PERMON: An OpenStack Middleware for Runtime Security Policy Enforcement in Clouds

To ensure the accountability of a cloud environment, security policies may be provided as a set of properties to be enforced by cloud providers. However, due to the sheer size of clouds, it can be challenging to provide timely responses to all the requests coming from cloud users at runtime. In this paper, we design and implement a middleware, PERMON, as a pluggable interface to OpenStack for intercepting and verifying the legitimacy of user requests at runtime, while leveraging our previous work on proactive security verification to improve efficiency. We describe the implementation of the middleware in detail and demonstrate its usefulness through a use case.
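The architecture sketched in the abstract (a pluggable interceptor in the OpenStack request path that answers quickly at runtime because the expensive policy reasoning was done ahead of time) can be illustrated with a small WSGI filter. The code below is an added example, not PERMON's code or any OpenStack project code. It assumes that the interceptor sits in an API service's WSGI pipeline (where OpenStack's paste-deploy filters live), that Keystone's auth_token filter has already run and exposed the caller's project in the X-Project-Id header, and that the property being enforced is a hypothetical tenant-isolation rule ("tenants in a conflict set never share an availability zone"). The conflict sets, placements, paths and stub backend are all constructed for the example.

```python
"""Added example: a runtime policy-enforcement WSGI filter backed by a precomputed table."""
import io
import json

# Constructed, hypothetical input to the proactive (ahead-of-time) phase.
# Real placement data would come from the cloud's own inventory.
CONFLICT_SETS = [{"tenant-a", "tenant-b"}]                      # tenants that must stay isolated
PLACEMENTS = {"tenant-a": {"zone-1"},                            # zones each tenant already uses
              "tenant-b": {"zone-2"},
              "tenant-c": {"zone-1"}}


def precompute_forbidden_zones(conflict_sets, placements):
    """Proactive phase: for every tenant, derive the zones where creating a new
    server would violate the isolation property. Done once, off the request path."""
    forbidden = {}
    for group in conflict_sets:
        for tenant in group:
            forbidden.setdefault(tenant, set())
            for other in group - {tenant}:
                forbidden[tenant] |= placements.get(other, set())
    return forbidden


# Precomputed watchlist consulted at runtime: {"tenant-a": {"zone-2"}, "tenant-b": {"zone-1"}}
FORBIDDEN_ZONES = precompute_forbidden_zones(CONFLICT_SETS, PLACEMENTS)


class PolicyEnforcementFilter:
    """Runtime phase: a WSGI filter that denies a server-create request whose target
    zone is on the requesting tenant's precomputed forbidden list. Every other
    request is passed to the wrapped application untouched, so the cost on the
    request path is a dictionary lookup rather than a full verification."""

    def __init__(self, app, forbidden_zones):
        self.app = app
        self.forbidden_zones = forbidden_zones

    def __call__(self, environ, start_response):
        reason = self.check(environ)
        if reason is not None:
            body = json.dumps({"forbidden": {"message": reason}}).encode()
            start_response("403 Forbidden", [("Content-Type", "application/json"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)

    def check(self, environ):
        """Return a denial reason, or None when the request may proceed."""
        # Only the critical event for this property matters: POST .../servers.
        if environ.get("REQUEST_METHOD") != "POST" or not environ.get("PATH_INFO", "").endswith("/servers"):
            return None
        tenant = environ.get("HTTP_X_PROJECT_ID")   # assumption: set upstream by keystone auth_token
        if tenant is None:
            return "request carries no project id"
        raw = self._read_body(environ)
        try:
            zone = json.loads(raw or b"{}").get("server", {}).get("availability_zone")
        except (ValueError, AttributeError):
            return "malformed request body"
        if zone in self.forbidden_zones.get(tenant, set()):
            return f"placing a server of {tenant} in {zone} violates the isolation property"
        return None

    @staticmethod
    def _read_body(environ):
        """Read the request body and rewind it so the downstream app still sees it."""
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(length) if length else b""
        environ["wsgi.input"] = io.BytesIO(raw)
        return raw


def backend_stub(environ, start_response):
    """Stand-in for the real API service: echoes the body it received."""
    body = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps({"result": "accepted", "echo": json.loads(body or b"{}")}).encode()]


def run_request(filter_app, method, path, tenant=None, body=None):
    """Drive the filter with a synthetic WSGI environ; returns (status, parsed JSON body)."""
    payload = json.dumps(body).encode() if body is not None else b""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(payload)), "wsgi.input": io.BytesIO(payload)}
    if tenant:
        environ["HTTP_X_PROJECT_ID"] = tenant
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    chunks = filter_app(environ, start_response)
    return captured["status"], json.loads(b"".join(chunks))


if __name__ == "__main__":
    app = PolicyEnforcementFilter(backend_stub, FORBIDDEN_ZONES)
    print(run_request(app, "POST", "/v2.1/servers", "tenant-a",
                      {"server": {"name": "vm1", "availability_zone": "zone-2"}}))  # denied
    print(run_request(app, "POST", "/v2.1/servers", "tenant-a",
                      {"server": {"name": "vm1", "availability_zone": "zone-1"}}))  # allowed
```

The split between `precompute_forbidden_zones` and `PolicyEnforcementFilter.check` is the point of the example: the property is reasoned about once, off the request path, and the interceptor only has to recognise the critical event and consult the result. Two practical caveats for anyone building such a filter: the body must be rewound after inspection (otherwise the wrapped service receives an empty request), and the precomputed table must be refreshed whenever placements change, or the runtime verdicts go stale.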
