DOI: 10.1145/2857705.2857721 (ACM conference research article)

Auditing Security Compliance of the Virtualized Infrastructure in the Cloud: Application to OpenStack

Published: 09 March 2016

Abstract

Cloud service providers typically adopt the multi-tenancy model to optimize resource usage and achieve the promised cost-effectiveness. Sharing resources between different tenants, together with the complexity of the underlying technology, increases the need for transparency and accountability. In this regard, auditing the security compliance of the provider's infrastructure against standards, regulations and customers' policies takes on increasing importance in the cloud as a way to build trust between the stakeholders. However, virtualization and scalability make compliance verification challenging. In this work, we propose an automated framework that audits the cloud infrastructure from a structural point of view, focusing on virtualization-related security properties and on consistency between multiple control layers. Furthermore, to show the feasibility of our approach, we integrate our auditing system into OpenStack, one of the most widely used cloud infrastructure management systems. To show the scalability and validity of our framework, we present experimental results on assessing several properties related to auditing inter-layer consistency, virtual machine co-residence, and virtual resource isolation.


Published In

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
March 2016, 340 pages
ISBN: 9781450339353
DOI: 10.1145/2857705

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. cloud
  2. co-residence
  3. formal verification
  4. isolation
  5. openstack
  6. security auditing
  7. virtualization

Qualifiers

  • Research-article

Conference

CODASPY'16

Acceptance Rates

CODASPY '16 paper acceptance rate: 22 of 115 submissions, 19%
Overall acceptance rate: 149 of 789 submissions, 19%

Article Metrics

  • Downloads (last 12 months): 39
  • Downloads (last 6 weeks): 0

Reflects downloads up to 27 Dec 2024

Cited By

  • (2021) Faster enclave transitions for IO-intensive network applications. Proceedings of the ACM SIGCOMM 2021 Workshop on Secure Programmable Network Infrastructure, pages 1-8. DOI: 10.1145/3472873.3472879. Online publication date: 27 Aug 2021.
  • (2019) CAUDIT. Proceedings of the 16th USENIX Conference on Networked Systems Design and Implementation, pages 667-682. DOI: 10.5555/3323234.3323288. Online publication date: 26 Feb 2019.
  • (2019) Security and Cost Optimization Auditing for Amazon Web Services. Proceedings of the 2nd International Conference on Software Engineering and Information Management, pages 44-48. DOI: 10.1145/3305160.3305181. Online publication date: 10 Jan 2019.
  • (2018) ISOTOP. ACM Transactions on Privacy and Security, 22(1), pages 1-35. DOI: 10.1145/3267339. Online publication date: 23 Oct 2018.
  • (2018) User-Level Runtime Security Auditing for the Cloud. IEEE Transactions on Information Forensics and Security, 13(5), pages 1185-1199. DOI: 10.1109/TIFS.2017.2779444. Online publication date: 1 May 2018.
  • (2017) CloudSight. Proceedings of the 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, pages 268-273. DOI: 10.1109/CCGRID.2017.97. Online publication date: 14 May 2017.
