Verification Of Scalable Distributed Service Integrity For Software-As-A-Service Clouds

M. Nagalakshmi, Syed Sadat Ali

Abstract


Cloud computing provides three types of services: IaaS, PaaS and SaaS. Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS cloud systems enable application service providers to deliver their applications via massive cloud computing infrastructures. However, due to their sharing nature, SaaS clouds are vulnerable to malicious attacks. In this paper, we present IntTest, a scalable and effective service integrity attestation framework for SaaS clouds. IntTest provides a novel integrated attestation graph analysis scheme that can provide stronger attacker pinpointing power than previous schemes. Moreover, IntTest can automatically enhance result quality by replacing bad results produced by malicious attackers with good results produced by benign service providers. We have implemented a prototype of the IntTest system and tested it on a production cloud computing infrastructure using IBM System S stream processing applications. Our experimental results show that IntTest can achieve higher attacker pinpointing accuracy than existing approaches. IntTest does not require any special hardware or secure kernel support and imposes little performance impact on the application, which makes it practical for large-scale cloud systems.





Copyright © 2013, All rights reserved. | ijseat.com

International Journal of Science Engineering and Advance Technology is licensed under a Creative Commons Attribution 3.0 Unported License. Based on a work at IJSEat. Permissions beyond the scope of this license may be available at http://creativecommons.org/licenses/by/3.0/deed.en_GB.