Amani S. Ibrahim

CloudSec: A security monitoring appliance for Virtual Machines in the IaaS cloud model

The Infrastructure-as-a-Service (IaaS) cloud computing model has become a compelling computing solution with a proven ability to reduce costs and improve resource efficiency. Virtualization has a key role in supporting the IaaS model. However, virtualization also makes it a target for potent rootkits because of the loss of control problem over the hosted Virtual Machines (VMs). This makes traditional in-guest security solutions, relying on operating system kernel trustworthiness, no longer an effective solution to secure the virtual infrastructure of the IaaS model. In this paper, we explore briefly the security problem of the IaaS cloud computing model, and present CloudSec, a new virtualization-aware monitoring appliance that provides active, transparent and real-time security monitoring for hosted VMs in the IaaS model. CloudSec utilizes virtual machine introspection techniques to provide fine-grained inspection of VMs physical memory without installing any monitoring code inside the VM. It actively reconstructs and monitors the dynamically changing kernel data structures instances, as a prior step to enable providing protection for kernel data structures. We have implemented a proof-of-concept prototype using VMsafe libraries on a VMware ESX platform. We have evaluated the system monitoring accuracy and the performance overhead of CloudSec.

Adaptable, model-driven security engineering for SaaS cloud-based applications

Software-as-a-service (SaaS) multi-tenancy in cloud-based applications helps service providers to save cost, improve resource utilization, and reduce service customization and maintenance time. This is achieved by sharing of resources and service instances among multiple “tenants” of the cloud-hosted application. However, supporting multi-tenancy adds more complexity to SaaS applications required capabilities. Security is one of these key requirements that must be addressed when engineering multi-tenant SaaS applications. The sharing of resources among tenants—i.e. multi-tenancy—increases tenants’ concerns about the security of their cloud-hosted assets. Compounding this, existing traditional security engineering approaches do not fit well with the multi-tenancy application model where tenants and their security requirements often emerge after the applications and services were first developed. The resultant applications do not usually support diverse security capabilities based on different tenants’ needs, some of which may change at run-time i.e. after cloud application deployment. We introduce a novel model-driven security engineering approach for multi-tenant, cloud-hosted SaaS applications. Our approach is based on externalizing security from the underlying SaaS application, allowing both application/service and security to evolve at runtime. Multiple security sets can be enforced on the same application instance based on different tenants’ security requirements. We use abstract models to capture service provider and multiple tenants’ security requirements and then generate security integration and configurations at runtime. We use dependency injection and dynamic weaving via Aspect-Oriented Programming (AOP) to integrate security within critical application/service entities at runtime. We explain our approach, architecture and implementation details, discuss a usage example, and present an evaluation of our approach on a set of open source web applications.

TOSSMA: A Tenant-Oriented SaaS Security Management Architecture

Multi-tenancy helps service providers to save costs, improve resource utilization, and reduce service customization and maintenance time by sharing of resources and services. On the other hand, supporting multi-tenancy adds more complexity to the shared applications required capabilities. Security is a key requirement that must be addressed when engineering new SaaS applications or when re-engineering existing applications to support multi-tenancy. Traditional security (re)engineering approaches do not fit with the multi-tenancy application model where tenants and their security requirements emerge after the system was first developed. Enabling, runtime, adaptable and tenant-oriented application security customization on single service instance is a key challenging security goal in multi-tenant application engineering. In this paper we introduce TOSSMA, a Tenant-Oriented SaaS Security Management Architecture. TOSSMA allows service providers to enable their tenants in defining, customizing and enforcing their security requirements without having to go back to application developers for maintenance or security customizations. TOSSMA supports security management for both new and existing systems. Service providers are not required to write security integration code to use a specific security platform or mechanism. In this paper, we describe details of our approach and architecture, our prototype implementation of TOSSMA, give a usage example of securing a multi-tenant SaaS, and discuss our evaluation experiments of TOSSMA.

Automated software architecture security risk analysis using formalized signatures

Reviewing software system architecture to pinpoint potential security flaws before proceeding with system development is a critical milestone in secure software development lifecycles. This includes identifying possible attacks or threat scenarios that target the system and may result in breaching of system security. Additionally we may also assess the strength of the system and its security architecture using well-known security metrics such as system attack surface, Compartmentalization, least-privilege, etc. However, existing efforts are limited to specific, predefined security properties or scenarios that are checked either manually or using limited toolsets. We introduce a new approach to support architecture security analysis using security scenarios and metrics. Our approach is based on formalizing attack scenarios and security metrics signature specification using the Object Constraint Language (OCL). Using formal signatures we analyse a target system to locate signature matches (for attack scenarios), or to take measurements (for security metrics). New scenarios and metrics can be incorporated and calculated provided that a formal signature can be specified. Our approach supports defining security metrics and scenarios at architecture, design, and code levels. We have developed a prototype software system architecture security analysis tool. To the best of our knowledge this is the first extensible architecture security risk analysis tool that supports both metric-based and scenario-based architecture security analysis. We have validated our approach by using it to capture and evaluate signatures from the NIST security principals and attack scenarios defined in the CAPEC database.

MDSE@R: model-driven security engineering at runtime

New security threats arise frequently and impact on enterprise software security requirements. However, most existing security engineering approaches focus on capturing and enforcing security requirements at design time. Many do not address how a system should be adapted to cope with new unanticipated security requirements that arise at runtime. We describe a new approach - Model Driven Security Engineering at Runtime (MDSE@R) - enabling security engineers to dynamically specify and enforce system security requirements based on current needs. We introduce a new domain-specific visual language to model customer security requirements in a given application. Moreover, we introduce a new UML profile to help capturing system architectural characteristics along with security specifications mapped to system entities. Our MDSE@R toolset supports refinement and merger of these visual models and uses model-driven engineering to take the merged model and specify security controls to be enforced on the target system components. A combination of interceptors (via generated configurations) and injected code (using aspect-oriented programming) are used to integrate the specified security controls within the target system. We describe MDSE@R, give an example of using it in securing an ERP system, describe its implementation, and discuss an evaluation of applying MDSE@R on a set of open source applications.

VAM-aaS: online cloud services security vulnerability analysis and mitigation-as-a-service

Cloud computing introduces a new paradigm shift in service delivery models. However, the potential benefits reaped from the adoption of this model are threatened by public accessibility of the cloud-hosted services and sharing of resources with other service tenants. This increases the potential for exploitation of newly discovered vulnerabilities that usually take a long time to discover and to mitigate. On the other hand, existing cloud platforms do not provide a means to validate the security of offered cloud services or mitigating security vulnerabilities that arise at runtime. We introduce VAM-aaS, Vulnerability Analysis and Mitigation as-a-service, as a novel, integrated, and online cloud-based security vulnerability analysis and mitigation service. VAM-aaS performs online service analysis to pinpoint new vulnerabilities and weaknesses. It then uses this information to generate security control integration and configuration scripts to block these discovered security holes at runtime. Our approach is based on a new vulnerability signature and mitigation-actions specification approach. We introduce our approach, describe implementation details, and describe an evaluation of our prototype on a set of .NET benchmark applications.

Operating system kernel data disambiguation to support security analysis

It is very challenging to verify the integrity of Operating System (OS) kernel data because of its complex layout. In this paper, we address the problem of systematically generating an accurate kernel data definition for OSes without any prior knowledge of the OS kernel data. This definition accurately reflects the kernel data layout by resolving the pointer-based relations ambiguities between kernel data, in order to support systemic kernel data integrity checking. We generate this definition by performing static points-to analysis on the kernels source code. We have designed a new points-to analysis algorithm and have implemented a prototype of our system. We have performed several experiments with real-world applications and OSes to prove the scalability and effectiveness of our approach for OS security applications.

Supporting operating system kernel data disambiguation using points-to analysis

Generic pointers scattered around operating system (OS) kernels make the kernel data layout ambiguous. This limits current kernel integrity checking research to covering a small fraction of kernel data. Hence, there is a great need to obtain an accurate kernel data definition that resolves generic pointer ambiguities, in order to formulate a set of constraints between structures to support precise integrity checking. In this paper, we present KDD, a new tool for systematically generating a sound kernel data definition for any C-based OS e.g. Windows and Linux, without any prior knowledge of the kernel data layout. KDD performs static points-to analysis on the kernels source code to infer the appropriate candidate types for generic pointers. We implemented a prototype of KDD and evaluated it to prove its scalability and effectiveness.

Adaptive Security Management in SaaS Applications

Despite the potential benefits, cost savings and revenues that can be gained from adopting the cloud computing model, a downside is that it increases malicious attackers’ interest and ability to find vulnerabilities to exploit in cloud software and/or infrastructure.

Supporting automated software re-engineering using re-aspects

System maintenance, including omitting an existing system feature e.g. buggy or vulnerable code, or modifying existing features, e.g. replacing them, is still very challenging. To address this problem we introduce the “re-aspect” (re-engineering aspect), inspired from traditional AOP. A re-aspect captures system modification details including signatures of entities to be updated; actions to apply including remove, modify, replace, or inject new code; and code to apply. Re-aspects locate entities to update, entities that will be impacted by the given update, and finally propagate changes on the system source code. We have applied our re-aspects technique to the security re-engineering problem and evaluated it on a set of open source .NET applications to demonstrate its usefulness.