VALID Rules - A Language for Cloud Security

VALID Rules
A Language for Cloud Security

Dr. Thomas Grossjoint work with
Sren Bleikertz, IBM ResearchSebastian Mdersheim, DTU Informatics

[Work partially done while at IBM Research - Zurich]

What's our challenge?

[Automated Information Flow Analysis of Virtualized Infrastructures; ESORICS'11]

A Tale of a Bank's Private Cloud

Bank offloads IT to (private) cloud

Isolation of security zones

Network:
VLAN isolation

Storage:
Different storage volumes

Compute:
Covert-channels
unconsidered

HighSecurityLowSecurityBackupZone[Photo:http://www.flickr.com/photos/teegardin/5737823348/]

The Ideal World: Cloud Topology

HWXenD0VM1VM2vSwitchpSwitchHWVMWareD0VM1VM2vSwitchHWSystem pD0VM1VM2vSwitchS2S1

WAN

VMs

Hypervisors

Virtual Net

Physical Net

Storage

Global Net

1,300 VMs
25,000 Nodes
30,000 Edges

[Data from a customer case study with a global financial institution]

The Real World

Combat Against Complexity

Our OpponentComplex Topology

Multi-tenancy

Changing System

Days of a startup
http://www.flickr.com/photos/tangysd/

Our Battle PlanVersatile Tool Chain

Free Specification
of Security Goals

How to specify security goals?

[A Virtualization Assurance Language for Isolation and Deployment; POLICY'11]

Basis: Graph Model (e.g., Info Flows)

SinkSource

Trust Assumptions: Traversal Rules

Behavior ofComponents

Storage connections

Network connections

Isolation

Tailored
by administrator

Exchange format

section types: MA, MB : machine ZA, ZB : zone

section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))

Example Goal: Zone Isolation

[VALID is based on ASLan, proposed by the EU FP7 project AVANTSSAR]

Example Goal: Zone Isolation

Declaration of Variables

section types: MA, MB : machine ZA, ZB : zone

section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))

Example Goal: Zone Isolation

Declaration of Alarm State

section types: MA, MB : machine ZA, ZB : zone

section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))

Pattern Matching Facts

Example Goal: Zone Isolation

section types: MA, MB : machine ZA, ZB : zone

section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))

Zone Membership Fact

Example Goal: Zone Isolation

section types: MA, MB : machine ZA, ZB : zone

section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))

Example Goal: Zone Isolation

Connectivity Fact

section types: MA, MB : machine ZA, ZB : zone

section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))

Example Goal: Zone Isolation

Logical Constraints

section types: MA, MB : machine ZA, ZB : zone

section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))

ZoningBreach

DeploymentBreach

Library of Alarm States

How to verify the security of an infrastructure?

[Automated Verification of Virtualized Infrastructures; CCSW'11]

TEST

HIGH SECURITY

TEST

HIGH SECURITY

IsolationBreach? contains (ZA, MA). contains (ZB, MB). connected (MA, MB) & not(equal(ZA, ZB))

ZA,ZB

MA

MB

vlan1

vlan1

IsolationBreach? contains (ZA, MA). contains (ZB, MB). connected (MA, MB) & not(equal(ZA, ZB))

TEST

HIGH SECURITY

ZA

MB

MA

ZB

vlan1

vlan2

IsolationBreach? contains (ZA, MA). contains (ZB, MB). connected (MA, MB) & not(equal(ZA, ZB))

TEST

HIGH SECURITY

ZA,ZB

MA

MB

TEST

HIGH SECURITY

contains (ZA, MA). contains (ZB, MB). connected (MA, MB) & not(equal(ZA, ZB))

IsolationBreach

ZA

MA

MB

ZB

vlan3

vlan3

Verification Tool Chain

[Contribution to EU FP7 project TCLOUDS]

Problem Solvers

Dynamic Problem Solvers: AVANTSSAR platformInput: ASLan/IF (basis of VALID)

OFMC

SAT-MC

Cl-AtSe

Static Problem Solvers:Input: proprietary language for first-order logic

SPASS

ProVerif

SuccintSolver

Verification of Zone Isolation

The ChallengeThree security zones Test, Base, High

Multiple VMs in each zone (contains(zone, vm))

Network isolation realized using VLANs

Input: Policy and information flow graph

Output: Isolation breach

Performance

Test EnvironmentCluster 1: isolation breach 15386 nodes, 17817 edgesCluster 2: safe 6218 nodes, 7543 edges

Experiments1: Simplified graph, attack2: Simplified graph, safe3: Non-simplified graph, attack4: Non-simplified graph, safe

4h

VALID Rules for Goal Specification

Expressive Policy LanguagePattern matching on positive facts

Logical predicates as constraints

Efficient Verification with Versatile Tool Chain

Next Big Step: Dynamic Problems

Get in Touch!

Thomas Gross

http://www.cs.ncl.ac.uk

thomas.gross@ncl.ac.uk
http://www.thomasgross.net

Computing Science@

http://cccs.ncl.ac.uk

Click to edit the title text formatClick to edit Master title style

25/04/12

Click to edit the title text formatClick to edit Master title style

Click to edit the outline text formatSecond Outline LevelThird Outline LevelFourth Outline LevelFifth Outline LevelSixth Outline LevelSeventh Outline LevelEighth Outline Level

Ninth Outline LevelClick to edit Master text styles

Second level

Third level

Fourth level

Fifth level

25/04/12