Automated Information Flow Analysis of Virtualized Infrastructures

The use of server virtualization has been growing steadily, but many enterprises are still reluctant to migrate critical workloads to such infrastructures. One key inhibitor is the complexity of correctly configuring virtualized infrastructures, and in particular of isolating workloads or subscribers across all potentially shared physical and virtual resources. Imagine analyzing systems with half a dozen virtualization platforms, thousands of virtual machines and hundreds of thousands of inter-resource connections by hand: large topologies demand tool support. We study the automated information flow analysis of heterogeneous virtualized infrastructures. We propose an analysis system that performs a static information flow analysis based on graph traversal. The system discovers the actual configurations of diverse virtualization environments and unifies them in a graph representation. It computes the transitive closure of information flow and isolation rules over the graph and diagnoses isolation breaches from that. The system effectively reduces the analysis complexity for humans from checking the entire infrastructure to checking a few well-designed trust rules on components' information flow.
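The graph-traversal idea in the abstract, as an added illustration that is not the paper's system or data: a constructed topology of VMs, virtual switches, a hypervisor and a datastore is unified into a directed information-flow graph, a breadth-first traversal computes the transitive closure from each subscriber's resources, and a trust rule (here modeled by the assumed set `TRUSTED_ISOLATORS`, whose members are reached but not traversed) lets the analysis report only the flows that cross subscriber boundaries through untrusted shared components.

```python
from collections import deque

# Constructed sample topology (added example, not the paper's data). Each
# resource is tagged with its subscriber; "shared" marks provider resources.
NODES = {"vm-a1": "A", "vm-a2": "A", "vm-b1": "B", "vswitch-1": "shared",
         "vswitch-2": "shared", "hypervisor-1": "shared", "datastore-1": "shared"}
# Directed information-flow edges (src, dst). Misconfiguration: vm-b1 was also
# attached to the datastore that serves subscriber A.
EDGES = [("vm-a1", "vswitch-1"), ("vswitch-1", "vm-a1"),
         ("vm-a2", "vswitch-1"), ("vswitch-1", "vm-a2"),
         ("vm-b1", "vswitch-2"), ("vswitch-2", "vm-b1"),
         ("vm-a1", "hypervisor-1"), ("hypervisor-1", "vm-a1"),
         ("vm-b1", "hypervisor-1"), ("hypervisor-1", "vm-b1"),
         ("vm-a1", "datastore-1"), ("datastore-1", "vm-a1"),
         ("vm-b1", "datastore-1"), ("datastore-1", "vm-b1")]
# Trust rule (assumed modeling): shared components trusted to enforce isolation
# between the subscribers they serve, so flow is not propagated through them.
TRUSTED_ISOLATORS = {"hypervisor-1"}

def build_graph(edges):
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set())
    return adj

def reachable(adj, start, isolators):
    """Transitive closure of information flow from start (BFS). Trusted
    isolators are reached but not traversed further."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node != start and node in isolators:
            continue
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def find_isolation_breaches(nodes, edges, isolators):
    """Return sorted (source, sink) pairs where one subscriber's resource can
    reach a resource owned by a different subscriber."""
    adj = build_graph(edges)
    breaches = [(src, dst) for src, owner in nodes.items() if owner != "shared"
                for dst in reachable(adj, src, isolators) - {src}
                if nodes[dst] not in ("shared", owner)]
    return sorted(breaches)
```

Marking `datastore-1` as a trusted isolator as well makes the reported breach list empty, which is exactly the kind of trust decision the abstract says a human reviewer is left to make.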
