Virtualization enables the increasing efficiency and elasticity of modern IT infrastructures, including
Infrastructure as a Service. However, the operational complexity of virtualized infrastructures is high,
due to their dynamic nature, multi-tenancy, and size. Misconfigurations and insider attacks carry significant
operational and security risks, such as breaches of tenant isolation, which endanger both the infrastructure
provider and its tenants.
In this thesis we study the question of whether it is possible to model and analyze complex, scalable, and dynamic
virtualized infrastructures with regard to user-defined security and operational policies in an automated
way. We establish a new practical and automated security analysis framework for virtualized infrastructures.
First, we propose a novel tool that automatically extracts the configuration of heterogeneous
environments and builds a unified graph model of the configuration and topology. The tool is further
extended with a monitoring component and a set of algorithms that translate system changes into
graph model changes. The benefits of maintaining such a dynamic model are a reduced model population
time and the closing of the detection gap for transient security violations that exist only between two one-off
model extractions.
Our analysis is the first that lifts static information flow analysis to the entire virtualized infrastructure,
in order to detect isolation failures between tenants on all resources. The analysis is configurable using
customized rules to reflect the different trust assumptions of the users. We apply and evaluate our analysis
system on the production infrastructure of a global financial institution. For the information flow analysis
of dynamic infrastructures we propose the concept of dynamic rule-based information flow graphs and
develop a set of algorithms that maintain such information flow graphs for dynamic system models.
We generalize the analysis of isolation properties and establish a new generic analysis platform for
virtualized infrastructures in which a diverse set of security and operational policies can be expressed in a
formal language. The policy requirements are studied in a case study with a cloud service provider. We
are the first to employ a variety of theorem provers and model checkers to verify the state of a virtualized
infrastructure against its policies. Additionally, we analyze dynamic behavior such as VM migrations.
For the analysis of dynamic infrastructures we pursue both a reactive and a proactive approach. A
reactive analysis system is developed that reduces the time between a system change and the analysis result.
The system monitors the infrastructure for changes and employs dynamic information flow graphs to
verify, for instance, tenant isolation. For the proactive analysis we propose a new model, the Operations
Transition Model, which captures the changes that operations make to the virtualized infrastructure as graph
transformations. We build a novel analysis system using this model that performs automated run-time
analysis of operations and also offers change planning. The Operations Transition Model forms the basis
for further research in model checking of virtualized infrastructures.
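The following Python program is an added illustration of two ideas from this abstract, the rule-based information flow analysis over a unified graph model (third paragraph) and an operation checked proactively as a graph transformation before it is applied (last paragraph). It is not the thesis's tool or code. The graph model, the two trust-assumption rule sets (`vlan_isolates`, `hypervisor_isolates`), the two-host/two-tenant infrastructure, and the `migrate` operation are all constructed for this example and are much simpler than what the thesis describes.

```python
"""Added example (not the thesis's tool): a small unified graph model, a rule-based
information flow analysis reporting tenant-isolation failures, and a VM migration
modelled as a graph transformation that is checked before it is applied."""
from collections import deque
from copy import deepcopy


class InfraGraph:
    """Nodes carry a type plus attributes (tenant, vlan); undirected edges are
    connections such as 'VM runs on host' or 'port group belongs to vswitch'."""

    def __init__(self):
        self.nodes = {}
        self.adj = {}

    def add(self, name, ntype, **attrs):
        self.nodes[name] = {"type": ntype, **attrs}
        self.adj[name] = set()

    def connect(self, a, b):
        self.adj[a].add(b)
        self.adj[b].add(a)

    def disconnect(self, a, b):
        self.adj[a].discard(b)
        self.adj[b].discard(a)


# Constructed trust assumptions ("customized rules"): a tenant who does not trust
# the hypervisor to isolate co-located VMs uses the second rule set.
DEFAULT_RULES = {"vlan_isolates": True, "hypervisor_isolates": True}
NO_HYPERVISOR_TRUST = {"vlan_isolates": True, "hypervisor_isolates": False}


def reachable(graph, start, rules):
    """Breadth-first information flow from `start`. The search state carries the VLAN
    tag the flow currently has, so VLAN separation on switches can be honoured."""
    seen = {(start, None)}
    queue = deque([(start, None)])
    while queue:
        node, vlan = queue.popleft()
        for nxt in graph.adj[node]:
            ntype = graph.nodes[nxt]["type"]
            new_vlan = vlan
            if ntype == "host" and rules["hypervisor_isolates"]:
                continue  # trusted hypervisor: no flow between VMs through the host
            if ntype == "portgroup":
                pg_vlan = graph.nodes[nxt]["vlan"]
                if vlan is not None and pg_vlan != vlan and rules["vlan_isolates"]:
                    continue  # tagged traffic does not cross into another VLAN
                new_vlan = pg_vlan
            if ntype == "vm":
                new_vlan = None  # a VM may re-emit data on any of its NICs
            if (nxt, new_vlan) not in seen:
                seen.add((nxt, new_vlan))
                queue.append((nxt, new_vlan))
    return {n for n, _ in seen}


def isolation_violations(graph, rules):
    """All (source VM, resource of another tenant) pairs the flow analysis connects."""
    violations = []
    for vm, attrs in graph.nodes.items():
        if attrs["type"] != "vm":
            continue
        for n in reachable(graph, vm, rules):
            owner = graph.nodes[n].get("tenant")
            if owner is not None and owner != attrs["tenant"]:
                violations.append((vm, n))
    return sorted(violations)


def migrate(graph, vm, new_host, new_portgroup):
    """Operation as a graph transformation: returns the post-state, input unchanged."""
    g = deepcopy(graph)
    for n in list(g.adj[vm]):
        if g.nodes[n]["type"] in ("host", "portgroup"):
            g.disconnect(vm, n)
    g.connect(vm, new_host)
    g.connect(vm, new_portgroup)
    return g


def plan_operation(graph, rules, vm, new_host, new_portgroup):
    """Proactive check: simulate the operation, refuse it if it adds a violation."""
    after = migrate(graph, vm, new_host, new_portgroup)
    new = set(isolation_violations(after, rules)) - set(isolation_violations(graph, rules))
    return (len(new) == 0, sorted(new))


def build_example():
    """Constructed sample infrastructure: two hosts, two tenants, VLAN 10 and 20."""
    g = InfraGraph()
    g.add("host1", "host"); g.add("host2", "host"); g.add("pswitch", "pswitch")
    for vs, host in (("vswitch1", "host1"), ("vswitch2", "host2")):
        g.add(vs, "vswitch"); g.connect(vs, host); g.connect(vs, "pswitch")  # uplink
    for pg, vs, vlan in (("pgA", "vswitch1", 10), ("pgB", "vswitch1", 20),
                         ("pgC", "vswitch2", 10), ("pgD", "vswitch2", 20)):
        g.add(pg, "portgroup", vlan=vlan); g.connect(pg, vs)
    for vm, tenant, host, pg in (("vm_a1", "alpha", "host1", "pgA"),
                                 ("vm_a2", "alpha", "host2", "pgC"),
                                 ("vm_b1", "beta", "host1", "pgB")):
        g.add(vm, "vm", tenant=tenant); g.connect(vm, host); g.connect(vm, pg)
    g.add("ds_alpha", "datastore", tenant="alpha"); g.add("ds_beta", "datastore", tenant="beta")
    g.connect("vm_a1", "ds_alpha"); g.connect("vm_a2", "ds_alpha"); g.connect("vm_b1", "ds_beta")
    return g


if __name__ == "__main__":
    g = build_example()
    print("baseline:", isolation_violations(g, DEFAULT_RULES))
    print("untrusted hypervisor:", isolation_violations(g, NO_HYPERVISOR_TRUST))
    print("migrate vm_b1 -> host2/pgC:", plan_operation(g, DEFAULT_RULES, "vm_b1", "host2", "pgC"))
    print("migrate vm_b1 -> host2/pgD:", plan_operation(g, DEFAULT_RULES, "vm_b1", "host2", "pgD"))
```

Under the default rules the constructed infrastructure has no violations, while the same graph analyzed with `NO_HYPERVISOR_TRUST` reports that `vm_a1` and `vm_b1` share a host. Planning the migration of `vm_b1` to `host2` on the wrong port group (`pgC`, VLAN 10) is rejected because it would connect tenant beta's VM to tenant alpha's VMs and datastore; the same migration onto `pgD` (VLAN 20) is accepted. The real tool described in the thesis works on extracted configurations and a much richer set of resource types; this example only shows the shape of the analysis.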