Formal verification of secure information flow in cloud computing
Introduction
The extent and importance of cloud computing is rapidly increasing due to the ever-increasing demand for internet services and communications. Instead of building individual information technology infrastructure to host databases or software, an organisation can have a third party host them in its large server clouds. However, large organisations may wish to keep sensitive information on their own, more restricted servers rather than in the public cloud. This has led to the introduction of federated cloud computing (FCC), in which both public and private cloud computing resources are used (see Watson, 2012).
A federated cloud is the deployment and management of multiple cloud computing services with the aim of matching business needs. Data, services and software must be allocated to different clouds for both security and business reasons. Although federated cloud systems (FCSs) can increase the reliability and reduce the cost of computational support to an organisation, the large number of services and data items on a cloud system creates security risks because of the dynamic movement of these entities between the clouds. As a result, it is necessary to develop tractable formal models that faithfully capture information flow security within FCSs.
In this paper, we introduce a formal model of dynamic information flow in an FCS, in which services and data can migrate and change their security status dynamically. We then explain how Petri nets (more precisely, coloured Petri nets (CPNs)) can be used to analyse the correctness of such a system. We also show how the notion of diagnosability investigated by Germanos et al. (2014, 2015) can be used to detect malicious events violating the proposed security policy in FCSs. Finally, we evaluate experimentally the efficiency of the proposed setup using model checking (Clarke et al., 1999).
The paper is organised as follows. Section 3 provides the basic notions about security policies. In Section 4, a model for secure information flow analysis in FCSs is presented. The basic definitions relating to Petri nets are given in Section 5. Section 6 outlines how Petri nets could be used to support property verification in FCSs. Section 7 describes the diagnosis of behavioural properties, and Section 8 presents experimental results obtained for the proposed approach. Section 9 concludes the paper.
Section snippets
Related work
There exist different methods for addressing workflow security; for example, the flow-sensitive analysis of programs in Smith (2001) and Russo et al. (2009). Using Petri nets to model workflows, Knorr (2000, 2001) applied the Bell–LaPadula model to workflow security. In particular, Knorr
Security policies in cloud computing systems
In this section, we recall some basic concepts concerning security policies in cloud computing systems.
System model
We now introduce a formal model for capturing the dynamic behaviour of federated cloud computing systems. Such a model can then be analysed to verify that the system satisfies the requirements of a given set of Bell–LaPadula rules, as well as the cloud security rule for confidentiality considerations and any user-specified policies.
The proposed model uses tuples to represent entities located in the clouds. Each such tuple comprises information about the nature of the entity (service or data),
Petri nets
Petri nets are a graphical modelling tool for a formal description of systems whose dynamics are characterised by concurrency, synchronisation, mutual exclusion and conflict. In this section, we briefly recall three classes of Petri nets used in our discussion (see Reisig, 1985 and Jensen, 2009 for more details).
Dynamic flow-sensitive security model in CPNs
We will now outline how CPNs can be used to represent, and then verify, a given Dfssm. To facilitate the discussion, following the definitions in Section 4, the net modelling a Dfssm is decomposed into three parts: the access control sub-net, the data flow sub-net, and the control flow sub-net.
Diagnosis and WF-diagnosability
In this section, we outline diagnosis and the weakly fair (WF) diagnosability property. This formal verification technique will be used in Section 8.
Diagnosis is the procedure of discovering abnormal behaviours of a system, and diagnosability is an associated property of, e.g., a Petri net stating that in any possible execution sequence (called an execution below) an occurrence of a fault can eventually be diagnosed from the observable events alone. Sampath et al. (1995) proposed a method for diagnosability based on the construction
Experimental results
We now present experimental results relating to the diagnosis of potential actions of a malicious insider in a cloud computing system.
We use three scalable benchmarks based on the model shown in Fig. 2. To keep the model simple, we do not consider how the interaction between entities (tokens in the PN model) inside clouds are related to the security rules (1), (2), and (3). Instead, we evaluate the cloud security rule (4), which states that an entity must be deployed on a cloud with a security
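The following is an added example, not code from the paper, that puts the pieces described in Sections 4 to 8 into one runnable model: entities as coloured tokens carrying a label from a security lattice, clouds as the places holding them, the Bell–LaPadula read/write checks, a migration transition guarded by the cloud security rule, an unobservable insider fault, explicit-state reachability in the style of model checking, and a diagnoser verdict computed from the observable migration events. The cloud names, the two levels, the `finance` category, the entity names and the fault model (an insider silently rewriting an entity's label) are all hypothetical, and rule (4), whose statement is truncated above, is read here as "the level of the hosting cloud must dominate the level of the entity"; that reading is an assumption.

```python
"""Toy dynamic flow-sensitive security model for a federated cloud (added example,
not the paper's code): entities are coloured tokens labelled from a security
lattice, clouds are the places holding them.  Hypothetical levels, clouds and
fault model; rule (4) is read as "hosting cloud's level dominates the entity's"."""
from collections import deque
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Level:
    """Denning-style label (rank, category set); dominance is the lattice order."""
    rank: int
    cats: frozenset = frozenset()
    def dominates(self, other: "Level") -> bool:
        return self.rank >= other.rank and self.cats >= other.cats

LOW, HIGH = Level(0), Level(2, frozenset({"finance"}))
CLOUDS = {"public": LOW, "private": HIGH}   # assumed clearance of each cloud

@dataclass(frozen=True)
class Entity:
    """Token: name, kind ("service"/"data"), current label, true sensitivity, cloud."""
    name: str
    kind: str
    level: Level    # label the policy currently sees (an insider may tamper with it)
    origin: Level   # sensitivity assigned when the entity was created
    cloud: str

# Bell-LaPadula: read only what you dominate, write only to what dominates you.
def may_read(subject: Entity, obj: Entity) -> bool:
    return subject.level.dominates(obj.level)

def may_write(subject: Entity, obj: Entity) -> bool:
    return obj.level.dominates(subject.level)

# Cloud security rule, stated on the true sensitivity so a token whose label
# was tampered with still counts as mis-placed.
def safe(marking: frozenset) -> bool:
    return all(CLOUDS[e.cloud].dominates(e.origin) for e in marking)

def enabled(marking: frozenset, allow_fault: bool):
    """Yield (label, successor marking) for each enabled transition:
    migrate (observable, guarded by rule (4) on the current label) and
    declassify (unobservable insider FAULT rewriting a label to LOW)."""
    for e in sorted(marking, key=lambda t: t.name):
        for target in sorted(CLOUDS):
            if target != e.cloud and CLOUDS[target].dominates(e.level):
                yield ("migrate", e.name, target), (marking - {e}) | {replace(e, cloud=target)}
        if allow_fault and e.level != LOW:
            yield ("declassify", e.name), (marking - {e}) | {replace(e, level=LOW)}

def find_violation(m0: frozenset, allow_fault: bool):
    """Explicit-state reachability: shortest run to an unsafe marking, or None."""
    seen, queue = {m0}, deque([(m0, [])])
    while queue:
        m, path = queue.popleft()
        if not safe(m):
            return path
        for label, m2 in enabled(m, allow_fault):
            if m2 not in seen:
                seen.add(m2)
                queue.append((m2, path + [label]))
    return None

def explanations(m0: frozenset, obs: list) -> list:
    """All runs of the faulty net whose observable projection equals obs (runs end
    at the last observed event; declassify is one-shot per token, so this is finite)."""
    runs = []
    def go(m, i, run):
        if i == len(obs):
            runs.append(run)
            return
        for label, m2 in enabled(m, allow_fault=True):
            if label[0] != "migrate":
                go(m2, i, run + [label])          # silent move, observation unchanged
            elif label == obs[i]:
                go(m2, i + 1, run + [label])      # matches the next observed event
    go(m0, 0, [])
    return runs

def diagnose(m0: frozenset, obs: list, entity: str) -> str:
    """Diagnoser verdict on 'was entity declassified?' from the observation obs."""
    runs = explanations(m0, obs)
    if not runs:
        return "inconsistent"
    hits = [("declassify", entity) in r for r in runs]
    return "F" if all(hits) else "N" if not any(hits) else "ambiguous"

# constructed initial marking: a sensitive report and a low service, both private
M0 = frozenset({Entity("report", "data", HIGH, HIGH, "private"),
                Entity("calc", "service", LOW, LOW, "private")})

if __name__ == "__main__":
    print(find_violation(M0, False))  # None: the guard alone upholds rule (4)
    print(find_violation(M0, True))   # [('declassify', 'report'), ('migrate', 'report', 'public')]
    print(diagnose(M0, [("migrate", "report", "public")], "report"))  # F
    print(diagnose(M0, [("migrate", "calc", "public")], "report"))    # ambiguous
```

Two points the run illustrates. First, with the fault transition disabled the guard on `migrate` is enough to keep every reachable marking safe, whereas one silent `declassify` followed by a perfectly "legal" migration puts high-sensitivity data on the public cloud, which is exactly why the property is stated on the true sensitivity and not on the label the policy sees. Second, the verdict depends on what has been observed: seeing the report move to the public cloud proves the fault ("F"), while seeing only the low-level service move leaves it open ("ambiguous"). In this model the migration of a declassified token is continuously enabled once the fault has occurred, so under a weak fairness assumption it must eventually fire and expose the fault; that is the kind of reasoning the WF-diagnosability notion of Germanos et al. (2014, 2015) makes precise, and it is absent from plain diagnosability, where the insider run that declassifies and then never migrates is a legitimate counterexample.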
Conclusions
In this paper, we presented a dynamic flow-sensitive security model that can be used to analyse the information flow in FCSs. The entities present in the cloud system can be assigned different security levels belonging to a given security lattice. Moreover, each cloud is assigned a security level that captures the confidentiality level of the cloud. It is also possible to specify in a formal way different security policies for the movement of entities between different clouds. The resulting
Acknowledgments
We would like to thank the referees for their comments and useful suggestions. This research was supported by the 973 Program, Grant no. 2010CB328102, the NSFC, Grant no. 61133001, and EPSRC UNCOVER EP/K001698/1 project.
References (33)
Fairness and partial order semantics. Inf Process Lett (1995).
Effective verification of weak diagnosability (2012).
Secure computer systems: mathematical foundations (1973).
Diagnosis of asynchronous discrete event systems: a net unfolding approach. IEEE Trans Autom Control (2003).
Towards a formal model for cloud computing.
Model checking (1999).
A lattice model of secure information flow. Commun ACM (1976).
Cryptography and data security (1982).
Diagnosability under weak fairness (2014).
Diagnosability under weak fairness. ACM Trans Embed Comput Syst (2015).
A methodology for the development and verification of access control systems in cloud computing.
Partial order diagnosability of discrete event systems using Petri nets unfoldings.
Coloured Petri nets.
A polynomial algorithm for testing diagnosability of discrete event systems.
Dynamic access control through Petri net workflows.
Multilevel security and information flow in Petri net workflows.
Cited by (27)
An adaptive formal parallel technique with reputation integration for the enforcement of security policy in the cloud environment. Computer Communications (2022).
Citation excerpt: "The cloud systems must use formal verification approaches to demonstrate the precision and the correctness of the system behavior and quality. However, to the best of our knowledge, there is limited work related to formal verification of access control in cloud computing environments [22,23]. Table 1 summarizes this section by comparing our approach with referenced papers."
Improved TOPSIS: A multi-criteria decision making for research productivity in cloud security. Computer Standards and Interfaces (2019).
Citation excerpt: "Based on literature [32,44–46,67] this section aims to list techniques and properties that should be inherited to CC architecture. Table 1 illustrates various security techniques and properties listed in literature [21,68–115]. As per the literature, a security technique is an action, device, or procedure that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective measures and action can be taken [70,110–112,118]."
Investigating the Cost of Transfer Delay on the Performance of Security in Cloud Computing. Electronic Notes in Theoretical Computer Science (2018).
Formal verification approaches and standards in the cloud computing: A comprehensive and systematic review. Computer Standards and Interfaces (2018).
Citation excerpt: "In addition, it should be discussed whether the approach can be leveraged in service systems with a large scale. Moreover, Zeng et al. [7] have proposed an entities-based federated approach in the cloud to assign security levels of a given security lattice. Also, a dynamic flow-sensitive security model for a merged cloud scheme has been presented in which the Bell–LaPadula instructions and cloud security rule can be captured."
Specifying and Model Checking Distributed Control Algorithms at Meta-level. Computer Journal (2022).
A Survey of Practical Formal Methods for Security. Formal Aspects of Computing (2022).