Proactive Verification of Security Compliance for Clouds Through Pre-computation: Application to OpenStack

  • Suryadipta MajumdarEmail author
  • Yosr Jarraya
  • Taous Madi
  • Amir Alimohammadifar
  • Makan Pourzandi
  • Lingyu Wang
  • Mourad Debbabi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)


The verification of security compliance with respect to security standards and policies is desirable to both cloud providers and users. However, the sheer size of a cloud implies a major challenge to be scalability and in particular response time. Most existing approaches are either after the fact or incur prohibitive delay in processing user requests. In this paper, we propose a scalable approach that can reduce the response time of online security compliance verification in large clouds to a practical level. The main idea is to start preparing for the costly verification proactively, as soon as the system is a few steps ahead of potential operations causing violations. We present detailed models and algorithms, and report real-life experiences and challenges faced while implementing our solution in OpenStack. We also conduct experiments whose results confirm the efficiency and scalability of our approach.


Proactive compliance verification Cloud security Auditing OpenStack 



The authors thank the anonymous reviewers for their valuable comments. This work is partially supported by the Natural Sciences and Engineering Research Council of Canada and Ericsson Canada under CRD Grant N01566.


  1. 1.
    Bellare, M., Yee, B.: Forward integrity for secure audit logs. Technical report, Citeseer (1997)Google Scholar
  2. 2.
    Bleikertz, S., Vogel, C., Groß, T.: Cloud radar: near real-time detection of security failures in dynamic virtualized infrastructures. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014 (2014)Google Scholar
  3. 3.
    Bleikertz, S., Vogel, C., Groß, T., Mödersheim, S.: Proactive security analysis of changes in virtualized infrastructure. In: Proceedings of the 31st Annual Computer Security Applications Conference, ACSAC 2015 (2015)Google Scholar
  4. 4.
    Cloud Auditing Data Federation: pyCADF: A Python-based CADF library (2015).
  5. 5.
    Cloud Security Alliance: Security guidance for critical areas of focus in cloud computing v3.0 (2011)Google Scholar
  6. 6.
    Cloud Security Alliance: Cloud control matrix CCM v3.0.1.
  7. 7.
    Cloud Security Alliance: CSA STAR program and open certification framework in 2016 and beyond (2016).
  8. 8.
    Data Center Knowledge: Survey one-third of cloud users’ clouds are private, heavily OpenStack (2015).
  9. 9.
    Dolzhenko, E., Ligatti, J., Reddy, S.: Modeling runtime enforcement with mandatory results automata. Int. J. Inf. Secur. (2014)Google Scholar
  10. 10.
    Foley, S.N., Neville, U.: A firewall algebra for openstack. In: IEEE Conference on Communications and Network Security (CNS) (2015)Google Scholar
  11. 11.
    Ibrahim, A.S., Hamlyn-Harris, J., Grundy, J., Almorsy, M.: CloudSec: a security monitoring appliance for virtual machines in the IaaS cloud model. In: 5th International Conference on Network and System Security (NSS) (2011)Google Scholar
  12. 12.
    ISO Std IEC. ISO 27017: Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services (DRAFT) (2012).
  13. 13.
    Kazemian, P., Chang, M., Zeng, H., Varghese, G., McKeown, N., Whyte, S.: Real time network policy checking using header space analysis. In: Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2013) (2013)Google Scholar
  14. 14.
    Khurshid, A., Zou, X., Zhou, W., Caesar, M., Godfrey, P.B.: VeriFlow: verifying network-wide invariants in real time. In: Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2013) (2013)Google Scholar
  15. 15.
    Ligatti, J., Bauer, L., Walker, D.: Run-time enforcement of nonsafety policies. ACM Trans Inf. Syst. Secur. (TISSEC) 12, 19 (2009)CrossRefGoogle Scholar
  16. 16.
    Ligatti, J., Reddy, S.: A theory of runtime enforcement, with results. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 87–100. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  17. 17.
    Madi, T., Majumdar, S., Wang, Y., Jarraya, Y., Pourzandi, M., Wang, L.: Auditing security compliance of the virtualized infrastructure in the cloud: application to OpenStack. In: Proceedings of the Sixth ACM on Conference on Data and Application Security and Privacy (CODASPY) (2016)Google Scholar
  18. 18.
    Majumdar, S., Madi, T., Wang, Y., Jarraya, Y., Pourzandi, M., Wang, L., Debbabi, M.: Security compliance auditing of identity and access management in the cloud: application to OpenStack. In: IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom) (2015)Google Scholar
  19. 19.
    Narain, S.: Network configuration management via model finding. In: Proceedings of the 19th Conference on Large Installation System Administration Conference, LISA 2005 (2005)Google Scholar
  20. 20.
    OpenStack: Neutron firewall rules bypass through port update.
  21. 21.
    OpenStack: OpenStack Congress.
  22. 22.
    OpenStack: OpenStack open source cloud computing software.
  23. 23.
  24. 24.
  25. 25.
  26. 26.
    Payne, B.D., Carbone, M., Sharif, M., Lee, W.: Lares: an architecture for secure active monitoring using virtualization. In: IEEE Symposium on Security and Privacy (SP 2008) (2008)Google Scholar
  27. 27.
    Petcu, D., Craciun, C.: Towards a security SLA-based cloud monitoring service. In: Proceedings of the 4th International Conference on Cloud Computing and Services Science (2014)Google Scholar
  28. 28.
    Sandhu, R., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Comput. 29, 38–47 (1996)CrossRefGoogle Scholar
  29. 29.
    Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. (TISSEC) 3, 30–50 (2000)CrossRefGoogle Scholar
  30. 30.
    Solanas, M., Hernandez-Castro, J., Dutta, D.: Detecting fraudulent activity in a cloud using privacy-friendly data aggregates. Technical report, arXiv preprint (2014)Google Scholar
  31. 31.
    Tamura, N., Banbara, M.: Sugar: a CSP to SAT translator based on order encoding. In: Proceedings of the Second International CSP Solver Competition (2008)Google Scholar
  32. 32.
    Tang, B., Sandhu, R.: Extending OpenStack access control with domain trust. In: Au, M.H., Carminati, B., Kuo, C.-C.J. (eds.) NSS 2014. LNCS, vol. 8792, pp. 54–69. Springer, Heidelberg (2014)Google Scholar
  33. 33.
    Zhang, T., Lee, R.B.: Cloudmonatt: an architecture for security health monitoring and attestation of virtual machines in cloud computing. In: ACM/IEEE 42nd Annual International Symposium on Computer Architecture (ISCA) (2015)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Suryadipta Majumdar
    • 1
    Email author
  • Yosr Jarraya
    • 2
  • Taous Madi
    • 1
  • Amir Alimohammadifar
    • 1
  • Makan Pourzandi
    • 2
  • Lingyu Wang
    • 1
  • Mourad Debbabi
    • 1
  1. 1.CIISEConcordia UniversityMontrealCanada
  2. 2.Ericsson Security Research, Ericsson CanadaMontrealCanada

Personalised recommendations