Cloud Certification Process Validation Using Formal Methods

The importance of cloud-based systems is increasing constantly as they become crucial for completing tasks in an effective and affordable manner. Yet their use is affected by concerns about the security of the data and applications provisioned through them. Security certification provides a means of increasing confidence in such systems by establishing that they fulfil certain security properties of interest. Certification processes involve security property assessments against specific threat models. These processes may be based on self-assessment, testing, inspection or runtime monitoring of security properties, and/or combinations of such methods (hybrid certification). One important question for all such processes is whether they actually deliver what they promise. This question is open at the moment and is the focus of our work. To address it, we have developed an approach that formalises certification processes by translating them into the language of the PRISM model checker, and uses PRISM to verify properties of interest on the model of the certification process under specific environmental assumptions.
