ABSTRACT
Virtualized infrastructures and clouds present new challenges for security analysis and formal verification: they are complex environments that continuously change their shape, and that give rise to non-trivial security goals such as isolation and failure-resilience requirements. We present a platform that connects declarative and expressive description languages with state-of-the-art verification methods. The languages integrate homogeneously descriptions of virtualized infrastructures, their transformations, their desired goals, and evaluation strategies. The verification tools range from model checking to theorem proving; this allows us to exploit the complementary strengths of these methods, and also to understand how best to represent the analysis problems in different contexts. We first consider the static case, where the topology of the virtual infrastructure is fixed, and demonstrate that our platform allows for the declarative specification of a large class of properties. Even though tools that are specialized to checking particular properties perform better than our generic approach, we show with a real-world case study that our approach is practically feasible. Finally, we also consider the dynamic case, where the intruder can actively change the topology (by migrating machines). The combination of a complex topology and changes to it by an intruder is a problem that lies beyond the scope of previous analysis tools and to which we can give first positive verification results.
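To make the static and dynamic cases from the abstract concrete, here is an added miniature of the analysis (illustrative code written for this page, not the paper's platform or its description languages): a constructed topology of three hosts and two tenants, an isolation goal (no host ever runs VMs of two different tenants), and a breadth-first exploration of every placement an intruder can reach by migrating VMs, once without any deployment policy and once under an assumed zone-based placement policy.

```python
from collections import deque
from itertools import combinations

# Constructed sample topology (not from the paper): three hosts, two tenants.
HOST_ZONE = {"h1": "zoneA", "h2": "zoneB", "h3": "zoneA"}
VM_TENANT = {"vm_a": "tenantA", "vm_b": "tenantB", "vm_c": "tenantA"}
TENANT_ZONE = {"tenantA": "zoneA", "tenantB": "zoneB"}
INITIAL = {"vm_a": "h1", "vm_b": "h2", "vm_c": "h3"}
# Host pairs between which live migration is possible (undirected, constructed).
LINKS = [("h1", "h2"), ("h2", "h3"), ("h1", "h3")]

def isolated(placement):
    """Isolation goal: VMs of different tenants never share a host."""
    for (x, hx), (y, hy) in combinations(placement.items(), 2):
        if hx == hy and VM_TENANT[x] != VM_TENANT[y]:
            return False
    return True

def migrations(placement, allowed):
    """Successor placements: the intruder migrates one VM over one link,
    subject to the deployment policy `allowed(vm, dst_host)`."""
    for vm, host in placement.items():
        for a, b in LINKS:
            for src, dst in ((a, b), (b, a)):
                if host == src and allowed(vm, dst):
                    nxt = dict(placement)
                    nxt[vm] = dst
                    yield (vm, dst), nxt

def check(initial, allowed):
    """Breadth-first exploration of all placements reachable by migration.
    Returns the migration trace to the first isolation violation, or None."""
    key = lambda p: tuple(sorted(p.items()))
    seen = {key(initial)}
    queue = deque([(initial, [])])
    while queue:
        placement, trace = queue.popleft()
        if not isolated(placement):          # goal violated in a reachable state
            return trace
        for step, nxt in migrations(placement, allowed):
            if key(nxt) not in seen:
                seen.add(key(nxt))
                queue.append((nxt, trace + [step]))
    return None

def zone_policy(vm, dst):
    """Assumed policy under check: a VM may only be placed in its tenant's zone."""
    return HOST_ZONE[dst] == TENANT_ZONE[VM_TENANT[vm]]
```

The static check is `isolated(INITIAL)`; the dynamic check without a policy yields a one-step counterexample (migrating `vm_a` onto the host of `vm_b`), while under `zone_policy` every reachable placement satisfies the goal.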
Index Terms
- Automated verification of virtualized infrastructures