Modeling virtualized infrastructures under security constrains

1. Modeling virtualized infrastructures under security constrains Muhammad Ali, Michael Niedermeier, Hermann de Meer Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

2. Overview • Motivation • Mapping virtualized resources • Classic approach • Incorporating security constraints • Future work Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

3. Motivation • The rising costs of both hardware as well as energy in ITC, making them lucrative targets for optimization. • This has given rise to solutions like cloud computing and service consolidation, based on virtualization technology. • While the adoption of virtualization is advancing rapidly, the question of security is often not considered appropriately. • This work targets to develop a solution that models virtual infrastructures and includes security constrains during the distribution of virtual resources (VMs) onto physical ones. • This is an ongoing work and is in its initial stages. Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

4. Mapping of virtual resources • How should virtual machines be distributed to physical hosts? VM1 VM2 VM3 VM4 ? PM1 PM2 Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

5. Classic approach Classic approach Decide where to distribute VMs based on available resources • How should virtual machines be distributed to physical hosts? VM1 VM2 VM3 VM4 ? Available Resources PM1 PM2 Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

6. Classic approach • A physical resource is described by: • P: Set of 1 to n physical resources • Each pn є P is a tuple: (Apn, cpn) • Apnis a list of attributes (|Apn| ≥ 0). Could be a name-value pair. • cpn is the maximum capacity in units VM1 VM2 VM3 VM4 Available Resources PM1 PM2 Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

7. Classic approach • A virtual resource is described by: • V: Set of 1 to m virtual resources • Each vm є V is a tuple: (Avm,λvm) • Avmis a list of attributes, each represented as a name-value pair • λvm is a set of 1 to n tuples (pnvm, cnvm), where: • pnvm is a nth physical resource vm is dependent upon • cnvm is the respective required capacity of this resource • Cnvm = 0 means mth virtual resource is not dependent on nth physical resource. VM1 VM2 VM3 VM4 Available Resources PM1 PM2 Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

8. Classic solution • Find if all needed physical resources are available. • For all pnvmєλvm exists pnєP |pn=pnvm • Every physical resource can only be specified once by a virtual resource. • For all pivm, pjvm є λvm, pivm ≠pjvm • There must be enough capacities available of every physical resource. • For all pn є P, cpn ≥ ∑ cnvm Muhammad Ali, EuroNF workshop, Volos, Greece, 01.04.2011

9. Extension Extended approach Decide where to distribute VMs based on available resources AND security constraints • How should virtual machines be distributed to physical hosts? VM1 VM2 VM3 VM4 Available Resources Available Resources & Security PM1 PM2 Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

10. Incorporating security constraints • To include security in the mathematical formulation, the previous descriptions have to be extended: • The physical resource description pnis extended with the security context ∆pn: • pn = (Apn, cpn, ∆pn) • ∆pn changes each time a VM gets allocated on pn • The virtual description resource vmis extended with the security requirements element ωnvm : • vm = (pnvm , cnvm , ωnvm) Check if security requirements of a virtual resource can be fulfilled by the current security context, to a specified degree ◊D , of the physical resource Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

11. Incorporating security constraints • Fulfill all previously stated requirements. • All the required physical resources are available. • Physical resources must be distinctly defined. • Physical resources must have ample capacity to accommodate incoming virtual resource. • Security constraints for each virtual resource have to be satisfied at least to the respective degree ‘D’ in order to be able to successfully map all virtual resources. • For all pn є P, vm є V, ωnvm ◊D ∆pn Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

12. Some examples • Virtual resource constraints: • Requires authenticated access by third party entities to the underlying physical resource. • Requires that USB devices must not be used on the underlying physical host. • Physical resource context: • Evolves its state as new virtual resources are added onto it. • Represented by the properties and attributes of the physical resource. • Additionally, it covers the restrictions imposed by the currently hosted virtual resources. Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

13. Future work • Identify, classify and formalize virtual resource security constraints. Set of constraints present a virtual resource security policy. • Develop an efficient way to find valid and optimal solution (policy matching algorithm). • Define an appropriate modeling language and extend it to include other constraints, like energy usage. Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

14. Limitations • Trust between the entities in certain scenarios: • When ownership of physical and virtual resources lies with different entities. • E.g. Migration of virtual resources between data centers in different countries. Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

15. State of the art • Surveys has been conducted to analyse virtual infrastructures in general and their adoption rate. • Identification and development of new forms of threats like hyperjacking. • Efforts to compromise hypervisors. • EU PASSIVE project is also directed in the same direction. • Just started in Sep 2010 and no published work has been identified as yet. Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011