News‎ > ‎

Weak Data Validation in Cloud Providers Raises an Alert: What is Really Being Stored in the Cloud?

posted Feb 24, 2014, 6:32 AM by Guilherme Sperb Machado   [ updated Jul 21, 2014, 7:43 AM by Corinna Schmitt ]
Is it possible to store any kind of data in Cloud providers, even in those that present data upload restrictions (i.e., Software-as-a-Service applications just accepting images, audio, text, video, etc.)? The paper entitled Bypassing Cloud Providers' Data Validation to Store Arbitrary Data shows that this is not only possible, but that ill-defined data validation rules of Software-as-a-Service applications also bring negative impacts to security, accounting, and charging.

By developing specific encoders which inject data inside well-known file formats (e.g., JPG, PNG, MP3, text, etc), and consequently bypassing the data validation process, the results highlight that Cloud providers become not fully aware of what they store in their own servers, raising legal implications if malicious users would persist and share illegal content. In the scope of accounting and charging impacts, one of the analyzed Cloud providers showed that using the developed data encoders it was possible to store 180 GByte of arbitrary data in a free account which was supposed to store only 105 MByte of audio data.

The PiCsMu system explores the weak data validation of Cloud providers in order to (1) aggregate multiple Cloud providers' storage despite of the accepted data type, (2) provide enhanced privacy (encrypting and hiding data in multiple Clouds), and (3) enable a file sharing network relying on Cloud providers' storage instead of end users' storage. A demo of the PiCsMu system will be presented at NOMS 2014 conference.

For further information please visit:

Comments