DOI: 10.1145/2857705.2857721
Research article

Auditing Security Compliance of the Virtualized Infrastructure in the Cloud: Application to OpenStack

Published: 09 March 2016

Abstract

Cloud service providers typically adopt the multi-tenancy model to optimize resource usage and achieve the promised cost-effectiveness. Sharing resources between different tenants, together with the complexity of the underlying technology, increases the need for transparency and accountability. In this regard, auditing the security compliance of the provider's infrastructure against standards, regulations and customers' policies takes on increasing importance in the cloud as a way to build trust between the stakeholders. However, virtualization and scalability make compliance verification challenging. In this work, we propose an automated framework for auditing the cloud infrastructure from a structural point of view, focusing on virtualization-related security properties and on consistency between multiple control layers. Furthermore, to show the feasibility of our approach, we integrate our auditing system into OpenStack, one of the most widely used cloud infrastructure management systems. To show the scalability and validity of our framework, we present experimental results on assessing several properties related to inter-layer consistency, virtual machine co-residence, and virtual resource isolation.



Published In

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
March 2016
340 pages
ISBN:9781450339353
DOI:10.1145/2857705
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. cloud
  2. co-residence
  3. formal verification
  4. isolation
  5. openstack
  6. security auditing
  7. virtualization

Conference

CODASPY'16

Acceptance Rates

CODASPY '16 Paper Acceptance Rate 22 of 115 submissions, 19%;
Overall Acceptance Rate 149 of 789 submissions, 19%

Article Metrics

  • Downloads (last 12 months): 23
  • Downloads (last 6 weeks): 3
Reflects downloads up to 07 Mar 2025

Cited By

  • (2023) On Reducing Underutilization of Security Standards by Deriving Actionable Rules: An Application to IoT. Security Standardisation Research, pp. 103-128. DOI: 10.1007/978-3-031-30731-7_5. Online publication date: 22 Apr 2023.
  • (2022) ProSAS: Proactive Security Auditing System for Clouds. IEEE Transactions on Dependable and Secure Computing 19(4), pp. 2517-2534. DOI: 10.1109/TDSC.2021.3062204. Online publication date: 1 Jul 2022.
  • (2022) An Investigation on Fat Tree Topology ARP Spoof Detection Using Software Defined Networking. 2022 Fourth International Conference on Emerging Research in Electronics, Computer Science and Technology (ICERECT), pp. 1-5. DOI: 10.1109/ICERECT56837.2022.10060657. Online publication date: 26 Dec 2022.
  • (2022) SGX-Bundler: speeding up enclave transitions for IO-intensive applications. 2022 22nd IEEE International Symposium on Cluster, Cloud and Internet Computing (CCGrid), pp. 269-278. DOI: 10.1109/CCGrid54584.2022.00036. Online publication date: May 2022.
  • (2022) MLFM: Machine Learning Meets Formal Method for Faster Identification of Security Breaches in Network Functions Virtualization (NFV). Computer Security – ESORICS 2022, pp. 466-489. DOI: 10.1007/978-3-031-17143-7_23. Online publication date: 26 Sep 2022.
  • (2021) Faster enclave transitions for IO-intensive network applications. Proceedings of the ACM SIGCOMM 2021 Workshop on Secure Programmable network INfrastructure, pp. 1-8. DOI: 10.1145/3472873.3472879. Online publication date: 27 Aug 2021.
  • (2021) Security Auditing of Internet of Things Devices in a Smart Home. Advances in Digital Forensics XVII, pp. 213-234. DOI: 10.1007/978-3-030-88381-2_11. Online publication date: 15 Oct 2021.
  • (2021) How Much Your Cloud Management Platform Is Secure? OpenStack Use Case. Innovations in Smart Cities Applications Volume 4, pp. 1117-1129. DOI: 10.1007/978-3-030-66840-2_85. Online publication date: 13 Feb 2021.
  • (2020) NFVGuard: Verifying the Security of Multilevel Network Functions Virtualization (NFV) Stack. 2020 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), pp. 33-40. DOI: 10.1109/CloudCom49646.2020.00003. Online publication date: Dec 2020.
  • (2020) A multi-level proactive security auditing framework for clouds through automated dependency building. CCF Transactions on Networking 3(2), pp. 112-127. DOI: 10.1007/s42045-020-00028-9. Online publication date: 9 Jun 2020.
