CCSW’12: Automated Verification of Virtualized Infrastructures
Transcript of CCSW’12: Automated Verification of Virtualized Infrastructures
Automated Verification
of Virtualized Infrastructures
Sören Bleikertz (IBM Research Zurich)
Thomas Groß (University of Newcastle upon Tyne)
Sebastian Mödersheim (DTU Informatics)
[Work partially done while at IBM Research - Zurich]
The Challenge
Bank offloads IT to (private) cloud
[Photo:http://www.flickr.com/photos/teegardin/5737823348/]
The Challenge
Bank offloads IT to (private) cloud
Isolation of security zones
Network: VLAN isolation
Storage: Different storage volumes
Compute: Covert-channels unconsidered
[Figure: three security zones, High Security, Low Security, Backup Zone]
[Photo:http://www.flickr.com/photos/teegardin/5737823348/]
What can go wrong?
Days of a startup
http://www.flickr.com/photos/tangysd/
Complexity
error-proneness
Amplified by virtualization
Multi-tenancy and shared resources: isolation is essential
1,300 VMs
25,000 Nodes
30,000 Edges
[Data from a customer case study with a global financial institution]
We need automated tools!
How to specify security goals?
A Virtualization Assurance Language for Isolation and Deployment; POLICY'11
Policy Specification: Zone Isolation
section types:
  MA, MB : machine
  ZA, ZB : zone
section goals:
  goal isolationBreach(info; ZA, ZB, MA, MB) :=
    contains(ZA, MA).contains(ZB, MB).connected(MA, MB) & not(equal(ZA, ZB))
Variety of Security Goals
Single Point of Failure
Zoning Breach
Deployment Breach
How to determine information flow?
Automated Information Flow Analysis of Virtualized Infrastructures; ESORICS'11
[Figure: information flow graph from Source to Sink]
How to validate a policy?
Automated Verification of Virtualized Infrastructures; CCSW'11
Graph Encoding
[Figure: graph with nodes a, b, c, d, e]
a, b, c, d, e : Node
edge(a, d).edge(b, d).edge(d, e).edge(c, e)
Graph Simplification
Detailed modeling of the infrastructure yields many vertices and edges.
For connectivity, not all vertices/edges need to be considered; simplification removes e.g. vertices with degree < 3 and vertices of types not used in the policy.
[Figure: detailed graph, "simplify" arrow, simplified graph]
Graph Connectivity Modeling
Transitions
Horn Clauses
Intruder Knowledge
Zone Isolation
The challenge: three security zones, Test, Base, High
Multiple VMs in each zone (contains(zone, vm))
Network isolation realized using VLANs
Input: Policy and information flow graph
Output: Isolation breach
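As an added example (not code from the paper or its tools), the zone isolation check run over a constructed information flow graph in Python: edge facts are simplified as the slides describe (vertices of degree < 3 that the policy does not name are removed or bypassed), breadth-first reachability stands in for the intruder-knowledge closure, and the isolationBreach goal from the VALID policy above is evaluated over contains(zone, vm) facts. Node names, zone names and the mis-wired VLAN are assumptions made for the sample.

```python
from collections import deque

# Constructed sample input (not data from the paper): undirected edge(a, b) facts of a
# small information flow graph plus contains(zone, vm) facts as in the VALID policy.
EDGES = [
    ("vm1", "vswitch1"), ("vm2", "vswitch1"), ("vswitch1", "vlan10"),
    ("vm3", "vswitch2"), ("vswitch2", "vlan20"),
    ("vm4", "vswitch3"), ("vswitch3", "vlan10"),   # High-zone VM wired onto vlan10
    ("vm5", "port9"),                              # dead-end port
]
CONTAINS = {"Test": {"vm1", "vm2"}, "Base": {"vm3"}, "High": {"vm4", "vm5"}}

def simplify(edges, keep):
    """Adjacency map with vertices of degree < 3 not named by the policy dropped: dead ends
    are removed, degree-2 pass-through vertices are bypassed; connectivity among `keep` is unchanged."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b); adj.setdefault(b, set()).add(a)
    changed = True
    while changed:
        changed = False
        for v in list(adj):
            if v not in keep and len(adj[v]) < 3:
                nbrs = adj.pop(v)
                for n in nbrs:
                    adj[n].discard(v)
                if len(nbrs) == 2:                 # degree-2 vertex: connect its neighbours
                    x, y = nbrs
                    adj[x].add(y); adj[y].add(x)
                changed = True
    return adj

def connected(adj, src, dst):
    """Reachability from src (what an intruder placed at src could reach)."""
    seen, todo = {src}, deque([src])
    while todo:
        v = todo.popleft()
        if v == dst:
            return True
        for n in adj.get(v, ()):
            if n not in seen:
                seen.add(n); todo.append(n)
    return False

def isolation_breaches(edges, contains):
    """(ZA, MA, ZB, MB) with contains(ZA,MA), contains(ZB,MB), connected(MA,MB), ZA != ZB."""
    adj = simplify(edges, keep=set().union(*contains.values()))
    return sorted((za, ma, zb, mb) for za in contains for zb in contains if za < zb
                  for ma in contains[za] for mb in contains[zb] if connected(adj, ma, mb))
```

On the sample, the only breaches reported are between the High-zone VM on the mis-wired switch and the two Test-zone VMs; vm5 behind the dead-end port and vm3 on its own VLAN stay isolated.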
Dynamic Problems
Static problems: Analysis of snapshot of virtualized infrastructure e.g. Zone isolation
Dynamic problems: Intruder can actively modify the virtualized infrastructure e.g. Migration of VMs
Initial study of dynamic problems
in the paper
Problem Solvers
Dynamic Problem Solvers: AVANTSSAR platform
Input: ASLan/IF (basis of VALID)
OFMC
SAT-MC
Cl-AtSe
Static Problem Solvers:
Input: proprietary language for first-order logic
SPASS
ProVerif
SuccinctSolver
Conclusion & Future Work
Virtualized infrastructures are complex. We need automated tools!
Integrate previous work: Formal language for expressing a variety of security goals
Discovery, modeling and information flow of virtualized infrastructures
Employ problem solvers for automated verification
Future work: Further study of dynamic problems and their efficient large-scale analysis
Get in Touch!
Thomas Gross
http://www.cs.ncl.ac.uk
[email protected]
http://www.thomasgross.net
Computing Science@
http://cccs.ncl.ac.uk