
The compliant allocation of hardware resources for hosting virtual resources requires the consideration of the security bindings of hardware and virtual resources and of the information flow allowed between them. This has a major impact on resource allocation and management, since the embeddings of virtual resources on hardware resources that are allowed are limited by security constraints. For a practical implementation, measures are needed to establish whether an embedding complies with the security constraints, and for optimal resource utilisation, the degree to which hardware resources are over-provisioned with respect to the security constraints of virtual resources has to be quantified. Based on the qualitative observations in Section 5.3.4.3, this section discusses a quantitative approach to validating the resource embedding and its integration into existing resource allocation strategies. First, a brief overview of the resource allocation problem and of the importance of metrics on optimisation criteria is given. Then, possible approaches to quantitative metrics based on security classes, and their application, are discussed.

In general, resource allocation is an NP-hard optimisation problem which corresponds to the multi-dimensional bin packing problem (e.g., finding an embedding of all virtual resources [214]), to the knapsack problem (e.g., maximising the economic profit and SLA fulfilment [210]), and to min-max optimisation problems in general (e.g., minimising the required hardware resources while maximising the use of hardware resources [133]). In the context of virtual network embedding, a comprehensive classification of the resource allocation problem and its possible solutions is provided by Fischer et al. [73]. In the survey, it is observed that possible solutions for virtual network embedding can be classified into exact and heuristic solutions. Moreover, the quality of the heuristic solutions is evaluated by using metrics based on optimisation criteria like QoS compliance, economic profit, and resilience. These observations also apply to resource allocation in clouds, where existing approaches address similar optimisation criteria (e.g., performance, costs, locality, and reliability) for resource allocation [132, pp. 12–16]. Consequently, metrics on optimisation criteria are an important input for resource allocation strategies and their evaluation. This is also true when implementing resource allocation based on security bindings and allowed information flow: metrics with respect to confidentiality, integrity, availability, and location are required to evaluate resource allocation according to the constraints of information flow control.

A good candidate for defining such metrics is the distance between the partially ordered security classes. By comparing the required security class with the assigned security class, the quality of the embedding can be measured. Because of the partial order, four cases have to be considered when comparing the required security class $SC_{req} \in \mathcal{SC}$ with the assigned security class $SC_{ass} \in \mathcal{SC}$, where $\mathcal{SC}$ is the set of security classes and $SC_a \rightarrow SC_b$ denotes that information is allowed to flow from $SC_a$ to $SC_b$:

Case 1 ($SC_{req} = SC_{ass}$): If both security classes are equal, there is a perfect match and the distance is defined as zero.

Case 2 ($SC_{req} \rightarrow SC_{ass}$): If information flow is allowed from the required security class to the assigned security class, there is a valid match. If the two security classes are not the same, the assigned class is over-provisioned and, assuming the security classes are ordered equidistantly, the distance between the two security classes is measured by counting the number of edges on the path between them within the lattice of security classes.¹

Case 3 ($SC_{ass} \rightarrow SC_{req}$): If information flow is allowed from the assigned security class to the required security class and the two security classes are not the same, there is an invalid match: the assigned class is under-provisioned, and the distance is defined as the negative of the path length between both security classes, analogously to case 2.

Case 4 (no information flow allowed): If information flow is allowed in neither direction between the required and the assigned security class, the two classes are incomparable and there is an invalid match. Since no information flow is allowed, the distance cannot be measured along a path between the two classes. However, the greatest lower bound $SC_{req} \oplus SC_{ass}$ of both security classes is the greatest security class from which information is allowed to flow to both of them; had this class been required instead of $SC_{req}$, the assignment would have been a valid match (case 2). This makes the greatest lower bound a good candidate for specifying the distance between the two classes. Thus, the distance is defined (analogously to cases 2 and 3) as the negative of the path length from the required security class down to the greatest lower bound of both security classes.

Figure 5.5 exemplifies the paths in the lattice of security classes for a single required security class $SC_{req} \in \mathcal{SC}$ and three assigned security classes $SC_{ass1}, SC_{ass2}, SC_{ass3} \in \mathcal{SC}$. Information flow is allowed from bottom to top. The information flow from $SC_{req}$ to $SC_{ass1}$ and to $SC_{ass2}$ is not allowed. Therefore, the distance is calculated along the path from $SC_{req}$ to the corresponding greatest lower bound, which is $SC_{GLB1} = SC_{req} \oplus SC_{ass1}$ and $SC_{GLB2} = SC_{req} \oplus SC_{ass2}$, respectively. The calculated path has a length of 2 for $SC_{GLB1}$ and of 1 for $SC_{GLB2}$. Since the information flow is not allowed, the corresponding distance calculated by the metric is negative. Further, the information flow from $SC_{req}$ to $SC_{ass3}$ is allowed and the calculated path has a length of 1. Since the information flow is allowed, the corresponding distance calculated by the metric is positive.

Figure 5.5: Example of paths and their lengths in the lattice of six security classes for a single required and three assigned security classes. Information flow is allowed from bottom to top.

[Figure 5.5 shows the six classes $SC_{GLB1}, SC_{ass1}, SC_{GLB2}, SC_{req}, SC_{ass2}, SC_{ass3}$ and the paths from $SC_{req}$ to $SC_{GLB1}$ (length 2), to $SC_{GLB2}$ (length 1) and to $SC_{ass3}$ (length 1).]

¹ Edge and path are used in the sense of graph theory, i.e., an edge is a link between two vertices (here, security classes) and a path is a sequence of edges which connects a sequence of vertices.

According to the previous considerations, the metric $d_{SC}(SC_{req}, SC_{ass})$ measuring the distance between the required security class $SC_{req}$ and the assigned security class $SC_{ass}$ is defined as follows.

$$
d_{SC}(SC_{req}, SC_{ass}) =
\begin{cases}
0 & : SC_{req} = SC_{ass} \\[4pt]
\left|\{ SC \in \mathcal{SC} \setminus \{SC_{req}\} : SC_{req} \rightarrow SC \wedge SC \rightarrow SC_{ass} \}\right| & : SC_{req} \rightarrow SC_{ass} \wedge SC_{req} \neq SC_{ass} \\[4pt]
-\left|\{ SC \in \mathcal{SC} \setminus \{SC_{req}\} : SC_{ass} \rightarrow SC \wedge SC \rightarrow SC_{req} \}\right| & : SC_{ass} \rightarrow SC_{req} \wedge SC_{req} \neq SC_{ass} \\[4pt]
-\left|\{ SC \in \mathcal{SC} \setminus \{SC_{req}\} : (SC_{req} \oplus SC_{ass}) \rightarrow SC \wedge SC \rightarrow SC_{req} \}\right| & : \text{else}
\end{cases}
\qquad (5.1)
$$

where $SC_{req}, SC_{ass} \in \mathcal{SC}$ are security classes.

The number of edges on a path in the lattice equals the number of security classes on the path minus one. Therefore, the security classes on the path are counted without the starting security class $SC_{req}$ (or, respectively, without the ending security class). If the required and the assigned security classes are not equal, the security classes in $\mathcal{SC} \setminus \{SC_{req}\}$ for which information flow is allowed as specified in Equation 5.1 are counted, which equals the number of security classes on the path minus one. This can be made plausible by looking at Figure 5.5. For example, the path from $SC_{req}$ to $SC_{GLB1}$ has length 2. The security classes $SC \in \mathcal{SC} \setminus \{SC_{req}\}$ to which information is allowed to flow from $SC_{GLB1}$ are $\{SC_{GLB1}, SC_{ass1}, SC_{GLB2}, SC_{ass2}, SC_{ass3}\}$, i.e., every class above $SC_{GLB1}$ except $SC_{req}$ itself. Further, the security classes $SC \in \mathcal{SC} \setminus \{SC_{req}\}$ from which information is allowed to flow to $SC_{req}$ are $\{SC_{GLB1}, SC_{GLB2}\}$. The intersection of both sets is $\{SC_{GLB1}, SC_{GLB2}\}$, which has a cardinality of 2.

Figure 5.6 illustrates the application of the metric $d_{SC}$ for the quantitative evaluation of an example¹ of virtual resource embedding. In the example, the metric is applied to the confidentiality classes, integrity classes, availability classes and location classes individually for each hardware resource. The assignment of Virtual Resource 1 to Hardware Resource A.1 returns a perfect match (distance 0) for the confidentiality, integrity, and availability classes, since required and assigned security classes are equal. For location, the required security class is $SC_{EU}$ and the assigned security class is $SC_{DE}$. Here, case 2 of the metric applies, since information flow from $SC_{EU}$ to $SC_{DE}$ is allowed. The calculated distance is 1, since $SC_{EU}$ and $SC_{DE}$ are directly connected in the lattice (cf. the location classes illustrated in Figure 5.3). The assignment of Virtual Resource 1 to Hardware Resource C.1 has a negative distance for the location classes: $SC_{EU}$ and $SC_{US}$ are incomparable, so case 4 of the metric applies and the greatest lower bound $SC_{Global}$ is used for calculating the path length, resulting in a distance of -1.

The metric $d_{SC}$ can be used in resource allocation strategies to find optimal embeddings having a distance close to zero. To compare embeddings on the basis of different dimensions, summing up non-negative values provides good results. However, considering negative values is more complex, since summing up can result in distances close to zero while the distance on each dimension is high, because positive and negative distances cancel each other out. A possible solution is to sum up the absolute values, and if negative values (due to under-provisioning) should be avoided, it is possible to sum up positive and negative values separately. The latter allows optimising the embedding explicitly with respect to avoiding negative values. Further, the metric $d_{SC}$ is based on the assumption that all security classes are equidistant.

¹ The presented example corresponds to the example used in Figure 5.4. The corresponding security classes of the

Figure 5.6: Example for quantitative evaluation of virtual resource embedding. Virtual Resource 1 requires confidentiality Secret, integrity High, availability 99.9% and location EU; the four ratings per hardware resource are a: confidentiality rating, b: integrity rating, c: availability rating, d: location rating.

  Hardware provider                Resource   Confidentiality   Integrity   Availability   Location     a    b    c    d
  A (Germany)                      A.1        Secret            High        99.9%          DE           0    0    0    1
  A (Germany)                      A.2        Public            Low         99.9%          DE          -1   -1    0    1
  B (France)                       B.1        Secret            Low         99.99%         FR           0   -1    2    1
  B (France)                       B.2        Secret            High        99.99%         FR           0    0    2    1
  C (United States of America)     C.1        Secret            High        99.95%         US           0    0    1   -1

This is not necessarily always true. For example, embedding virtual resources with required location class $SC_{EU}$ on a hardware resource with assigned location class $SC_{US}$ can have a more severe impact on legal compliance than embedding virtual resources with required location class $SC_{DE}$ on a hardware resource with assigned location class $SC_{FR}$, although both embeddings have the distance -1 under the equidistant model. This results from the fact that Germany and France both fall under the legislation of the EU/EEA, which is an area with harmonised legislation, while the USA and the EU/EEA do not have harmonised legislation. For that reason, a weighted distance model can be more suitable for providing more accurate results in the evaluation of embedding quality. In this model, every edge in the lattice is weighted with a factor $\rho \in \mathbb{R}^+$ and the length of a path in the lattice is calculated by summing the weights of the path's edges.

Figure 5.7 illustrates an example of weighted distances of location classes. It is assumed that the location classes corresponding to a country are on the same level. Based on that, the edges from the location classes corresponding to a country to the maximum location class $SC_{Local}$ are weighted highest, with 5, since the decision whether to place a resource in the cloud at all or locally is considered the one with the most severe impact. The edge between the location class of a country outside the EU/EEA and the minimum location class $SC_{Global}$ is weighted with 3, since it is still a severe decision whether to place virtual resources within a specific country or globally. The edges between the location classes corresponding to a member state of the EU/EEA and the location class corresponding to the EU/EEA are weighted with 1, and the edge between the location class corresponding to the EU/EEA and $SC_{Global}$ is weighted with 2. Then, the sum of weights on the path from the location class of a member state to $SC_{Global}$ is 3, which corresponds to the weight of the edge between the location class of a country outside the EU/EEA and $SC_{Global}$. Further, placement within the EU/EEA is considered to have a less severe impact than placement outside the EU/EEA.

Figure 5.7: Example of weighted distances of location classes.

[Edges and weights in Figure 5.7, information flow from bottom to top: Global–EU: 2, EU–DE: 1, EU–FR: 1, Global–US: 3, DE–Local: 5, FR–Local: 5, US–Local: 5.]

The weights can be assigned for each edge in the lattice individually and with respect to applicable security requirements. It is also possible to use weights to compare security classes of different security requirements. For example, edges of location classes are weighted at ten times the upper bound of distances between integrity classes to ensure that location has a higher priority than integrity when embedding virtual resources.

To conclude, the lattice-based model for information flow control also supports the definition of metrics which can be used for evaluating the quality of resource allocation in clouds with respect to confidentiality, integrity, availability, and location. The metrics are defined based on the length of paths between security classes in the lattices. The distance between incomparable security classes can be described by the distance to their greatest lower bound. Moreover, distances can be measured either based on equidistant security classes or on weighted edges in the lattice.