytheminordertosatisfysuchre-quirements,forbothcloudprovidersandusers.Securitypolicies.Unlikeregulationsandlawsthatcanspecifygeneralsecurityconstraintsinatextform,secu-ritypoliciesarethemachine-understandablespecicationofwhatauserconsiderstobeacceptedorallowedsystembe-havior.Asecuritypolicyofacloudconsumercanspecify,forinstance,thatcustomer-identiabledatashouldnotbepropagatedtootherservices;orthattheownershouldbenotiedofanybackupsorrecongurationsdonetotheirservice.Securitypoliciescanimposerestrictionson:howtoaccessandusesystemresourcesortheprovidedservice;useraccountability;keymanagement;congurationoftheback-endsystem(e.g.,whentoeraseapplicationdata,whentodobackups,connectionstosecurityservices).Manyen-terpriseshavesuchpoliciesalreadyinplaceeitherasagoodpractice,orforauditingorcerticationpurposes.Toolstoenforceorverifycompliance.Enforcingasecuritypolicymeansperformingtheactionstoensurethattheapplicationcomplieswiththatpolicy.ExamplesofsecurityenforcementtoolsareAxiomaticsXACMLPolicyServer,IBM'sTivoliSecurityManager,orXMLgatewayssuchasVordel.Inacloudsetting,userscaneither:(1)setuptheirownenforcers,whentheyhavecontroloversomepartoftheinfrastructure,or(2)relyonanotherpartytoenforcetheirpolicies,andthenverifythattheenforcementisdonecorrectly.Anafter-the-factvericationusuallyin-volvesanalyzingexecutionlogsprovidedareportingserviceisinplaceanditsoutputisprovidedtotheuser;atrun-timeclientscanrandomlyprobetheapplicationtodiscoverpolicyviolations(fastbutimprecise),oractivelymonitorapplicationorserviceoutput(whichcanbeaperformanceburdenandinvolvesananalysisarchitectureandprocess).6.2ExistingworkExpressingsecurityconstraints.Surprisingly,itisonlyveryrecentlythatthenotionofsecurityservice-levelagreementshasbeenproposedinthecloudcontext:oneoftherstisanHPreport[62]suggestingthatclientsshouldnegotiatethosesecurityneedsthattheycanunderstand,predictandmeasurebythemselves.Examplesinclude:95%ofserioussecurityincidentsshouldbesolvedwithinonehourfromdetection;anup-to-dateantivirustoscanthesystemeveryday;minimumnetworkavailabilityincaseofanat-tack;thepercentageofunpatchedorunmanagedmachines.Inasimilarvein,Jaatunetal.[45]suggestthatasecu-ritySLAshouldinclude:thesecurityrequirementsthattheproviderwillenforce,theprocessofmonitoringsecuritypa- lateranalysis.Intermsoftrustmodel,itisimportanttodeterminetowhatextenttheconsumerandtheprovidershouldtrusteachotherinreportingtruthfully.Toolsforen-suringtimestampingandlogtamper-resistancearealreadyinplace.Intermsofprivacy,reportingshouldbesucienttodetectfaultsandatthesametimeshouldnotexposeprivateuserdata.7.CONCLUSIONSThispapersurveysthetoolsandmethodsthatcloudusersandserviceproviderscanemploytoverifythatcloudser-vicesbehaveasexpected.Wefocusonthevericationofseveralproperties:theidentityoftheserviceandofthenodestheservicerunson;functionalcorrectnessofaservice;SLA-imposedparameterslikeperformanceanddependabil-ity;andlastlythecomplianceoftheservicewithsecurityrequirementsasspeciedbyasecuritypolicy.Wediscussedstateoftheartintheseareasandidentiedgapsandchal-lenges,whichexplainthelackofsucienttoolsformonitor-ingandevaluationofcloudservices.Ineachoftheseareaswehighlightednewandpromisingdirectionsthatwebelievetobeinstrumentalindevelopingsuchtoolsinthefuture.Wehopethatourpaperwillencouragefutureresearchinthisarea.AcknowledgementTheauthorswouldliketothankRudigerKapitzaandtheotherorganisersoftheDagstuhlseminar12281"SecurityandDependabilityforFederatedCloudPlatforms"(July2012),whohavebolsteredthiscollaboration.8.REFERENCES[1]WebServicesDescriptionLanguage(WSDL)1.1.http://www.w3.org/TR/wsdl,2001.[2]SOAPVersion1.2Part1:MessagingFramework(SecondEdition).http://www.w3.org/TR/soap12-part1,2007.[3]AmazonEC2SLA.https://aws.amazon.com/ec2-sla/,2012.[4]AmazonS3SLA.https://aws.amazon.com/simpledb/,2012.[5]RackspaceSLA.http://www.rackspace.com/cloud/legal/sla/,2012.[6]WindowsAzureComputeSLA.https://www.microsoft.com/download/en/details.aspx?displaylang=en\&id=24434,2012.[7]WindowsAzureStorageSLA.https://www.microsoft.com/windowsazure/features/storage/,2012.[8]D.AgarwalandS.K.Prasad.Azurebench:Benchmarkingthestorageservicesoftheazurecloudplatform.InIPDPSWorkshops,pages1048{1057.IEEEComputerSociety,2012.[9]N.Alon,M.Krivelevich,I.Newman,andM.Szegedy.Regularlanguagesaretestablewithaconstantnumberofqueries.InProc.40thIEEESymposiumonFoundationsofComputerScience,pages645{655,1999.[10]AmericanExpressmayhavefailedtoencryptdata.http://www.scmagazine.com/american-express-may-have-failed-to-encrypt-data/article/170997/.[11]E.Anderson,X.Li,M.Shah,J.Tucek,andJ.Wylie.Whatconsistencydoesyourkey-valuestoreactuallyprovide.InProceedingsoftheSixthinternationalconferenceonHottopicsinsystemdependability,pages1{16.USENIXAssociation,2010.[12]G.Ateniese,R.Burns,R.Curtmola,J.Herring,L.Kissner,Z.Peterson,andD.Song.Provabledatapossessionatuntrustedstores.InProceedingsofthe14thACMconferenceonComputerandcommunicationssecurity,pages598{609.ACM,2007.[13]C.Basescu,C.Cachin,I.Eyal,R.Haas,A.Sorniotti,M.Vukolic,andI.Zachevsky.Robustdatasharingwithkey-valuestores.InProc.Intl.ConferenceonDependableSystemsandNetworks(DSN),June2012.[14]S.A.Baset.CloudSLAs:presentandfuture.SIGOPSOper.Syst.Rev.,46(2):57{66,July2012.[15]A.Bessani,M.Correia,B.Quaresma,F.Andre,andP.Sousa.DepSky:Dependableandsecurestorageinacloud-of-clouds.InProc.6thEuropeanConferenceonComputerSystems(EuroSys),pages31{46,2011.[16]S.Bleikertz,A.Kurmus,Z.A.Nagy,andM.Schunter.Securecloudmaintenance{protectingworkloadsagainstinsiderattacks.InASIACCSACMSymposiumonInformation,ComputerandCommunicationsSecurity,2012.toappear.[17]K.Bowers,A.Juels,andA.Oprea.Hail:ahigh-availabilityandintegritylayerforcloudstorage.InProceedingsofthe16thACMconferenceonComputerandcommunicationssecurity,pages187{198.ACM,2009.[18]K.Bowers,A.Juels,andA.Oprea.Proofsofretrievability:Theoryandimplementation.InProceedingsofthe2009ACMworkshoponCloudcomputingsecurity,pages43{54.ACM,2009.[19]K.Bowers,M.vanDijk,A.Juels,A.Oprea,andR.Rivest.Howtotellifyourcloudlesarevulnerabletodrivecrashes.InProceedingsofthe18thACMconferenceonComputerandcommunicationssecurity,pages501{514.ACM,2011.[20]S.Butt,H.A.Lagar-Cavilla,A.Srivastava,andV.Ganapathy.Self-serviceCloudComputing.InCCS,2012.[21]C.CachinandM.Geisler.Integrityprotectionforrevisioncontrol.InAppliedCryptographyandNetworkSecurity,pages382{399.Springer,2009.[22]C.Cachin,I.Keidar,andA.Shraer.Fail-awareuntrustedstorage.SIAMJournalonComputing,40(2):493{533,2011.[23]C.CachinandM.Schunter.ACloudYouCanTrust.http://spectrum.ieee.org/computing/networks/a-cloud-you-can-trust,2011.[24]C.Cadar,D.Dunbar,andD.Engler.Klee:unassistedandautomaticgenerationofhigh-coveragetestsforcomplexsystemsprograms.InProceedingsofthe8thUSENIXconferenceonOperatingsystemsdesignandimplementation,OSDI'08,pages209{224,Berkeley,CA,USA,2008.USENIXAssociation.[25]R.Cellan-Jones.TheSidekickCloudDisaster.http://www.bbc.co.uk/blogs/technology/2009/10/the_sidekick_cloud_disaster.html,2009.[26]M.B.Chhetri,Q.B.Vo,andR.Kowalczyk.Policy-BasedAutomationofSLAEstablishmentforCloudComputingServices.InThe201212thIEEE/ACMInternationalSymposiumonCluster,CloudandGridComputing(CCGrid2012),pages164{171,Washington,DC,USA,2012.[27]V.Chipounov,V.Kuznetsov,andG.Candea.S2e:aplatformforin-vivomulti-pathanalysisofsoftwaresystems.InProceedingsofthesixteenthinternationalconferenceonArchitecturalsupportforprogramminglanguagesandoperatingsystems,ASPLOS'11,pages265{278,NewYork,NY,USA,2011.ACM.[28]V.Chipounov,V.Kuznetsov,andG.Candea.Thes2eplatform:Design,implementation,andapplications.ACMTrans.Comput.Syst.,30(1):2:1{2:49,Feb.2012.[29]H.ChocklerandO.Kupferman.!-regularlanguagesaretestablewithaconstantnumberofqueries.Theor.Comput.Sci.,329(1-3):71{92,2004. TrustedCloudComputing.InHotCloud,2009.[71]N.Santos,R.Rodrigues,K.Gummadi,andS.Saroiu.Policy-SealedData:ANewAbstractionForBuildingTrustedCloudServices.InUSENIXSecurity,2012.[72]J.Schiman,T.Moyer,H.Vijayakumar,T.Jaeger,andP.McDaniel.SeedingCloudswithTrustAnchors.InWCCS,2010.[73]V.SekarandP.Maniatis.Veriableresourceaccountingforcloudcomputingservices.InProceedingsofthe3rdACMworkshoponCloudcomputingsecurityworkshop,CCSW'11,pages21{26,NewYork,NY,USA,2011.ACM.[74]SensePostBlog,DEFCON17Conference.ClobberingtheCloud,2009.http://www.sensepost.com/blog/3706.html.[75]H.ShachamandB.Waters.Compactproofsofretrievability.AdvancesinCryptology-ASIACRYPT2008,pages90{107,2008.[76]A.Shraer,C.Cachin,A.Cidon,I.Keidar,Y.Michalevsky,andD.Shaket.Venus:Vericationforuntrustedcloudstorage.InProceedingsofthe2010ACMworkshoponCloudcomputingsecurityworkshop,pages19{30.ACM,2010.[77]E.G.Sirer,W.deBruijn,P.Reynolds,A.Shieh,K.Walsh,D.Williams,andF.B.Schneider.LogicalAttestation:AnAuthorizationArchitectureforTrustworthyComputing.InSOSP,2011.[78]TheGuardian.PlayStationNetworkhack:whyittookSonysevendaystotelltheworld.http://www.guardian.co.uk/technology/gamesblog/2011/apr/27/playstation-network-hack-sony,2011.[79]UnitedStatesCongress.HealthInsurancePortabilityAct.http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/html/PLAW-104publ191.htm,1996.[80]M.vanDijk,A.Juels,A.Oprea,R.Rivest,E.Stefanov,andN.Triandopoulos.Hourglassschemes:howtoprovethatcloudlesareencrypted.InProceedingsofthe2012ACMconferenceonComputerandcommunicationssecurity,pages265{280.ACM,2012.[81]C.WangandY.Zhou.Acollaborativemonitoringmechanismformakingamultitenantplatformaccountable.InProceedingsofthe2ndUSENIXconferenceonHottopicsincloudcomputing,HotCloud'10,pages18{18,Berkeley,CA,USA,2010.USENIXAssociation.[82]G.Watson,R.Safavi-Naini,M.Alimomeni,M.Locasto,andS.Narayan.Lost:locationbasedstorage.InProceedingsofthe2012ACMWorkshoponCloudcomputingsecurityworkshop,pages59{70.ACM,2012.[83]J.Yao,S.Chen,C.Wang,D.Levy,andJ.Zic.AccountabilityasaServicefortheCloud.ServicesComputing,IEEEInternationalConferenceon,0:81{88,2010.[84]A.YumerefendiandJ.Chase.Strongaccountabilityfornetworkstorage.ACMTransactionsonStorage(TOS),3(3):11,2007.[85]K.ZellagandB.Kemme.Howconsistentisyourcloudapplication?InProceedingsoftheThirdACMSymposiumonCloudComputing,page6.ACM,2012.[86]F.Zhang,J.Chen,H.Chen,andB.Zang.CloudVisor:RetrottingProtectionofVirtualMachinesinMulti-tenantCloudwithNestedVirtualization.InSOSP,2011.[87]F.Zhou,M.Goel,P.Desnoyers,andR.Sundaram.Schedulervulnerabilitiesandattacksincloudcomputing.IEEEInternationalSymposiumonNetworkingComputingandApplications,2011.