Formalizing Threat Models for Virtualized Systems
We propose a framework, called FATHoM (FormAlizing THreat Models), to define threat models for virtualized systems. For each component of a virtualized system, we specify a set of security properties that defines its control responsibility and its vulnerability and protection states. Relations are used to represent how assumptions made about one component's security state restrict the assumptions that can be made about the other components. FATHoM includes a set of rules to compute the derived security states from the assumptions and the components' relations. A further set of relations and rules defines how to protect the derived vulnerable components. The resulting system is then analysed for, among other properties, the consistency of the threat model. We have developed a tool that implements FATHoM and have validated it with use cases adapted from the literature.
Supported by FP7 EU-funded project Coco Cloud under grant no. 610853, and EPSRC Project CIPART grant no. EP/L022729/1.
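As an added illustration, not the paper's tool or its formal semantics, the following Python sketch shows the kind of computation the abstract describes: security-state assumptions on components, control relations along which vulnerability is derived, a protection relation that blocks that derivation, and a consistency check of the assumptions against the derived states. The component names, the state vocabulary and the relation semantics are assumptions made here.

```python
"""Toy threat-model propagation in the spirit of the FATHoM abstract.
Everything below (components, states, relation semantics) is an assumption
made for illustration, not the paper's own definitions."""

# Constructed example stack. Edge (a -> b): a controls b, so if a is
# vulnerable, b is derived vulnerable unless a protection relation blocks it.
CONTROLS = {
    "hardware": ["hypervisor"],
    "hypervisor": ["guest_kernel", "management_vm"],
    "management_vm": ["guest_kernel"],  # e.g. a privileged VM can inspect guests
    "guest_kernel": ["guest_app"],
    "guest_app": [],
}

# Protection relations: component -> mechanism that, when assumed effective,
# stops vulnerability from being inherited from its controller.
PROTECTED_BY = {"guest_app": "enclave"}  # assumption: an enclave-style isolation


def derive_states(assumptions, controls=CONTROLS, protected_by=PROTECTED_BY):
    """assumptions: {component: 'trusted' | 'vulnerable'} plus mechanism
    names mapped to True when assumed effective. Returns the derived state
    of every component ('unknown' if nothing is assumed or derived)."""
    state = {c: assumptions.get(c, "unknown") for c in controls}
    changed = True
    while changed:  # fixpoint: propagate 'vulnerable' along control edges
        changed = False
        for parent, children in controls.items():
            if state[parent] != "vulnerable":
                continue
            for child in children:
                shield = protected_by.get(child)
                if shield and assumptions.get(shield):
                    continue  # protection relation breaks the inheritance
                if state[child] != "vulnerable":
                    state[child] = "vulnerable"
                    changed = True
    return state


def inconsistencies(assumptions, **kw):
    """Consistency check: components assumed trusted whose derived state is
    vulnerable, i.e. assumptions the relations cannot support."""
    derived = derive_states(assumptions, **kw)
    return sorted(c for c, s in assumptions.items()
                  if s == "trusted" and derived.get(c) == "vulnerable")


if __name__ == "__main__":
    model = {"hypervisor": "vulnerable", "guest_kernel": "trusted"}
    print(derive_states(model), inconsistencies(model))
```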