
Modeling virtualized infrastructures under security constraints


Presentation Transcript


  1. Modeling virtualized infrastructures under security constraints
     Muhammad Ali, Michael Niedermeier, Hermann de Meer
     Muhammad Ali, EuroNF workshop, Volos, Greece, 31.03.2011

  2. Overview
     • Motivation
     • Mapping virtualized resources
     • Classic approach
     • Incorporating security constraints
     • Future work

  3. Motivation
     • The rising costs of both hardware and energy in ITC make them lucrative targets for optimization.
     • This has given rise to solutions like cloud computing and service consolidation, based on virtualization technology.
     • While the adoption of virtualization is advancing rapidly, the question of security is often not considered appropriately.
     • This work aims to develop a solution that models virtual infrastructures and includes security constraints during the distribution of virtual resources (VMs) onto physical ones.
     • This is ongoing work in its initial stages.

  4. Mapping of virtual resources
     • How should virtual machines be distributed to physical hosts?
     [Figure: VM1, VM2, VM3 and VM4 to be mapped onto PM1 and PM2]

  5. Classic approach
     Decide where to distribute VMs based on available resources.
     • How should virtual machines be distributed to physical hosts?
     [Figure: VM1, VM2, VM3 and VM4 mapped onto PM1 and PM2 according to available resources]

  6. Classic approach
     • A physical resource is described by:
       • $P$: set of 1 to $n$ physical resources
       • Each $p_n \in P$ is a tuple $(A_{p_n}, c_{p_n})$
       • $A_{p_n}$ is a list of attributes ($|A_{p_n}| \geq 0$). Could be a name-value pair.
       • $c_{p_n}$ is the maximum capacity in units

  7. Classic approach
     • A virtual resource is described by:
       • $V$: set of 1 to $m$ virtual resources
       • Each $v_m \in V$ is a tuple $(A_{v_m}, \lambda_{v_m})$
       • $A_{v_m}$ is a list of attributes, each represented as a name-value pair
       • $\lambda_{v_m}$ is a set of 1 to $n$ tuples $(p_n^{v_m}, c_n^{v_m})$, where:
         • $p_n^{v_m}$ is the $n$th physical resource that $v_m$ depends on
         • $c_n^{v_m}$ is the respective required capacity of this resource
         • $c_n^{v_m} = 0$ means the $m$th virtual resource is not dependent on the $n$th physical resource.

  8. Classic solution
     • Find if all needed physical resources are available.
       • $\forall\, p_n^{v_m} \in \lambda_{v_m}\ \exists\, p_n \in P : p_n = p_n^{v_m}$
     • Every physical resource can only be specified once by a virtual resource.
       • $\forall\, p_i^{v_m}, p_j^{v_m} \in \lambda_{v_m} : p_i^{v_m} \neq p_j^{v_m}$
     • There must be enough capacities available of every physical resource.
       • $\forall\, p_n \in P : c_{p_n} \geq \sum c_n^{v_m}$

  9. Extension: extended approach
     Decide where to distribute VMs based on available resources AND security constraints.
     • How should virtual machines be distributed to physical hosts?
     [Figure: VM1, VM2, VM3 and VM4 mapped onto PM1 and PM2 according to available resources and security]

  10. Incorporating security constraints
     • To include security in the mathematical formulation, the previous descriptions have to be extended:
       • The physical resource description $p_n$ is extended with the security context $\Delta_{p_n}$:
         • $p_n = (A_{p_n}, c_{p_n}, \Delta_{p_n})$
         • $\Delta_{p_n}$ changes each time a VM gets allocated on $p_n$
       • The virtual resource description $v_m$ is extended with the security requirements element $\omega_n^{v_m}$:
         • $v_m = (p_n^{v_m}, c_n^{v_m}, \omega_n^{v_m})$
     Check if the security requirements of a virtual resource can be fulfilled, to a specified degree $\Diamond_D$, by the current security context of the physical resource.

  11. Incorporating security constraints
     • Fulfill all previously stated requirements.
       • All the required physical resources are available.
       • Physical resources must be distinctly defined.
       • Physical resources must have ample capacity to accommodate the incoming virtual resource.
     • Security constraints for each virtual resource have to be satisfied at least to the respective degree $D$ in order to be able to successfully map all virtual resources.
       • $\forall\, p_n \in P,\ v_m \in V : \omega_n^{v_m} \,\Diamond_D\, \Delta_{p_n}$

  12. Some examples
     • Virtual resource constraints:
       • Requires authenticated access by third party entities to the underlying physical resource.
       • Requires that USB devices must not be used on the underlying physical host.
     • Physical resource context:
       • Evolves its state as new virtual resources are added onto it.
       • Represented by the properties and attributes of the physical resource.
       • Additionally, it covers the restrictions imposed by the currently hosted virtual resources.
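
The four mapping conditions from slides 8 and 11, applied to the USB and third-party-authentication constraints above, as an added sketch that is not part of the original presentation. The slides do not define the operator $\Diamond_D$; reading it as "the share of requirements the context meets or leaves open is at least D" is an assumption, as are all names (`Physical`, `Demand`, `degree`, `allocate`, `demo`) and the constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Physical:                 # p_n = (A_pn, c_pn, Delta_pn)
    attrs: dict                 # A_pn: name-value pairs
    capacity: int               # c_pn: maximum capacity in units
    context: dict = field(default_factory=dict)   # Delta_pn, evolves on allocation

@dataclass
class Demand:                   # one tuple of lambda_vm, extended with omega_n^vm
    resource: str               # p_n^vm
    capacity: int               # c_n^vm
    security: dict = field(default_factory=dict)  # omega_n^vm

def degree(omega, delta):
    """Assumed reading of the degree: share of requirements met or left open."""
    met = sum(delta.get(k, v) == v for k, v in omega.items())
    return met / len(omega) if omega else 1.0

def allocate(P, V, D=1.0):
    """Map VMs in order; return (placed names, {rejected name: failed condition})."""
    for p in P.values():
        p.context = dict(p.attrs)          # context starts as the host's own attributes
    used, placed, rejected = {n: 0 for n in P}, [], {}
    for vm, demands in V.items():
        names = [d.resource for d in demands]
        if any(n not in P for n in names):
            rejected[vm] = "missing resource"
        elif len(set(names)) != len(names):
            rejected[vm] = "duplicate resource"
        elif any(used[d.resource] + d.capacity > P[d.resource].capacity for d in demands):
            rejected[vm] = "capacity"
        elif any(degree(d.security, P[d.resource].context) < D for d in demands):
            rejected[vm] = "security"
        else:
            for d in demands:
                used[d.resource] += d.capacity
                for k, v in d.security.items():   # hosted VM now restricts later VMs
                    P[d.resource].context.setdefault(k, v)
            placed.append(vm)
    return placed, rejected

def demo(D=1.0):
    # Constructed sample: one host with 4 capacity units, four VMs.
    P = {"PM1": Physical({"third_party_auth": True}, 4)}
    V = {"VM1": [Demand("PM1", 2, {"usb": "forbidden", "third_party_auth": True})],
         "VM2": [Demand("PM1", 1, {"usb": "allowed", "third_party_auth": True})],
         "VM3": [Demand("PM1", 3)], "VM4": [Demand("PM2", 1)]}
    return allocate(P, V, D)
```

With D = 1.0 only VM1 is placed: its USB ban enters the context of PM1, so VM2 is rejected on security rather than on capacity. Lowering D to 0.5 admits VM2 while the ban stays in force.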

  13. Future work
     • Identify, classify and formalize virtual resource security constraints. A set of constraints presents a virtual resource security policy.
     • Develop an efficient way to find a valid and optimal solution (policy matching algorithm).
     • Define an appropriate modeling language and extend it to include other constraints, like energy usage.

  14. Limitations
     • Trust between the entities in certain scenarios:
       • When ownership of physical and virtual resources lies with different entities.
       • E.g. migration of virtual resources between data centers in different countries.

  15. State of the art
     • Surveys have been conducted to analyse virtual infrastructures in general and their adoption rate.
     • Identification and development of new forms of threats like hyperjacking.
     • Efforts to compromise hypervisors.
     • The EU PASSIVE project is also working in the same direction.
       • It started in Sep 2010 and no published work has been identified yet.
