ISOTOP
ACM Transactions on Privacy and Security (IF 2.3), Pub Date: 2018-10-23, DOI: 10.1145/3267339
Taous Madi 1, Yosr Jarraya 2, Amir Alimohammadifar 1, Suryadipta Majumdar 1, Yushun Wang 1, Makan Pourzandi 2, Lingyu Wang 1, Mourad Debbabi 1
Multi-tenancy in the cloud is a double-edged sword. While it enables cost-effective resource sharing, it increases the security risks for the hosted applications. Indeed, multiplexing virtual resources belonging to different tenants on the same physical substrate may lead to critical security concerns such as cross-tenant data leakage and denial of service. In particular, virtual network isolation failures are among the foremost security concerns in the cloud. To remedy these, automated tools are needed to verify the compliance of security mechanisms with relevant security policies and standards. However, auditing virtual network isolation is challenging due to the dynamic and layered nature of the cloud. In particular, inconsistencies in network isolation mechanisms across cloud-stack layers, namely the infrastructure management layer and the implementation layer, may lead to virtual network isolation breaches that are undetectable at any single layer. In this article, we propose an offline automated framework for auditing consistent isolation between virtual networks in an OpenStack-managed cloud, spanning the overlay and layer 2, by considering both cloud layers' views. To capture the semantics of the audited data and its relation to the consistent-isolation requirement, we devise a multi-layered model for the data related to each cloud-stack layer's view. Furthermore, we integrate our auditing system into OpenStack and present experimental results on assessing several properties related to virtual network isolation and consistency. Our results show that our approach can be used to detect virtual network isolation breaches in large OpenStack-based data centers in reasonable time.
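The core idea of the abstract, that an isolation breach can be invisible from either cloud-stack layer alone and only appears when the management layer's view and the implementation layer's view are compared, can be illustrated with a small consistency checker. The following Python is an added example written for this page; it is not ISOTOP's code or data model. It assumes a simplified management-layer view (each VM port belongs to one tenant and one virtual network, and each network was assigned one segmentation id, the way Neutron records a VXLAN VNI or VLAN id) and a simplified implementation-layer view (each port carries a host-local tag on the compute host's integration bridge, and each (host, tag) pair is wired to one segmentation id). All port, host and tenant names and the numeric ids are constructed sample values.

```python
"""Added illustration of a cross-layer virtual-network isolation consistency audit.

Not ISOTOP's code. Two views of the same cloud are modelled:
  - management layer: which tenant's port sits in which virtual network, and which
    segmentation id that network was assigned (assumed Neutron-like view);
  - implementation layer: which host-local tag each port carries and which
    segmentation id that tag is wired to (assumed OVS/tunnel-like view).
Each view is internally consistent; the breach only shows up when they are joined.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class MgmtPort:
    port_id: str
    tenant: str
    network: str          # virtual network the management layer places the port in


@dataclass(frozen=True)
class ImplPort:
    port_id: str
    host: str
    local_tag: int        # host-local tag on the integration bridge


@dataclass(frozen=True)
class Finding:
    kind: str             # e.g. "segment_mismatch", "cross_tenant_segment"
    port_id: Optional[str]
    detail: str


def check_port_consistency(mgmt_ports: List[MgmtPort], net_to_segid: Dict[str, int],
                           impl_ports: List[ImplPort],
                           tag_to_segid: Dict[Tuple[str, int], int]) -> List[Finding]:
    """Property 1: every port is wired to the segment its virtual network was assigned."""
    findings: List[Finding] = []
    impl_by_id = {p.port_id: p for p in impl_ports}
    for mp in mgmt_ports:
        ip = impl_by_id.get(mp.port_id)
        if ip is None:
            findings.append(Finding("missing_at_impl_layer", mp.port_id,
                                    f"no implementation-layer port for {mp.tenant}/{mp.network}"))
            continue
        expected = net_to_segid.get(mp.network)
        actual = tag_to_segid.get((ip.host, ip.local_tag))
        if actual != expected:
            findings.append(Finding("segment_mismatch", mp.port_id,
                                    f"management layer expects segment {expected} ({mp.network}); "
                                    f"implementation layer wires tag {ip.local_tag} on {ip.host} to {actual}"))
    known = {p.port_id for p in mgmt_ports}
    for ip in impl_ports:
        if ip.port_id not in known:
            findings.append(Finding("unknown_at_mgmt_layer", ip.port_id,
                                    f"port exists on {ip.host} but the management layer has no record of it"))
    return findings


def check_cross_tenant_segments(mgmt_ports: List[MgmtPort], impl_ports: List[ImplPort],
                                tag_to_segid: Dict[Tuple[str, int], int],
                                shared_networks: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Property 2: no implementation-layer segment carries ports of more than one tenant,
    unless every network on that segment is declared shared at the management layer."""
    tenant_of = {p.port_id: p.tenant for p in mgmt_ports}
    network_of = {p.port_id: p.network for p in mgmt_ports}
    tenants_per_seg: Dict[int, Set[str]] = {}
    nets_per_seg: Dict[int, Set[str]] = {}
    for ip in impl_ports:
        seg = tag_to_segid.get((ip.host, ip.local_tag))
        if seg is None or ip.port_id not in tenant_of:
            continue                      # reported by property 1, not double counted here
        tenants_per_seg.setdefault(seg, set()).add(tenant_of[ip.port_id])
        nets_per_seg.setdefault(seg, set()).add(network_of[ip.port_id])
    return [Finding("cross_tenant_segment", None,
                    f"segment {seg} carries traffic of tenants {sorted(tenants)}")
            for seg, tenants in tenants_per_seg.items()
            if len(tenants) > 1 and not nets_per_seg[seg] <= shared_networks]


# Constructed sample views. Each layer looks fine on its own: the management layer has
# tenant A in net-a and tenant B in net-b; every host maps its tags to valid segments.
SAMPLE_MGMT_PORTS = [MgmtPort("p1", "tenant-a", "net-a"),
                     MgmtPort("p2", "tenant-b", "net-b"),
                     MgmtPort("p3", "tenant-a", "net-a")]
SAMPLE_NET_TO_SEGID = {"net-a": 1001, "net-b": 1002}
SAMPLE_IMPL_PORTS = [ImplPort("p1", "host-1", 5),
                     ImplPort("p2", "host-1", 6),
                     ImplPort("p3", "host-2", 5)]
# On host-2 tag 5 is wired to segment 1002, so p3 (tenant A) lands in tenant B's network.
SAMPLE_TAG_TO_SEGID = {("host-1", 5): 1001, ("host-1", 6): 1002, ("host-2", 5): 1002}


def run_audit(tag_to_segid: Dict[Tuple[str, int], int] = SAMPLE_TAG_TO_SEGID) -> List[Finding]:
    """Join both views over the sample data and return all findings (empty = consistent)."""
    return (check_port_consistency(SAMPLE_MGMT_PORTS, SAMPLE_NET_TO_SEGID, SAMPLE_IMPL_PORTS, tag_to_segid)
            + check_cross_tenant_segments(SAMPLE_MGMT_PORTS, SAMPLE_IMPL_PORTS, tag_to_segid))


if __name__ == "__main__":
    for f in run_audit():
        print(f.kind, f.port_id, f.detail)
```

Run stand-alone, the audit reports a `segment_mismatch` on `p3` and a `cross_tenant_segment` finding for segment 1002; querying only the management database or only the per-host bridge configuration would show nothing wrong. Repairing the host-2 mapping (tag 5 back to segment 1001) makes both checks return no findings, which is the kind of cross-layer property the abstract describes auditing at data-center scale.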

Updated: 2018-10-23