From Modelization to Deployment
Security for Virtualized Distributed Systems
Arnaud Lefray (Qirinus - Inria)
Workshop SEC2, 4 July 2016
Thesis defended on 3 November 2015
Supervised by: Eddy Caron, Christian Toinard, Jonathan Rouzaud-Cornabas
Carried out in the teams: Avalon - LIP - ENS Lyon; SDS - LIFO - INSA CVL
Context
2/45 A data breach story
TalkTalk: a Cloud provider for businesses
▶ Date: October 21st, 2015
▶ Number of stolen records: 4 million
▶ Data types:
  ▶ personal info (names, addresses, dates of birth)
  ▶ contact info (email addresses, phone numbers)
  ▶ financial info (credit card, bank details)
▶ Hacker profile: 15-year-old Irish teen
▶ Consequences: 10% share value drop
▶ Previous breach: August 2015
3/45 Growing security breaches
▶ 2015 average cost per breach: $3.79 million
▶ 2015 average cost per stolen record: $154
4/45 From on-premise to Cloud
Traditional model: data and services hosted on-premise.
Cloud model: one resources/services provider for multiple clients. 93% of organizations are running or experimenting with Cloud [RightScale2015].
▶ Economic benefits
▶ Automatic management
▶ Loss of control
▶ Security complexification
5/45 Cloud and Virtualization
Cloud characteristics
▶ On-demand resources
▶ Infinite resources
▶ Pay per use
▶ Multitenant provisioning
Key technology: virtualization, i.e., virtual resources sharing real resources.
6/45 Security Issues
Traditional model
▶ Threats: external
▶ Problems: oversight, lack of expertise, misconfiguration (an IT staff managing security "by hand": configuration, etc.)
Cloud model
▶ Threats: external, internal (multitenancy)
▶ Problems: currently, the same as in the traditional model
7/45 What to Secure?
Virtualized Distributed Systems: the vast majority of applications are distributed systems.
▶ Data
▶ Processes/Services
▶ VM
▶ Network
8/45 Cloud Security: Problem
Problem: how to provide trusted end-to-end security of virtualized distributed systems?
▶ Transversal: secure from endpoints to services
▶ In-depth: secure all layers
▶ Temporal: secure the whole lifecycle
Proposition: automatic security enforcement
▶ User-centric approach
▶ Bridge the gap between the user's security specification skills and the complex configurations of security mechanisms
▶ Distributed security with heterogeneous mechanisms
9/45 The Seed4C Celtic+ European Project
▶ 17 partners from 4 countries: France, Finland, Spain, South Korea
▶ From Apr. 2012 to Feb. 2015
10/45 The Seed4C Celtic+ European Project – Logical Architecture
Idea: build a secure Cloud with cooperative points of enforcement.
11/45 My Thesis: From Modelization To Deployment
Contributions
13/45 My Thesis – Modelization
14/45 Modelization - Why and What?
Why?
▶ To apply algorithms (e.g., verification)
▶ To automate security configuration
▶ To automate application deployment
What? [figure: 3D printer]
15/45 What is Security?
Security policy: what it means to be secure. Defined by security properties.
Security properties
▶ Confidentiality: absence of unauthorized disclosure
▶ Integrity: absence of unauthorized alteration
▶ Isolation: confidentiality + integrity
▶ Availability: absence of denial of use
16/45 What Security Model?
Q. Can I read document File?
Access Control
▶ A. Yes, access is granted.
▶ Explicit permissions, implicit flows
Information Flow Control
▶ A. Depends on previous flows.
▶ Implicit permissions, explicit flows
"Access control checks place restrictions on the release of information but not its propagation."
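The slide's question ("Can I read document File?") gets two different answers because the two models consult different state. The following added example (not from the talk; subjects, objects and the two-level High/Low lattice are constructed for illustration) runs one scenario through both: an access-control matrix grants each request in isolation, while an information-flow monitor raises a process's label on every read and refuses a later write that would carry High data into a Low object. Under access control, a subject without permission on Secret still ends up reading its contents through File, which is the propagation the quote refers to.

```python
"""Access control vs. information flow control on the same three requests.

Added example, not code from the talk or from Sam4C. Subjects (alice, bob),
objects (Secret, File), the ACL and the labels are constructed for the demo.
"""
from dataclasses import dataclass, field

HIGH, LOW = "High", "Low"   # two-level lattice; High must never flow to Low

# Access-control matrix: explicit permissions per (subject, object).
ACL = {
    ("alice", "Secret"): {"read"},
    ("alice", "File"): {"read", "write"},
    ("bob", "File"): {"read"},          # bob has no permission on Secret
}

# Security labels on objects, used only by the information-flow monitor.
LABELS = {"Secret": HIGH, "File": LOW}


def lub(a, b):
    """Least upper bound in the two-level lattice."""
    return HIGH if HIGH in (a, b) else LOW


def ac_allows(subject, obj, op):
    """Access control: answer from the matrix alone; no history is consulted."""
    return op in ACL.get((subject, obj), set())


@dataclass
class Process:
    name: str
    label: str = LOW                          # lub of everything read so far
    history: list = field(default_factory=list)


def ifc_read(proc, obj):
    """Reading is always allowed but taints the process with the object's label."""
    proc.label = lub(proc.label, LABELS[obj])
    proc.history.append(("read", obj))
    return True


def ifc_write(proc, obj):
    """Writing is allowed only if the process label may flow to the object's
    label (no write-down). The answer therefore depends on previous reads."""
    if proc.label == HIGH and LABELS[obj] == LOW:
        proc.history.append(("write-denied", obj))
        return False
    proc.history.append(("write", obj))
    return True


def run_scenario():
    """alice reads Secret, writes File, then bob reads File.
    Returns (access-control answers, information-flow answers, alice's label)."""
    ac = {
        "alice reads Secret": ac_allows("alice", "Secret", "read"),
        "alice writes File": ac_allows("alice", "File", "write"),
        "bob reads File": ac_allows("bob", "File", "read"),
    }
    alice, bob = Process("alice"), Process("bob")
    ifc = {
        "alice reads Secret": ifc_read(alice, "Secret"),
        "alice writes File": ifc_write(alice, "File"),   # refused: alice is High
        "bob reads File": ifc_read(bob, "File"),          # File still holds only Low data
    }
    return ac, ifc, alice.label


if __name__ == "__main__":
    ac, ifc, label = run_scenario()
    for step in ac:
        print(f"{step:20}  AC={str(ac[step]):5}  IFC={ifc[step]}")
    print("alice's label after the run:", label)
```

With access control every step is granted, so Secret's contents reach bob through File even though bob was never given read on Secret. With information-flow control the second step is refused because of the first one, which is what "depends on previous flows" means on the slide.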
17/45 Model-driven Security - Lack of suitable models
Existing models – Nguyen et al. [APSEC2013]
▶ Specific, isolated security concerns (not all security properties)
▶ Lack of formality
▶ Incomplete integrated approach (automation, process integration, etc.)
Problem: no models for information flow properties on virtualized distributed systems.
18/45 Sam4C - Security Aware Models for Clouds
Solution: a unified security-aware metamodel, Sam4C.
19/45 Unified Model – Metamodelisation
Metamodel (model of models): reducing complex programming tasks by
▶ abstracting system-specific constraints
▶ providing automatic transformation
20/45 UseCase: Airport Management
▶ Industrial use case (Ikusi company)
▶ n-tier application (standard for building enterprise software)
21/45 Application Model Entities
▶ Client VM
▶ Domain (Madrid)
▶ AppDomain (System): Service (SSH) – Data (Logs)
22/45 Application Model Entities (cont'd)
▶ VNet (Intranet)
▶ Composition: VM and AppDom
23/45 UseCase: Application Model [figure]
24/45 UseCase – Security Constraints
70 properties for the AirportContentManager use case, for example:
▶ Integrity property: Musik MAD application logs can only be modified by the Musik MAD service.
▶ Isolation property: the whole AirportContentManager framework is isolated from any other tenant in the hosting virtualized infrastructure.
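To make the modelization slides (18/45 to 24/45) concrete, here is an added example, not Sam4C code and not the Ikusi model: a small Python model of the use case's entities (Domain, VM, AppDomain, Service, Data, VNet) with composition and attachment edges, plus a check of the two properties quoted above as properties of the model rather than of a running system. Entity names taken from the slides are Madrid, Client VM, System, SSH, Logs, Intranet and Musik MAD; the hosting VM "AppVM", the "MusikMADApp" AppDomain, its "MusikMADLogs" data, the second tenant "OtherTenant" and the two optional violations (SSH writing the Musik MAD logs, the other tenant's VM attached to Intranet) are assumptions added for the demonstration.

```python
"""Model-level check of an integrity and an isolation property over an
application model of the AirportContentManager use case.

Added example: this is not Sam4C and not Ikusi's model. Names from the
slides: Madrid, ClientVM, System, SSH, Logs, Intranet, MusikMAD.
Assumed for the demo: AppVM, MusikMADApp, MusikMADLogs, OtherTenant,
OtherVM, OtherNet and the two injected violations.
"""
from collections import defaultdict, deque


class Model:
    """Entities with a kind, a composition tree and VM<->VNet attachments."""

    def __init__(self):
        self.kind = {}                    # entity -> Domain|VM|AppDomain|Service|Data|VNet
        self.contains = defaultdict(set)  # parent -> children (composition)
        self.attached = defaultdict(set)  # VM <-> VNet, stored in both directions
        self.writes = set()               # (service, data) write flows

    def add(self, name, kind, parent=None):
        self.kind[name] = kind
        if parent is not None:
            self.contains[parent].add(name)

    def attach(self, vm, vnet):
        self.attached[vm].add(vnet)
        self.attached[vnet].add(vm)

    def write(self, service, data):
        self.writes.add((service, data))

    def domain_of(self, entity):
        """Walk the composition tree up to the tenant Domain."""
        parent = {c: p for p, cs in self.contains.items() for c in cs}
        while self.kind[entity] != "Domain":
            entity = parent[entity]
        return entity

    def reachable_vms(self, vm):
        """VMs reachable from vm through shared VNets (transitively)."""
        seen, todo = set(), deque([vm])
        while todo:
            node = todo.popleft()
            if node in seen:
                continue
            seen.add(node)
            todo.extend(self.attached[node])
        return {n for n in seen if self.kind[n] == "VM"}


def check_integrity(model, data, allowed_service):
    """Integrity: `data` may only be written by `allowed_service`.
    Returns the offending services (empty list = property holds)."""
    return sorted(s for s, d in model.writes if d == data and s != allowed_service)


def check_isolation(model, domain):
    """Isolation: no VM of `domain` shares a network path with another tenant's VM.
    Returns the offending (own VM, foreign VM) pairs (empty list = property holds)."""
    own = [v for v, k in model.kind.items() if k == "VM" and model.domain_of(v) == domain]
    leaks = {(v, o) for v in own for o in model.reachable_vms(v)
             if model.domain_of(o) != domain}
    return sorted(leaks)


def build_model(inject_write_violation=False, share_intranet=False):
    m = Model()
    m.add("Madrid", "Domain")                          # the AirportContentManager tenant
    m.add("ClientVM", "VM", "Madrid")
    m.add("AppVM", "VM", "Madrid")                     # assumed VM hosting the app tiers
    m.add("System", "AppDomain", "AppVM")
    m.add("SSH", "Service", "System")
    m.add("Logs", "Data", "System")
    m.add("MusikMADApp", "AppDomain", "AppVM")         # assumed AppDomain
    m.add("MusikMAD", "Service", "MusikMADApp")
    m.add("MusikMADLogs", "Data", "MusikMADApp")       # assumed data entity
    m.add("Intranet", "VNet")
    m.attach("ClientVM", "Intranet")
    m.attach("AppVM", "Intranet")
    m.write("SSH", "Logs")
    m.write("MusikMAD", "MusikMADLogs")
    if inject_write_violation:                         # assumed misconfiguration
        m.write("SSH", "MusikMADLogs")
    m.add("OtherTenant", "Domain")                     # assumed second tenant
    m.add("OtherVM", "VM", "OtherTenant")
    m.add("OtherNet", "VNet")
    m.attach("OtherVM", "Intranet" if share_intranet else "OtherNet")
    return m


def verify(model):
    return {
        "integrity_violators": check_integrity(model, "MusikMADLogs", "MusikMAD"),
        "isolation_leaks": check_isolation(model, "Madrid"),
    }


if __name__ == "__main__":
    print("clean model:    ", verify(build_model()))
    print("violating model:", verify(build_model(True, True)))
```

Both checks run on the model before anything is deployed, which is the point of slide 14/45: once the application is a model, verification is an algorithm over its entities and edges, and the same model can later drive configuration of the mechanisms that enforce the properties.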