DocumentCode
3579383
Title
Practical runtime security mechanisms for an aPaaS cloud
Author
Sandikkaya, Mehmet Tahir ; Odevci, Bahadir ; Ovatman, Tolga
Author_Institution
Comput. Eng. Dept., Istanbul Tech. Univ., Istanbul, Turkey
fYear
2014
Firstpage
53
Lastpage
58
Abstract
An emerging concept of today's cloud is aPaaS (application PaaS), which combines the ready-to-use software services of SaaS, application serving and development functionality of PaaS, and a convenient marketplace for the developed applications. The integrated development environment of an aPaaS usually provides drag-and-drop application creation and script embedding user interfaces to develop software that will be marketed and served within the same cloud. Yet, enabling application developers to embed scripts or instantiate objects brings up security issues, as deliberate or accidental actions may threaten any cloud stakeholder during development or execution. The paper presents practical solutions to inspect tenants' software at runtime in terms of object instantiation, method calls and CPU load generation. In the prototype implementation, object instantiation and method calls are managed to regulate access to critical file system or socket resources. Also, the CPU load generated by each tenant is monitored to detect possible malicious or erroneous activity, which allows CPU resources to be freed when necessary. According to the simulation results based on the prototype implementation, running the mentioned security mechanisms adds an overhead of up to 20%, which is an acceptable absolute value of around 2 ms, to the web applications served in the cloud in idle and normal load conditions. The mechanisms are scalable, as the relative overhead decreases with an increasing number of concurrent users.
Keywords
cloud computing; resource allocation; security of data; user interfaces; CPU load generation; CPU resources; Web applications; aPaaS cloud; accidental actions; cloud stakeholder; development functionality; erroneous activity; normal load conditions; object instantiation; practical runtime security mechanisms; ready-to-use software services of SaaS; script embedding user interfaces; security mechanisms; socket resources; tenant software; Central Processing Unit; Context; Monitoring; Prototypes; Security; Servers; Software; PaaS; aPaaS; cloud; runtime; security;
fLanguage
English
Publisher
ieee
Conference_Titel
Globecom Workshops (GC Wkshps), 2014
Type
conf
DOI
10.1109/GLOCOMW.2014.7063385
Filename
7063385