
    Automated Security Analysis of Virtualized Infrastructures

    Virtualization enables the increasing efficiency and elasticity of modern IT infrastructures, including Infrastructure as a Service. However, the operational complexity of virtualized infrastructures is high, due to their dynamics, multi-tenancy, and size. Misconfigurations and insider attacks carry significant operational and security risks, such as breaches in tenant isolation, which put both the infrastructure provider and tenants at risk. In this thesis we study the question of whether it is possible to model and analyze complex, scalable, and dynamic virtualized infrastructures with regard to user-defined security and operational policies in an automated way. We establish a new practical and automated security analysis framework for virtualized infrastructures. First, we propose a novel tool that automatically extracts the configuration of heterogeneous environments and builds up a unified graph model of the configuration and topology. The tool is further extended with a monitoring component and a set of algorithms that translate system changes into graph model changes. The benefits of maintaining such a dynamic model are a reduction in the time needed to populate the model and closing the gap for transient security violations. Our analysis is the first that lifts static information flow analysis to the entire virtualized infrastructure, in order to detect isolation failures between tenants on all resources. The analysis is configurable using customized rules to reflect the different trust assumptions of the users. We apply and evaluate our analysis system on the production infrastructure of a global financial institution. For the information flow analysis of dynamic infrastructures we propose the concept of dynamic rule-based information flow graphs and develop a set of algorithms that maintain such information flow graphs for dynamic system models.
    We generalize the analysis of isolation properties and establish a new generic analysis platform for virtualized infrastructures that allows a diverse set of security and operational policies to be expressed in a formal language. The policy requirements are studied in a case study with a cloud service provider. We are the first to employ a variety of theorem provers and model checkers to verify the state of a virtualized infrastructure against its policies. Additionally, we analyze dynamic behavior such as VM migrations. For the analysis of dynamic infrastructures we pursue both a reactive and a proactive approach. A reactive analysis system is developed that reduces the time between a system change and the analysis result. The system monitors the infrastructure for changes and employs dynamic information flow graphs to verify, for instance, tenant isolation. For the proactive analysis we propose a new model, the Operations Transition Model, which captures the changes of operations in the virtualized infrastructure as graph transformations. We build a novel analysis system using this model that performs automated run-time analysis of operations and also offers change planning. The Operations Transition Model forms the basis for further research in model checking of virtualized infrastructures.

    Automated Verification of Virtualized Infrastructures

    Virtualized infrastructures and clouds present new challenges for security analysis and formal verification: they are complex environments that continuously change their shape, and that give rise to non-trivial security goals such as isolation and failure resilience requirements. We present a platform that connects declarative and expressive description languages with state-of-the-art verification methods. The languages homogeneously integrate descriptions of virtualized infrastructures, their transformations, their desired goals, and evaluation strategies. The different verification tools range from model checking to theorem proving; this allows us to exploit the complementary strengths of the methods, and also to understand how best to represent the analysis problems in different contexts. We first consider the static case, where the topology of the virtual infrastructure is fixed, and demonstrate that our platform allows for the declarative specification of a large class of properties. Even though tools that are specialized to checking particular properties perform better than our generic approach, we show with a real-world case study that our approach is practically feasible. We finally also consider the dynamic case, where the intruder can actively change the topology (by migrating machines). The combination of a complex topology and changes to it by an intruder is a problem that lies beyond the scope of previous analysis tools and for which we can give first positive verification results.

    Automated Security Analysis of Infrastructure Clouds

    Cloud computing has gained remarkable popularity in recent years with a wide spectrum of consumers, ranging from small start-ups to governments. However, its benefits in terms of flexibility, scalability, and low upfront investment are shadowed by security challenges which inhibit its adoption. In particular, these highly flexible but complex cloud computing environments are prone to misconfigurations leading to security incidents, e.g., erroneous exposure of services due to faulty network security configurations. In this thesis we present a novel approach to the security assessment of multi-tier architectures deployed on infrastructure clouds such as Amazon EC2. In order to perform this assessment for the currently deployed configuration, we automated the process of extracting the configuration using the Amazon API and translating it into a generic data model for later analysis. In the assessment we focused on the reachability and vulnerability of services in the virtual infrastructure, and presented a way for the visualization and automated analysis based on reachability and attack graphs. We proposed a query and policy language for the analysis which can be used to obtain insights into the configuration and to specify desired and undesired configurations. We have implemented the security assessment in a prototype and evaluated it for practical and theoretical scenarios. Furthermore, a framework is presented which allows the evaluation of configuration changes in agile and dynamic cloud environments with regard to properties like vulnerabilities or expected availability. From a vulnerability perspective, this evaluation can be used to monitor the security level of the configuration over its lifetime and to indicate degradations.

    Automated security analysis of virtualized infrastructures

    Virtualization enables higher efficiency and elasticity of modern IT infrastructures, including Infrastructure as a Service. However, the operational complexity of virtualized infrastructures is very high due to their dynamics, multi-tenancy, and size. Misconfigurations and insider attacks contribute to considerable operational and security risks. For example, breaches of tenant isolation lead to risks both for the infrastructure operator and for the user. In this dissertation we investigate the question of whether it is possible to model complex, scalable, and dynamic virtualized environments and to check them against user-defined operational and security policies in an automated procedure. We establish a new practical and automated framework for the security analysis of virtualized infrastructures. First, we present a system that can automatically extract the configuration of heterogeneous environments and builds a unified graph model of the configuration and topology. In addition, the system is extended with a component for monitoring the environment and with algorithms that make it possible to translate changes in the environment into changes in the graph model. The advantages of such a dynamic model are time savings in building the model as well as closing the gap in detecting transient security violations. Our analysis is the first to lift static information flow analysis to the entire virtualized environment, so that breaches of tenant isolation can be detected in all resources. The analysis is configurable by means of user-defined rules, which reflect the different security assumptions of the users. We apply and evaluate our system in the production environment of a global financial institution.
    As part of the information flow analysis of dynamic infrastructures we introduce the concept of dynamic, rule-based information flow graphs and develop algorithms that maintain information flow graphs for dynamic system models. We generalize the analysis of isolation properties and establish a generic analysis platform for virtualized infrastructures that makes it possible to express a broad set of operational and security policies in a formal language. The requirements on the policies to be expressed are studied in a case study with a cloud provider. For the first time, a range of established automated theorem provers and model checkers is applied to the analysis of virtualized infrastructures against specified policies. Furthermore, we check dynamic behavior, such as the migration of VMs. For the analysis of dynamic infrastructures we pursue both a reactive and a proactive approach. Our newly developed reactive analysis system reduces the time between a system change and the analysis result. The system monitors the infrastructure for changes and uses a dynamic information flow graph, among other things, to check tenant isolation. As part of the proactive approach, a novel model emerges, the Operations Transition Model, which represents changes in virtualized infrastructures caused by operations by means of graph transformations. A new analysis system built on this model automatically checks operations at run time and also makes it possible to plan changes in virtualized environments. The Operations Transition Model forms the basis for further research in the area of model checking of virtualized infrastructures.

    A Virtualization Assurance Language for Isolation and Deployment


    Cloud Radar: Near Real-Time Detection of Security Failures in Dynamic Virtualized Infrastructures

    Cloud infrastructures are designed to share physical resources among many different tenants while ensuring overall security and tenant isolation. The complexity of dynamically changing and growing cloud environments, as well as insider attacks, can lead to misconfigurations that ultimately result in security failures. The detection of these misconfigurations and subsequent failures is a crucial challenge for cloud providers - an insurmountable challenge without tools. We establish an automated security analysis of dynamic virtualized infrastructures that detects misconfigurations and security failures in near real-time. The key is a systematic, differential approach that detects changes in the infrastructure and uses those changes to update its analysis, rather than performing one from scratch. Our system, called Cloud Radar, monitors virtualized infrastructures for changes, updates a graph model representation of the infrastructure, and also maintains a dynamic information flow graph to determine isolation properties. Whereas existing research in this area performs analyses on static snapshots of such infrastructures, our change-based approach yields significant performance improvements, as demonstrated with our prototype for VMware environments.