DOI: 10.1145/1866835.1866853

Security audits of multi-tier virtual infrastructures in public infrastructure clouds

Published: 08 October 2010

Abstract

Cloud computing has gained remarkable popularity in recent years among a wide spectrum of consumers, ranging from small start-ups to governments. However, its benefits in terms of flexibility, scalability, and low upfront investment are overshadowed by security challenges that inhibit its adoption. Through a web-services interface, users can configure highly flexible but complex cloud computing environments. Misconfiguration of such cloud services by users therefore poses a severe security risk that can lead to security incidents, e.g., erroneous exposure of services due to faulty network security configurations.
In this article we present a novel approach to the security assessment of end-user configurations of multi-tier architectures deployed on infrastructure clouds such as Amazon EC2. To assess the currently deployed configuration, we automated the extraction of that configuration through the Amazon API. The assessment focuses on the reachability and vulnerability of services in the virtual infrastructure, and we present a way to visualize and automatically analyze the configuration based on reachability and attack graphs. We propose a query and policy language for the analysis, which can be used both to obtain insight into the configuration and to specify desired and undesired configurations. We have implemented the security assessment in a prototype and evaluated it for practical scenarios. Our approach effectively allows today's security concerns to be remediated through validation of the configurations of complex cloud infrastructures.
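As an added example (not the paper's prototype or any code from its authors), the following Python sketches the reachability and policy check the abstract describes on a constructed three-tier, EC2-style security-group configuration: it builds a reachability graph from inbound rules, checks a policy ("the database tier must not be directly reachable from the Internet"), enumerates multi-hop paths as a simple attack-graph view, and re-runs the audit on a remediated configuration. The group ids, rules, and the policy function are assumptions made for the example.

```python
# Constructed sample standing in for configuration extracted via the Amazon API
# (hypothetical group ids and rules, not real data). Each security group maps to
# its inbound rules as (source, port); a source is a CIDR block or another group.
SECURITY_GROUPS = {
    "sg-web": [("0.0.0.0/0", 80), ("0.0.0.0/0", 443)],
    "sg-app": [("sg-web", 8080)],
    # Misconfiguration: the database tier is also exposed to the whole Internet.
    "sg-db": [("sg-app", 3306), ("0.0.0.0/0", 3306)],
}

def reachability_graph(groups):
    """Map each source ("internet" or a group id) to the (group, port) pairs it reaches."""
    graph = {}
    for target, rules in groups.items():
        for source, port in rules:
            node = "internet" if source == "0.0.0.0/0" else source
            graph.setdefault(node, set()).add((target, port))
    return graph

def direct_exposure(graph, target):
    """Ports of `target` that accept connections straight from the Internet."""
    return sorted(port for group, port in graph.get("internet", set()) if group == target)

def attack_paths(graph, target, start="internet"):
    """Attack-graph view: every simple hop chain from `start` to `target`, assuming a
    reached tier can be used as a pivot to whatever its group is allowed to connect to."""
    found, stack = [], [[(start, None)]]
    while stack:
        path = stack.pop()
        for nxt, port in sorted(graph.get(path[-1][0], set())):
            if any(group == nxt for group, _ in path):
                continue  # simple paths only: never revisit a tier
            new_path = path + [(nxt, port)]
            if nxt == target:
                found.append(new_path)
            else:
                stack.append(new_path)
    return found

def check_policy(groups, protected="sg-db"):
    """Policy: the protected tier must not be directly reachable from the Internet.
    Returns (violating ports, count of multi-hop paths the auditor should review)."""
    graph = reachability_graph(groups)
    return direct_exposure(graph, protected), len(attack_paths(graph, protected))

# Remediation candidate: drop the world-open rule on the database tier and re-audit.
HARDENED = {**SECURITY_GROUPS, "sg-db": [("sg-app", 3306)]}
```

The remaining multi-hop paths through the web and application tiers are exactly what the paper's attack-graph analysis combines with per-service vulnerability data: they are acceptable only if the intermediate tiers cannot be compromised.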




    Published In

    CCSW '10: Proceedings of the 2010 ACM workshop on Cloud computing security workshop
    October 2010, 118 pages
    ISBN: 9781450300896
    DOI: 10.1145/1866835
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher: Association for Computing Machinery, New York, NY, United States
    Author Tags

    1. amazon ec2
    2. attack graphs
    3. cloud computing
    4. reachability

    Qualifiers: Research-article

    Conference: CCS '10

    Acceptance Rates

    Overall Acceptance Rate 37 of 108 submissions, 34%

    Cited By

    • (2023) A Delegatable Attribute Based Encryption Scheme for a Collaborative E-Health Cloud. IEEE Transactions on Services Computing 16(2): 787-801. DOI 10.1109/TSC.2022.3174909. Online publication date: 1 Mar 2023.
    • (2022) Framework to Assess Policy Driven Security Misconfiguration Risks in Cloud Native Application. 2022 IEEE Secure Development Conference (SecDev): 63-64. DOI 10.1109/SecDev53368.2022.00023. Online publication date: Oct 2022.
    • (2022) Role of Cloud Management in Mitigating Vulnerabilities in Wireless Data Exchange Provider. 2022 11th International Conference on System Modeling & Advancement in Research Trends (SMART): 460-465. DOI 10.1109/SMART55829.2022.10047349. Online publication date: 16 Dec 2022.
    • (2022) Load Balanced Web Server on AWS Cloud. 2022 International Conference on Computing, Communication, and Intelligent Systems (ICCCIS): 114-118. DOI 10.1109/ICCCIS56430.2022.10037657. Online publication date: 4 Nov 2022.
    • (2022) Toward Automated Security Analysis and Enforcement for Cloud Computing Using Graphical Models for Security. IEEE Access 10: 75117-75134. DOI 10.1109/ACCESS.2022.3190545. Online publication date: 2022.
    • (2022) PRISED tangle: a privacy-aware framework for smart healthcare data sharing using IOTA tangle. Complex & Intelligent Systems 9(3): 3023-3041. DOI 10.1007/s40747-021-00610-8. Online publication date: 21 Jan 2022.
    • (2022) Secure Data Sharing of Electronic Health Record (EHR) on the Cloud Using Blockchain in Covid-19 Scenario. Proceedings of Trends in Electronics and Health Informatics: 165-175. DOI 10.1007/978-981-16-8826-3_15. Online publication date: 22 Mar 2022.
    • (2021) Towards Secure Fog Computing: A Survey on Trust Management, Privacy, Authentication, Threats and Access Control. Electronics 10(10): 1171. DOI 10.3390/electronics10101171. Online publication date: 14 May 2021.
    • (2020) Cloud Storage Security Risks, Practices and Measures: A Review. 2020 IEEE International Conference for Innovation in Technology (INOCON): 1-4. DOI 10.1109/INOCON50539.2020.9298281. Online publication date: 6 Nov 2020.
    • (2019) CloudSafe: A Tool for an Automated Security Analysis for Cloud Computing. 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE): 602-609. DOI 10.1109/TrustCom/BigDataSE.2019.00086. Online publication date: Aug 2019.
