26 research outputs found

    Security for Cloud Environment through Information Flow Properties Formalization with a First-Order Temporal Logic

    The main slowdown in Cloud adoption comes from the lack of reliable security. The on-demand security concept aims at delivering and enforcing the client's security requirements. In this paper, we present an approach, Information Flow Past Linear Time Logic (IF-PLTL), to specify how a system can support a large range of security properties. We show how those information flows can be controlled from lower-level system events. We give complete details of the IF-PLTL syntax and semantics. Furthermore, this logic makes it possible to formalize a large set of security policies. Our approach is illustrated with the Chinese Wall policy, which targets commercial settings. Finally, we discuss the extension of IF-PLTL with dynamic relabeling to encompass more realistic situations, illustrated by the formalization of a dynamic domain isolation policy.

    Enforcing Security and Assurance Properties in Cloud Environment

    International audience
    Before deploying their infrastructure (resources, data, communications, ...) on a Cloud computing platform, companies want to be sure that it will be properly secured. At deployment time, the company provides a security policy describing its security requirements through a set of properties. Once its infrastructure is deployed, the company wants assurance that this policy is applied and enforced. But describing and enforcing security properties, and obtaining strong evidence of it, is a complex task. To address this issue, in [1], we have proposed a language that can be used to express both security and assurance properties on distributed resources. Then, we have shown how these global properties can be cut into a set of properties to be enforced locally. In this paper, we show how these local properties can be used to automatically configure security mechanisms. Our language is context-based, which allows it to be easily adapted to any resource naming system, e.g., Linux and Android (with SELinux) or PostgreSQL. Moreover, by abstracting low-level functionalities (e.g., deny write to a file) through capabilities, our language remains independent of the security mechanisms. These capabilities can then be combined into security and assurance properties in order to provide high-level functionalities, such as confidentiality or integrity. Furthermore, we propose a global architecture that receives these properties and automatically configures the security and assurance mechanisms accordingly. Finally, we express the security and assurance policies of an industrial environment for a commercialized product and show how its security is enforced.

    Formalisation et garantie de propriétés de sécurité système : application à la détection d'intrusions

    No full text
    In this thesis, we are interested in guaranteeing the integrity and confidentiality properties of an information system. We first propose a language for describing system activities, used as a basis for the definition of a set of security properties. This language rests on a notion of causal dependence between system calls and on correlation operators. Thanks to this language, we can define all the system security properties classically met in the literature, extend these properties and propose new ones. In order to guarantee that these properties are respected, an implementation of this language is presented. We prove that this implementation captures all the dependences perceptible by a system. This method thus makes it possible to enumerate all possible violations of the properties expressible in our language. Our solution exploits the definition of an access control policy in order to compute various graphs. These graphs contain the terminals of the language and make it possible to guarantee that the properties are respected. We then use this method to provide an intrusion detection system that detects the effective violations of the properties. The tool can re-use the access control policies available for various target systems, either DAC (Windows, Linux) or MAC such as SELinux and grsecurity. This tool was tested on a honeypot for several months and makes it possible to detect violations of the desired properties.

    Formation et garantie de propriétés de sécurité système (application à la détection d'intrusions)

    No full text
    In this thesis, we are interested in guaranteeing the integrity and confidentiality properties of an information system. We first propose a language for describing system activities, which serves as a basis for the definition of a set of security properties. This language rests on a notion of causal dependence between system calls and on correlation operators. Thanks to this language, we can define all the system security properties classically encountered in the literature, extend these properties and propose new ones. In order to guarantee that these properties are respected, an implementation of this language is presented. We prove that this implementation captures all the dependences perceptible by a system. This method thus makes it possible to enumerate all possible violations of the properties that can be modelled in our language. Our solution exploits the definition of an access control policy in order to compute various graphs. These graphs contain the terminals of the language and make it possible to guarantee that the expressible properties are respected. We then use this method to provide an intrusion detection system that detects the effective violations of the properties. The tool can re-use the access control policies available for various target systems, either DAC (Windows, Linux) or MAC such as SELinux and grsecurity. This tool was tested on a honeypot for several months and makes it possible to detect violations of the desired properties.
    ORLEANS-BU Sciences (452342104) / Sudoc

    An Autonomic Cloud Management System for Enforcing Security and Assurance Properties

    No full text
    International audience
    Enforcing security properties in a Cloud is a difficult task, which requires expertise. However, it is not the only security-related challenge met by a company migrating to a Cloud environment. Indeed, the tenant must also have assurance that the requested security properties have effectively been enforced. Therefore, the Cloud provider has to offer a way of monitoring the security. In this paper, we present a solution to express assurance properties based on the security requirements of the tenant and to deploy these assurance properties. First, we introduce a language that expresses the assurance based on the tenant's security requirements. Second, we propose an infrastructure that deploys the assurance in a Cloud environment. This solution aims to be easy to use: the assurance directly results from the high-level expression of the tenant's security requirements, and no additional action is needed from the tenant. Consequently, we address one of the greatest drawbacks of security and assurance, the complexity of their configuration, while providing a complete assurance mechanism.

    An autonomous Cloud management system for in-depth security

    No full text
    International audience
    Security has been a major concern in computer science for a long time. However, the definition and the enforcement of a complete security policy are difficult tasks, requiring deep knowledge of the inner workings of the security mechanisms. The management of security is even more complex in a system such as a Cloud, which is a heterogeneous environment with multiple applications and tenants. Nowadays, systems, and especially Cloud environments, need a simple way to express security requirements and to enforce them. This paper describes a new solution that eases the management of security mechanisms. The solution supports high-level security requirements that are enforced through distributed security properties. Enforcement agents are located on the heterogeneous and distributed nodes. They manage the distributed security properties and configure the heterogeneous security mechanisms. Our solution guarantees global security properties by enforcing consistent distributed properties in an autonomous manner. The autonomous agents dynamically discover the capabilities of the available security mechanisms and compute their configuration. The solution is especially appropriate for securing Clouds, viewed as autonomous distributed environments.

    PIGA-Cluster: a distributed architecture integrating a shared and resilient reference monitor to enforce mandatory access control in the HPC environment

    No full text
    International audience
    Modern operating systems continue to be the victims of attacks and information leaks. Emerging architectures such as cloud computing or HPC are complex to set up and face many kinds of security threats. However, they still rely on traditional access control mechanisms to protect the system and users' data, whereas these mechanisms can be misconfigured and easily defeated. In this article, we present a full architecture to enhance the protection of HPC clusters. It provides three levels of access control in order to give users control over their files while enforcing advanced security properties. More specifically, the integration of mandatory access control makes it possible to control direct information flows, and a new, dedicated reference monitor deals with indirect information flows. In order to keep a low impact on operating system performance, we propose to centralize this second reference monitor on a dedicated node, controlling the flows on all other nodes through the low-latency network. We present the whole architecture and the results of several benchmarks that indicate a low impact on performance. Then we explain how we make this architecture fault-tolerant. This study takes advantage of previous works dealing with access control on workstations or virtualisation technologies, and extends the concepts to the HPC environment.

    Mandatory access control with a multi-level reference monitor: PIGA-cluster

    No full text
    International audience
    The protection of High Performance Computing architectures is still an open research problem. Generally, current solutions only feature confinement using sandboxing, but none address the problem of information flow control. This is why a better integration of mandatory access control mechanisms is needed in the HPC environment. In this paper, we propose a global architecture to protect a whole cluster. This architecture uses the specific cluster technologies in order not to reduce operating system performance. The protection of the cluster relies on three levels of protection and the use of two kinds of reference monitors. SELinux is installed on the computing nodes and deals with direct information flows. PIGA, installed only on a specific node, performs advanced flow control and detects advanced threats. We present the various components of our architecture, called PIGA-Cluster, then the results of several benchmarks on a computing node that show a low impact on operating system performance. We also apply various security properties in order to protect the computing nodes against simple and advanced attacks. This paper takes advantage of previous works dealing with workstations or virtualisation technologies and extends the concepts to the HPC environment.

    PIGA-HIPS: Protection of a shared HPC cluster

    No full text
    International audience
    Protecting a shared High Performance Computing cluster is still an open research problem. Existing solutions deal with sandboxing and Discretionary Access Control for controlling remote connections. Guaranteeing security properties for a shared cluster is complex, since users demand an environment that is both efficient and prevents confidentiality and integrity violations. This paper proposes two different approaches for protecting remote interactive accesses against malicious operations. Both approaches leverage the SELinux protection. They have been successfully implemented using standard MAC from SELinux, and guarantee supplementary security properties thanks to our PIGA HIPS. The paper compares these two approaches. It presents a real use case for the security of a shared cluster that allows interactive connections for users while preventing confidentiality and integrity violations. This paper takes advantage of previous works and goes one step further in protecting shared clusters against malicious activities. It proposes a new framework to share a cluster among partners while guaranteeing advanced security properties. This solution aims to prevent complex or indirect malicious activities that use combinations of processes and covert channels in their attempt to bypass the required properties.