Cloud Security Verification

Cloud7 Overview of our architecture for tool-supported infrastructure cloud analysisWe pursue the verification of security properties of infrastructure clouds. See talks at EU CSP'12 or ACM CCSW'11.

We consider two domains:

Approach: Actual State vs. Desired State

We apply model checking to verify that the topology is free of security violations (static case) or that administrators cannot reach a state that violates the policy by their cloud operations (dynamic case).

We analyzed isolation security for a production infrastructure of a global financial institution.

Open PhD Position

PhD in Security Verification of Dynamic Infrastructure Clouds (CS033)

Impact

The research prototype of our cloud security assurance analysis has been transferred to IBM as part of the IBM PowerSC Trusted Surveyor product in 2012. The research started during my time at IBM Research and continued in an industry collaboration at Newcastle.

Image Gallery

Cloud1 Ideal-world view of an abstract infrastructure cloud topology Cloud2 Real-world complexity of a production infrastructure cloud topology Cloud3 Information flow analysis by graph coloring exemplified with a small color tree Cloud4 Tool-supported information flow analysis against an abstract attack state - 1 Same zone Cloud5 Tool-supported information flow analysis against an abstract attack state - 2 VLAN separation Cloud6 Tool-supported information flow analysis against an abstract attack state - 3 Isolation breach found Cloud7 Overview of our architecture for tool-supported infrastructure cloud analysis

Selected Presentations

EU Cyber Security and Privacy Forum 2012

Verification of Infrastructure Clouds (ACM CCSW'11)

Selected Papers

Sören Bleikertz, Thomas Groß, and Sebastian Mödersheim. Automated Verification of Virtualized Infrastructures. In Proceedings of the CCS Cloud Security Workshop(CCSW) 2011.

Sören Bleikertz and Thomas Groß. A Virtualization Assurance Language for Isolation and Deployment. In proceedings of IEEE POLICY 2011.

Sören Bleikertz, Thomas Groß, Matthias Schunter, and Konrad Eriksson. Automated Information Flow Analysis of Virtualized Infrastructures. In Proceedings of the European Symposium on Research in Computer Security (ESORICS) 2011.