Modeling and Analysis of Dynamic Infrastructure Clouds

Misconfigurations and insider attacks contribute to one of the major technical risks in multi-tenant cloud computing: the lack of resource isolation. Breaches in tenant isolation put both the cloud provider as well as the consumers at risk. The dynamic nature of infrastructure clouds increases the risk for misconfigurations because of their self-service administration and rapid provisioning. We tackle this challenge by establishing a practical security system that proactively analyzes changes induced by cloud management operations with regard to a security policy. We achieve this by contributing the first formal model of cloud management operations and their impact on a virtualized infrastructure. Our approach combines such a model of operations with a security policy verification as well as an information flow analysis suited for isolation policies. Our system finds practical applications in change planning as well as in auditing of changes at run-time. We evaluate our system for virtualized infrastructures in laboratory and production settings, and it yields a performance suitable for applications in practice.

By: Soeren Bleikertz, Thomas Gross, Sebastian Moedersheim

Published in: RZ3859 in 2013


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to .