Formal verification of secure information flow in cloud computing

https://doi.org/10.1016/j.jisa.2016.03.002

Abstract

Federated cloud systems increase the reliability and reduce the cost of computational support to an organisation. However, the resulting combination of secure private clouds and less secure public clouds impacts on the overall security of the system as applications need to be located within different clouds. In this paper, the entities of a federated cloud system as well as the clouds are assigned security levels of a given security lattice. Then a dynamic flow sensitive security model for a federated cloud system is introduced within which the Bell–LaPadula rules and cloud security rule can be captured. The rest of the paper demonstrates how Petri nets and the associated verification techniques could be used to analyse the security of information flow in federated cloud systems.

Introduction

The extent and importance of cloud computing is rapidly increasing due to the ever increasing demand for internet services and communications. Instead of building individual information technology infrastructure to host databases or software, a third party can host them in its large server clouds. However, large organisations may wish to keep sensitive information on their more restricted servers rather than in the public cloud. This has led to the introduction of federated cloud computing (FCC) in which both public and private cloud computing resources are used (see Watson, 2012).

A federated cloud is the deployment and management of multiple cloud computing services with the aim of matching business needs. Data, services, and software are required to be allocated in different clouds for both security and business concerns. Although federated cloud systems (FCSs) can increase the reliability and reduce the cost of computational support to an organisation, the large number of services and data on a cloud system creates security risks due to the dynamic movement of the entities between the clouds. As a result, it is necessary to develop tractable formal models faithfully capturing information flow security within FCSs.

In this paper, we introduce a formal model of dynamic information flow in an FCS, where services and data can migrate and change their security status dynamically. We then explain how Petri nets (more precisely, coloured Petri nets (CPNs)) could be used to analyse the correctness of such a system. We also show how one could use the notion of diagnosability investigated in Germanos et al. (2014, 2015) in order to detect malicious events violating the proposed security policy in FCSs. We also evaluate experimentally the efficiency of the proposed setup using the model checking approach of Clarke et al. (1999).

The paper is organised as follows. Section 3 provides the basic notions about security policies. In Section 4, a model for secure information flow analysis in FCSs is presented. The basic definitions relating to Petri nets are given in Section 5. Section 6 outlines how Petri nets could be used to support property verification in FCSs. Section 7 describes the diagnosis of behavioural properties, and Section 8 presents experimental results obtained for the proposed approach. Section 9 concludes the paper.

Related work

There exist different methods for addressing workflow security; for example, the flow-sensitive analysis of programs in Smith (2001) and Russo et al. (2009). Using Petri nets to model workflows, Knorr (2000, 2001) applied the Bell–LaPadula model to workflow security. In particular, Knorr

Security policies in cloud computing systems

In this section, we recall some basic concepts concerning security policies in cloud computing systems.

System model

We now introduce a formal model for capturing the dynamic behaviour of federated cloud computing systems. Such a model can then be analysed to verify that the system satisfies the requirements of a given set of Bell–LaPadula rules, as well as the cloud security rule for confidentiality considerations and any user-specified policies.

The proposed model uses tuples to represent entities located in the clouds. Each such tuple comprises information about the nature of the entity (service or data),

Petri nets

Petri nets are a graphical modelling tool for a formal description of systems whose dynamics are characterised by concurrency, synchronisation, mutual exclusion and conflict. In this section, we briefly recall three classes of Petri nets used in our discussion (see Reisig, 1985 and Jensen, 2009 for more details).

Dynamic flow-sensitive security model in CPNs

We will now outline how CPNs could be used to represent (and then verify) a given Dfssm. To facilitate the discussion, following the definitions in Section 4, the net modelling a Dfssm is decomposed into three parts: the access control sub-net, the data flow sub-net, and the control flow sub-net.

Diagnosis and WF-diagnosability

In this section, we outline the diagnosis and weakly fair diagnosability property. This formal verification technique will be used in Section 8.

Diagnosis is the procedure of discovering abnormal behaviours of a system, and diagnosability is an associated property of, e.g., a Petri net stating that in any possible execution sequence (called below executions) an occurrence of a fault can eventually be diagnosed. Sampath et al. (1995) proposed a method for diagnosability based on the construction

Experimental results

We now present experimental results relating to the diagnosis of potential actions of a malicious insider in cloud computing systems.

We use three scalable benchmarks based on the model shown in Fig. 2. To keep the model simple, we do not consider how the interaction between entities (tokens in the PN model) inside clouds is related to the security rules (1), (2), and (3). Instead, we evaluate the cloud security rule (4), which states that an entity must be deployed on a cloud with a security
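The following Python program is an added illustration of the model described in the System model section and evaluated in these experiments; it is not code from the paper and does not use its Petri nets. It builds a Denning-style security lattice (rank plus category set), states the two Bell–LaPadula access checks in their usual form (no read up, no write down; the paper's own numbering of rules (1)–(3) is not reproduced), and encodes the cloud security rule under the assumption that the hosting cloud's level must dominate the entity's level (the page's statement of rule (4) is cut off, so this is an assumed reading). It then performs a breadth-first reachability search over entity migrations between clouds, the simplest form of the model checking the paper refers to: with the access-control guard in place no violating placement is reachable, and with the guard removed (standing in for an insider bypassing the control) the search returns the first violating placement together with the migrations that lead to it. All clouds, entities and levels are constructed sample values.

```python
"""Added illustration (not the paper's code): security lattice, Bell-LaPadula
checks, an assumed cloud security rule, and a reachability search over entity
migrations that model-checks the cloud rule."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """Lattice element: a classification rank plus a set of categories."""
    rank: int
    cats: frozenset = frozenset()

    def dominates(self, other: "Level") -> bool:
        return self.rank >= other.rank and other.cats <= self.cats

    def join(self, other: "Level") -> "Level":
        """Least upper bound in the lattice."""
        return Level(max(self.rank, other.rank), self.cats | other.cats)


@dataclass(frozen=True)
class Entity:
    name: str
    kind: str      # "service" or "data"
    level: Level


def may_read(subject: Entity, obj: Entity) -> bool:
    """Bell-LaPadula simple security property: no read up."""
    return subject.level.dominates(obj.level)


def may_write(subject: Entity, obj: Entity) -> bool:
    """Bell-LaPadula *-property: no write down."""
    return obj.level.dominates(subject.level)


def cloud_rule_ok(entity: Entity, cloud_level: Level) -> bool:
    """Cloud security rule as assumed here: the hosting cloud dominates the entity."""
    return cloud_level.dominates(entity.level)


def violations(placement: dict, entities: dict, clouds: dict) -> list:
    """Names of entities whose current cloud breaks the cloud rule."""
    return sorted(n for n, c in placement.items()
                  if not cloud_rule_ok(entities[n], clouds[c]))


def explore(entities: dict, clouds: dict, initial: dict, guarded: bool = True):
    """BFS over placements reachable by single-entity migrations.

    guarded=True checks every migration against the cloud rule (the role of the
    access-control sub-net); guarded=False lets any migration fire, standing in
    for an insider bypassing that control. Returns (states_seen, witness) where
    witness is the list of (entity, cloud) moves reaching the first violating
    placement, or None if no violating placement is reachable."""
    start = tuple(sorted(initial.items()))
    seen = {start: []}            # state -> path of moves from the initial state
    queue = deque([start])
    while queue:
        state = queue.popleft()
        placement = dict(state)
        if violations(placement, entities, clouds):
            return len(seen), seen[state]
        for name in entities:
            for cloud in clouds:
                if cloud == placement[name]:
                    continue
                if guarded and not cloud_rule_ok(entities[name], clouds[cloud]):
                    continue
                nxt = dict(placement)
                nxt[name] = cloud
                key = tuple(sorted(nxt.items()))
                if key not in seen:
                    seen[key] = seen[state] + [(name, cloud)]
                    queue.append(key)
    return len(seen), None


# Constructed sample lattice, clouds and entities (not from the paper).
LEVELS = {
    "public": Level(0),
    "internal": Level(1),
    "confidential": Level(2, frozenset({"finance"})),
}
CLOUDS = {"public": LEVELS["public"], "private": LEVELS["confidential"]}
ENTITIES = {
    "web": Entity("web", "service", LEVELS["public"]),
    "ledger": Entity("ledger", "data", LEVELS["confidential"]),
    "report": Entity("report", "service", LEVELS["internal"]),
}
INITIAL = {"web": "public", "ledger": "private", "report": "private"}

if __name__ == "__main__":
    print("guarded:  ", explore(ENTITIES, CLOUDS, INITIAL, guarded=True))
    print("unguarded:", explore(ENTITIES, CLOUDS, INITIAL, guarded=False))
```

With the guard on, only `web` can move (the private cloud dominates every level), so two placements are reachable and none violates the rule; with the guard off, the first violating placement found is `ledger` migrated to the public cloud, and the returned move list is the diagnostic trace a verifier would report.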

Conclusions

In this paper, we presented a dynamic flow-sensitive security model that can be used to analyse the information flow in FCSs. The entities present in the cloud system can be assigned different security levels belonging to a given security lattice. Moreover, each cloud is assigned a security level that captures the confidentiality level of the cloud. It is also possible to specify in a formal way different security policies for the movement of entities between different clouds. The resulting

Acknowledgments

We would like to thank the referees for their comments and useful suggestions. This research was supported by the 973 Program, Grant no. 2010CB328102, the NSFC, Grant no. 61133001, and EPSRC UNCOVER EP/K001698/1 project.

References (33)

  • W. Vogler. Fairness and partial order semantics. Inf Process Lett (1995)
  • A. Agarwal et al. Effective verification of weak diagnosability (2012)
  • D.E. Bell et al. Secure computer systems: mathematical foundations (1973)
  • A. Benveniste et al. Diagnosis of asynchronous discrete event systems: a net unfolding approach. Autom Control IEEE Trans (2003)
  • Z. Benzadri et al. Towards a formal model for cloud computing
  • E.M. Clarke et al. Model checking (1999)
  • R. Denning et al. A lattice model of secure information flow. Commun ACM (1976)
  • R. Denning et al. Cryptography and data security (1982)
  • V. Germanos et al. Diagnosability under weak fairness (2014)
  • V. Germanos et al. Diagnosability under weak fairness. ACM Trans Embed Comput Syst (2015)
  • A. Gouglidis et al. A methodology for the development and verification of access control systems in cloud computing
  • S. Haar et al. Partial order diagnosability of discrete event systems using Petri nets unfoldings (2003)
  • K. Jensen. Coloured Petri nets (2009)
  • S. Jiang et al. A polynomial algorithm for testing diagnosability of discrete event systems (2001)
  • K. Knorr. Dynamic access control through Petri net workflows (2000)
  • K. Knorr. Multilevel security and information flow in Petri net workflows (2001)