TRUST FRAMEWORK FOR THE CLOUD USING A MODEL OF TRUST, DATA MOVEMENT POLICIES, AND DECENTRALIZATION USING BLOCKCHAIN TECHNOLOGY By STEPHEN SEAN˜ KIRKMAN A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY UNIVERSITY OF FLORIDA 2019 ⃝c 2019 Stephen Se˜an Kirkman To my mom, Norma, who passed in early 2013 before I started my PhD, but knew I was going for it. ACKNOWLEDGMENTS I first and foremost thank my wife and son, Eva and William, for their patience and support during this awesome opportunity. The path to computer science began with my papa, Robin, who passed in 2010 and who was the first computer programmer in the Kirkman family; he worked with punch cards and COBOL. I remember looking at his greenbar printouts he brought home to debug when I was a boy. I thank my chair and advisor, Dr. Richard Newman for his patience and friendship. I wish to thank Dr. Manuel Bermudez (who is also on my committee) for his friendship, stories on his travels, and thoughts about a career in academia. I thank my PhD Committee members Dr. Daniela Oliveira, and Dr. Swarup Bhunia for their advice and support. I would like to thank a close family friend, Dr. Sandy Miarecki, who has guided and mentored me for the last 20 years. Sandy was one of my wife’s bridesmaids and close military friend. Since I have known her, she has provided an invaluable resource in life and pursuing higher education as I decided to get my PhD. I would like to thank Dr. Sumi Helal for encouraging me to apply to the University of Florida. From the University of Illinois at Springfield, I would like to thank Dr Kamyar Dezhgosha for supporting me to publish my first paper and the Department Chair Ted Mimms for his support. I would lastly like to thank the following individuals at the University of Florida for their assistance in conducting my survey: Florida Institute for Cyber Security (FICS) Research Coor- dinator Lesly Galiana for forwarding my survey to both faculty and students, Dr Curtis Taylor from the UF College of Engineering for including my survey in the bi-monthly newsletter to the UF College of Engineering Undergraduates, and finally Mr. Brian Roberts who coordinated to send my survey to the Warrington College of Business. 4 TABLE OF CONTENTS page ACKNOWLEDGMENTS ................................... 4 LIST OF TABLES ...................................... 11 LIST OF FIGURES ..................................... 13 ABSTRACT ......................................... 16 CHAPTER 1 INTRODUCTION ................................... 17 1.1 Efforts to Improve Trust ............................. 18 1.2 Dissertation Statement ............................. 19 1.3 Organization ................................... 20 2 LITERATURE REVIEW - ACHIEVING TRUST IN TECHNOLOGY ......... 21 2.1 Trusted Hardware ................................ 21 2.1.1 Trusted Platform Module and vTPM (2009) .............. 22 2.1.2 Intel Software Guard Extensions (2015) ................. 23 2.1.3 Trusted System on Chip Research (2017) ................ 25 2.2 Social Networks and Trusted Third Parties ................... 25 2.2.1 Social Networks to Improve Trust .................... 25 2.2.2 Cloud Security Alliance - STAR Registry ................. 26 2.2.3 Trusted Computing Group ........................ 26 2.3 Data Focused - Data Provenance and Trust ................... 26 2.4 Encryption .................................... 27 2.4.1 Homomorphic Encryption ........................ 27 2.4.2 Blockchains to Enhance Trust ...................... 28 2.5 Summary ..................................... 28 3 BLOCKCHAINS .................................... 30 3.1 Distributed Consensus .............................. 30 3.1.1 Byzantine Agreement Problem ...................... 31 3.1.2 FLP Impossibility Result ......................... 32 3.2 Blockchains - Bitcoin .............................. 33 3.2.1 Blockchain Fundamentals ........................ 33 3.2.2 Proof of Work - Mining ......................... 35 3.2.3 Storage - Merkle Trees .......................... 36 3.2.4 Forks ................................... 38 3.2.5 51% Attack ................................ 38 3.3 Ethereum Blockchain .............................. 39 3.3.1 Smart Contracts ............................. 40 5 3.3.2 Paying for Space and Computation ................... 40 3.3.2.1 Example 1 ........................... 42 3.3.2.2 Example 2 ........................... 43 3.3.3 Transactions ............................... 43 3.3.4 Data on the Ethereum Blockchain .................... 44 3.3.5 Proof of Stake .............................. 45 3.4 Multichain .................................... 46 3.5 Systems Based on Blockchains ......................... 47 3.5.1 Storj, 2014 ................................ 47 3.5.2 MedRec, 2016 .............................. 48 3.5.3 Blockstack, 2017 ............................. 50 3.5.4 Systems Summary ............................ 52 3.6 Chapter Summary ................................ 52 4 SYSTEMS REVIEW .................................. 54 4.1 Trust Systems .................................. 54 4.1.1 Excalibur: Policy Sealed Data, 2012 ................... 54 4.1.2 CloudMonatt, 2015 ............................ 56 4.1.3 Verifiable Confidential Cloud Computing, 2015 ............. 58 4.1.4 Trustworthy Multi-Cloud Services Communities, 2015 .......... 59 4.1.5 Cloud Trust Protocol, 2015 ....................... 62 4.1.6 Cloud Armor, 2016 ............................ 62 4.1.7 Tenant Attested Trusted Cloud, 2016 .................. 64 4.1.8 Trust Systems Summary ......................... 66 4.2 Data Movement Systems ............................ 68 4.2.1 CloudFence, 2013 ............................ 68 4.2.2 S2 Logger, 2013 ............................. 70 4.2.3 Data Location Control Model, 2014 ................... 73 4.2.4 Stratus Project, 2015 ........................... 75 4.2.5 VeriMetrix Framework, 2015 ....................... 76 4.2.6 Data Movement Systems Summary ................... 77 4.3 Chapter Summary ................................ 78 5 GOAL 1 - CLOUD TRUST MODEL AND VALIDATION ............... 80 5.1 Quantitative Trust Models ............................ 80 5.2 Probabilistic Models ............................... 83 5.3 A Trust Model for the Cloud ........................... 85 5.3.1 Five Degrees of Recommendation .................... 86 5.3.2 Cloud Spiral of Trust ........................... 88 5.4 Trust Model Effectiveness and Validation .................... 90 5.4.1 Industry Surveys and Academic Survey Research ............ 90 5.4.2 Power Analysis for Surveys ........................ 92 5.4.2.1 Effect size ........................... 93 5.4.2.2 Test that a proportion is .50 effect index g .......... 94 6 5.4.2.3 Difference between proportion effect index h ......... 94 5.4.2.4 Our statistical power ...................... 95 5.5 Survey Mechanics and Distribution ....................... 95 5.5.1 UF Institutional Review Board and Distribution Information ...... 96 5.5.2 Survey Respondents and Demographics ................. 97 5.5.3 Selected Result Charts .......................... 98 5.5.4 Survey Summary ............................. 101 5.6 Hypotheses for Cloud Trust Model ....................... 102 5.6.1 Hypothesis Test Plan ........................... 102 5.6.2 Hypothesis 1 ............................... 104 5.6.3 Hypothesis 2 ............................... 105 5.6.4 Hypothesis 3 ............................... 106 5.6.5 Hypothesis 4 ............................... 107 5.7 Summary ..................................... 109 6 GOAL 2 - ORCON CONSUMER POLICY MODEL FOR DATA MOVEMENT .... 110 6.1 ORCON Policy Model Overview ......................... 110 6.2 Model ...................................... 111 6.2.1 Elements of State: Clouds, Consumers, Datasets, Policies, and Tags .. 111 6.2.2 Functions ................................. 112 6.2.2.1 Tag function of a dataset ................... 112 6.2.2.2 Location function of a dataset ................. 112 6.2.2.3 Owner function of a dataset .................. 113 6.2.2.4 Mapping of consumer to metadata .............. 113 6.2.2.5 Mapping of consumer i to policy i .............. 113 6.2.2.6 Policy Function ........................ 113 6.2.3 State ................................... 113 6.2.4 Actions .................................. 114 6.2.4.1 Add cloud C .......................... 114 6.2.4.2 Add consumer E ........................ 114 6.2.4.3 Consumer Ei add data set D with tag TAG at cloud C ... 114 ′ 6.2.4.4 Consumer Ei modify metadata from µ to µ ......... 115 6.2.4.5 Consumer E modify policy to σ′ ............... 115 ′ 6.2.4.6 Move dataset Dij from C to C ................ 115 6.2.5 Valid State ................................ 116 6.2.6 Model Summary ............................. 116 6.3 Specific Policies ................................. 116 6.4 Authorizations, Attestations, and Audit ..................... 117 6.5 Summary ..................................... 118 7 GOAL 3 - CYCLOPS DECENTRALIZED APPLICATION WITH WHITELIST, DATA TRACKING, AND ATTESTATION .......................... 119 7.1 Overview - How Does the System Work? .................... 120 7.2 Pilot Decentralized Application ......................... 122 7 7.2.1 Decentralized Application GUI Design .................. 123 7.2.2 Smart Contract Design .......................... 123 7.2.2.1 Clouds and consumers ..................... 124 7.2.2.2 Policies ............................. 124 7.2.2.3 Consumer