
ISOTOP: Auditing Virtual Networks Isolation Across Cloud Layers in OpenStack

Published: 23 October 2018

Abstract

Multi-tenancy in the cloud is a double-edged sword. While it enables cost-effective resource sharing, it increases the security risks for hosted applications. Indeed, multiplexing virtual resources belonging to different tenants on the same physical substrate may lead to critical security concerns such as cross-tenant data leakage and denial of service. In particular, virtual network isolation failures are among the foremost security concerns in the cloud. To address them, automated tools are needed to verify that security mechanisms comply with the relevant security policies and standards. However, auditing virtual network isolation is challenging because of the dynamic and layered nature of the cloud. In particular, inconsistencies in network isolation mechanisms across cloud-stack layers, namely the infrastructure management layer and the implementation layer, may lead to virtual network isolation breaches that are undetectable at any single layer. In this article, we propose an offline automated framework for auditing consistent isolation between virtual networks in an OpenStack-managed cloud, spanning the overlay and layer 2, by considering both cloud layers' views. To capture the semantics of the audited data and its relation to the consistent-isolation requirement, we devise a multi-layered model for the data related to each cloud-stack layer's view. Furthermore, we integrate our auditing system into OpenStack and present experimental results on assessing several properties related to virtual network isolation and consistency. Our results show that our approach can detect virtual network isolation breaches in large OpenStack-based data centers in reasonable time.
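The abstract's central point, that an isolation breach can be invisible when each cloud-stack layer is checked on its own and only appears when the management layer's view is joined with the implementation layer's view, is illustrated by the following added example. It is not ISOTOP's code or the paper's model: the two views, the sample data and the property names are constructed for this illustration, loosely modelled on how Neutron records networks and ports (segmentation id per network) and how a compute host's virtual switch realises them (a local layer-2 VLAN tag per port, mapped to an overlay tunnel id).

```python
"""Cross-layer consistency audit for virtual network isolation (added example).

Two constructed views of one compute host. The management view is what the
controller believes; the implementation view is what the host's virtual
switch actually does. Neither view is wrong by itself; the breach is in the
join between them.
"""
from collections import defaultdict

# Management-layer view (constructed sample; shaped like Neutron objects)
MGMT_NETWORKS = {
    "net-a": {"tenant": "tenant-A", "segmentation_id": 100},
    "net-b": {"tenant": "tenant-B", "segmentation_id": 200},
    "net-c": {"tenant": "tenant-C", "segmentation_id": 300},
}
MGMT_PORTS = {
    "port-1": {"network": "net-a", "host": "compute1"},
    "port-2": {"network": "net-b", "host": "compute1"},
    "port-3": {"network": "net-c", "host": "compute1"},
    "port-4": {"network": "net-a", "host": "compute1"},
}

# Implementation-layer view on compute1 (constructed sample)
# port -> local VLAN tag on the integration bridge (layer 2)
IMPL_PORT_TAG = {"port-1": 1, "port-2": 2, "port-3": 3, "port-4": 1}
# local VLAN tag -> tunnel id used on the overlay (assumed misconfiguration:
# tag 3 should carry tunnel id 300 but is wired to 200)
IMPL_TAG_VNI = {1: 100, 2: 200, 3: 200}


def single_layer_checks(networks, ports, port_tag, tag_vni):
    """Checks that consult ONE layer each. Both pass on the sample data,
    which is the point: the breach is not visible at a single layer."""
    problems = []
    # management layer: every network has a distinct segmentation id
    ids = [n["segmentation_id"] for n in networks.values()]
    if len(ids) != len(set(ids)):
        problems.append(("mgmt", "duplicate segmentation id"))
    # implementation layer: every tagged port has an overlay mapping
    for port, tag in port_tag.items():
        if tag not in tag_vni:
            problems.append(("impl", f"{port}: tag {tag} has no tunnel mapping"))
    return problems


def cross_layer_audit(networks, ports, port_tag, tag_vni):
    """Joins both views and reports violations of three assumed properties:
    mgmt_impl_mismatch, shared_local_tag, cross_tenant_vni."""
    violations = []
    tenants_on_vni = defaultdict(set)
    for port, info in ports.items():
        net = networks[info["network"]]
        expected_vni = net["segmentation_id"]
        tag = port_tag.get(port)
        if tag is None:
            violations.append(("unmapped_port", port))
            continue
        actual_vni = tag_vni.get(tag)
        # the overlay id the port really gets must equal the one the controller assigned
        if actual_vni != expected_vni:
            violations.append(("mgmt_impl_mismatch", port, expected_vni, actual_vni))
        if actual_vni is not None:
            tenants_on_vni[actual_vni].add(net["tenant"])
    # layer 2 on the host: ports sharing a local tag must belong to one network
    nets_per_tag = defaultdict(set)
    for port, tag in port_tag.items():
        nets_per_tag[tag].add(ports[port]["network"])
    for tag, nets in sorted(nets_per_tag.items()):
        if len(nets) > 1:
            violations.append(("shared_local_tag", tag, tuple(sorted(nets))))
    # overlay: a tunnel id reachable by several tenants is a cross-tenant breach
    for vni, tenants in sorted(tenants_on_vni.items()):
        if len(tenants) > 1:
            violations.append(("cross_tenant_vni", vni, tuple(sorted(tenants))))
    return violations


if __name__ == "__main__":
    print("single-layer:", single_layer_checks(MGMT_NETWORKS, MGMT_PORTS, IMPL_PORT_TAG, IMPL_TAG_VNI))
    for v in cross_layer_audit(MGMT_NETWORKS, MGMT_PORTS, IMPL_PORT_TAG, IMPL_TAG_VNI):
        print("VIOLATION", v)
```

On the sample data the single-layer checks report nothing, while the joined audit flags port-3 as carrying tunnel id 200 instead of 300 and, as a consequence, tenant-B and tenant-C sharing overlay segment 200. A real auditor would populate the two views from the controller's database and from the hosts' switch state rather than from literals, but the join and the properties are the same.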
