In the following we discuss our research questions from Section 1.2 and how these have been addressed in this dissertation.
Q1 How to model virtualized infrastructures with their configuration and topology? How to populate such a model in an automated way? What is the scope of the model?
We model a virtualized infrastructure as a graph in which infrastructure elements, such as VMs, hypervisors, storage and network components, are nodes whose attributes capture their configuration, and edges represent the topology of the infrastructure. We populate such a model automatically by extracting the configuration of different virtualization systems, such as Xen, VMware, KVM, and PowerVM, and translating their differing configuration formats into our unified graph model. In terms of scope, we focus our modeling on the topology and configuration of the virtualized infrastructure and treat VMs as “black boxes”: we neither discover nor model the configuration or state of the operating system or applications running inside a VM.
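The following added example (not code from the dissertation) shows what such a population step looks like for two constructed, simplified configuration formats: a Xen-style key=value dump and a libvirt/KVM-style domain XML snippet. Both are translated into one graph with typed nodes (hypervisor, vm, network, storage) and labelled edges (hosts, connected_to, attached_to). The hypervisor names, bridge and disk paths and node/edge labels are this example's own assumptions.

```python
"""Added example: translate two constructed config formats into one
unified infrastructure graph. Formats are simplified and the names
(hv-xen-1, hv-kvm-1, xenbr0, br1, /dev/vg0/...) are assumptions."""
import re
import xml.etree.ElementTree as ET

# Constructed Xen-style configuration dump (not real tool output).
XEN_CONFIG = """
name = "web01"
vif = ["bridge=xenbr0"]
disk = ["phy:/dev/vg0/web01,xvda,w"]
"""

# Constructed libvirt-style domain XML (simplified, not real tool output).
KVM_XML = """
<domain type='kvm'>
  <name>db01</name>
  <devices>
    <disk type='block'><source dev='/dev/vg0/db01'/></disk>
    <interface type='bridge'><source bridge='br1'/></interface>
  </devices>
</domain>
"""


class InfraGraph:
    """Unified graph model: typed nodes with attributes, labelled edges."""

    def __init__(self):
        self.nodes = {}      # node id -> {"type": ..., further attributes}
        self.edges = set()   # (src, relation, dst)

    def add_node(self, nid, ntype, **attrs):
        self.nodes.setdefault(nid, {"type": ntype}).update(attrs)

    def add_edge(self, src, rel, dst):
        self.edges.add((src, rel, dst))

    def neighbors(self, nid, rel=None):
        return sorted(d for s, r, d in self.edges
                      if s == nid and (rel is None or r == rel))


def _add_vm(graph, host, platform, vm, bridges, devices):
    """Common translation step: a bridge is host-local, so its node id is
    qualified with the hypervisor; block devices are global storage nodes."""
    graph.add_node(host, "hypervisor", platform=platform)
    graph.add_node(vm, "vm")
    graph.add_edge(host, "hosts", vm)
    for bridge in bridges:
        net = f"{host}/{bridge}"
        graph.add_node(net, "network", bridge=bridge)
        graph.add_edge(vm, "connected_to", net)
    for dev in devices:
        graph.add_node(dev, "storage")
        graph.add_edge(vm, "attached_to", dev)


def import_xen(graph, host, text):
    """Parse a Xen-style key = value dump and add its VM to the graph."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+)", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    vm = cfg["name"].strip('"')
    bridges = re.findall(r"bridge=(\w+)", cfg.get("vif", ""))
    devices = re.findall(r'phy:([^,\]"]+)', cfg.get("disk", ""))
    _add_vm(graph, host, "xen", vm, bridges, devices)
    return vm


def import_kvm(graph, host, xml_text):
    """Parse a libvirt-style domain XML and add its VM to the graph."""
    root = ET.fromstring(xml_text.strip())
    vm = root.findtext("name")
    bridges = [i.get("bridge") for i in root.findall("./devices/interface/source")]
    devices = [d.get("dev") for d in root.findall("./devices/disk/source")]
    _add_vm(graph, host, "kvm", vm, bridges, devices)
    return vm


def build_model():
    """Populate one graph from both (constructed) configuration sources."""
    g = InfraGraph()
    import_xen(g, "hv-xen-1", XEN_CONFIG)
    import_kvm(g, "hv-kvm-1", KVM_XML)
    return g


if __name__ == "__main__":
    g = build_model()
    for node, attrs in sorted(g.nodes.items()):
        print(node, attrs)
    for edge in sorted(g.edges):
        print(edge)
```

Note the scope decision the text describes: the importers record what the hypervisor configuration says about a VM (placement, bridges, block devices) and nothing about the guest operating system, which stays a black box in the model.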
Q2 What is a suitable isolation and information flow model? How to determine isolation among tenants in the infrastructure?
We propose a static information flow analysis based on the graph model representation of a virtualized infrastructure and build an automated analysis framework around it. The approach takes explicitly specified trust assumptions as well as a security zoning of infrastructure elements, and performs a graph traversal to determine potential information flows between elements of different zones. We propose the notion of structural information control: a static infrastructure topology satisfies it, with respect to a set of trust and information flow assumptions, when no inter-zone information flow exists unless it is mediated by a trusted guardian. The objective of our analysis is to reduce the work of a human administrator to specifying a few such trust assumptions and to let the tool extrapolate them to the entire infrastructure topology. From these assumptions and the zoning information, the tool diagnoses isolation breaches and provides refinements for a root cause analysis.
Q3 How to express operational and security requirements? What requirements need to be expressed? What kind of formal foundations are suitable that enable an automated analysis?
We propose a formal security assurance language for virtualized infrastructure topologies. For our language, we study the areas of deployment correctness, failure resilience, and isolation, and propose exemplary definitions of security requirements in these areas. We consider in particular operational requirements, for instance, provisioning and de-provisioning of machines or establishing dependencies, as well as security requirements, such as sufficient redundancy or isolation of tenants. We embed our assurance language in the tool-independent Intermediate Format (IF), which is well suited for automated reasoning. The language’s formal foundations lie in a set-rewriting approach, commonly used in the automated analysis of security protocols, extended with graph analysis functions.
Q4 How to verify that the infrastructure — given as a model — fulfills the security requirements? What are existing analysis tools? How suitable, expressive, and efficient are they?
We built an analysis system that applies general-purpose model checking to verify whether a virtualized infrastructure satisfies security requirements given in our formal policy language. In our approach we consider both static and dynamic analysis cases: in the static case the infrastructure is fixed and matched against given policies, and in the dynamic case a potential attacker may modify the infrastructure. This allows us to analyze a virtualized infrastructure with regard to a variety of complex security requirements. We employ a versatile portfolio of existing problem solvers, and evaluate different analysis strategies based on Horn clauses and transition rules. Using our approach with optimizations, we are able to analyze the infrastructure of a financial institution in a case study.
Q5 How to cope with the infrastructure’s dynamic behavior? How can we keep the infrastructure model up to date? Can we efficiently analyze changes happening in the infrastructure with regard to their security impact?
We design and implement an automated security monitoring and analysis system for dynamic virtualized infrastructures. In our approach we monitor the infrastructure for changes and update a graph model representation of the infrastructure by translating those changes into graph deltas. Furthermore, with regard to isolation security goals, we establish a static information flow analysis for dynamic system models based on dynamic information flow graphs. Compared to analysis systems that operate on static snapshots of virtualized infrastructures, our change-based approach yields significant performance improvements.
Q6 Is it possible to prevent misconfigurations in the first place? How can we model configuration and topology changes in a virtualized infrastructure? How can we analyze them?
We model the effect of management operations on the infrastructure using graph transformations. Each operation is represented as a transformation rule that takes a graph, i.e., our graph model of the virtualized infrastructure, as input and produces a modified graph as output. The output graph can then be analyzed with regard to security policies that are expressed as graph matches. We built an automated system that intercepts management operations from administrators before they reach the central management host. The intercepted operations are translated into our operations model and then applied to the current state of our graph model. If the resulting graph violates any security policy, the operations are rejected. Otherwise, the operations are considered safe and forwarded to the management host, where they are actually deployed.
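The following added example (not the dissertation's system) ties the change-based analysis of Q5 and the operation interception of Q6 together on a constructed model. Each management operation is a transformation rule that yields a graph delta (edges added and removed); the delta is applied to a copy of the current model, and policies expressed as graph matches are evaluated only on the nodes the delta touched, which is the incremental check that avoids re-analyzing a full snapshot. A violating operation is rejected and the model is left unchanged; otherwise the new model becomes current and the operation is forwarded. Node names, tenants, the two rules and the two policies are assumptions of the example.

```python
"""Added example: management operations as graph transformation rules,
deltas applied to a copy of the model, and policy checks as graph matches
evaluated incrementally on the touched nodes. All names are constructed."""
import copy


class Model:
    def __init__(self, nodes, edges):
        self.nodes = nodes        # id -> attribute dict (type, tenant)
        self.edges = set(edges)   # (src, relation, dst)


# Constructed current state: two tenants on dedicated hosts and networks.
STATE = Model(
    {"hv1": {"type": "hypervisor"}, "hv2": {"type": "hypervisor"},
     "vmA": {"type": "vm", "tenant": "A"}, "vmB": {"type": "vm", "tenant": "B"},
     "netA": {"type": "network"}, "netA2": {"type": "network"},
     "netB": {"type": "network"}},
    {("vmA", "runs_on", "hv1"), ("vmB", "runs_on", "hv2"),
     ("vmA", "connected_to", "netA"), ("vmB", "connected_to", "netB")},
)


# Transformation rules: an operation becomes a delta of added/removed edges.
def rule_attach_nic(model, vm, net):
    return {"add": {(vm, "connected_to", net)}, "remove": set()}


def rule_migrate(model, vm, target):
    current = {d for s, r, d in model.edges if s == vm and r == "runs_on"}
    return {"add": {(vm, "runs_on", target)},
            "remove": {(vm, "runs_on", h) for h in current}}


RULES = {"attach_nic": rule_attach_nic, "migrate": rule_migrate}


def apply_delta(model, delta):
    """Produce the output graph without mutating the current model."""
    return Model(copy.deepcopy(model.nodes),
                 (model.edges - delta["remove"]) | delta["add"])


# Policies as graph matches: a resource reached via `rel` must not be
# shared by VMs of different tenants (dedicated hosts, private networks).
POLICY_RELS = {"runs_on": "dedicated hypervisor",
               "connected_to": "tenant-private network"}


def check_policies(model, touched=None):
    """Return violation messages; with `touched`, only those resources are
    matched (incremental check after a delta), otherwise the whole graph."""
    violations = []
    for rel, label in POLICY_RELS.items():
        resources = {d for s, r, d in model.edges if r == rel}
        if touched is not None:
            resources &= touched
        for res in sorted(resources):
            tenants = {model.nodes[s].get("tenant")
                       for s, r, d in model.edges if r == rel and d == res}
            if len(tenants) > 1:
                violations.append(
                    f"{label} violated: {res} shared by tenants {sorted(tenants)}")
    return violations


def intercept(model, op, *args):
    """Translate, apply and check an operation before it is forwarded.
    Returns (decision, model_after, violations)."""
    delta = RULES[op](model, *args)
    candidate = apply_delta(model, delta)
    touched = {n for s, _, d in delta["add"] | delta["remove"] for n in (s, d)}
    violations = check_policies(candidate, touched)
    if violations:
        return "rejected", model, violations
    return "forwarded", candidate, []


if __name__ == "__main__":
    for op, args in [("attach_nic", ("vmA", "netB")),
                     ("migrate", ("vmA", "hv2")),
                     ("attach_nic", ("vmA", "netA2"))]:
        decision, _, why = intercept(STATE, op, *args)
        print(op, args, decision, why)
```

The incremental check on the touched nodes gives the same verdict as a full match over the output graph, because a delta can only create a violation at a resource it connects or disconnects; the test below asserts that equivalence for the rejected migration.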