Abstract
Security verification plays a vital role in providing users with the security assurance needed in many applications. However, applying existing verification tools for runtime security enforcement may suffer from a common limitation, i.e., causing significant delays to user requests. The key reason for this limitation is that these tools are not specifically designed for runtime enforcement, especially in a dynamic and large-scale environment like clouds. In this paper, we address this issue by proposing a proactive framework, namely, Proactivizer, to transform existing verification tools into efficient solutions for runtime security enforcement. Our main idea is to leverage existing verification tools as black boxes and to proactively trigger the verification process based on dependency relationships among the events. As a proof of concept, we apply Proactivizer to several existing verification tools and integrate it with OpenStack, a popular cloud platform. We perform extensive experiments in both simulated and real cloud environments, and the results demonstrate the effectiveness of Proactivizer in reducing the response time significantly (e.g., within 9 ms to verify a cloud of 100,000 VMs and up to 99.9% reduction in response time).
Acknowledgement
We thank the anonymous reviewers for their insightful comments. This work is partially supported by the Natural Sciences and Engineering Research Council of Canada and Ericsson Canada under CRD Grant N01823 and by PROMPT Quebec.
Appendices
A Guideline to Adapt to Other Cloud Platforms
Our solution interacts with the cloud platform (e.g., while collecting logs and intercepting runtime events) through two modules: the pre-processor and the interceptor. These two modules need to interpret implementation-specific event instances and to intercept runtime events. First, to interpret platform-specific event instances as generic event types, we currently maintain a mapping of the APIs from different platforms. Table 4 lists some examples of such mappings. Second, the interception mechanism may need to be implemented for each cloud platform. In OpenStack, we leverage WSGI middleware to intercept requests and enforce the proactive auditing results so that compliance can be preserved. Through our preliminary study, we identified that almost all major platforms provide an option to intercept cloud events. In Amazon AWS, developers can write their own code as AWS Lambda functions to intercept and monitor events. Google GCP introduces GCP Metrics to configure charting or alerting for different critical situations. Our understanding is that our solution can be integrated into GCP as one of the metrics, similarly to the dos_intercept_count metric, which is intended to prevent DoS attacks. The Azure Event Grid is an event management service from Azure to monitor and control event routing, which is quite similar to our interception mechanism. Therefore, we believe that our solution can be an extension of the Azure Event Grid to proactively audit cloud events. Tables 4 and 5 present the necessary mappings to be used for extending our approach from OpenStack to other cloud platforms. The remaining modules of our solution deal with platform-independent data, and hence the next steps in our solution are platform-agnostic.
B Performance of the Cache Implementation
Figure 12 illustrates the response time in case of a cache hit (when the runtime parameters are found in the implemented cache memory) and the additional delay for a cache miss (when the requested parameters are not in the cache memory) for Patron and Congress, respectively. In Fig. 12(a), for different cache sizes, we observe a quasi-constant response time (less than one millisecond) for Patron with our framework, and an additional delay for a cache miss of up to four milliseconds. Figure 12(b) shows the results of a similar experiment for Congress with our framework, where a cache hit causes a further improvement in the response time, but a cache miss may cause up to 137 ms of delay. Overall, the results show that the response time can be even less than one millisecond in the best case, and in the worst case (when the prediction is incorrect) Proactivizer will have no effect on those applications. However, for most cases (around 85.5% of the time), Proactivizer can keep their response time within ten milliseconds.
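As an added illustration (not the paper's or OpenStack's code) of the interception and cache behaviour described in Appendices A and B: a WSGI middleware that maps platform-specific API requests to generic event types, answers from a pre-computed verdict on a cache hit, falls back to the black-box verifier on a cache miss, and pre-computes the verdict for the dependent event predicted to follow. The API paths, the event mapping, the dependency relationship, the VM quota policy and the use of the X-Project-Id header are constructed assumptions, not values from the paper.

```python
import json
# Constructed mapping of platform-specific API calls to generic event types.
EVENT_MAP = {("POST", "/v2.1/servers"): "create_vm",
             ("PUT", "/v2.0/security-groups"): "update_sg"}
# Constructed dependency relationship: which event is likely to follow which.
NEXT_EVENT = {"create_vm": "update_sg"}

def blackbox_verifier(event, tenant, state):
    """Stand-in for an existing verifier used as a black box; constructed policy: quota on VMs."""
    if event == "create_vm":
        return state["vm_count"].get(tenant, 0) < state["quota"]
    return True

class Proactivizer:
    def __init__(self, app, state):
        self.app, self.state, self.cache = app, state, {}   # cache: (event, tenant) -> verdict
        self.hits = self.misses = 0

    def precompute(self, event, tenant):
        """Proactive step: verify a predicted event before it is actually requested."""
        self.cache[(event, tenant)] = blackbox_verifier(event, tenant, self.state)

    def __call__(self, environ, start_response):
        event = EVENT_MAP.get((environ["REQUEST_METHOD"], environ["PATH_INFO"]))
        if event is None:                  # not a security-relevant event: pass through
            return self.app(environ, start_response)
        tenant = environ.get("HTTP_X_PROJECT_ID", "")
        if (event, tenant) in self.cache:  # cache hit: no verifier call on the request path
            self.hits += 1
            verdict = self.cache.pop((event, tenant))   # single use; state changes after the event
        else:                              # cache miss: fall back to synchronous verification
            self.misses += 1
            verdict = blackbox_verifier(event, tenant, self.state)
        if not verdict:
            start_response("403 Forbidden", [("Content-Type", "application/json")])
            return [json.dumps({"error": "policy violation", "event": event}).encode()]
        if event in NEXT_EVENT:            # pre-compute the dependent event likely to come next
            self.precompute(NEXT_EVENT[event], tenant)
        return self.app(environ, start_response)

def backend(environ, start_response):      # constructed stand-in for the cloud API service
    start_response("202 Accepted", [])
    return [b"{}"]

def send(mw, method, path, tenant):
    """Drive the middleware with a minimal constructed WSGI environ; return the status line."""
    status = []
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_X_PROJECT_ID": tenant}
    list(mw(environ, lambda s, h: status.append(s)))
    return status[0]
```

The hit and miss counters expose which requests were served from pre-computed verdicts and which had to wait for the verifier, mirroring the two cases measured in Fig. 12.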
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Majumdar, S. et al. (2019). Proactivizer: Transforming Existing Verification Tools into Efficient Solutions for Runtime Security Enforcement. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science, vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_12
DOI: https://doi.org/10.1007/978-3-030-29962-0_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29961-3
Online ISBN: 978-3-030-29962-0