Securing provenance in virtualized computing infrastructures

Posted on: 2014-05-08
Degree: Ph.D
Type: Dissertation
University: State University of New York at Binghamton
Candidate: Luo, Ruiqi
Full Text: PDF
GTID: 1458390008456404
Subject: Computer Science
Abstract/Summary:
Virtualization has been widely adopted in recent years across personal, enterprise, and cloud computing environments to improve server consolidation, reduce operating costs, and help improve security through greater isolation and more transparent malware analysis and intrusion detection. Provenance, which captures the derivation history of a data product, is essential in datacenters and cloud computing infrastructures to verify the authenticity of data, support reproducibility of scientific discovery, and conduct computer forensics. Although significant research has been conducted on how to collect, store, and query provenance data, provenance security in virtualized computing infrastructures has not been well explored, leaving provenance data vulnerable to unauthorized access.

The overall goal of this dissertation is to investigate techniques to protect confidential data as well as confidential dependencies stored in the provenance, collected in virtualized computing infrastructure. Our main contributions are summarized below.

First, we present techniques to prevent users' confidential data from being leaked to unauthorized users through VM checkpoints stored in the provenance. Our techniques identify memory locations and disk contents in the checkpoints that store confidential data and exclude them from the provenance. Our preliminary results show that our techniques impose only 1% to 5.3% overhead if most pages are dirty before checkpointing is performed.

Next, we present a role-based access control mechanism for protecting confidential data and confidential dependencies, other than VM checkpoints, stored in the provenance. Our techniques would relieve administrators from the tedious and error-prone process of manually specifying permissions for each role in every provenance component.

Finally, we present automated algorithms for analyzing the provenance access control policy, which help administrators understand the policy and detect potential flaws in the policy. We consider three analysis problems: (1) the provenance access control policy existence problem, which checks whether there exists an access control policy that conforms to desirable dependency constraints; (2) the dependency satisfiability problem, which checks whether a given provenance access control policy conforms to desirable dependency constraints; and (3) the provenance completion problem, which checks whether a set of users together will be able to access all the dependencies in the provenance.
Keywords/Search Tags:Provenance, Computing, Confidential data