
ISOTOP: Auditing Virtual Networks Isolation Across Cloud Layers in OpenStack

Published: 23 October 2018

Abstract

Multi-tenancy in the cloud is a double-edged sword. While it enables cost-effective resource sharing, it increases security risks for the hosted applications. Indeed, multiplexing virtual resources belonging to different tenants on the same physical substrate may lead to critical security concerns such as cross-tenant data leakage and denial of service. In particular, virtual network isolation failures are among the foremost security concerns in the cloud. To remedy these, automated tools are needed to verify that security mechanisms comply with the relevant security policies and standards. However, auditing virtual network isolation is challenging due to the dynamic and layered nature of the cloud. In particular, inconsistencies in network isolation mechanisms across cloud-stack layers, namely the infrastructure management layer and the implementation layer, may lead to virtual network isolation breaches that are undetectable at any single layer. In this article, we propose an offline automated framework for auditing consistent isolation between virtual networks in an OpenStack-managed cloud, spanning the overlay and layer 2, by considering both cloud layers' views. To capture the semantics of the audited data and its relation to the consistent-isolation requirement, we devise a multi-layered model of the data related to each cloud-stack layer's view. Furthermore, we integrate our auditing system into OpenStack and present experimental results on assessing several properties related to virtual network isolation and consistency. Our results show that our approach can successfully detect virtual network isolation breaches in large OpenStack-based data centers in reasonable time.




Published In

ACM Transactions on Privacy and Security, Volume 22, Issue 1 (February 2019), 226 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3287762
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Received: 01 March 2017
Revised: 01 May 2018
Accepted: 01 August 2018
Published: 23 October 2018
Published in TOPS Volume 22, Issue 1


Author Tags

1. Cloud
2. compliance verification
3. consistency
4. network isolation
5. OpenStack
6. security
7. virtual infrastructure

Qualifiers

• Research-article
• Research
• Refereed


Cited By

• (2023) VeriReach: A Formally Verified Algorithm for Reachability Analysis in Virtual Private Cloud Networks. 2023 IEEE International Conference on Web Services (ICWS), 71-77. DOI: 10.1109/ICWS60048.2023.00022. Online publication date: Jul-2023.
• (2022) A Survey of Practical Formal Methods for Security. Formal Aspects of Computing 34(1), 1-39. DOI: 10.1145/3522582. Online publication date: 5-Jul-2022.
• (2022) Cross-VM Network Channel Attacks and Countermeasures Within Cloud Computing Environments. IEEE Transactions on Dependable and Secure Computing 19(3), 1783-1794. DOI: 10.1109/TDSC.2020.3037022. Online publication date: 1-May-2022.
• (2022) MLFM: Machine Learning Meets Formal Method for Faster Identification of Security Breaches in Network Functions Virtualization (NFV). Computer Security – ESORICS 2022, 466-489. DOI: 10.1007/978-3-031-17143-7_23. Online publication date: 24-Sep-2022.
• (2021) VeriNeS. Proceedings of the 36th Annual ACM Symposium on Applied Computing, 1138-1146. DOI: 10.1145/3412841.3441988. Online publication date: 22-Mar-2021.
• (2021) Strategizing secured image storing and efficient image retrieval through a new cloud framework. Journal of Network and Computer Applications 192:C. DOI: 10.1016/j.jnca.2021.103167. Online publication date: 15-Oct-2021.
• (2021) NFV security survey in 5G networks. Computer Networks: The International Journal of Computer and Telecommunications Networking 197:C. DOI: 10.1016/j.comnet.2021.108288. Online publication date: 9-Oct-2021.
• (2021) Big data in cybersecurity: a survey of applications and future trends. Journal of Reliable Intelligent Environments 7(2), 85-114. DOI: 10.1007/s40860-020-00120-3. Online publication date: 6-Jan-2021.
• (2021) Security Auditing of Internet of Things Devices in a Smart Home. Advances in Digital Forensics XVII, 213-234. DOI: 10.1007/978-3-030-88381-2_11. Online publication date: 15-Oct-2021.
• (2019) Modeling NFV Deployment to Identify the Cross-Level Inconsistency Vulnerabilities. 2019 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), 167-174. DOI: 10.1109/CloudCom.2019.00034. Online publication date: Dec-2019.
