valid rules - a language for cloud verification (eu csp\’12)
TRANSCRIPT
VALID Rules - A Language for Cloud Security
VALID Rules
A Language for Cloud Security
Dr. Thomas Grossjoint work with
Sren Bleikertz, IBM ResearchSebastian Mdersheim, DTU
Informatics
[Work partially done while at IBM Research - Zurich]
What's our challenge?
[Automated Information Flow Analysis of Virtualized Infrastructures; ESORICS'11]
A Tale of a Bank's Private Cloud
Bank offloads IT to (private) cloud
Isolation of security zones
Network:
VLAN isolation
Storage:
Different storage volumes
Compute:
Covert-channels
unconsidered
HighSecurityLowSecurityBackupZone[Photo:http://www.flickr.com/photos/teegardin/5737823348/]
The Ideal World: Cloud Topology
HWXenD0VM1VM2vSwitchpSwitchHWVMWareD0VM1VM2vSwitchHWSystem pD0VM1VM2vSwitchS2S1
WAN
VMs
Hypervisors
Virtual Net
Physical Net
Storage
Global Net
1,300 VMs
25,000 Nodes
30,000 Edges
[Data from a customer case study with a global financial institution]
The Real World
Combat Against Complexity
Our OpponentComplex Topology
Multi-tenancy
Changing System
Days of a startup
http://www.flickr.com/photos/tangysd/
Our Battle PlanVersatile Tool Chain
Free Specification
of Security Goals
How to specify security goals?
[A Virtualization Assurance Language for Isolation and Deployment; POLICY'11]
Basis: Graph Model (e.g., Info Flows)
SinkSource
Trust Assumptions: Traversal Rules
Behavior ofComponents
Storage connections
Network connections
Isolation
Tailored
by administrator
Exchange format
section types: MA, MB : machine ZA, ZB : zone
section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))
Example Goal: Zone Isolation
[VALID is based on ASLan, proposed by the EU FP7 project AVANTSSAR]
Example Goal: Zone Isolation
Declaration of Variables
section types: MA, MB : machine ZA, ZB : zone
section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))
Example Goal: Zone Isolation
Declaration of Alarm State
section types: MA, MB : machine ZA, ZB : zone
section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))
Pattern Matching Facts
Example Goal: Zone Isolation
section types: MA, MB : machine ZA, ZB : zone
section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))
Zone Membership Fact
Example Goal: Zone Isolation
section types: MA, MB : machine ZA, ZB : zone
section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))
Example Goal: Zone Isolation
Connectivity Fact
section types: MA, MB : machine ZA, ZB : zone
section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))
Example Goal: Zone Isolation
Logical Constraints
section types: MA, MB : machine ZA, ZB : zone
section goals: goal isolationBreach (info; ZA, ZB, MA, MB) := contains (ZA, MA).contains (ZB, MB) .connected (MA, MB) & not(equal(ZA, ZB))
ZoningBreach
DeploymentBreach
Library of Alarm States
How to verify the security of an infrastructure?
[Automated Verification of Virtualized Infrastructures; CCSW'11]
TEST
HIGH SECURITY
TEST
HIGH SECURITY
IsolationBreach? contains (ZA, MA). contains (ZB, MB). connected (MA, MB) & not(equal(ZA, ZB))
ZA,ZB
MA
MB
vlan1
vlan1
IsolationBreach? contains (ZA, MA). contains (ZB, MB). connected (MA, MB) & not(equal(ZA, ZB))
TEST
HIGH SECURITY
ZA
MB
MA
ZB
vlan1
vlan2
IsolationBreach? contains (ZA, MA). contains (ZB, MB). connected (MA, MB) & not(equal(ZA, ZB))
TEST
HIGH SECURITY
ZA,ZB
MA
MB
TEST
HIGH SECURITY
contains (ZA, MA). contains (ZB, MB). connected (MA, MB) & not(equal(ZA, ZB))
IsolationBreach
ZA
MA
MB
ZB
vlan3
vlan3
Verification Tool Chain
[Contribution to EU FP7 project TCLOUDS]
Problem Solvers
Dynamic Problem Solvers: AVANTSSAR platformInput: ASLan/IF (basis of VALID)
OFMC
SAT-MC
Cl-AtSe
Static Problem Solvers:Input: proprietary language for first-order logic
SPASS
ProVerif
SuccintSolver
Verification of Zone Isolation
The ChallengeThree security zones Test, Base, High
Multiple VMs in each zone (contains(zone, vm))
Network isolation realized using VLANs
Input: Policy and information flow graph
Output: Isolation breach
Performance
Test EnvironmentCluster 1: isolation breach 15386 nodes, 17817 edgesCluster 2: safe 6218 nodes, 7543 edges
Experiments1: Simplified graph, attack2: Simplified graph, safe3: Non-simplified graph, attack4: Non-simplified graph, safe
4h
VALID Rules for Goal Specification
Expressive Policy LanguagePattern matching on positive facts
Logical predicates as constraints
Efficient Verification with Versatile Tool Chain
Next Big Step: Dynamic Problems
Get in Touch!
Thomas Gross
http://www.cs.ncl.ac.uk
[email protected]
http://www.thomasgross.net
Computing Science@
http://cccs.ncl.ac.uk
Click to edit the title text formatClick to edit Master title style
25/04/12
Click to edit the title text formatClick to edit Master title style
Click to edit the outline text formatSecond Outline LevelThird Outline LevelFourth Outline LevelFifth Outline LevelSixth Outline LevelSeventh Outline LevelEighth Outline Level
Ninth Outline LevelClick to edit Master text styles
Second level
Third level
Fourth level
Fifth level
25/04/12