CCSW’12: Automated Verification of Virtualized Infrastructures



Automated Verification
of Virtualized Infrastructures

Sören Bleikertz (IBM Research Zurich)
Thomas Groß (University of Newcastle upon Tyne)
Sebastian Mödersheim (DTU Informatics)

[Work partially done while at IBM Research - Zurich]

The Challenge

Bank offloads IT to (private) cloud

[Photo:http://www.flickr.com/photos/teegardin/5737823348/]

The Challenge

Bank offloads IT to (private) cloud

Isolation of security zones

Network: VLAN isolation

Storage: Different storage volumes

Compute: Covert-channels unconsidered

[Figure: security zones High Security, Low Security, Backup Zone]
[Photo: http://www.flickr.com/photos/teegardin/5737823348/]

What can go wrong?

[Photo: Days of a startup, http://www.flickr.com/photos/tangysd/]

Complexity → error-proneness

Amplified by virtualization

Multi-tenancy and shared resources → isolation essential

IBM Confidential

1,300 VMs
25,000 Nodes
30,000 Edges

[Data from a customer case study with a global financial institution]

We need automated tools!

How to specify security goals?

A Virtualization Assurance Language for Isolation and Deployment; POLICY'11

Policy Specification: Zone Isolation

section types:
    MA, MB : machine
    ZA, ZB : zone

section goals:
    goal isolationBreach(info; ZA, ZB, MA, MB) :=
        contains(ZA, MA).contains(ZB, MB).connected(MA, MB) & not(equal(ZA, ZB))

Variety of Security Goals

Single Point of Failure

Zoning Breach

Deployment Breach

How to determine information flow?

Automated Information Flow Analysis of Virtualized Infrastructures; ESORICS'11

SourceSink

How to validate a policy?

Automated Verification of Virtualized Infrastructures; CCSW'11

Graph Encoding

[Figure: graph with nodes a, b, c, d, e]

a, b, c, d, e : Node

edge(a,d).edge(b,d).edge(d,e).edge(c,e)

Graph Simplification

Detailed modeling of the infrastructure → many vertices and edges

For connectivity, not all vertices/edges need to be considered → simplification: remove vertices with degree < 3 (degree 2 contracted, degree 0 or 1 dropped) and vertices of types not used in the policy

simplify
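The simplification rule above, as an added example that is not the authors' tool: vertices of degree < 3 whose type the policy does not mention are contracted (degree 2) or dropped (degree 0 or 1), and a component check confirms that the policy-relevant vertices keep exactly their original connectivity. The graph (three VMs, vNICs, vSwitch ports, an uplink to a physical switch, one volume) and all node names and types are constructed.

```python
"""Added example, not the authors' tool: the simplification rule on the slide
above, applied to a constructed infrastructure graph. Vertices of degree < 3
whose type the policy does not mention are removed: degree 2 is contracted
(its two neighbours are joined), degree 0 or 1 is dropped. Vertices of types the
policy names are always kept, so the connectivity the policy reasons about
is unchanged."""

# Constructed graph: three VMs, vNICs, vSwitch ports, a vSwitch with an uplink
# to a physical switch, and one volume attached to vm1. Node name -> type.
NODES = {
    "vm1": "vm", "vm2": "vm", "vm3": "vm",
    "nic1": "vnic", "nic2": "vnic", "nic3": "vnic",
    "p1": "port", "p2": "port", "p3": "port",
    "vsw": "vswitch", "up": "uplink", "psw": "switch", "disk1": "volume",
}
EDGES = {
    ("vm1", "nic1"), ("nic1", "p1"), ("p1", "vsw"),
    ("vm2", "nic2"), ("nic2", "p2"), ("p2", "vsw"),
    ("vm3", "nic3"), ("nic3", "p3"), ("p3", "psw"),
    ("vsw", "up"), ("up", "psw"), ("vm1", "disk1"),
}


def simplify(nodes, edges, policy_types):
    """Return (nodes, edges) with every removable vertex contracted or dropped.
    Iterates to a fixpoint because a contraction can lower a neighbour's degree."""
    adj = {n: set() for n in nodes}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    changed = True
    while changed:
        changed = False
        for n in list(adj):
            if nodes[n] in policy_types or len(adj[n]) >= 3:
                continue                      # policy-relevant or a real branching point
            nbrs = adj.pop(n)
            for m in nbrs:
                adj[m].discard(n)
            if len(nbrs) == 2:                # degree 2: keep the path by joining its ends
                a, b = nbrs
                adj[a].add(b)
                adj[b].add(a)
            changed = True                    # degree 0/1: nothing else to reconnect
    kept = {n: nodes[n] for n in adj}
    kept_edges = {tuple(sorted((a, b))) for a in adj for b in adj[a]}
    return kept, kept_edges


def components(nodes, edges):
    """Connected components (merge-on-edge), used to check that simplification is sound."""
    comp = {n: {n} for n in nodes}
    for a, b in edges:
        if comp[a] is not comp[b]:
            merged = comp[a] | comp[b]
            for n in merged:
                comp[n] = merged
    return {frozenset(c) for c in comp.values()}


def policy_partition(nodes, edges, policy_types):
    """Which policy-typed vertices are connected to which: the only thing a
    connectivity goal such as isolationBreach can observe."""
    keep = {n for n, t in nodes.items() if t in policy_types}
    return {frozenset(c & keep) for c in components(nodes, edges)} - {frozenset()}


if __name__ == "__main__":
    small_nodes, small_edges = simplify(NODES, EDGES, {"vm"})
    print(len(NODES), "->", len(small_nodes), "vertices;", len(EDGES), "->", len(small_edges), "edges")
    assert policy_partition(NODES, EDGES, {"vm"}) == policy_partition(small_nodes, small_edges, {"vm"})
```

The caveat a practitioner should keep in mind: this reduction is sound only for goals that observe connectivity among the kept vertex types. A goal that mentions a type (say, volumes, for a storage-isolation check) must list it in `policy_types`, otherwise the vertices it needs are contracted away before the solver ever sees them.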

Graph Connectivity Modeling

Transitions

Horn Clauses

Intruder Knowledge

Zone Isolation

The Challenge: three security zones Test, Base, High

Multiple VMs in each zone (contains(zone, vm))

Network isolation realized using VLANs

Input: Policy and information flow graph

Output: Isolation breach

Dynamic Problems

Static problems: analysis of a snapshot of the virtualized infrastructure, e.g. zone isolation

Dynamic problems: the intruder can actively modify the virtualized infrastructure, e.g. by migrating VMs

Initial study of dynamic problems
in the paper
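An added example, not the authors' tool, that ties together the zone-isolation policy, the edge-fact graph encoding and the static/dynamic distinction above: the `connected` predicate is computed as an intruder-knowledge fixpoint over Horn clauses (knows(X) & edge(X,Y) → knows(Y)), `isolationBreach` is evaluated as written in the VALID goal, and the dynamic case is a bounded search over the intruder transition migrate(VM, host). The three zones Test, Base and High are the slide's; the VMs, hosts, VLAN numbers and the assumption that a VM migrated to a host lacking its VLAN lands on that host's default port group are constructed.

```python
"""Added example, not the authors' tool: a Horn-clause style saturation that
checks the zone-isolation goal from the VALID policy above over a small
information-flow graph, then a bounded search over intruder VM migrations
(the dynamic case). Infrastructure, VLAN numbers and the 'default port group'
behaviour of hosts are constructed assumptions."""
from collections import deque
from itertools import combinations

# contains(zone, vm) facts and the VLAN each zone is supposed to use (constructed)
CONTAINS = {"Test": {"vm-t1", "vm-t2"}, "Base": {"vm-b1"}, "High": {"vm-h1", "vm-h2"}}
ZONE_VLAN = {"Test": 10, "Base": 20, "High": 30}
# VLANs each host's vSwitch offers; index 0 is the default port group (assumption:
# a VM placed on a host that lacks its VLAN lands on the host's default port group)
HOST_VLANS = {"host1": [10, 20, 30], "host2": [20, 30], "host3": [20]}
INITIAL = {"vm-t1": "host1", "vm-t2": "host1", "vm-b1": "host2", "vm-h1": "host1", "vm-h2": "host2"}
ZONE_OF = {vm: z for z, vms in CONTAINS.items() for vm in vms}


def edges_for(placement):
    """Graph encoding: edge(vm, port), edge(port, vlan segment). One segment node per
    VLAN encodes that VLAN-aware switches forward only within a VLAN."""
    edges = set()
    for vm, host in placement.items():
        wanted = ZONE_VLAN[ZONE_OF[vm]]
        vlan = wanted if wanted in HOST_VLANS[host] else HOST_VLANS[host][0]
        port = ("port", host, vlan)
        edges.add((vm, port))
        edges.add((port, ("vlan", vlan)))
    return edges


def saturate(edges, source):
    """Intruder-knowledge fixpoint: knows(X) & edge(X,Y) -> knows(Y), with edges
    treated as symmetric. Returns every node an intruder at `source` can reach."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    known, todo = {source}, deque([source])
    while todo:
        x = todo.popleft()
        for y in adj.get(x, ()):
            if y not in known:
                known.add(y)
                todo.append(y)
    return known


def isolation_breach(placement):
    """goal isolationBreach: contains(ZA,MA).contains(ZB,MB).connected(MA,MB) & not(equal(ZA,ZB)).
    Static check on one snapshot; returns the first witness (ZA, ZB, MA, MB) or None."""
    edges = edges_for(placement)
    reach = {vm: saturate(edges, vm) for vm in placement}
    for ma, mb in combinations(sorted(placement), 2):
        za, zb = ZONE_OF[ma], ZONE_OF[mb]
        if za != zb and mb in reach[ma]:
            return (za, zb, ma, mb)
    return None


def find_migration_attack(placement, max_steps=2):
    """Dynamic problem: breadth-first search over the intruder transition
    migrate(vm, host). Returns the shortest migration sequence that produces a
    breach, or None if none exists within max_steps."""
    start = tuple(sorted(placement.items()))
    seen, todo = {start}, deque([(start, [])])
    while todo:
        state, path = todo.popleft()
        if len(path) >= max_steps:
            continue
        current = dict(state)
        for vm in sorted(current):
            for host in sorted(HOST_VLANS):
                if host == current[vm]:
                    continue
                nxt = dict(current, **{vm: host})
                if isolation_breach(nxt):
                    return path + [(vm, host)]
                key = tuple(sorted(nxt.items()))
                if key not in seen:
                    seen.add(key)
                    todo.append((key, path + [(vm, host)]))
    return None


if __name__ == "__main__":
    print("static snapshot:", isolation_breach(INITIAL))
    print("migration attack:", find_migration_attack(INITIAL))
```

The snapshot passes the static check, yet one migration (a High VM onto a host whose vSwitch only offers the Base VLAN) produces a breach, which is the point of the dynamic analysis: a configuration that is isolated today can be made non-isolated by an operation the infrastructure permits. The bounded search is only an exploration, not the proof of absence that the model checkers listed below aim at; within `max_steps` it reports a witness or nothing.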

Problem Solvers

Dynamic Problem Solvers: AVANTSSAR platform
Input: ASLan/IF (basis of VALID)

OFMC

SAT-MC

Cl-AtSe

Static Problem Solvers:
Input: proprietary (solver-specific) language for first-order logic

SPASS

ProVerif

Succinct Solver

Conclusion & Future Work

Virtualized infrastructures are complex → we need automated tools!

Integrate previous work: Formal language for expressing a variety of security goals

Discovery, modeling and information flow of virtualized infrastructures

Employ problem solvers for automated verification

Future work: Further study of dynamic problems and their efficient large-scale analysis

Get in Touch!

Thomas Gross

http://www.cs.ncl.ac.uk

[email protected]
http://www.thomasgross.net

Computing Science@

http://cccs.ncl.ac.uk

2009 IBM Corporation
