Bypassing Cloud Providers' Data Validation to Store Arbitrary Data
This work addresses security and accounting vulnerabilities in cloud computing, but it is incremental as it builds on known issues with data validation.
The paper investigated data validation processes of popular cloud providers, demonstrating that ill-defined validation can be bypassed to store arbitrary data, which was shown through a proof-of-concept system that allowed unaccounted data storage.
A fundamental Software-as-a-Service (SaaS) characteristic in Cloud Computing is to be application-specific; depending on the application, Cloud Providers (CPs) restrict data formats and attributes allowed into their servers via a data validation process. An ill-defined data validation process may directly impact both security (e.g. application failure, legal issues) and accounting and charging (e.g. trusting metadata in file headers). Therefore, this paper investigates, evaluates (by means of tests), and discusses data validation processes of popular CPs. A proof of concept system was thus built, implementing encoders carefully crafted to circumvent data validation processes, ultimately demonstrating how large amounts of unaccounted, arbitrary data can be stored into CPs.