Formalizing Threat Models for Virtualized Systems

  • Daniele Sgandurra
  • Erisa Karafili
  • Emil Lupu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9766)


We propose a framework, called FATHoM (FormAlizing THreat Models), to define threat models for virtualized systems. For each component of a virtualized system, we specify a set of security properties that defines its control responsibility and its vulnerability and protection states. Relations are used to represent how assumptions made about a component's security state restrict the assumptions that can be made about the other components. FATHoM includes a set of rules to compute the derived security states from the assumptions and the components' relations. A further set of relations and rules is used to define how to protect the derived vulnerable components. The resulting system is then analysed for, among other properties, the consistency of the threat model. We have developed a tool that implements FATHoM, and have validated it with use-cases adapted from the literature.
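To make the abstract's workflow concrete (assumed control states, a relation between components, derived vulnerability states, protection assumptions and a consistency check), here is an added toy model in that spirit. It is example code written for this page, not the FATHoM tool or its rule set; the `depends_on` relation, the propagation rule and the consistency rule are simplifying assumptions of the example.

```python
from dataclasses import dataclass

# Constructed toy model: each component carries a control assumption (who controls
# it), a vulnerability state and a protection state, as in the abstract's
# description. The rules below are assumptions for illustration, not the paper's.

@dataclass
class Component:
    name: str
    controller: str = "provider"   # assumption: who controls this component
    vulnerable: bool = False       # assumed vulnerability state
    protected: bool = False        # assumed protection (e.g. isolation mechanism)

# depends_on: name -> components whose security state this component rests on.
# Propagation rule (assumed): a component is derived vulnerable if any dependency
# is attacker-controlled or vulnerable, unless the component itself is protected.
def derive_states(components, depends_on, attacker="attacker"):
    by_name = {c.name: c for c in components}
    derived = {c.name: c.vulnerable or c.controller == attacker for c in components}
    changed = True
    while changed:                 # iterate to a fixpoint over the relation
        changed = False
        for name, deps in depends_on.items():
            if derived[name] or by_name[name].protected:
                continue
            if any(derived[d] for d in deps):
                derived[name] = True
                changed = True
    return derived

# Consistency rule (assumed): a component assumed protected must not rest on an
# attacker-controlled component, since the protection would itself be under the
# attacker's control. Returns the names of components violating this rule.
def inconsistencies(components, depends_on, attacker="attacker"):
    by_name = {c.name: c for c in components}
    return sorted(
        name for name, deps in depends_on.items()
        if by_name[name].protected
        and any(by_name[d].controller == attacker for d in deps)
    )

def example():
    # Constructed scenario: attacker-controlled hypervisor hosting two tenant VMs,
    # one of which is (inconsistently) assumed to be protected.
    comps = [Component("hardware"),
             Component("hypervisor", controller="attacker"),
             Component("vm1", controller="tenant"),
             Component("vm2", controller="tenant", protected=True)]
    rel = {"hypervisor": ["hardware"], "vm1": ["hypervisor"], "vm2": ["hypervisor"]}
    return derive_states(comps, rel), inconsistencies(comps, rel)
```

Running `example()` derives vm1 as vulnerable through the compromised hypervisor and flags vm2, whose assumed protection rests on that same hypervisor, as an inconsistency in the threat model.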





Supported by FP7 EU-funded project Coco Cloud under grant no. 610853, and EPSRC Project CIPART grant no. EP/L022729/1.



Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  1. Imperial College London, London, UK
