Security audits of multi-tier virtual infrastructures in public infrastructure clouds

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2010, Pages 93-102

  Bleikertz, Sören ^a   Schunter, Matthias ^a   Probst, Christian W ^b   Pendarakis, Dimitrios ^c   Eriksson, Konrad ^d  

^a IBM RESEARCH ZURICH   (Switzerland)

^b TECHNICAL UNIVERSITY OF DENMARK   (Denmark)

^c IBM T J WATSON RESEARCH CENTER   (United States)

^d InfraSight Labs   (Switzerland)

Author keywords

Amazon EC2; Attack graphs; Cloud computing; Reachability

Indexed keywords

AMAZON EC2; ATTACK GRAPH; AUTOMATED ANALYSIS; CLOUD COMPUTING; CLOUD INFRASTRUCTURES; CLOUD SERVICES; END USERS; MULTI TIER ARCHITECTURE; MULTI-TIER; POLICY LANGUAGE; PUBLIC INFRASTRUCTURES; REACHABILITY; SECURITY ASSESSMENT; SECURITY AUDIT; SECURITY CHALLENGES; SECURITY INCIDENT; SECURITY RISKS; START-UPS; VIRTUAL INFRASTRUCTURES; WIDE SPECTRUM;

CLOUDS; COMPUTER SYSTEMS; INVESTMENTS; RATING; VISUALIZATION; WEB SERVICES;

NETWORK SECURITY;

EID: 78650122895     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1866835.1866853     Document Type: Conference Paper

References (34)

1. ACIIÇMEZ, O. Yet another microarchitectural attack: exploiting i-cache. In CSAW '07: Proceedings of the 2007 ACM workshop on Computer security architecture (New York, NY, USA, 2007), ACM, pp. 11-18.
2. ACIIÇMEZ, O., KOÇ, C. K., AND SEIFERT, J.-P. On the power of simple branch prediction analysis. In ASIACCS '07: Proceedings of the 2nd ACM symposium on Information, computer and communications security (New York, NY, USA, 2007), ACM, pp. 312-320.
3. AMAZON. The Amazon Elastic Compute Cloud (EC2) Available at http://aws.amazon.com/ec2/, last accessed March 2010, 2010.
4. AMAZON WEB SERVICES. Amazon Web Services: Overview of Security Processes, November 2009.
5. BELLARE, M., BRAKERSKI, Z., NAOR, M., RISTENPART, T., SEGEV, G., SHACHAM, H., AND YILEK, S. Hedged public-key encryption: How to protect against bad randomness. In ASIACRYPT (2009), pp. 232-249.
6. BOTO. boto - Python interface to Amazon Web Services. Available at http://code.google.com/p/boto/, last accessed June 2010, 2010.
7. CHRISTODORESCU, M., SAILER, R., SCHALES, D. L., SGANDURRA, D., AND ZAMBONI, D. Cloud Security Is Not (Just) Virtualization Security. In CCSW '09: Proceedings of the 2009 ACM workshop on Cloud computing security (New York, NY, USA, 2009), ACM, pp. 97-102.
8. COHEN, R. Announcing Enomaly ECP High Assurance Edition for Trusted Cloud Computing. Available at http://www.elasticvapor.com/2010/04/announcing-enomaly- ecp-high-assurance.html, last accessed June 2010, 2010.
9. GARFINKEL, T., PFAFF, B., CHOW, J., ROSENBLUM, M., AND BONEH, D. Terra: A Virtual Machine-Based Platform for Trusted Computing. SIGOPS Oper. Syst. Rev. 37, 5 (2003), 193-206.
10. GOODALL, J. R. Introduction to Visualization for Computer Security. In VizSEC (2007), pp. 1-17.
11. JAJODIA, S., LIU, P., SWARUP, V., AND WANG, C. Cyber Situational Awareness: Issues and Research. Springer, 2009, ch. Topological Vulnerability Analysis, pp. 139-154.
12. JAJODIA, S., AND NOEL, S. Algorithms, Architectures, and Information Systems Security. World Scientific Press, 2007, ch. Topological Vulnerability Analysis: A Powerful New Approach for Network Attack Prevention, Detection, and Response.
13. KRAUTHEIM, F. J. Private Virtual Infrastructure for Cloud Computing. In HotCloud '09: Workshop on Hot Topics in Cloud Computing (2009), USENIX.
14. LIPPMANN, R. P., AND INGOLS, K. W. An Annotated Review of Past Papers on Attack Graphs, 2005.
15. MAO, W., MARTIN, A., JIN, H., AND ZHANG, H. Innovations for grid security from trusted computing. In Fourteenth International Workshop on Security Protocols (2006), LNCS, Springer-Verlag.
16. MELL, P., AND GRANCE, T. Effectively and Securely Using the Cloud Computing Paradigm, October 2009.
17. MELL, P., SCARFONE, K., AND ROMANOSKY, S. A Complete Guide to the Common Vulnerability Scoring System Version 2.0. Available at http://www.first.org/ cvss/cvss-guide.html, last accessed June 2010, June 2007.
18. NETWORKX DEVELOPERS. NetworkX. Available at http://networkx.lanl.gov/, last accessed June 2010, 2010.
19. NOEL, S., ELDER, M., JAJODIA, S., KALAPA, P., O'HARE, S., AND PROLE, K. Advances in Topological Vulnerability Analysis. In CATCH '09: Proceedings of the 2009 Cybersecurity Applications & Technology Conference for Homeland Security (Washington, DC, USA, 2009), IEEE Computer Society, pp. 124-129.
20. OPENVAS. OpenVAS, Open Vulnerability Assessment System. Available at http://www.openvas.org, last accessed May 2010, 2010.
21. PERCIVAL, C. Cache missing for fun and profit, May 2005.
22. PHILLIPS, C., AND SWILER, L. P. A graph-based system for network-vulnerability analysis. In NSPW '98: Proceedings of the 1998 workshop on New security paradigms (New York, NY, USA, 1998), ACM, pp. 71-79.
23. RISTENPART, T., TROMER, E., SHACHAM, H., AND SAVAGE, S. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. In CCS '09: Proceedings of the 16th ACM conference on Computer and communications security (New York, NY, USA, 2009), ACM, pp. 199-212.
24. RISTENPART, T., AND YILEK, S. When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography. In Proceedings of Network and Distributed Security Symposium - NDSS '10 (2010).
25. SANTOS, N., GUMMADI, K. P., AND RODRIGUES, R. Towards Trusted Cloud Computing. In HotCloud '09: Workshop on Hot Topics in Cloud Computing (2009), USENIX.
26. SHEYNER, O., HAINES, J., JHA, S., LIPPMANN, R., AND WING, J. M. Automated Generation and Analysis of Attack Graphs. In SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy (Washington, DC, USA, 2002), IEEE Computer Society, p. 273.
27. SHEYNER, O., AND WING, J. Tools for generating and analyzing attack graphs. In Proceedings of formal methods for components and objects (2004), LNCS, pp. 344-371.
28. SWILER, L., PHILLIPS, C., ELLIS, D., AND CHAKERIAN, S. Computer-attack graph generation tool. In DARPA Information Survivability Conference Exposition II, 2001. DISCEX '01. Proceedings (2001), vol. 2, pp. 307-321 vol.2.
29. SWILER, L. P., PHILLIPS, C., AND GAYLOR, T. A Graph-Based Network-Vulnerability Analysis System. In Sandia National Laboratories, Albuquerque, New (1997), ACM Press, pp. 97-3010.
30. TENABLE NETWORK SECURITY. Nessus, the Network Vulnerability Scanner. Available at http://www.nessus.org, last accessed March 2010, 2010.
31. TRAN, T., AL-SHAER, E., AND BOUTABA, R. PolicyVis: Firewall Security Policy Visualization and Inspection. In LISA'07: Proceedings of the 21st conference on Large Installation System Administration Conference (Berkeley, CA, USA, 2007), USENIX Association, pp. 1-16.
32. WILLIAMS, L., LIPPMANN, R., AND INGOLS, K. An Interactive Attack Graph Cascade and Reachability Display. In VizSEC (2007), pp. 221-236.
33. WILLIAMS, L., LIPPMANN, R., AND INGOLS, K. GARNET: A Graphical Attack Graph and Reachability Network Evaluation Tool. In VizSec '08: Proceedings of the 5th international workshop on Visualization for Computer Security (Berlin, Heidelberg, 2008), Springer-Verlag, pp. 44-59.
34. WOOL, A. A Quantitative Study of Firewall Configuration Errors. Computer 37, 6 (2004), 62-67.