Formalizing Threat Models for Virtualized Systems

We propose a framework, called FATHoM (FormAlizing THreat Models), to define threat models for virtualized systems. For each component of a virtualized system, we specify a set of security properties that defines its control responsibility and its vulnerability and protection states. Relations are used to represent how assumptions made about a component's security state restrict the assumptions that can be made about the other components. FATHoM includes a set of rules to compute the derived security states from the assumptions and the components' relations. A further set of relations and rules is used to define how to protect the derived vulnerable components. The resulting system is then analysed for, among other properties, the consistency of the threat model. We have developed a tool that implements FATHoM, and have validated it with use-cases adapted from the literature.
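To make the derivation idea concrete, here is an added toy illustration (not the paper's formalism or tool): components carry assumed states, a "controls" relation propagates vulnerability to unprotected components, a protection mechanism only counts if its own root-of-trust component is not vulnerable, and the consistency check flags components the model requires to be trusted but that end up derived vulnerable. The component names, the control chain and the three protection scenarios are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, List, Dict, Tuple

@dataclass
class Component:
    name: str
    controller: str                      # party with control responsibility
    vulnerable: bool = False             # assumption: directly compromisable
    protected_by: Optional[str] = None   # component the protection relies on
    derived_vulnerable: bool = False     # computed by derive_states()

def is_vulnerable(c: Component) -> bool:
    return c.vulnerable or c.derived_vulnerable

def effectively_protected(c: Component, comps: Dict[str, Component]) -> bool:
    # A protection mechanism is void if its root of trust is itself vulnerable
    return c.protected_by is not None and not is_vulnerable(comps[c.protected_by])

def derive_states(components: List[Component],
                  controls: List[Tuple[str, str]]) -> Dict[str, Component]:
    """Rule: a vulnerable controller makes every component it controls
    derived vulnerable unless that component is effectively protected.
    Iterated to a fixed point so that chains and voided protections propagate."""
    comps = {c.name: c for c in components}
    changed = True
    while changed:
        changed = False
        for parent, child in controls:
            p, c = comps[parent], comps[child]
            if is_vulnerable(p) and not is_vulnerable(c) and not effectively_protected(c, comps):
                c.derived_vulnerable = True
                changed = True
    return comps

def inconsistent(comps: Dict[str, Component], must_trust: List[str]) -> List[str]:
    """Components the threat model requires to be trusted but that are vulnerable."""
    return [n for n in must_trust if is_vulnerable(comps[n])]

def build_model(protect_vm_with: Optional[str] = None) -> Dict[str, Component]:
    # Constructed scenario: provider hypervisor assumed vulnerable, tenant VM
    # optionally protected by a mechanism rooted in the named component.
    comps = [
        Component("hardware", "provider"),
        Component("hypervisor", "provider", vulnerable=True),
        Component("vm", "tenant", protected_by=protect_vm_with),
        Component("guest_os", "tenant"),
        Component("app", "tenant"),
    ]
    controls = [("hardware", "hypervisor"), ("hypervisor", "vm"),
                ("vm", "guest_os"), ("guest_os", "app")]
    return derive_states(comps, controls)
```

With no protection the tenant's app is derived vulnerable and the model is inconsistent; rooting the VM's protection in the hardware restores consistency, while rooting it in the vulnerable hypervisor does not.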
