
Finding the Dark Cloud: Static Analysis of Cloud Configurations


Presentation Transcript


  1. Finding the Dark Cloud: Static Analysis of Cloud Configurations. Shriram Krishnamurthi, Brown University

  2. A Cloud of Policies. Application Author: end-user access-control, … Datacenter Administrator: firewalls, hypervisor Chinese Walls, … Cloud-Based App Builder

  3. Cloud-Based App Builder. “Need isolation at server and network level” —Shenoy

  4. … and other dens of iniquity

  5. [Network diagram: employees, contractors and the manager sit behind the internal firewall (interface int); the DMZ lies between the internal firewall (interface dmz) and the external firewall (interfaces dmz and ext).]

  6. [Same diagram, annotated with the traffic of interest: tcp www and tcp smtp flows, the telnet restriction, and the blacklist checks at the external firewall.]

  7. ACL for External firewall:
     1: DENY if: ifc=fw1_dmz, ipdest in blacklist
     2: DENY if: ifc=fw1_ext, ipsrc in blacklist
     3: DENY if: ifc=fw1_dmz, portdest=telnet
     4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
     5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
     6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager
     7: DROP otherwise

  8. [Diagram of the internal firewall: tcp www and tcp smtp flows pass through its NAT, after which outbound packets carry ipsrc fw2_static.]

  9. Problem The manager can’t connect to the Web.

  10. Policy Analysis Using Margrave

  11. When can a connection from the manager’s PC be denied if it’s
     • to port 80 (www)
     • over TCP
     • to any machine?

  12. ∃p . p.dstprt = www ∧ p.proto = TCP ∧ p.ipdest ∈ outIPs ∧ p.ipsrc = manager ∧
        ( Int.ACL denies p
          ∨ ∃p′ . Int.NAT translates p to p′ ∧ p′.dstprt = p.dstprt ∧ p′.proto = p.proto ∧ p′.ipdest = p.ipdest ∧ Ext.ACL denies p′ )

  13. Margrave’s answer (a scenario):
     p.entry-interface = IntFW.int, p.ipsrc = manager, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.proto = tcp
     p′ = p except p′.entry-interface = ExtFW.dmz, p′.ipsrc = fw2_static

  14. When can a connection from the manager’s PC be denied if it’s
     • to port 80 (www)
     • over TCP
     • to any machine?
     • Always.

  15. …same query…, but with rule-tracing enabled.
     • …same response…, with
     • Int’s ACL accepts the packet via rule 4.
     • Int’s NAT applies to the packet.
     • Ext’s ACL denies the post-NAT packet via rule 7.

  16. [Diagram: the manager’s tcp www packet leaves the internal firewall with ipsrc fw2_static, so the external firewall no longer sees ipsrc=manager.]

  17. ACL for External firewall (revised rule 6 now also admits the NAT address fw2_static):
     1: DENY if: ifc=fw1_dmz, ipdest in blacklist
     2: DENY if: ifc=fw1_ext, ipsrc in blacklist
     3: DENY if: ifc=fw1_dmz, portdest=telnet
     4: ACCEPT if: ifc=fw1_ext, ipdest=mailserver, portdest=smtp, proto=tcp
     5: ACCEPT if: ifc=fw1_ext, ipdest=webserver, portdest=http, proto=tcp
     6: ACCEPT if: ifc=fw1_dmz, ipdest=any outside, portdest=http, proto=tcp, ipsrc=manager, fw2_static
     7: DROP otherwise

  18. Does the policy satisfy its property? (policy ⊦ P)

  19. Can people state them (⊦ P)? Are they good enough? “They tend to think in terms of procedures, rather than goals” —Anderson

  20. P − P′. Help people with policy evolution: study what has changed.

  21. ∃p . Int.ACL accepts p ∧ ∃p′ . Int.NAT translates p to p′ ∧ p′.dstprt = p.dstprt ∧ p′.proto = p.proto ∧ p′.ipdest = p.ipdest ∧
        ( (Ext.ACL denies p′ ∧ Ext.ACLNew accepts p′) ∨ (Ext.ACL accepts p′ ∧ Ext.ACLNew denies p′) )

  22. Presenting “Change”: a function mapping requests (packets) to changes in outcome (Deny to Permit, Permit to Deny). Scenarios found:
     p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
     p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp

  23. Denied → Permit:
     p.entry-interface = fw2_int, p.ipsrc = manager, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
     p.entry-interface = fw2_int, p.ipsrc = contractor, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp
     p.entry-interface = fw2_int, p.ipsrc = employee, p.ipdest in outIPs, p.srcprt = any, p.dstprt = www, p.protocol = tcp

  24. Change as a First-Class Entity
     • Restrict changes to External Firewall (View)
     • Which machines lost privileges? (Query)
     • Confirm no machines gained privileges (Verification)
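The rule trace of slide 15 and the change-impact result of slides 21–23 can be reproduced with a tiny packet-filter model. This is an added example, not Margrave or the talk’s own code: the external ACL is slide 7’s (and slide 17’s revision), the NAT rewrite is slide 13’s, while the internal ACL, the IP addresses and the port name http (the slides use www and http interchangeably) are assumptions.

```python
# Added model of the two-firewall example; not Margrave itself.
BLACKLIST = {"198.51.100.9"}           # constructed sample address
OUTSIDE = {"203.0.113.5"}              # stands in for "any outside"; constructed
MAILSERVER, WEBSERVER = "192.0.2.25", "192.0.2.80"   # constructed

def matches(cond, pkt):
    """A rule fires when every field equals the given value or lies in the given set."""
    return all(pkt[k] in v if isinstance(v, set) else pkt[k] == v for k, v in cond.items())

def rule6(sources):
    return (6, "accept", {"ifc": "fw1_dmz", "ipdest": OUTSIDE, "dstprt": "http",
                          "proto": "tcp", "ipsrc": sources})

EXT_COMMON = [
    (1, "deny", {"ifc": "fw1_dmz", "ipdest": BLACKLIST}),
    (2, "deny", {"ifc": "fw1_ext", "ipsrc": BLACKLIST}),
    (3, "deny", {"ifc": "fw1_dmz", "dstprt": "telnet"}),
    (4, "accept", {"ifc": "fw1_ext", "ipdest": MAILSERVER, "dstprt": "smtp", "proto": "tcp"}),
    (5, "accept", {"ifc": "fw1_ext", "ipdest": WEBSERVER, "dstprt": "http", "proto": "tcp"}),
]
DEFAULT = (7, "drop", {})                                    # "DROP otherwise"
EXT_ACL = EXT_COMMON + [rule6({"manager"}), DEFAULT]         # slide 7
EXT_ACL_NEW = EXT_COMMON + [rule6({"manager", "fw2_static"}), DEFAULT]   # slide 17
# Internal ACL is an assumption: only the rule the trace names (rule 4) plus the default.
INT_ACL = [(4, "accept", {"ifc": "fw2_int", "dstprt": "http", "proto": "tcp"}), DEFAULT]

def first_match(acl, pkt):
    return next((num, dec) for num, dec, cond in acl if matches(cond, pkt))

def int_nat(pkt):
    """Static NAT on the internal firewall (slide 13): arrives at fw1_dmz with ipsrc fw2_static."""
    return {**pkt, "ifc": "fw1_dmz", "ipsrc": "fw2_static"}

def trace(pkt, ext_acl):
    """Rule tracing: which rule of which policy decided the packet, before and after NAT."""
    num, dec = first_match(INT_ACL, pkt)
    steps = [("Int.ACL", num, dec)]
    if dec == "accept":
        num, dec = first_match(ext_acl, int_nat(pkt))
        steps.append(("Ext.ACL", num, dec))
    return steps

def change_impact(old, new, pkts):
    """Packets whose final outcome differs between two external ACLs: {ipsrc: (old, new)}."""
    out = {}
    for p in pkts:
        a, b = trace(p, old)[-1][2], trace(p, new)[-1][2]
        if a != b:
            out[p["ipsrc"]] = (a, b)
    return out

def web_packet(src):   # the query of slide 11: to port www, over TCP, to an outside host
    return {"ifc": "fw2_int", "ipsrc": src, "ipdest": "203.0.113.5",
            "srcprt": "any", "dstprt": "http", "proto": "tcp"}
```

Running change_impact over manager, contractor and employee shows all three flipping from drop to accept: because NAT hides the real source behind fw2_static, the revision admits every internal host, which is exactly the “did anyone gain privileges?” check of slide 24.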

  25. Uses: configuration checking, refactoring testing, “what if” questions, upgrade checking, finding “hotspots”, mutation testing

  26. Scope of Margrave
     • Most of XACML 1.0 and 2.0
     • Cisco IOS:
       • ACL: standard and extended
       • NAT: static; dynamic: ACL-based, map-based
       • routing: static and policy-based
       • limited: BGP announcements and VPN endpoints
     • Amazon Access Policy Language (in SQS)
     • Hypervisor, based on sHype (IBM)
     • A Datalog-based intermediate language

  27. Performance
     Production firewall (1108 rules):
       • Change-impact: time 2.5 sec, space baseline + 83 Mb
       • List all superfluous rules: time 10 min, space baseline + 467 Mb
     Production XACML policy:
       • Verification: time <10 millisec, space baseline + 316 Kb
       • Change-impact: time 2 millisec, space baseline + 16 Kb

  28. Under the Hood
     • Translation into first-order logic
     • Propositionalize to BDDs and SAT
     • Bernays-Schönfinkel-Ramsey class, extended to multi-sorted logic
     • Some small theories for networking
     • Aggregation to compress i. and o.
     • Rule-tracing → EDBs and IDBs in models

  29. Upcoming Work
     • More sophisticated modeling of state
     • Visualization of output
     • Generating constraints on components
     • Suggesting repairs
     • Handling numerics

  30. Dan Dougherty [WPI] • Kathi Fisler [WPI] • Tim Nelson [WPI] • Alums: Leo Meyerovich [Brown u.g. → Berkeley] • Michael Tschantz [Brown u.g. → CMU] http://www.margrave-tool.org/