Automated Information Flow Analysis of Virtualized Infrastructures

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6879)


The use of server virtualization has been growing steadily, but many enterprises still are reluctant to migrate critical workloads to such infrastructures. One key inhibitor is the complexity of correctly configuring virtualized infrastructures, and in particular, of isolating workloads or subscribers across all potentially shared physical and virtual resources. Imagine analyzing systems with half a dozen virtualization platforms, thousands of virtual machines and hundreds of thousands of inter-resource connections by hand: large topologies demand tool support.

We study the automated information flow analysis of heterogeneous virtualized infrastructures. We propose an analysis system that performs a static information flow analysis based on graph traversal. The system discovers the actual configurations of diverse virtualization environments and unifies them in a graph representation. It computes the transitive closure of information flow and isolation rules over the graph and diagnoses isolation breaches from that. The system effectively reduces the analysis complexity for humans from checking the entire infrastructure to checking a few well-designed trust rules on components’ information flow.


Virtual Machine Transitive Closure Graph Coloring Mapping Rule Physical Machine 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Aciiçmez, O.: Yet another microarchitectural attack: exploiting i-cache. In: CSAW 2007: Proceedings of the 2007 ACM Workshop on Computer Security Architecture, pp. 11–18. ACM, New York (2007)CrossRefGoogle Scholar
  2. 2.
    Al-Shaer, E., Marrero, W., El-Atawy, A., ElBadawi, K.: Global Verification and Analysis of Network Access Control Configuration. Tech. rep., DePaul University (2008)Google Scholar
  3. 3.
    Axelsson, S.: The base-rate fallacy and the difficulty of intrusion detection. ACM Trans. Inf. Syst. Secur. 3(3), 186–205 (2000)MathSciNetCrossRefGoogle Scholar
  4. 4.
    Bleikertz, S., Groß, T.: A virtualization assurance language for isolation and deployment. In: Proceedings of the 12th IEEE International Symposium on Policies for Distributed Systems and Networks (IEEE POLICY 2011). IEEE, Los Alamitos (2011)Google Scholar
  5. 5.
    Bleikertz, S., Schunter, M., Probst, C.W., Pendarakis, D., Eriksson, K.: Security audits of multi-tier virtual infrastructures in public infrastructure clouds. In: Proceedings of the 2010 ACM Workshop on Cloud Computing Security, CCSW 2010, pp. 93–102. ACM, New York (2010), Google Scholar
  6. 6.
    Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002), extended version in IACR Cryptology ePrint Archive 2002/059, CrossRefGoogle Scholar
  7. 7.
    Garfinkel, T., Rosenblum, M.: When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments. In: HOTOS 2005: Proceedings of the 10th Conference on Hot Topics in Operating Systems, p. 20. USENIX Association, Berkeley (2005)Google Scholar
  8. 8.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE Symposium on Security and Privacy, pp. 11–20. IEEE, Los Alamitos (1982)Google Scholar
  9. 9.
    Gray III, J.W.: Toward a mathematical foundation for information flow security. In: IEEE Symposium on Security and Privacy, pp. 21–35. IEEE, Los Alamitos (1991)Google Scholar
  10. 10.
    Haigh, J.T., Young, W.D.: Extending the non-interference version of MLS for SAT. In: IEEE Symposium on Security and Privacy, p. 60. IEEE, Los Alamitos (1986)Google Scholar
  11. 11.
    Jacob, J.: Separability and the detection of hidden channels. Inf. Process. Lett. 34, 27–29 (1990), MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Kelem, N.L., Feiertag, R.J.: A Separation Model for Virtual Machine Monitors. In: IEEE Symposium on Security and Privacy, pp. 78–86. IEEE, Los Alamitos (1991)Google Scholar
  13. 13.
    Khakpour, A.R., Liu, A.: Quarnet: A Tool for Quantifying Static Network Reachability. Tech. Rep. MSU-CSE-09-2, Department of Computer Science, Michigan State University, East Lansing, Michigan (January 2009)Google Scholar
  14. 14.
    Krothapalli, S.D., Sun, X., Sung, Y.W.E., Yeo, S.A., Rao, S.G.: A toolkit for automating and visualizing VLAN configuration. In: SafeConfig 2009: Proceedings of the 2nd ACM Workshop on Assurable and Usable Security Configuration, pp. 63–70. ACM, New York (2009)CrossRefGoogle Scholar
  15. 15.
    Lampson, B.W.: A note on the confinement problem. Communications of the ACM 16(10), 613–615 (1973)CrossRefGoogle Scholar
  16. 16.
    Mantel, H.: Information flow control and applications - bridging a gap -. In: Oliveira, J.N., Zave, P. (eds.) FME 2001. LNCS, vol. 2021, pp. 153–172. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  17. 17.
    Marmorstein, R., Kearns, P.: A Tool for Automated iptables Firewall Analysis. In: ATEC 2005: Proceedings of the USENIX Annual Technical Conference, p. 44. USENIX Association, Berkeley (2005)Google Scholar
  18. 18.
    Mayer, A., Wool, A., Ziskind, E.: Fang: A Firewall Analysis Engine. In: SP 2000: Proceedings of the 2000 IEEE Symposium on Security and Privacy, p. 177. IEEE, Washington, DC, USA (2000)CrossRefGoogle Scholar
  19. 19.
    Mödersheim, S., Viganò, L.: Secure pseudonymous channels. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 337–354. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  20. 20.
    Percival, C.: Cache missing for fun and profit (May 2005),
  21. 21.
    Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. In: CCS 2009: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 199–212. ACM, New York (2009)Google Scholar
  22. 22.
    Rushby, J.: Design and verification of secure systems. In: Proceedings of the Eighth ACM Symposium on Operating Systems Principles, SOSP 1981, pp. 12–21. ACM, New York (1981), Google Scholar
  23. 23.
    Rushby, J.: Proof of separability a verification technique for a class of security kernels. In: Dezani-Ciancaglini, M., Montanari, U. (eds.) International Symposium on Programming 1982. LNCS, vol. 137, pp. 352–367. Springer, Heidelberg (1982)CrossRefGoogle Scholar
  24. 24.
    Rushby, J.: Noninterference, transitivity, and channel-control security policies. Tech. rep., SRI International (December 1992),
  25. 25.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21, 2003 (2003)CrossRefGoogle Scholar
  26. 26.
    VMware: Providing LUN Security (March 2006),
  27. 27.
    Wojtczuk, R.: Adventures with a certain Xen vulnerability (in the PVFB backend) (October 2008),
  28. 28.
    Wool, A.: Architecting the Lumeta Firewall Analyzer. In: SSYM 2001: Proceedings of the 10th Conference on USENIX Security Symposium, p. 7. USENIX Association, Berkeley (2001)Google Scholar
  29. 29.
    Xie, G., Zhan, J., Maltz, D., Zhang, H., Greenberg, A., Hjalmtysson, G., Rexford, J.: On static reachability analysis of IP networks. In: INFOCOM 2005: 24th Annual Joint Conference of the IEEE Computer and Communications Societies, March 13-17, vol. 3, pp. 2170–2183. IEEE, Los Alamitos (2005)Google Scholar
  30. 30.
    Yang, J., Twohey, P., Engler, D., Musuvathi, M.: Using model checking to find serious file system errors. ACM Trans. Comput. Syst. 24, 393–423 (2006), CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  1. 1.IBM Research - ZurichSwitzerland
  2. 2.InfraSight LabsSweden

Personalised recommendations