Fog computing security and privacy issues, open challenges, and blockchain solution: An overview

Due to the expanding growth of IoT devices, Fog computing was proposed to enhance low-latency IoT applications and meet the distributed nature of these devices. However, Fog computing has been criticized for several privacy and security vulnerabilities. This paper aims to identify and discuss the security challenges for Fog computing. It also discusses blockchain technology as a complementary mechanism associated with Fog computing to mitigate the impact of these issues. The findings of this paper reveal that blockchain can meet the privacy and security requirements of Fog computing; however, there are several limitations of blockchain that should be further investigated in the context of Fog computing.


INTRODUCTION
IoT is a technology used to interconnect several types of physical devices with embedded software, such as PDAs, smartphones, smart vehicles, smart meters, and sensors. Cloud computing, on the other hand, is a technology that provides on-demand computing resources [1]. IoT devices depend on the Cloud to improve flexibility, system stability, fault tolerance, cost-effectiveness, innovative business models, and better communications [2], [3]. Due to the expanding growth of the number of IoT devices [4], the Cloud has to deal with a massive amount of data that includes confidential and sensitive data. Therefore, it requires security mechanisms to protect confidentiality, privacy, and data integrity and to eliminate security threats. Likewise, Cloud computing architecture, when used with IoT devices, may suffer from a critical challenge related to delay-sensitive applications such as online games and emergency services, which might be ruined when unexpected delays occur. Consequently, fog computing (FC) has been proposed to overcome these traditional drawbacks of Cloud computing [5], [6].
FC is "an end-to-end horizontal architecture that distributes computing, storage, control, and networking functions closer to users along the Cloud-to-thing continuum" [7]. FC can help to address several security concerns related to Cloud and IoT-generated data security. FC facilitates the on-site storage and analysis of time-sensitive heterogeneous data by reducing the amount of confidential data stored in and transmitted to the Cloud. Moreover, FC can help to mitigate latency issues, unavailability of location awareness, mobility support, and bandwidth obstacles [8], [9]. Approximately 45% of IoT-generated data will use FC that can be installed within close range of IoT sensors and devices for local processing and data storage [10], [11].
Despite the above-mentioned benefits, FC suffers from several issues. These issues are due to the distributed and homogeneous nature of FC, its extension of the Cloud, from which it inherits several issues, and its proximity to IoT devices [12]. The most challenging issues reported in the literature are privacy and security issues. Fortunately, many studies have recently reported that security and privacy issues in FC can be mitigated by adopting blockchain (BC) technology [13]-[16]. BC was originally used in Bitcoin; however, many applications have recently adopted BC to enhance the privacy and security of online transactions [17]. Accordingly, this research is conducted to improve the general understanding of the FC security challenges for future digital infrastructure and how BC can mitigate the effect of these challenges. Hence, this paper aims to answer the following research questions:
RQ1: What are the security and privacy issues that face FC?
RQ2: How can BC mitigate the impact of FC security and privacy issues?
The main contributions of this study are: i) identifying and analyzing the security challenges along with their existing solutions and respective limitations, and ii) studying the complementary relationship between BC and FC by exploring BC-based solutions that cater to the privacy and security concerns of Fog-enabled IoT. The rest of this paper is organized as follows. Section 2 presents the background of FC. Section 3 discusses the state-of-the-art privacy and security challenges due to the use of FC. Section 4 discusses how BC can mitigate the open challenges of security and privacy in FC. Section 5 concludes this paper.

FOG COMPUTING BACKGROUND
Figure 1 provides a holistic view of the FC-IoT architecture. In this architecture, each IoT device can be connected to one Fog node through wired or wireless access media such as ZigBee and WiFi. Fog nodes communicate with each other through wireless or wired media as well. Virtualization technologies such as software-defined network and network functions virtualization are used to achieve network virtualization and traffic engineering [6], [18]. In this architecture, three layers can be identified: the IoT device layer (i.e., end-user devices such as smartphones, smartwatches, and so on), the Fog layer (i.e., routers, switches, computers, and so on), and the Cloud layer (i.e., the central storage and control devices and systems) [19]-[21].
A typical BC and smart contract implementation is also illustrated in Figure 1. The data is sent from IoT devices to the Fog node for data aggregation and further analysis [22]. Fog nodes enforce predefined security policies to manage connected IoT devices and services, and also play an intermediate role in the interaction between the Cloud and the public BC, which enables indexing of authentication for data queries [23]. The diagram explains real-time indexing, BC-enabled authentication, and secure data transfer. The data transferred is encrypted using an encryption algorithm such as AES or RSA, which provides a short key establishment time and protects against network attacks [23]. In short, BC enables an indexing authentication approach that represents scalable, decentralized, and protected data sharing in FC.
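The indexing-authentication idea described in this section can be sketched as follows. This is an added example, not code from the paper or from [23]: `FogLedger`, its methods, and the `meter-17/...` record identifiers are hypothetical, and a local SHA-256 hash chain stands in for the public BC. The payload bytes represent data that has already been encrypted before it reaches the Cloud.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed start value for the chain

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def block_hash(block: dict) -> str:
    body = {k: block[k] for k in ("height", "record_id", "payload_hash", "prev")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class FogLedger:
    """Hypothetical append-only hash chain standing in for the public BC."""
    def __init__(self):
        self.blocks = []
        self.index = {}  # record_id -> block height, consulted on data queries

    def anchor(self, record_id: str, payload: bytes) -> None:
        # Only the hash of the (already encrypted) payload goes on the chain.
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        block = {"height": len(self.blocks), "record_id": record_id,
                 "payload_hash": sha256_hex(payload), "prev": prev}
        block["hash"] = block_hash(block)
        self.blocks.append(block)
        self.index[record_id] = block["height"]

    def chain_ok(self) -> bool:  # every block hashes correctly and links back
        prev = GENESIS
        for block in self.blocks:
            if block["prev"] != prev or block["hash"] != block_hash(block):
                return False
            prev = block["hash"]
        return True

    def authenticate(self, record_id: str, payload: bytes) -> bool:
        # Query-time check: is this the payload anchored under record_id?
        height = self.index.get(record_id)
        return (height is not None and self.chain_ok()
                and self.blocks[height]["payload_hash"] == sha256_hex(payload))

def demo():
    ledger = FogLedger()
    ledger.anchor("meter-17/0001", b"ciphertext-A")  # constructed sample records
    ledger.anchor("meter-17/0002", b"ciphertext-B")
    genuine = ledger.authenticate("meter-17/0001", b"ciphertext-A")
    swapped = ledger.authenticate("meter-17/0001", b"ciphertext-X")
    # An insider rewrites block 0 so that it matches the swapped payload.
    ledger.blocks[0]["payload_hash"] = sha256_hex(b"ciphertext-X")
    return genuine, swapped, ledger.authenticate("meter-17/0001", b"ciphertext-X")
```

`demo()` returns `(True, False, False)`: the genuine record authenticates, a swapped payload does not, and rewriting the ledger entry to match the swap breaks the chain and is rejected as well.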

SECURITY AND PRIVACY ISSUES OF FOG COMPUTING
Due to the distributed and heterogeneous nature of FC, its closeness to IoT devices, and its extension of Cloud computing, many security and privacy issues have been reported in the literature. This makes FC vulnerable to many attacks such as Man-in-the-Middle, Denial-of-Service, Rogue Fog Node, and Sybil attacks [24]. Solutions have been provided for some of these challenges, as shown in Table 1.

Several solutions were provided in the literature such as attribute-based encryption (ABE) access control [25], fine-grained access control [26], policy-driven management framework [27], leakage-resilient functional encryption schemes, device management, and key management [28], [29].

Packet Forwarding
It should be ensured that the features of the sent packet are maintained to guarantee the privacy of the packet sent between two Fog nodes or between Fog and IoT devices. End-to-end connectivity requires the cooperation of other nodes to enable message delivery, and privacy-preserving packet forwarding should be used [28].

Virtualization
A lack of security countermeasures may enable a VM to manipulate the services of the Fog or to take control of the underlying operating system and hardware. Several solutions have been proposed such as implementing isolation policies, network abstraction, VM monitoring, multi-factor authentication, installation of detection systems at host and network, user-based permissions model, and hardening the hypervisor [25], [30], [31].

Fault Tolerance
Attackers may take control over or disable Fog nodes or the entire structure, due to misconfigurations, out-of-date software, weaknesses, and other faults. Therefore, participating in various policies and mechanisms as well as the deployment of a proactive fault-tolerance method is vital [25], [32].

Data Management
Data identification, aggregation, search, analysis, sharing, and distribution represent another issue for FC. Several mechanisms were proposed to ensure data integrity such as Trusted Platform Module (TPM), homomorphic encryption, one-way entrance permutation, key distribution, searchable, symmetric, and asymmetric encryption, data encryption schema used for single keyword search, and key-aggregate encryptions [6], [28], [33].

Light-weight Protocol Design
Lightweight protocols should support real-time service performance by reducing the communication between the IoT devices and Fog nodes. Various lightweight cryptographic schemes and techniques were anticipated to address this issue, including elliptic curve cryptosystems [28], hash functions, masking techniques, and stream ciphers for secure end-to-end communication [6].

Malicious Fog Node
In order to avoid this issue, it was suggested to deploy fake node detection systems and trust-based routing mechanisms [6]. However, creating and deleting virtual machine instances in a dynamic way complicates the process of maintaining a blacklist of rogue nodes [34].
The security and privacy solutions for FC proposed in the literature oversimplify the real ecosystem nature of FC by assuming FC to be a single Cloud provider. FC comprises numerous cooperating service providers, services, and infrastructures related to diverse trust domains [35]. Therefore, state-of-the-art solutions are essential to meet the security and privacy requirements of FC. These solutions should ease the collaboration between different components in this complex environment. Table 2 summarizes the open questions and research challenges in this context.

[25]. In spite of the new authentication techniques that have been proposed such as identity, decoy, anonymous, cooperative, single-domain, cross-domain, and handover authentication [28], authentication represents one of the major concerns in FC [4].

Detection Systems
Although several detection systems were proposed such as signature-based and neural network-based, fuzzy logic, lightweight countermeasure utilizing bloom filters, and distributed detection systems [23]-[25], there is a vital need for new systems that can integrate the different detection components which are distributed in the Fog network [24].

Trust Management
Trust, in FC, must be enabled by the Fog nodes. Moreover, Fog nodes that are delegated with data and processing requests by the IoT devices are required to create consistent communications with the Fog nodes. This two-way challenge makes the creation of trust a challenging task, despite several trust models that have been proposed such as trusted execution environment (TEE), region-based trust-aware (RBTA), and trusted distributed platform over the edge devices [25], [28].

Join/Leave Node
There is a vital need to create an authentication structure whenever an IoT device leaves one Fog node and joins another or when a Fog node leaves the Fog layer. This structure should be of low complexity. Moreover, the system should be able to identify a misbehaving IoT device [24], [36].

Forensics
There is a large number of log records in FC. This makes it harder to acquire the log data from Fog nodes [37]. Some proposed solutions keep track of changes in data location among regions using a mobility service (MS) and a location register database (LRD) [25]. However, Fog forensics is subject to some limitations like the need for international regulation and application-level logging [38]. Furthermore, more resources and computational processing power are needed to store trusted evidence in a distributed ecosystem with multiple trust domains [21].

Privacy Preservation
Compared to Cloud computing, FC is more vulnerable in terms of privacy risks (i.e., data, identity, location, and usage privacy). This vulnerability is due to the closeness of Fog nodes to the customers, which allows more sensitive information to be gathered from them, and to the fact that computing on customer data is outsourced to the Fog node, which might collect data from IoT services and relate it to the real identities of the clients [39]. Several solutions have been suggested in the literature to preserve the privacy of data in the Fog environment, such as masking techniques or lightweight encryption algorithms, Home-Area Network (HAN), identity obstruction techniques, differential and homomorphic techniques, identity-based and attribute-based encryption, and proxy re-encryption [1], [40].

CONCLUSION AND FUTURE DIRECTIONS
IoT devices are vulnerable to different security attacks due to the lack of hardware and software security design. This paper discusses potential security and privacy challenges observed in the Fog-enabled IoT literature. It also discusses BC as an emerging security and privacy solution for the Fog-enabled IoT domain. This paper provides an overview of the open challenges of FC security and privacy issues. It also provides an overview of how BC can mitigate most of these challenges. BC characteristics such as decentralization can provide a mechanism that enhances the security, authentication, and integrity of data sent by IoT devices. It also ensures the anonymity of the IoT devices.
Despite the above-mentioned characteristics and benefits of BC if used in FC, not all Fog applications are supported by all BC consensus mechanisms. For instance, proof of work (PoW) cannot be hosted on Fog devices as it demands enormous resources such as power and computing to execute transactions. Moreover, the Bitcoin BC poses response time latency in the transaction validation process, which makes it not the best choice for real-time applications. In addition, due to the tremendous rate of growth in the number of IoT devices, BC in FC may face a scalability issue. Therefore, more research is yet to be conducted in this area. The findings of this paper guide academics and industries to investigate new answers to the open questions of the FC security and privacy issues.

Reduce security threats: BC can be used to create secured virtual zones that help in mitigating the effect of, and protecting the system against, several threats, such as cache poisoning, ARP spoofing, and denial of service attacks [56].
Well-structured: BC is based on a clear, well-defined structure that takes into consideration all security aspects such as authentication, authorization, and data protection [57].
Enhance security: BC encrypts the data exchanged within the architecture, which in return enhances the security of the system [58].
Enhance IoT security: BC enriches the security of the IoT devices by overcoming the limitations of the devices when applying security policies [59].
Prevent a single point of failure: Being decentralized, the BC architecture does not have a weak point such as a single point of failure [56].

Preservation
Enhance data integrity: BC efficiently protects the data from unintended and incomplete changes due to the solid trust verification process for any transaction type [60].
Protect users and device identity: BC protects the identity of the IoT devices by supporting anonymous communication methods [60].
Enhance independency: BC reduces the need to have a third party to verify entities or processes, which minimizes the sharing of data with external bodies [58].
Enhance confidentiality: BC architecture enables the user to control his data in terms of the locations to save it and the entities to participate in the trust verification process [61].
Enhance authentication: BC uses immune verification and validation processes that make identity theft extremely difficult if not impossible [62].

Performance
Enhance performance: BC uses Software-Defined Networks (SDN), which may enhance certain functions in the applied architecture, such as authentication and logging [59].
Reduce delay: Distribution of processes in the BC will reduce the delay in delivering the required response from the system [63].
Reduce overhead: Distribution of processes in the BC will reduce the overhead that was on a single machine [64].

Scalability
Scalability: BC does not have any restriction on the type of devices nor the process scenario. For instance, BC can be implemented using any IoT device, any Fog node structure, and any decentralized process [63].

Flexibility
Improve flexibility: BC has different implementation models that go beyond the classical implementation. This will help BC in meeting various needs and requirements. For instance, security requirements can be fulfilled by using centralized and decentralized components in the architecture, for example, the use of a centralized ledger, instead of a centralized ledger, while using a distributed trust can help to satisfy certain security requests [53].

Efficiency
Enhance geographical data use: BC uses the geographical data to prove and verify the process and devices while keeping the geographical data protected [64].
Support concurrency: BC enables multiple processes to be executed at the same time, which in return will enhance the efficiency and power usage and reduce the resources needed [65].

Energy saving
Save energy: BC enhances the power usage efficiency as it distributes the tasks and reduces the overhead on the IoT devices [59].

Auditability
Enhance auditability: BC processes are transparent and logged in all the participants of the architecture [6].
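The conclusion's point that proof of work is too resource-hungry for Fog devices can be made concrete with the added example below, which is not code from the paper. It uses a simplified puzzle (a single SHA-256 over a constructed header plus a nonce, with difficulty counted in leading zero bits) rather than Bitcoin's actual block format, and all function names are hypothetical.

```python
import hashlib

def leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def pow_digest(header: bytes, nonce: int) -> bytes:
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()

def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    # Checking a claimed solution costs one hash, whatever the difficulty.
    return leading_zero_bits(pow_digest(header, nonce)) >= difficulty_bits

def mine(header: bytes, difficulty_bits: int):
    # Brute-force search; expected work is about 2**difficulty_bits hashes.
    nonce = 0
    while not verify(header, nonce, difficulty_bits):
        nonce += 1
    return nonce, nonce + 1  # winning nonce, number of hashes computed

def cost_table(header: bytes, difficulties=(4, 8, 12, 16)):
    # Mining cost per difficulty next to the constant cost of verification.
    rows = []
    for bits in difficulties:
        nonce, hashes = mine(header, bits)
        rows.append({"bits": bits, "hashes_to_mine": hashes,
                     "expected": 2 ** bits, "hashes_to_verify": 1})
    return rows

if __name__ == "__main__":
    for row in cost_table(b"fog-block-header (constructed)"):
        print(row)
```

Each additional difficulty bit doubles the expected mining work while verification stays at one hash, which is why a constrained Fog node can check PoW blocks but is a poor place to produce them.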