Security for Virtualized Distributed Systems Thse soutenue le 3 - - PowerPoint PPT Presentation

Security for Virtualized Distributed Systems

From Modelization to Deployment

.

Arnaud Lefray Workshop SEC2 - 4 Juillet 2016 Qirinus - Inria

Thèse soutenue le 3 Novembre 2015 Sous la direction de : Réalisée dans les équipes : Eddy Caron, Avalon - LIP - ENS Lyon Christian Toinard, SDS - LIFO - INSA CVL Jonathan Rouzaud-Cornabas

Context .

A data breach story .

▶ Date: October 21st. 2015 ▶ Nb stolen records: 4 million ▶ Data types:

▶ personal infos (names, addresses, dates of birth) ▶ contact infos (email addresses, phone numbers) ▶ financial infos (credit card, bank details)

Hacker profile: 15 years old irish teen. Consequences: 10% share value drop. Previous breach: August 2015 TalkTalk: a Cloud provider for businesses

2/45

A data breach story .

▶ Date: October 21st. 2015 ▶ Nb stolen records: 4 million ▶ Data types:

▶ personal infos (names, addresses, dates of birth) ▶ contact infos (email addresses, phone numbers) ▶ financial infos (credit card, bank details)

▶ Hacker profile: 15 years old irish teen. ▶ Consequences: 10% share value drop. ▶ Previous breach: August 2015

TalkTalk: a Cloud provider for businesses

2/45

A data breach story .

▶ Date: October 21st. 2015 ▶ Nb stolen records: 4 million ▶ Data types:

▶ personal infos (names, addresses, dates of birth) ▶ contact infos (email addresses, phone numbers) ▶ financial infos (credit card, bank details)

▶ Hacker profile: 15 years old irish teen. ▶ Consequences: 10% share value drop. ▶ Previous breach: August 2015

TalkTalk: a Cloud provider for businesses

2/45

Growing security breaches .

2015 Average cost per breach: $3.79 million 2015 Average cost per stolen record: $154

3/45

Growing security breaches .

2015 Average cost per breach: $3.79 million 2015 Average cost per stolen record: $154

3/45

From on-premise to Cloud .

Traditional model Data and services hosted

• n-premise

Cloud model 1 resources/services provider for multiple clients

93% of organizations are running/experimenting Cloud. [RightScale2015]

Economical benefits Automatic management Loss of control Security complexification

4/45

From on-premise to Cloud .

Traditional model Data and services hosted

• n-premise

Cloud model 1 resources/services provider for multiple clients

93% of organizations are running/experimenting Cloud. [RightScale2015]

▶ Economical benefits ▶ Automatic management ▶ Loss of control ▶ Security complexification 4/45

Cloud and Virtualization .

Cloud Characteristics

▶ On-demand resources

Infinite resources Pay per use Multitenant provisioning Key technology: Virtualization Virtual resources sharing real resources

5/45

Cloud and Virtualization .

Cloud Characteristics

▶ On-demand resources ▶ Infinite resources

Pay per use Multitenant provisioning Key technology: Virtualization Virtual resources sharing real resources

5/45

Cloud and Virtualization .

Cloud Characteristics

▶ On-demand resources ▶ Infinite resources ▶ Pay per use

Multitenant provisioning Key technology: Virtualization Virtual resources sharing real resources

5/45

Cloud and Virtualization .

Cloud Characteristics

▶ On-demand resources ▶ Infinite resources ▶ Pay per use ▶ Multitenant provisioning

Key technology: Virtualization Virtual resources sharing real resources

5/45

Cloud and Virtualization .

Cloud Characteristics

▶ On-demand resources ▶ Infinite resources ▶ Pay per use ▶ Multitenant provisioning

Key technology: Virtualization Virtual resources sharing real resources

5/45

Security Issues .

Traditional model An IT managing security “by hand” (configuration, etc.) Threats

▶ External

Problems

▶ Oversight ▶ Misconfiguration ▶ Lack of expertise

Cloud model Currently, same as traditional Threats External Internal

Multitenancy 6/45

Security Issues .

Traditional model An IT managing security “by hand” (configuration, etc.) Threats

▶ External

Problems

▶ Oversight ▶ Misconfiguration ▶ Lack of expertise

Cloud model Currently, same as traditional Threats

▶ External ▶ Internal Multitenancy 6/45

What to Secure? .

Virtualized Distributed Systems

▶ Data ▶ Processes/Services ▶ VM ▶ Network

The vast majority of applications are distributed systems

7/45

Cloud Security: Problem .

Problem How to provide a trusted end-to-end security of virtualized distributed systems?

▶ Transversal: secure from endpoints to services ▶ In-depth: secure all layers ▶ Temporal: secure whole lifecycle

Proposition: Automatic security enforcement User-centric approach Bridge the gap between the user’s security specification skills and complex configurations of security mechanisms. Distributed security with heterogeneous mechanisms

8/45

Cloud Security: Problem .

Problem How to provide a trusted end-to-end security of virtualized distributed systems?

▶ Transversal: secure from endpoints to services ▶ In-depth: secure all layers ▶ Temporal: secure whole lifecycle

Proposition: Automatic security enforcement

▶ User-centric approach ▶ Bridge the gap between the user’s security specification

skills and complex configurations of security mechanisms.

▶ Distributed security with heterogeneous mechanisms 8/45

The Seed4C Celtic+ European Project .

17 partners from 4 countries. From Apr. 2012 to Feb. 2015. France Finland Spain . South Korea

9/45

The Seed4C Celtic+ European Project .

17 partners from 4 countries. From Apr. 2012 to Feb. 2015. France Finland Spain . South Korea

9/45

The Seed4C Celtic+ European Project – Logical Architecture .

Idea Build a secure Cloud with cooperative points of enforcement.

10/45

My Thesis: From Modelization To Deployment .

.

11/45

Contributions .

My Thesis – Modelization .

.

13/45

Modelization - Why and What? .

Why?

▶ To apply algorithms (e.g., verification) ▶ To automate security configuration ▶ To automate application deployment 3D Printer

What?

14/45

Modelization - Why and What? .

Why?

▶ To apply algorithms (e.g., verification) ▶ To automate security configuration ▶ To automate application deployment 3D Printer

What?

14/45

What is Security? .

Security Policy What it means to be secure. Defined by security properties Security Properties Confidentiality: Absence of unauthorized disclosure Integrity: Absence of unauthorized alteration Isolation: Confidentiality + Integrity Availability: Absence of denial of use

15/45

What is Security? .

Security Policy What it means to be secure. Defined by security properties Security Properties

▶ Confidentiality: Absence of unauthorized disclosure ▶ Integrity: Absence of unauthorized alteration ▶ Isolation: Confidentiality + Integrity ▶ Availability: Absence of denial of use 15/45

What Security Model? .

• Q. Can I read document File?

Access Control Explicit perms., implicit flows

• A. Yes, access is granted.

Information Flow Control Implicit perms., explicit flows

• A. Depends on previous flows.

Access Control checks place restrictions on the release of information but not its propagation.

16/45

What Security Model? .

• Q. Can I read document File?

Access Control Explicit perms., implicit flows

• A. Yes, access is granted.

Information Flow Control Implicit perms., explicit flows

• A. Depends on previous flows.

Access Control checks place restrictions on the release of information but not its propagation.

16/45

What Security Model? .

• Q. Can I read document File?

Access Control Explicit perms., implicit flows

• A. Yes, access is granted.

Information Flow Control Implicit perms., explicit flows

• A. Depends on previous flows.

Access Control checks place restrictions on the release of information but not its propagation.

16/45

Model-driven Security - Lack of suitable models .

Existing models – Nguyen et al. [APSEC2013]

▶ Specific isolated security concerns (Not all security

properties)

▶ Lack of formality ▶ Incomplete integrated approach (automation,

process-integration, etc.) Problem No Models for Information Flow Properties on Virtualized Distributed Systems

17/45

Sam4C - Security Aware Models for Clouds .

Solution A unified security-aware metamodel: Sam4C

18/45

Unified Model – Metamodelisation .

Metamodel (Model of models) Reducing complex programming tasks by:

▶ abstracting system-specific constraints ▶ providing automatic transformation 19/45

.

UseCase: Airport Management .

▶ Industrial UseCase (Ikusi Company) ▶ n-tier application (Standard for building enterprise software) 20/45

Application Model Entities .

Client VM Domain (Madrid) AppDomain (System): Service (SSH) – Data (Logs)

21/45

Application Model Entities (cont’d) .

VNet (Intranet) Composition VM and AppDom

22/45

UseCase: Application Model .

23/45

UseCase – Security Constraints .

70 properties for the AirportContentManager UseCase. Integrity Property Musik MAD application logs can only be modified by the Musik MAD service. Isolation Property The whole AirportContentManager framework is isolated from any other tenant in the hosting virtualized infrastructure.

24/45

Security Model – Properties .

Context Identifier referring to a (single or) group of entities represented by a list of attributes Integrity Property Secured [, Authorized] Isolation Property Secured [, Authorized] . .

ctxServiceMusikMad

.

ctxLogMusikMad

Integrity(ctxLogMusikMAD,ctxServiceMusikMAD) Isolation({AirportContentManager})

25/45

My Thesis – Formalization .

.

26/45

Security Properties Interpretation .

Problem

▶ What is the definition/interpretation of security

properties? (e.g., Integrity)

▶ How to guarantee that ∑ localConfigs ≡ globalProperty?

(e.g., Isolation) Solution Use a formal language: Logic Unique interpretation Proof of equivalences (global/local)

27/45

Security Properties Interpretation .

Problem

▶ What is the definition/interpretation of security

properties? (e.g., Integrity)

▶ How to guarantee that ∑ localConfigs ≡ globalProperty?

(e.g., Isolation) Solution Use a formal language: Logic

▶ Unique interpretation ▶ Proof of equivalences (global/local) 27/45

Information Flows .

Flows

▶ B read A = (A > B) ▶ B write C = (B > C)

Types of Flows

▶ Direct (e.g., A > B) ▶ Indirect (e.g., A ≫ C) 28/45

IF-PLTL: Information Flow Past Linear Time Logic .

Existing Logics not suitable

▶ Focus on Access Control (and not Information Flow Control) ▶ Do not tackle Indirect Flows (Transitive Closure)

IF-PLTL: a many-sorted first-order temporal logic first-order, Exists/Forall temporal, Condition(s) on past actions many-sorted, 2 sorts: Context (e.g., Alice, File) and Domain (e.g., Admins, Madrid)

29/45

IF-PLTL: Information Flow Past Linear Time Logic .

Existing Logics not suitable

▶ Focus on Access Control (and not Information Flow Control) ▶ Do not tackle Indirect Flows (Transitive Closure)

IF-PLTL: a many-sorted first-order temporal logic

▶ first-order, Exists/Forall ▶ temporal, Condition(s) on past actions ▶ many-sorted, 2 sorts: Context (e.g., Alice, File) and Domain

(e.g., Admins, Madrid)

29/45

Confidentiality, Integrity and Isolation Definitions .

Confidentiality (S,A) (∀ctxx ∈ S)(∀ctxy)(x > y) → (y ∈ S ∪ A) Integrity (S,A) (∀ctxx ∈ S)(∀ctxy)(x < y) → (y ∈ S ∪ A) Isolation (S,A) confidentiality(S, A) ∧ integrity(S, A)

30/45

My Thesis – Preprocessing .

.

31/45

Global/Local Equivalences .

Integrity(S, A) (∀ctxx ∈ S)(∀ctxy)(x > y) → (y ∈ S ∪ A) Given S = S1 ∪ S2 Integrity(S, A) ≡ Integrity(S1, A ∪ S2) ∧ Integrity(S2, A ∪ S1)

32/45

Preprocessing .

. . .

33/45

Preprocessing .

. . . Tenant Input

1 global implicit property: Isolation

Problem

Public should access Proxy 33/45

Preprocessing .

. . . Solution

Use graph connectivity

Result

2 Explicit Isolation Properties

33/45

Preprocessing .

. . . . . Input

1 global explicit property: Isolation

Problem

No solution for Musik_MAD, …, Intranet.

33/45

Preprocessing .

. . . . . Solution

Use global/local equivalences

Result

4 singleton explicit properties

33/45

Preprocessing .

. . . . . Input

1 singleton explicit properties

Problem

No isolation mechanism for mixed VM/VNet e.g., Mysql, Intranet

33/45

Preprocessing .

. . . . Solution

Use typed equivalences

Result

1 Explicit Property = 2 Typed Properties IsolationVM and IsolationVNET

33/45

Deployment .

Problem How to enforce a typed property ? 2 Solutions

▶ Agent-based enforcement ▶ Placement-based enforcement 34/45

My Thesis – Agent-based Enforcement .

.

35/45

My Thesis – Deployment – Agent-based enforcement .

36/45

My Thesis – Deployment – Agent-based enforcement .

36/45

My Thesis – Deployment – Agent-based enforcement .

36/45

My Thesis – Deployment – Agent-based enforcement .

36/45

My Thesis – Deployment – Agent-based enforcement .

36/45

My Thesis – Deployment – Placement-based Enforcement .

.

37/45

Deployment – Placement-based enforcement .

Concerned Properties Properties between VMs (e.g., IsolationVM) Problem: Side/Covert channels Using legal means to exfiltrate information.

▶ AES/RSA key extraction, Activity monitoring , etc. 38/45

Co-residency: An isolation problem .

In 2009, Ristenpart et al. [ACM CCS] demonstrated on EC2:

▶ 40% success co-residency VM ▶ Cross-VM exploits

Mitigation techniques:

▶ Impractical (High overhead) ▶ Application-specific

Remark: Ultimately, we believe that the best solution is simply to expose the risk and placement decisions directly to users.

39/45

Placement-based enforcement .

Proposition Use the micro-architecture in the placement decision to enforce VMs isolation. Micro-architecture Hardware components design Issue

▶ Need cross-VM risk metric 40/45

Exposing the risk: Lack of metrics .

Existing Metrics

▶ Side channel Vulnerability Factor (SVF) ▶ Cache Side channel Vulnerability (CSV)

Limitations

▶ Do not reflect a global risk ▶ Hard to specify in practice

Contribution Risk Metric = Covert channel maximum theoretical bandwidth

41/45

Risk-based Placement .

Information leakage metric (Memory, Cores) + Latencies + attack protocol → Bandwidth Measurements on Grid’5000: O(Kbps). NP-Hard Problem: First-Fit

42/45

Conclusion and Perspectives .

Conclusion – Global Workflow .

44/45

Perspectives - From Research to Industry .

Qirinus Startup Project

▶ Supported by Inria ▶ Started January 2016

Secured application deployment in Clouds

▶ TOSCA based Models for Automatic Deployment ▶ Global Security (Network, Access Control, etc.) ▶ Compliance to security standards (PCI-DSS, NIST 800.53, ...)

Research Agenda

▶ Support for Elastic Apps ▶ Dynamic security reconfiguration ▶ Dynamic adaptation for incident-response scenarios 45/45

Grade .

Quality Level Grade Bitrate Low 20 <6 Kpbs Medium 40 <3 Kbps High 60 <1 Kbps Very High 100 <100 bps Isolation({AirportContentManager}, MEDIUM) Isolation({AirportContentManager}, 40)

45/45

Cache-based Covert Channel – Protocol .

▶ Cached = Small access time = Bit 0 ▶ Flushed = Huge access time = Bit 1

Bandwidth = (latencycached + latencyflushed) 2 × cachesize pagesize

45/45

Cache-based Covert Channel: Does it work? .

Measurements on L2 cache with distinct cores (Grid’5000): 100 bps

45/45

NUMA Topology .

Intel Xeon E5420 QC (shared L2) Intel Xeon E5-2630 (shared L3) Hwloc topologies (http://www.open-mpi.org/projects/hwloc/)

45/45

NUMA Allocation Algorithm .

45/45

Cache latencies .

Tool: lat_mem_rd (lmbench) NUMA arch latencies L1 (1-32KB): 1.43ns L2 (-256KB): 4.3ns L3 (-15MB): 17.0ns Local NUMA: 108ns Remote NUMA: 184.5ns

45/45

Bitrates – Results and Workflow .

Bitrates

▶ Local NUMA L3 = 4.167 Kbps ▶ Remote NUMA L3 = 2.585 Kbps ▶ SMP L2 = 9.551 Kbps.

Automatic procedure

45/45