A Chaos Engineering System for Live Analysis and Falsification of Exception-Handling in the JVM

Zhang, Long; Morin, Brice; Haller, Philipp; Baudry, Benoît; Monperrus, Martin

doi:10.1109/tse.2019.2954871

Cited by 22 publications

(18 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…terraform apply. Furthermore, this feature internally uses GraphViz 10 and Dot 11 , which are popularly used for graph visualization and expression language respectively. Attack graphs can also be constructed for cloud infrastructure orchestrated using other tools by discovering the infrastructure Terraform resource discovery feature 12 .…”

Section: ) Attack Graphsmentioning

confidence: 99%

“…Our fault injection strategies leverage the API connecting cloud customers and cloud services and focus on security faults. Zhang et'al [10] proposed ChaosMachine, a system for live analysis and falsification of exceptionhandling in the JVM. ChaosMachine employs bytecode instrumentation and remote control of fine-grained fault injection to detect resilience weaknesses in try-catch-exemption handling.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

CloudStrike: Chaos Engineering for Security and Resiliency in Cloud Infrastructure

et al. 2020

View full text Add to dashboard Cite

Most cyber-attacks and data breaches in cloud infrastructure are due to human errors and misconfiguration vulnerabilities. Cloud customer-centric tools are imperative for mitigating these issues, however existing cloud security models are largely unable to tackle these security challenges. Therefore, novel security mechanisms are imperative, we propose Risk-driven Fault Injection (RDFI) techniques to address these challenges. RDFI applies the principles of chaos engineering to cloud security and leverages feedback loops to execute, monitor, analyze and plan security fault injection campaigns, based on a knowledge-base. The knowledge-base consists of fault models designed from secure baselines, cloud security best practices and observations derived during iterative fault injection campaigns. These observations are helpful for identifying vulnerabilities while verifying the correctness of security attributes (integrity, confidentiality and availability). Furthermore, RDFI proactively supports risk analysis and security hardening efforts by sharing security information with security mechanisms. We have designed and implemented the RDFI strategies including various chaos engineering algorithms as a software tool: CloudStrike. Several evaluations have been conducted with CloudStrike against infrastructure deployed on two major public cloud infrastructure: Amazon Web Services and Google Cloud Platform. The time performance linearly increases, proportional to increasing attack rates. Also, the analysis of vulnerabilities detected via security fault injection has been used to harden the security of cloud resources to demonstrate the effectiveness of the security information provided by CloudStrike. Therefore, we opine that our approaches are suitable for overcoming contemporary cloud security issues.

show abstract

Section: ) Attack Graphsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

CloudStrike: Chaos Engineering for Security and Resiliency in Cloud Infrastructure

et al. 2020

View full text Add to dashboard Cite

show abstract

“…The Cloud Storage Enumeration Attack is comparable to brute force password guessing attacks e.g. CVE-2012-3137 9 .…”

Section: B Security Risk Metricsmentioning

confidence: 99%

“…Essentially, our failure scope encapsulates the impact of security failures against cloud assets. We based our 8 this is a vector string representation of all computed metrics for a vulnerability 9 https://nvd.nist.gov/vuln/detail/CVE-2012-3137 selectRandomBucket ← getCloudBuckets() select a random bucket from the set of enumerated buckets 4: disableBucketLogging() stop all logging activities against the bucket 5: end procedure fault models on the CSA cloud penetration test playbook [22], which categorizes public IaaS into three domains for security testing: (1) application, data, business logic, (2) cloud service and (3) cloud account. However, we focus on the latter two domains: cloud account security and cloud service security which directly map to the cloud IAM and cloud storage respectively.…”

Section: Fault Modelsmentioning

confidence: 99%

“…Our fault injection strategies leverage the API connecting cloud customers and cloud services and focus on security faults. Zhang et'al [9] proposed ChaosMachine, a system for live analysis and falsification of exception-handling in the JVM. ChaosMachine employs bytecode instrumentation and remote control of fine-grained fault injection to detect resilience weaknesses in try-catch-exemption handling.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Cloudstrike: Chaos Engineering for Security and Resiliency in Cloud Infrastructure

Torkura¹

2020

Preprint

View full text Add to dashboard Cite

<div>Most cyber-attacks and data breaches in cloud</div><div>infrastructure are due to human errors and misconfiguration</div><div>vulnerabilities. Cloud customer-centric tools are lacking, and existing</div><div>security models do not efficiently tackle these security challenges.</div><div>Novel security mechanisms are imperative, therefore, we</div><div>propose Risk-driven Fault Injection (RDFI) techniques to tackle</div><div>these challenges. RDFI applies the principles of chaos engineering</div><div>to cloud security and leverages feedback loops to execute, monitor,</div><div>analyze and plan security fault injection campaigns, based on</div><div>a knowledge-base. The knowledge-base consists of fault models</div><div>designed from cloud security best practices and observations</div><div>derived during iterative fault injection campaigns. Furthermore,</div><div>the observations indicate security weaknesses and verify the</div><div>correctness of security attributes (integrity, confidentiality and</div><div>availability) and security controls. Ultimately this knowledge is</div><div>critical in guiding security hardening efforts and risk analysis.</div><div>We have designed and implemented the RDFI strategies including</div><div>various chaos algorithms as a software tool: CloudStrike. Furthermore,</div><div>CloudStrike has been evaluated against infrastructure</div><div>deployed on two major public cloud systems: Amazon Web Service</div><div>and Google Cloud Platform. The time performance linearly</div><div>increases, proportional to increasing attack rates. Similarly, CPU</div><div>and memory consumption rates are acceptable. Also, the analysis</div><div>of vulnerabilities detected via security fault injection has been</div><div>used to harden the security of cloud resources to demonstrate the</div><div>value of CloudStrike. Therefore, we opine that our approaches</div><div>are suitable for overcoming contemporary cloud security issues</div>

show abstract

Chaos as a Software Product Line—A platform for improving open hybrid‐cloud systems resiliency

et al. 2022

View full text Add to dashboard Cite

Nowadays, cloud-native software architectures have a significant relevance due to the speed and agility they provide. These properties lead relevant organizations in different industries, like video streaming (Netflix), car-sharing (Uber, Cabify), banking (BBVA, HSBC), and governmental agencies (NASA, FBI, CERN, ESA) to heavily rely on cloud-native software to run their business-critical applications. Additionally, including fault injection actions in the production infrastructure allows companies to have consistent environments, to improve applications dependability against unexpected failures, to provide better user experience, and to improve the overall system quality. Thus, cloud computing technologies allow development teams to rapidly create complex systems and to continuously deploy them, at a global scale. This work describes Pystol, a novel fault injection platform-represented as aSoftware Product Line-to analyze the effects caused by a wide spectrum of adverse conditions. Pystol is designed to be executed on top of cloud-native environments, either in private or public clouds. The proposed architecture shows a way for representing feature models based on Unified Model Language (in short, UML) component diagrams. Furthermore, we present a thorough empirical study carried out in real-world environments, providing promising results.

show abstract

A Chaos Engineering System for Live Analysis and Falsification of Exception-Handling in the JVM

Cited by 22 publications

References 33 publications

CloudStrike: Chaos Engineering for Security and Resiliency in Cloud Infrastructure

CloudStrike: Chaos Engineering for Security and Resiliency in Cloud Infrastructure

Cloudstrike: Chaos Engineering for Security and Resiliency in Cloud Infrastructure

Chaos as a Software Product Line—A platform for improving open hybrid‐cloud systems resiliency

Contact Info

Product

Resources

About