An Automated SMT-based Security Framework for Supporting Migrations in Cloud Composite Services

Oulaaffart, Mohamed; Badonnel, Rémi; Bianco, Christophe

doi:10.1109/noms54207.2022.9789768

Cited by 4 publications

(10 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, the authors of [16] propose an endogenous approach based on the generation of protected unikernel images, corresponding to lightweight virtual machines containing only the strict necessary packages and libraries in order to minimize the attack surface of cloud resources. We also started to work on securing composite services based on vulnerability descriptions expressed with the OVAL language [17], but without considering information disclosure issues [7]. Certification techniques, such as [18,19], have been considered for guaranteeing the behavior of cloud resources.…”

Section: Related Workmentioning

confidence: 99%

“…It then requests cloud service providers to get configuration information regarding potential hosting environments, including the resource versioning and parameterization of these cloud environments, and also information regarding security mechanisms that may be implemented by the cloud providers. Considering this overall knowledge and using our OVAL 3 -based vulnerability assessment framework detailed in [7], the third party determines configuration vulnerabilities that may appear during the migration of resources over potential hosting environments. These assessment results enable the trusted third party to recommend or decline the migration of a given resource back to the cloud tenant, while reducing the disclosure of configuration information amongst involved cloud tenants and cloud providers.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

C3S-TTP: A Trusted Third Party for Configuration Security in TOSCA-Based Cloud Services

Oulaaffart,

Badonnel,

Festor

2024

J Netw Syst Manage

Self Cite

View full text Add to dashboard Cite

The large-scale deployment of cloud composite services distributed over heterogeneous environments poses new challenges in terms of security management. In particular, the migration of their resources is facilitated by recent advances in the area of virtualization techniques. This contributes to increase the dynamics of their configuration, and may induce vulnerabilities that could compromise the security of cloud resources, or even of the whole service. In addition, cloud providers may be reluctant to share precise information regarding the configuration of their infrastructures with cloud tenants that build and deploy cloud composite services. This makes the assessment of vulnerabilities difficult to be performed with only a partial view on the overall configuration. We therefore propose in this article an inter-cloud trusted third-party approach, called C3S-TTP, for supporting secure configurations in cloud composite services, more specifically during the migration of their resources. We describe the considered architecture, its main building blocks and their interactions based on an extended version of the TOSCA orchestration language. The trusted third party is capable to perform a precise and exhaustive vulnerability assessment, without requiring the cloud provider and the cloud tenant to share critical configuration information between each other. After designing and formalizing this third party solution, we perform large series of experiments based on a proof-of-concept prototype in order to quantify its benefits and limits.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

C3S-TTP: A Trusted Third Party for Configuration Security in TOSCA-Based Cloud Services

Oulaaffart,

Badonnel,

Festor

2024

J Netw Syst Manage

Self Cite

View full text Add to dashboard Cite

show abstract

Section: Related Workmentioning

confidence: 99%

C3S-TTP: A Trusted Third Party for Configuration Security in TOSCA-based Cloud Services

Oulaaffart

Badonnel

Festor

2022

Preprint

Self Cite

View full text Add to dashboard Cite

The large-scale deployment of cloud composite services distributed over heterogeneous environments poses new challenges in terms of security management. In particular, the migration of their resources is facilitated by recent advances in the area of virtualization techniques. This contributes to increase the dynamics of their configuration, and may induce vulnerabilities that could compromise the security of cloud resources, or even of the whole service. In addition, cloud providers may be reluctant to share precise information regarding the configuration of their infrastructures with cloud tenants that build and deploy cloud composite services. This makes the assessment of vulnerabilities difficult to be performed with only a partial view on the overall configuration.We therefore propose in this article an inter-cloud trusted third-party approach, called C3S-TTP, for supporting secure configurations in cloud composite services, more specifically during the migration of their resources. We describe the considered architecture, its main building blocks and their interactions based on an extended version of the TOSCA orchestration language. The trusted third party is capable to perform a precise and exhaustive vulnerability assessment, without requiring the cloud provider and the cloud tenant to share critical configuration information between each other. After designing and formalizing this third party solution, we perform large series of experiments based on a proof-of-concept prototype in order to quantify its benefits and limits.

show abstract

“…The proposed tool, called CMSec (Cloud Migration Security), aims at preventing known vulnerabilities that may affect cloud composite services during the migration of their resources, through the assessment of their configurations and the selection of adequate countermeasures when vulnerabilities are identified. It corresponds to the implementation of the strategy that we have formalized in [6]. The CMSec architecture, detailed on Figure 1, has been prototyped using the Python language version 3.7, and relies on SMT solvers compatible with the SMT-LIB (Satisfiability Modulo Theories LIBrary) format [7] as back-end services.…”

Section: Cloud Migration Security Toolmentioning

confidence: 99%

“…This latter relies on a set of vulnerability descriptions from the official OVAL repository (Arrow 5). The vulnerability assessment process is formalized as a satisfiability issue [6], by considering the vulnerability descriptions together with the resource projection, and generates an SMT-LIB specification. Our assessor building block then exploits the CVC4 SMT solver to interpret and solve this SMT-LIB specification, and therefore determine whether the projection matches any vulnerable configurations.…”

Section: A Assessment Scenariomentioning

confidence: 99%

CMSec: A Vulnerability Prevention Tool for Supporting Migrations in Cloud Composite Services

Oulaaffart

Badonnel

Festor

2022

2022 IEEE 11th International Conference on Cloud Networking (CloudNet)

Self Cite

View full text Add to dashboard Cite

The growing maturity of orchestration languages, such as the Topology and Orchestration Specification for Cloud Applications (TOSCA) language, and the continuous improvement of virtualization techniques contribute to the large-scale deployment of cloud composite services based on multiple resources that may be hosted over different cloud service providers. The resources composing these services may be subject to migrations, either live or offline, in order to cope with performance objectives, such as load balancing, latency minimization, and energy savings. However, these migrations may induce changes affecting the configurations of migrated resources. In particular, these changes may lead to vulnerabilities, that may compromise the security of resources, or even the security of the whole cloud service. This demonstration showcases a vulnerability prevention tool, called CMSec, for supporting the resource migrations of TOSCA-based cloud composite services by considering OVAL vulnerability descriptions together with verification techniques. Based on two main scenarios, we will expose how the CMSec tool is able to detect vulnerable configurations prior to resource migrations, and to suggest corrective operations for remediating them.

show abstract

An Automated SMT-based Security Framework for Supporting Migrations in Cloud Composite Services

Cited by 4 publications

References 19 publications

C3S-TTP: A Trusted Third Party for Configuration Security in TOSCA-Based Cloud Services

C3S-TTP: A Trusted Third Party for Configuration Security in TOSCA-Based Cloud Services

C3S-TTP: A Trusted Third Party for Configuration Security in TOSCA-based Cloud Services

CMSec: A Vulnerability Prevention Tool for Supporting Migrations in Cloud Composite Services

Contact Info

Product

Resources

About