Cloud Security Auditing
174 pages · 2019 · English
Advances in Information Security 76

Suryadipta Majumdar · Taous Madi · Yushun Wang · Azadeh Tabiban · Momen Oqaily · Amir Alimohammadifar · Yosr Jarraya · Makan Pourzandi · Lingyu Wang · Mourad Debbabi

Cloud Security Auditing

Advances in Information Security, Volume 76
Series editor: Sushil Jajodia, George Mason University, Fairfax, VA, USA
More information about this series at http://www.springer.com/series/5576

Authors' affiliations:
Suryadipta Majumdar, Information Security and Digital Forensics, University at Albany - SUNY, Albany, NY, USA
Taous Madi, CIISE, Concordia University, Montréal, QC, Canada
Yushun Wang, CIISE, Concordia University, Montreal, QC, Canada
Azadeh Tabiban, CIISE, Concordia University, Montreal, QC, Canada
Momen Oqaily, CIISE, Concordia University, Montreal, QC, Canada
Amir Alimohammadifar, CIISE, Concordia University, Montreal, QC, Canada
Yosr Jarraya, Ericsson Security Research, Saint-Laurent, QC, Canada
Makan Pourzandi, Ericsson Security Research, Montreal, QC, Canada
Lingyu Wang, CIISE, Concordia University, Montreal, QC, Canada
Mourad Debbabi, CIISE, Concordia University, Montreal, QC, Canada

ISSN 1568-2633 Advances in Information Security
ISBN 978-3-030-23127-9
ISBN 978-3-030-23128-6 (eBook)
https://doi.org/10.1007/978-3-030-23128-6

© Springer Nature Switzerland AG 2019

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Preface

Auditing and security assurance verification is, and has traditionally been, essential for many industries due to regulatory requirements. Examples of this are ISO 27001 for information security management, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS). With the current deployment of cloud computing technologies in IT solutions and mobile communication networks comes the need to extend auditing and security assurance verification to the cloud.

The cloud, due to its elastic, on-demand, and self-service nature, is attracting many new applications from different fields, making it part of the cyber critical infrastructure and part of everyday life. Cloud computing technologies such as virtualization allow physical resources to be dynamically shared through virtual instances, and in the latest generation of mobile communication networks the network function virtualization approach instantiates virtual functions to deliver network services for different verticals.
However, while the unique properties of the cloud (elastic, self-service, multi-tenancy) generate opportunities for high efficiency and customization, they also bring novel security challenges. Perhaps most importantly, multi-tenancy allows different customers to share physical resources, opening the door to possible attacks through the virtual layers. Also, the increased complexity due to multiple abstraction layers in the cloud (such as virtual and physical layers covering different resources for networking, compute, and storage) may cause inconsistencies, which call for auditing mechanisms spanning all of these layers. While in classical auditing there were only two actors (service provider and user), the cloud setup introduces a new actor: the cloud service provider. Auditing therefore needs to account for the addition of new actors. Lastly, the dynamic nature of the cloud means that the entire virtual resource configuration changes at runtime, to scale in and out in response to service load. This in turn may invalidate earlier auditing results and calls for a continuous and adaptive auditing approach.

In short, the complex design and implementation of a cloud infrastructure may cause vulnerabilities and misconfigurations, which adversaries could exploit to cause serious damage. The security concerns and challenges therefore generate a demand for transparency and accountability, and auditing becomes a main element in building the confidence of cloud tenants and users in their cloud providers. Because auditing of services in the cloud ecosystem differs in many ways from existing auditing approaches, new methods are required that span wider and deeper across the different virtual and physical layers, account for the new actors, and provide continuous and adaptive security auditing.

This book is the result of a collaboration between academic and industrial researchers to address real-world issues in the cloud environment.
It addresses the major challenges and presents new auditing methods for the cloud. Pointing to the problems encountered when auditing in the cloud, the authors cover security threats from all cloud abstraction levels and propose auditing mechanisms for a wide range of security and functional requirements, from those of the cloud tenants and users to the relevant security standards.

Through their journey, the authors first tackle the complexity of the cloud due to its virtual and physical layers, concentrating on the most challenging aspects of virtual L2–L3 networks. Essential issues for auditing in the cloud are considered, from user-level auditing verification to virtual network isolation verification. For user-level auditing, a method is presented that verifies an extensive list of security properties related to authentication and authorization mechanisms in the cloud. The security property verification is then extended to the virtual network layer. The virtual network layer 2 auditing addresses various security concerns arising from potential inconsistencies between cloud layers and from tenant isolation breaches, while the virtual layer 3 auditing tackles the threats from multi-tenancy.

Next, the authors consider the need for an efficient continuous auditing approach to address the dynamic nature of the cloud. They propose three different auditing methods: retroactive, intercept-and-check, and proactive. Retroactive auditing subscribes to the traditional way of auditing by identifying security breaches after the fact. Intercept-and-check auditing enables continuous auditing, specifically elaborating on runtime security policy enforcement. Finally, proactive auditing addresses the need to efficiently audit the cloud at runtime. At the end, the authors propose a runtime security policy enforcement in a widely used open-source cloud platform as an approach to continuous security auditing in the cloud.

This book provides comprehensive state-of-the-art knowledge on cloud security auditing, covering a wide range of security auditing issues and proposing new solutions to the challenges.
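The three auditing modes named above can be contrasted on a small constructed example. The following Python is an added illustration and is not code from the book or from OpenStack: it assumes a toy inventory of networks and ports, a constructed event log, and a single isolation property (a tenant's port may attach only to a network that tenant owns). It shows retroactive auditing finding a breach only after it has taken effect, intercept-and-check rejecting the breach before commit at the price of re-verifying the whole state on every request, and a proactive variant that precomputes the permitted attachments so the runtime decision is a table lookup.

```python
"""Toy model of retroactive, intercept-and-check and proactive auditing
over one virtual-network isolation property. Added illustration: the
inventory schema, event format and property are assumptions for this
example, not the book's models or an OpenStack API."""
import copy
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]


class CloudState:
    """Minimal tenant/network/port inventory (hypothetical schema)."""

    def __init__(self) -> None:
        self.network_owner: Dict[str, str] = {}      # network -> owning tenant
        self.ports: Dict[str, Tuple[str, str]] = {}  # port -> (tenant, network)

    def apply(self, event: Event) -> None:
        op = event["op"]
        if op == "create_network":
            self.network_owner[event["network"]] = event["tenant"]
        elif op == "create_port":
            self.ports[event["port"]] = (event["tenant"], event["network"])
        elif op == "delete_port":
            self.ports.pop(event["port"], None)
        else:
            raise ValueError(f"unknown operation {op!r}")


def isolation_violations(state: CloudState) -> List[str]:
    """Assumed property: a tenant's port may attach only to a network that
    tenant owns. Returns the offending port ids, sorted."""
    return sorted(
        port
        for port, (tenant, network) in state.ports.items()
        if state.network_owner.get(network) != tenant
    )


def retroactive_audit(events: List[Event]) -> List[str]:
    """Replay the whole log, then verify the final state: breaches are
    reported only after they have already taken effect."""
    state = CloudState()
    for event in events:
        state.apply(event)
    return isolation_violations(state)


def intercept_and_check(events: List[Event]) -> Tuple[CloudState, List[Event]]:
    """Verify each request on a trial copy before committing it, so no
    violating change is ever applied; costs a full verification per request."""
    state = CloudState()
    rejected: List[Event] = []
    for event in events:
        trial = copy.deepcopy(state)
        trial.apply(event)
        if isolation_violations(trial):
            rejected.append(event)
        else:
            state = trial
    return state, rejected


def precompute_allowed(state: CloudState) -> Dict[str, Set[str]]:
    """Proactive step: derive ahead of time which networks each tenant may
    attach ports to, so the runtime decision becomes a set lookup."""
    allowed: Dict[str, Set[str]] = {}
    for network, owner in state.network_owner.items():
        allowed.setdefault(owner, set()).add(network)
    return allowed


def proactive_audit(events: List[Event]) -> Tuple[CloudState, List[Event]]:
    """Decide create_port requests from the precomputed table; refresh the
    table incrementally whenever network ownership changes."""
    state = CloudState()
    allowed = precompute_allowed(state)
    rejected: List[Event] = []
    for event in events:
        if event["op"] == "create_port":
            if event["network"] not in allowed.get(event["tenant"], set()):
                rejected.append(event)
                continue
        state.apply(event)
        if event["op"] == "create_network":
            allowed.setdefault(event["tenant"], set()).add(event["network"])
    return state, rejected


# Constructed event log: tenant "bob" tries to attach port p2 to alice's network.
EVENTS: List[Event] = [
    {"op": "create_network", "tenant": "alice", "network": "net-a"},
    {"op": "create_network", "tenant": "bob", "network": "net-b"},
    {"op": "create_port", "tenant": "alice", "network": "net-a", "port": "p1"},
    {"op": "create_port", "tenant": "bob", "network": "net-a", "port": "p2"},
    {"op": "create_port", "tenant": "bob", "network": "net-b", "port": "p3"},
]

if __name__ == "__main__":
    print("retroactive violations:", retroactive_audit(EVENTS))
    for name, fn in (("intercept-and-check", intercept_and_check),
                     ("proactive", proactive_audit)):
        final, rejected = fn(EVENTS)
        print(f"{name}: committed ports {sorted(final.ports)}, "
              f"rejected {[e['port'] for e in rejected]}")
```

Running the file shows the retroactive pass reporting p2 only after it exists in the inventory, while both runtime modes keep it out. The proactive table is only as good as its freshness, which is why the `create_network` branch updates it in place; in a real deployment every event that changes ownership would have to trigger the same refresh.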
It is beneficial to researchers and engineers involved in security for cloud computing.

Stockholm, Sweden
March 2019
Eva Fogelström

Acknowledgments

We would like to express our deepest gratitude to all people who contributed to the realization of this work. This book is a result of research work supported by the Natural Sciences and Engineering Research Council of Canada and Ericsson Canada under CRD Grants (N01566 and N01823) and by PROMPT Quebec.

Contents

1 Introduction ... 1
  1.1 Motivations ... 2
  1.2 Cloud Security Auditing ... 3
  1.3 Challenges in Cloud Security Auditing ... 5
  1.4 Outline ... 6
2 Literature Review ... 9
  2.1 Retroactive Auditing ... 9
  2.2 Intercept-and-Check Auditing ... 10
  2.3 Proactive Auditing ... 11
  2.4 Taxonomy of Cloud Security Auditing ... 12
  2.5 Comparative Study ... 13
3 Auditing Security Compliance of Virtualized Infrastructure ... 17
  3.1 Auditing Approach for Virtualized Infrastructure ... 19
    3.1.1 Threat Model ... 19
    3.1.2 Modeling the Virtualized Infrastructure ... 19
    3.1.3 Cloud Auditing Properties ... 21
  3.2 Audit Ready Cloud Framework ... 25
  3.3 Formal Verification ... 27
    3.3.1 Model Formalization ... 27
    3.3.2 Properties Formalization ... 28
  3.4 Application to OpenStack ... 30
    3.4.1 Background ... 30
    3.4.2 Integration to OpenStack ... 31
  3.5 Experiments ... 35
    3.5.1 Experimental Setting ... 35
    3.5.2 Results ... 35
  3.6 Conclusion ... 38
4 Auditing Virtual Network Isolation Across Cloud Layers ... 39
  4.1 Models ... 42
    4.1.1 Preliminaries ... 42
    4.1.2 Threat Model ... 43
    4.1.3 Virtualized Cloud Infrastructure Model ... 44
  4.2 Methodology ... 47
    4.2.1 Overview ... 47
    4.2.2 Cloud Auditing Properties ... 48
    4.2.3 Verification Approach ... 52
  4.3 Implementation ... 57
    4.3.1 Background ... 57
    4.3.2 Integration into OpenStack ... 57
    4.3.3 Integration into OpenStack Congress ... 63
  4.4 Experiments ... 63
    4.4.1 Experimental Setting ... 63
    4.4.2 Results ... 63
  4.5 Discussion ... 67
  4.6 Conclusion ... 69
5 User-Level Runtime Security Auditing for the Cloud ... 71
  5.1 User-Level Security Properties ... 73
    5.1.1 Models ... 73
    5.1.2 Security Properties ... 76
    5.1.3 Threat Model ... 78
  5.2 Runtime Security Auditing ... 78
    5.2.1 Overview ... 78
    5.2.2 Initialization Phase ... 79
    5.2.3 Runtime Phase ... 80
    5.2.4 Formalization of Security Properties ... 83
  5.3 Implementation ... 87
    5.3.1 Architecture ... 87
    5.3.2 Integration into OpenStack ... 87
    5.3.3 Integration to OpenStack Congress ... 93
  5.4 Experiments ... 93
    5.4.1 Experimental Setting ... 94
    5.4.2 Results ... 94
  5.5 Discussion ... 101
  5.6 Conclusion ... 102
6 Proactive Security Auditing in Clouds ... 103
  6.1 Overview ... 105
    6.1.1 Motivating Example ... 105
    6.1.2 Threat Model ... 106
    6.1.3 Approach Overview ... 107
