Professional Documents
Culture Documents
Network and System Security 8th International Conference NSS 2014 Xi An China October 15 17 2014 Proceedings 1st Edition Man Ho Au
Network and System Security 8th International Conference NSS 2014 Xi An China October 15 17 2014 Proceedings 1st Edition Man Ho Au
https://textbookfull.com/product/network-and-system-
security-12th-international-conference-nss-2018-hong-kong-china-
august-27-29-2018-proceedings-man-ho-au/
https://textbookfull.com/product/frontiers-in-cyber-security-
second-international-conference-fcs-2019-xi-an-china-
november-15-17-2019-proceedings-bazhong-shen/
https://textbookfull.com/product/network-and-system-
security-13th-international-conference-nss-2019-sapporo-japan-
december-15-18-2019-proceedings-joseph-k-liu/
https://textbookfull.com/product/security-standardisation-
research-first-international-conference-ssr-2014-london-uk-
december-16-17-2014-proceedings-1st-edition-liqun-chen/
https://textbookfull.com/product/information-security-and-
cryptology-10th-international-conference-inscrypt-2014-beijing-
china-december-13-15-2014-revised-selected-papers-1st-edition-
dongdai-lin/
https://textbookfull.com/product/web-and-internet-economics-10th-
international-conference-wine-2014-beijing-china-
december-14-17-2014-proceedings-1st-edition-tie-yan-liu/
https://textbookfull.com/product/applied-cryptography-and-
network-security-12th-international-conference-
acns-2014-lausanne-switzerland-june-10-13-2014-proceedings-1st-
edition-ioana-boureanu/
https://textbookfull.com/product/intelligent-robotics-and-
applications-7th-international-conference-icira-2014-guangzhou-
china-december-17-20-2014-proceedings-part-ii-1st-edition-
Man Ho Au Barbara Carminati
C.-C. Jay Kuo (Eds.)
LNCS 8792
Network and
System Security
8th International Conference, NSS 2014
Xi'an, China, October 15–17, 2014
Proceedings
123
Lecture Notes in Computer Science 8792
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Alfred Kobsa
University of California, Irvine, CA, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbruecken, Germany
Man Ho Au Barbara Carminati
C.-C. Jay Kuo (Eds.)
Network and
System Security
8th International Conference, NSS 2014
Xi’an, China, October 15-17, 2014
Proceedings
13
Volume Editors
Man Ho Au
Hong Kong Polytechnic University
Department of Computing
Hung Hom, Kowloon, Hong Kong
E-mail: csallen@comp.polyu.edu.hk
Barbara Carminati
University of Insubria
Department of Computer Science
and Communication
Via Mazzini, 5
21100 Varese, Italy
E-mail: barbara.carminati@uninsubria.it
C.-C. Jay Kuo
University of Southern California
Ming Hsieh Department
of Electrical Engineering
3740 McClintock Avenue, EEB 100
Los Angeles, CA 90089-2560, USA
E-mail: cckuo@ee.usc.edu
The 8th International Conference on Network and System Security, NSS 2014,
was held during October 15-17, 2014 in Xi’an, China. The conference was or-
ganized and supported by the State Key Laboratory of Integrated Service Net-
works (ISN), Xidian University, China. The submission and review process was
conducted in Easychair system.
There were 155 submissions. Each submission was reviewed by an average of 3
Program Committee members. These papers were evaluated on the basis of their
significance, novelty, and technical quality. After a rigorous review process and
thorough discussion, the Program Committee selected 35 full papers and 12 short
papers respectively for presentation at the conference. These papers covered
a wide range of topics within the theme of the conference, including access
control, cloud computing, key management and distribution, network and system
security, privacy, biometrics, and cryptographic protocols and applications. This
Springer volume (LNCS 8792) contain revised versions of the selected papers.
The NSS conference series covers research on all theoretical and practical
aspects related to network and system security. NSS aims at providing a leading
edge forum to foster interaction between researchers and developers within the
network and system security communities, and giving attendees the opportunity
to interact with experts in academia, industry, and governments.
In addition to the contributed papers, the conference program comprised two
invited keynote talks. The invited speakers were Professor Elisa Bertino (Pur-
due University, USA) with the topic on “Cloud Security - Research Challenges
and Opportunities” and Professor Jiankun Hu (University of New South Wales
at the Australian Defence Force Academy, Australia) with the topic on “Bio-
Cryptography: Is This Going to Be Big?”. We would like to express our sincere
thanks to them.
We are very grateful to the people who helped with the conference program
and organization. Specifically, we heartily thank the Program Committee and the
sub-reviewers for their contributions to the review process. We would also like to
express our gratitude to Springer for continuing to support the NSS conference
and for the help in the production of the conference proceedings. In addition,
we wish to thank the general chairs, Professor Xiaofeng Chen, Professor Dieter
Gollmann and Professor Xinyi Huang as well as the Organizing Committee for
their excellent contributions to the conference.
Last but not least, our thanks go to all the authors who submitted papers
and all attendees. We hope you enjoy the conference!
Honorary Chairs
Xinbo Gao Xidian University, China
Jianfeng Ma Xidian University, China
Hui Li Xidian University, China
General Chairs
Xiaofeng Chen Xidian University, China
Dieter Gollmann Hamburg University of Technology, Germany
Xinyi Huang Fujian Normal University, China
Program Chairs
Man Ho Au Hong Kong Polytechnic University, China
Barbara Carminati University of Insubria, Italy
C.-C. Jay Kuo University of Southern California, USA
Steering Chair
Yang Xiang Deakin University, Australia
Steering Committee
Elisa Bertino Purdue University, USA
Robert H. Deng Singapore Management University, Singapore
Dieter Gollmann Hamburg University of Technology, Germany
Xinyi Huang Fujian Normal University, China
Kui Ren University at Buffalo, State University of
New York, USA
Ravi Sandhu University of Texas at San Antonio, USA
Wanlei Zhou Deakin University, Australia
VIII Organization
Publicity Chairs
Jin Li Guangzhou University, China
Muhammad Khurram Khan King Saud University,
Saudi Arabia
Workshop Chairs
Yilei Wang Ludong University, China
Advisory Committee
Robert H. Deng Singapore Management University, Singapore
C.-C. Jay Kuo University of Southern California, USA
Kuan-Ching Li Providence University, China
Peter Mueller IBM Zurich Research, Switzerland
Makoto Takizawa Seikei University, Japan
Yi Mu University of Wollongong, Australia
Vijay Varadharajan Macquarie University, Australia
Program Committee
Rafael Accorsi University of Freiburg, Germany
Gail-Joon Ahn Arizona State University, USA
Eric Alata LAAS, France
Joonsang Baek Khalifa University of Science, Technology and
Research, UAE
Carlo Blundo Università degli Studi di Salerno, Italy
Marco Casassa Mont Hewlett-Packard Labs, UK
David Chadwick University of Kent, UK
Aldar C-F. Chan Institute for Infocomm Research, Singapore
Xiaofeng Chen Xidian University, China
Mauro Conti University of Padua, Italy
Frédéric Cuppens TELECOM Bretagne, France
Wenliang Du Syracuse University, USA
Jesús Dı́az-Verdejo University of Granada, Spain
Junbin Fang Jinan University, China
Jordi Forne Universitat Politecnica de Catalunya, Spain
Steven Furnell Plymouth University, UK
Alban Gabillon University of Polynésie Française, French
Polynesia
Joaquin Garcia-Alfaro TELECOM Bretagne, France
Dieter Gollmann Hamburg University of Technology, Germany
Jinguang Han Nanjing University of Finance and Economics,
China
Organization IX
Additional Reviewers
Agosta, Giovanni Fromm, Alexander
Ahlawat, Amit Fuchs, Ludwig
Al Khalil, Firas Galdi, Clemente
Ambrosin, Moreno Gao, Xing
Ambroze, Marcel Georgiopoulou, Zafeiroula
Autrel, Fabien Graa, Mariem
Ayed, Samiha Guo, Xu
Banescu, Sebastian Holling, Dominik
Blanc, Gregory Idrees, Sabir
Brumley, Billy Jiang, Jiaojiao
Büchler, Matthias Jin, Xing
Cai, Liang Kumari, Prachi
Camilo Corena Juan Lalas, Efthymios
Chen, Chao Li, Chengqing
Chen, Chi Li, Fudong
Chen, Xiao Li, Shujun
Chin, Ji-Jian Liang, Kaitai
Compagno, Alberto Liu, Daiping
Dargahi, Tooska Long, Xuelian
Diener, Michael Lu, Jiqiang
El Samarji, Layal Ma, Sha
Fereidooni, Hossien Mannan, Mohammad
Fragkiadakis, Ioannis Mannes, Elisa
Organization XI
Cloud Computing
An Approach for the Automated Analysis of Network Access Controls
in Cloud Computing Infrastructures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Thibaut Probst, Eric Alata, Mohamed Kaâniche, and
Vincent Nicomette
Access Control
Extending OpenStack Access Control with Domain Trust . . . . . . . . . . . . . 54
Bo Tang and Ravi Sandhu
Network Security
psOBJ: Defending against Traffic Analysis with pseudo-Objects . . . . . . . . 96
Yi Tang, Piaoping Lin, and Zhaokai Luo
Security Analysis
Exploiting the Hard-Wired Vulnerabilities of Newscast via
Connectivity-Splitting Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Jakub Muszyński, Sébastien Varrette,
Juan Luis Jiménez Laredo, and Pascal Bouvry
A Meet-in-the-Middle Attack on Round-Reduced mCrypton Using the
Differential Enumeration Technique . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Yonglin Hao, Dongxia Bai, and Leibo Li
Improving Impossible Differential Cryptanalysis with Concrete
Investigation of Key Scheduling Algorithm and Its Application to
LBlock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Jiageng Chen, Yuichi Futa, Atsuko Miyaji, and Chunhua Su
Cryptanalysis on the Authenticated Cipher Sablier . . . . . . . . . . . . . . . . . . . 198
Xiutao Feng and Fan Zhang
A Stochastic Cyber-Attack Detection Scheme for Stochastic Control
Systems Based on Frequency-Domain Transformation Technique . . . . . . . 209
Yumei Li, Holger Voos, Albert Rosich, and Mohamed Darouach
Security Analysis and Improvement of Femtocell Access Control . . . . . . . 223
Chien-Ming Chen, Tsu-Yang Wu, Raylin Tso, and Mu-En Wu
System Security
Countering Ballot Stuffing and Incorporating Eligibility Verifiability in
Helios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Sriramkrishnan Srinivasan, Chris Culnane, James Heather,
Steve Schneider, and Zhe Xia
Short Papers
Rational Secure Two-party Computation in Social Cloud . . . . . . . . . . . . . . 476
Yilei Wang, Zhe Liu, Tao Li, and Qiuliang Xu
1 Introduction
Cloud computing is an emerging paradigm which allows the easy hosting and
management of infrastructures, platforms and applications, while reducing de-
ployment and operation costs. Providers propose to clients different kinds of
resources as services. To satisfy these needs, various technologies like virtual-
ization, new networking concepts, Web services, are mixed in complex architec-
tures. This complexity, along with the presence of many different actors (service
providers and consumers, developers, vendors, brokers, etc.) that cannot trust
each other, make such environments vulnerable to many security threats [1–3]
and raise security concerns for the clients and the providers. To cope with these
threats, various security mechanisms can be deployed in the cloud, including
firewalls or Identity Access Management (IAM) tools, and Intrusion Detection
and Prevention Systems (IDS/IPS). The first category aims to implement net-
work access controls, while the second one aims to detect (and possibly block)
attacks in a network or on a host. Cloud environments constantly evolve over
time as clients can add or remove instances and users or modify configurations,
which could have impacts on the cloud security. Therefore, it is important for
M.H. Au et al. (Eds.): NSS 2014, LNCS 8792, pp. 1–14, 2014.
c Springer International Publishing Switzerland 2014
2 T. Probst et al.
the client and the provider to monitor and analyze at a regular basis the security
level of cloud infrastructures, in order to adapt and improve the configuration
of the security tools. In this paper, we focus on analyzing cloud computing fire-
walls access controls, because they have a direct impact on network accessibility
(or reachability) in virtual infrastructures. An accessibility is the first support
of attack vectors, hence finding accessibilities is the first step in building attack
scenarios and assessing the efficiency of security mechanisms. Various types of
firewalls can be deployed in the cloud either in the client’s network topology (and
thus configured by the client), or at the hypervisor level (and thus configured by
the cloud administrator). As a consequence, controls on cloud firewalls are often
balanced between the clients and the provider.
The configuration of such firewalls is generally tedious and error prone due
to the increasing complexity of virtualized infrastructures. Therefore, efficient
methods are needed to analyze network accessibilities in an operational context
and identify potential discrepancies with those defined and desired by the clients.
Two methods can be used for this purpose: 1) static analysis of devices config-
uration; 2) dynamic analysis by sending traffic over the network. In traditional
network environments, static analysis is generally preferred because dynamic
analysis is more intrusive and hardly doable on production environments. How-
ever, actual static analysis tools are often not designed to support the analysis of
end-to-end accessibilities. Also, such tools may fail to reveal all possible network
accessibilities, in particular when hidden and implicit access control rules (not
part of firewall specifications) are enforced at different layers of the virtualized
infrastructures. We argue that such access control rules could be revealed by dy-
namic analysis approaches that could complement static analysis. Therefore, our
research is aimed at providing automated ways (both static and dynamic) to de-
termine network accessibilities in a client’s infrastructure and look for potential
discrepancies in the results. We provide the following contributions:
– A static analysis method of cloud components configurations.
– A dynamic analysis method of cloud components.
As an outcome, network accessibilities are provided for both methods, along with
an analysis of the discrepancies in firewall access controls by comparing results
along with the client’s network security policy that we consider provided by the
client1 . Our approach is aimed at taking into account cloud security constraints
by protecting the virtual infrastructures during the audits. This is achieved by
running the static and dynamic accessibility analysis on a clone of the cloud
infrastructure. Moreover, we leverage cloud advantages to perform quicker and
deeper audits and we make the process fully automated.
The rest of the paper is organised as follows. Section 2 introduces our ap-
proach. Section 3 describes the main phase of our approach about analysis of
network access controls. Section 4 presents a VMware-based testbed environ-
ment used to validate our approach, along with the experimental results. Section
5 discusses related work. Finally, conclusion and future work are provided.
1
The definition and retrieval of a cloud security policy, along with its implementation
as filtering rules, are out of the scope of our contributions.
An Approach for the Automated Analysis of Network Access Controls 3
– Edge firewall: gateway for client’s networks that routes, filters and translates
inbound or outbound traffic. It is generally controlled by the client.
– Hypervisor-based firewall: introspects the traffic sent and received by VMs
disregarding the topology. It can act on different scopes, with a set of rules
for each scope. A scope is referred to as a client’s IP network. This allows
the creation of rules inside each client’s network and applied to traffic to
and from VMs of this network. This kind of firewall is generally managed by
the provider, though some cloud portals can give the client access to certain
scopes.
The security analysis should not disturb the client’s business. It is intended to
be fully automated (it does not need human intervention). The security analysis
can be performed on demand (audits can be run on the client’s will). Provided
results correspond to the state of the system at the time when the analysis is run.
These reports should be relevant to the actors (clients, provider) that control
the analyzed tools. The accessibility analysis operations are run on behalf of the
provider, and therefore use administrator rights on the cloud components.
1. Fetch the configuration from the client’s vDCs: users’ privileges, IP address-
ing, network connections, etc.
2. Create new vDCs from the configuration information.
3. Copy VMs, networks, firewalls, to the newly created datacenters.
4. Reset cloned VMs administrator password by using single-user mode. This
avoids to ask the client any password for further actions on the cloned VMs.
The second phase analyzes access controls statically and dynamically to gener-
ate a security analysis report containing the accessibilities found by both meth-
ods. These are also compared with the user-defined accessibilities to perform
an analysis of discrepancies in the results. This second phase is the core of our
contributions and is developed in the next sections. During the audit process, we
do not need to know any supplementary information, beyond what is supplied
in a traditional cloud subscription process. All the other information we need
are automatically retrieved using APIs provided by the cloud infrastructure and
without human intervention. We take advantage of cloud computing embedded
technologies to run audit operations described later on (cloning infrastructures,
deploying and executing programs...).
Destinations
IP A1 IP B1 IP B2 IP C1
VM A Service W
Sources VM B Service X Service Y
VM C Service Z
An Approach for the Automated Analysis of Network Access Controls 5
provided REST API and Shell scripts to retrieve XML files from VMs, firewalls,
and cloud management modules. Then, we run XSLT processing in conjunc-
tion with Python to parse and transform XML into Prolog logic predicates. We
designed a XSLT sheet for each configuration we need to parse3 .
Logic Engine. The logic engine runs an internal logic (set of Prolog rules
using the previously presented predicates) upon the submission of an accessibility
request. Accessibility requests aim to generate the accessibility predicates, as
stated earlier. Let us consider the following requests:
• accessibility(vm-372, tcp, any,’172.16.2.66’, tcp, DP ORT ).
• accessibility(’0.0.0.0’, icmp, any,’192.168.1.150’, icmp, DP ORT ).
The logic engine is asked to return the accessibility predicates associated to
all open TCP ports from vm-372 to 172.16.2.66, and then all the open ICMP
subprotocols from 0.0.0.0 (external networks) to 192.168.1.150.
To process such accessibility requests, we designed an algorithm based on a
set of Prolog rules, as shown on Figure 2. Starting from the source, the algorithm
checks routing, NAT and filtering rules (using the initial parameters) on each
edge firewall node of the route from the source to the destination. In our model,
an edge firewall can also act as a simple router that allows all the traffic. Then,
it checks routing from the destination to the source, but it does not verify filter-
ing there because we consider stateful inspection firewalls. Eventually, it checks
filtering at the hypervisor-based firewall, if present, for the appropriate scopes
(source and destination network scopes, or the global scope by default).
The algorithm execution tune depends on the number of accessibility requests
to execute, because each request may process thousands of Prolog rules. For ex-
ample, to check whether a traffic is allowed on a firewall, the algorithm first looks
for a rule which allows this traffic, where the source and destination can take
several values: IP address, address range, group, network, list of IPs, keywords
like ”any”, ”internal”, ”external”, etc. The ”any” keyword can also be found for
destination protocol and port values. Then, we verify that there is no potential
denying rule with a higher priority (to take into account the cancellation of an
allowing rule) than the previously found accepting rule (the default policy is
also assumed as a rule with the lowest priority). All these possible combinations
lead to an exponential computational complexity (and can make accessibility
requests take too long, which is not acceptable in a cloud audit process). To
reduce the execution time, a maximum of rules are precompiled (once and for
all) to generate all the associated predicates (for example all the allowed traffic
on every firewall, i.e. traffic from/to each VM on every destination protocol and
port combinations). Also, the the accessibility requests jobs are multithreaded.
ready to receive packets. The client and server programs were developed using
Python sockets and Scapy API. They are automatically deployed on all the
VMs prior to the execution of the algorithm. We use a three-dimension session
array (1st dimension: clients; 2nd dimension: servers; 3rd dimension: servers IP
addresses) to report the done and undone sessions throughout the iterations of
the main algorithm. All the values of this array are initialized to false, except
when the server and the client are the same (we do not perform local sessions).
At the end of each iteration of the algorithm, the clients are monitored to know
whether their sending of packets is done so the servers can be interrupted and the
results retrieved from them. The algorithm starts by running the VMs to VMs
sessions, then the external location to VMs sessions (multithreaded, because the
external location can be client of all VMs at the same time), and finally the VMs
to the external location sessions sequentially. Let us note:
– N V as the total number of VMs.
– N IPi as the
total number
of IP addressesof VM i.
– NS = (1 + N IPj ) + N IPi as the total number of
0<i<N V 0<j<N V 0<i<N V
i=j
sessions. It is composed of the sessions from VMs to other VMs and the
external location, and sessions from the external location to VMs.
– N Si = N IPi × (N V − 1) the number of inter-VM sessions for a server i.
– d as the delay between packet sendings.
– N P as the number of packets to be sent in each session.
An iteration is defined as the time needed to execute a session, which is
N P × d + t1 (t1 is the sleeping time between the launch of a server and a client).
Remember that several sessions can be executed in a single iteration. When VMs
have one IP address, N Si = N V − 1, and this is also the number of iterations for
inter-VM exchanges (one session as a server per iteration for each VM). However,
VMs can have multiple IP addresses (known as multihoming), and a VM cannot
be server twice during the same iteration. The number of extra inter-VM sessions
related to a server i due to multihoming is noted as N Ai = N Si − (N V − 1).
Multihoming entails max{N Ai } additional iterations (where the extra sessions
are executed in parallel according to the algorithm). Therefore, we can deduce
the number of iterations for inter-VM exchanges as N V −1+max{N Ai }. Sessions
from the external location to VMs IP address are run in parallel (max{N IPi }
iterations), and sessions from VMs to an external location are run sequentially
(N V iterations). Adding the sleeping time (t2) present in the update access()
function (ensuring the results of each session are generated on a server before
retrieving them), we get an estimation of the execution time:
T = (2N V − 1 + max{N Ai } + max{N IPi }) × (N P × d + t1) + N S × t2
In the formula, we do not take into account the time of code instructions and the
time needed to retrieve the accessibilities and write them on disk. Our algorithm
has a linear execution time which depends on the number of VMs and IPs per
VM. A simple algorithm that would execute each session sequentially would have
an exponential execution time depending on the number of sessions (of course
the sleeping times we put would be needed and to be considered too).
An Approach for the Automated Analysis of Network Access Controls 9
Destinations
172.16.2.1 172.16.2.2 192.168.1.150 172.16.2.66 0.0.0.0
vm-372 echo-request
vm-375 MySQL SSH
Sources
vm-378 echo-reply
0.0.0.0 any
Prior to the execution of the static and dynamic analysis, we used a set of
embedded tools provided by VMware to perform the automated cloning phase of
the infrastructure. Note that in both scenarios, we consider a total of 587 known
TCP, UDP and ICMP services4, though this can be configured differently.
have to be adjusted according to the capacity of the physical hardware and the
size of the infrastructure to analyze. For instance, with a 5ms inter-packet delay
and 1-second sleeping times, the duration came down to 56mn47s, and 46mn30s
with a 1ms inter-packet delay and 0.5-second sleeping times.
The discrepancies noticed in scenario 2 are of the same type. There are not a lot of
them, but they can be explained. Implicitly rules (related to UDP ports 67 and 68
traffics) are configured when activating DHCP features, which was omitted in the
user-defined accessibility matrix. Furthermore, VMware firewalls let pass more
ICMP management traffic (router-solicitation, traceroute, photuris, addr-mask-
reply) than configured when allowing echo-request or echo-reply subprotocols.
5 Related Work
Network accessibilities are built by discovering the hosts and analyzing connec-
tivity between them. They could be derived either statically, based on network
equipments configuration; or dynamically, by running port scans. In [4], the au-
thors rigorously formulate the problem of reachability in networks. While this is
useful as grounding work to understand well this problem, they do not provide
methods to collect network information and their model does not handle complex
NAT. Furthermore, they do not provide a practical algorithm or experimental
An Approach for the Automated Analysis of Network Access Controls 13
results showing the scalability of their approach. The approach presented in [5],
about computing accessibility matrices and expressing accessibility queries, is
thorough and very relevant. Their data structures, algortihms and query lan-
guage were a basis to build our static analysis approach, though we kept it
simpler and more adapted to cloud networks. We also believe that using an im-
perative language (Prolog) rather than a declarative one (C++) is more adapted
to compute complex accessibility queries. [6, 7] are good examples of analysis of
filtering configurations but are restricted to a device scope. They do not compute
end-to-end accessibilities, needed in our context.
Considering the general topic of cloud security audits, one can mention the
approaches presented in [8, 9], in addition to the publication of recommandations
and guidance on security assessments by the Cloud Security Alliance (CSA) [10].
In [8], cloud infrastructures are analyzed using accessibility graphs and vulnera-
bility discovery to build attack graphs and find shortest paths as critical attack
scenarios. Although the proposed approach is judicious, their static analysis
model includes only one global firewall and thus does not address rules consis-
tency and interactions in complex network topologies. We can also cite the work
in [11] on static flow analysis in virtualized infrastructures, where interaction of
cloud resources are generated as a graph model. However, they do not take into
account filtering rules at the upper levels. Furthermore, both [8] and [11] do not
propose a dynamic analysis method to verify network accessibilities. In [9], the
authors provide an automated audit system as a service for cloud environments,
along with a language to define a cloud security policy. The goal of this system
is to allow automatic auditing of VMs following user-defined policies. The policy
scenarios are quite thorough and tend to model the security requirements a cloud
would have to meet, including network access controls. Although it can audit
systems in real time, their solution requires embedding agents within each of
the key points of the infrastructure, which is not feasible in proprietary clouds.
Our approach is more lightweight as we preserve the original components and
execute programs in cloned VMs only for the time of the analysis.
Ongoing work includes the extension of the evaluation of cloud security tools
to IDS/IPS mechanisms. We are currently exploring the construction and exe-
cution of attack scenarios from the accessibilities found, in order to assess the
efficiency of deployed IPS/IDS probes. We intend to keep the evaluation process
fully automated and without any impact on the client’s business.
References
1. Jensen, M., Schwenk, J., Gruschka, N., Iacono, L.L.: On technical security is-
sues in cloud computing. In: IEEE International Conference on Cloud Computing,
CLOUD 2009, pp. 109–116. IEEE (2009)
2. Studnia, I., Alata, E., Deswarte, Y., Kaâniche, M., Nicomette, V., et al.: Survey of
security problems in cloud computing virtual machines. In: Proceedings of Com-
puter and Electronics Security Applications Rendez-vous (C&ESAR 2012), pp.
61–74 (2012)
3. Oktay, Sahingoz: Attack types and intrusion detection systems in cloud comput-
ing. In: Proceedings of the 6th International Information Security & Cryptology
Conference, pp. 71–76 (2013)
4. Xie, G.G., Zhan, J., Maltz, D.A., Zhang, H., Greenberg, A., Hjalmtysson, G.,
Rexford, J.: On static reachability analysis of ip networks. In: Proceedings of the
IEEE 24th Annual Joint Conference of the IEEE Computer and Communications
Societies, INFOCOM 2005, vol. 3, pp. 2170–2183. IEEE (2005)
5. Khakpour, A., Liu, A.X.: Quarnet: A tool for quantifying static network reachabil-
ity. Michigan State University, East Lansing, Michigan, Tech. Rep. MSU-CSE-09-2
(2009)
6. Marmorstein, R., Kearns, P.: A tool for automated iptables firewall analysis. In:
USENIX Association (ed.) ATEC 2005: Proceedings of the Annual Conference on
USENIX Annual Technical Conference, p. 44 (2005)
7. Nelson, T., Barratt, C., Dougherty, D.J., Fisler, K., Krishnamurthi, S.: The mar-
grave tool for firewall analysis. In: USENIX Large Installation System Adminis-
tration Conference (2010)
8. Bleikertz, S.: Automated security analysis of infrastructure clouds. Master’s thesis,
Norwegian University of Science and Technologys (2010)
9. Doelitzscher, F., Ruebsamen, T., Karbe, T., Knahl, M., Reich, C., Clarke, N.:
Sun behind clouds-on automatic cloud security audits and a cloud audit policy
language. International Journal on Advances in Networks and Services 6(1 and 2),
1–16 (2013)
10. Alliance, C.S.: Secaas implementation guidance: Security assessments (2012)
11. Bleikertz, S., Groß, T., Schunter, M., Eriksson, K.: Automated information flow
analysis of virtualized infrastructures. In: Atluri, V., Diaz, C. (eds.) ESORICS
2011. LNCS, vol. 6879, pp. 392–415. Springer, Heidelberg (2011)
Another random document with
no related content on Scribd:
D 28
103 July
2914 Jordan D W
B 5
July
3499 Johnson D 45 I
18
45 July
3510 Jennings H
G 18
July
3885 Jones Wm 55 C
24
July
4057 John Thomas 54 E
27
July
4093 Jones J 79 A
27
50 Aug
4540 Johnson J W
G 2
103 Aug
4590 Jameson Wm
H 3
101 Aug
4817 Johns Rob’t
I 5
Aug
5295 Johnson H Art 2 I
11
150 Aug
5516 Jacobs B G
F 13
100 Aug
5871 Jones Rob’t
A 16
101 Aug
6197 Jones T
I 19
Aug
6200 Jones W E 27 B
19
49 Aug
6317 Jones S
G 22
145 Aug
6760 Joslin J
I 25
Aug
6817 Jober J 77 B
25
6931 Jarmter C 7A Aug
26
53 Sept
7566 Johnson Chas
G 2
Sept
8318 Johnson J 45 I
10
101 Sept
8853 Jolly Jas
H 15
Sept
9303 Jones P 63 F
20
149 Sept
9351 Jordan J M
D 20
Sept
9378 Jacobs J S Cav 6F
20
Sept
9982 Jeffries C 4B
29
101 Sept
9999 Jones T
B 29
Oct
10735 Jabin Jas 55 E
11
Oct
10987 Jones A 27 D
16
184 Oct
11058 Johnson Wm
D 17
148 Oct
11430 Jordan Thos
- 24
115 Oct
11539 Jenks J C
H 27
118 Nov
12007 Johnson L
C 4
Dec
12331 Jack J P 7E
24
103 July
2889 Johnson A G, Cor
I 4
2 Kelly Chas H 71 H Mch
1
Mar
238 Kelly H S, S’t Cav 13 H
30
Mar
266 Kuntzelman J 63 E
31
May
1024 Kenny Wm 12 F
11
June
1824 Kyle Wm 5H
10
June
1875 Kelly Peter 73 -
12
June
2076 Knight Jno Cav 7K
17
June
2335 Kehoe Moses 8H
22
June
2639 Kenoan M A Cav 14 L
29
July
3048 King C 6C
8
July
3187 Kiech N, Cor 54 A
12
101 July
3265 Klink A
C 13
103 July
3471 Kemp E
A 17
103 July
3634 Keeston E
I 20
July
4162 Kagman J T 45 B
28
July
4293 Kuffman S D 45 E
30
Aug
4545 Kauf J Art 2B
2
148 Aug
4895 Kelley O F
B 6
5058 Kock H 21 H Aug
8
Aug
5145 Kawell Jno Cav 18 E
9
Aug
5154 Keyes Alex C, Cor Cav 16 H 64
9
149 Aug
5208 Kester L
F 10
Aug
5443 Kelley T Cav 13 H
12
Aug
5851 Kahn R 96 K
13
103 Aug
5718 Keister Jno M
A 15
Aug
5744 Keeley Wm Cav 13 A
15
Aug
6028 Kauffman B F 45 K
18
Aug
6084 Kemper J 73 D
18
Aug
6459 Kiger Wm Cav 3C
22
Aug
6497 Kenter A W 67 B
22
184 Aug
6514 Kniver S
F 22
Aug
6638 Krigle H 11 K
23
Aug
6965 Krader W O 55 H
27
Aug
7005 King M Cav 3A
27
Aug
7372 Keller A 9M
31
7553 Keller M 105 Sept
G 1
118 Sept
7781 Kyle Wm
F 7
184 Sept
8210 Kinsman F P
F 8
Kanford Jno C, S Sept
8734 C 5 -
m 14
Sept
8799 Kaufman J 45 E
17
Sept
9139 Kipp W Cav 12 D
18
145 Sept
9563 Kinmick T, Cor
K 23
Sept
9630 Kearney L 50 F
24
149 Oct
10335 Kerr B
B 4
101 Oct
10367 Kirby J A
E 5
184 Oct
10439 Kline Ross
F 6
152 Oct
10502 Kennedy J
A 8
Oct
10698 King M 11 K
11
101 Oct
10747 Kirkwood H
C 11
Oct
10926 Knieper C 89 F
14
Oct
11238 Kurtz J 55 K
21
Oct
11332 King J R 55 K
23
Oct
11384 Kelley E Cav 7F
24
11463 King R 6E Oct
26
116 Oct
11645 Kramer Geo, Cor
G 30
184 Feb
12695 Knox J, S’t 65
A 23
July
8676 Kerer H N 63 E 64
20
Mch
88 Liesen Lewis Cav 13 A
21
Mch
243 Lancaster E “ 14 F
30
April
297 Luck W “ 11 H
1
April
549 Lynch Adam “ 6L
14
May
1403 Levy Frank “ 3H
27
May
1429 Liesine Wm, Cor 13 E
28
June
1579 Lindine J Art 3A
3
106 June
1588 Little M
F 3
145 June
1621 Luhaus Melter
A 4
183 June
2250 Lackey Jas
D 21
June
2379 Leach J Cav 3D
23
July
3091 Larimer J 11 E
9
July
3734 Ladbeater Jas 7K
21
3305 Link P 98 H July
14
118 July
3306 Long A
H 14
July
3369 Lanigan N, S’t Cav 13 L
15
101 July
3403 Lewis Ed
I 16
49 July
3448 Leonard Geo
G 17
July
3489 Logan B 90 B
17
July
3545 Lee Jas Cav 13 B
18
101 July
4312 Long D F B
I 30
July
4434 Lambert W Cav 4K
31
Aug
4696 Larrison Wallace C 14 C
4
Aug
4818 Lewis A Cav 3D
5
101 Aug
4857 Laughlin J, S’t
E 6
Aug
4907 Lahman C 73 C
6
Aug
4929 Livingston J K 2B
6
Aug
5199 Long Augustus 55 H
10
Aug
5225 Loudin H N 14 H
10
116 Aug
5314 Lacock Hugh
E 11
Aug
6252 Lodiss H 90 A 64
20
6636 Leach Jas 49 E Aug
23
143 Aug
6783 Light S, Cor
H 25
Aug
7145 LaBelt J 21 F
29
Sept
7938 Lemon Jno E Cav 4 I
6
145 Sept
7950 Lockhard J
B 8
103 Sept
8405 Lepley Chas
E 10
Sept
8754 Layman F 49 B
10
Sept
8833 Laughlin J L 1H
15
Sept
8895 Lester W H Cav 7 I
16
Sept
8904 Lippoth J 5E
16
Sept
9085 Logne S 26 A
18
Sept
9291 Leary C 83 K
19
Sept
9647 Loden J Cav 4C
24
110 Sept
10066 Laytin P
D 30
21 Sept
10086 Lutz P M
G 30
116 Sept
10091 Lebos C
D 30
140 Oct
10273 Limar W
- 3
10298 Long W 67 Oct
G 4
Oct
10372 Long P, Cor Cav 11 C
5
119 Oct
10548 Lancaster C
B 8
Oct
10572 Lynch W J Cav 3 I
9
Oct
10580 Labor R 7F
10
143 Oct
10687 Luchford R
F 11
110 Oct
10873 Lang I
C 13
Oct
11604 Leuchlier J 5 -
16
Oct
11255 Lantz Wm 7C
21
Oct
11465 Lewis J Cav 4L
26
Nov
11728 Luther I “ 4L
1
Nov
11869 Lego Geo 12 A
6
53 Nov
11907 Ladd A
M 7
Nov
12192 Lape J 18 K
28
Dec
12210 Lewis D S 53 K
2
77 Jan
12489 Linsey D 65
G 19
139 Aug
5699 Ledwick F M 64
C 15
Aug
7084 Latchem David Cav 4K
28
7307 Lochery A “ 14 E Aug
30
Aug
5985 Logan W 97 A
17
101 Aug
6030 Loudon S
A 18
181 Aug
6053 Layton Samuel
A 18
Aug
6071 Lamb C 71 B
18
Aug
6082 Lane Amos Cav 6E
18
Aug
6152 Lehnich Jno Art 2F
19
April
753 Lenard M Cav 13 D
26
141 April
761 Lord G W
E 27
Loudon Samuel, May
871 2F
Cor 4
105 Mar
183 Maynard Jno
G 27
Mar
208 Missile Val 47 C
28
Mar
225 Miller Daniel Cav 13 H
29
April
361 Martin J F “ 14 K
2
April
461 McEntire W 51 F
9
April
538 Mine Josh, Cor 54 F
14
April
586 Marple S L 14 A
17
605 McKissick Jno 23 F April
18
April
667 Myers G Cav 1E
22
April
736 McKeever E L, S’t 71 F
25
April
773 McDonald R 23 C
28
April
780 McCarthy Jas Cav 18 E
28
May
969 McQueeny W 79 B
9
May
1006 Meyer Jno Cav 2E
10
May
1128 McKey J “ 1 I
15
May
1139 McMahon J 73 F
16
May
1147 McKnight J E 57 B
16
May
1151 McHale J Cav 14 D
16
May
1185 Moser Jno “ 13 B
18
May
1273 McCollen W, S’t “ 4L
22
May
1287 Milligan J 61 F
22
May
1308 McCartney M 73 B 64
23
May
1460 Murray Jno Cav 13 E
29
June
1586 Miles Lewis “ 4 I
3
13 June
1643 Myers J R, Cor “
M 5
1722 Marshall M M 78 E June
8
103 June
1748 Moyer Thos
E 9
118 June
1792 Miller M
A 10
June
1858 McHose J Cav 4A
12
June
1907 Miller Henry 8G
13
101 June
1982 Muchollans J
K 15
June
2056 Monny W H Cav 3A
16
101 June
2058 Matchell J J
K 16
101 June
2159 Monan J
C 19
June
2265 McCutchen J Cav 4C
21
June
2278 Milton Wm “ 19 H
21
June
2333 Myers F, S’t 27 H
22
76 June
2364 Myers Peter
G 23
June
2388 Morton T 79 I
24
June
2409 McCabe J Cav 3L
24
103 June
2411 McKay M J
B 24
June
2493 Merry Jas 67 E
26
2503 Martin A J, Cor Cav 4E June
26
June
2508 Morris J “ 18 A
26
June
2653 McManes —— 77 B
29
101 June
2684 Mipes J
B 30
77 June
2690 Morris G
G 30
July
2798 Marsh D 50 D
2
July
2831 McCane Chas 14 C
3
July
3017 McRath J 48 C
7
July
3065 Morris Calvin 53 D
9
McCalasky J E, July
3133 Cav 4K
S’t 10
July
3151 Mattiser B 57 F
11
149 July
3172 Madden Daniel
G 11
103 July
3250 Myers M
E 13
July
3374 Mink H Art 3A
16
155 July
3467 Meaker E N
H 17
101 July
3481 McKeon Jno
H 17
138 July
3488 Mihan J
D 17
July
3939 Maroney Jno Cav 1D
20
3690 McCarron J Cav 4A July
21
116 July
3766 Myers Jno
D 22
July
3971 Martin G 45 I
25
July
4016 McDermott J M 70 F
26
103 July
4123 McGee Jas
I 28
July
4197 Moore M G Art 1A
29
July
4341 Marquet M 6M
30
100 July
4407 McKever Jno
A 31
July
4414 McFarland Jas 55 E
31
101 Aug
4546 Moan Jas
K 2
Aug
4607 Martin Bryant 7F
3
Aug
4635 McKeral Jas 14 K
3
Mathews C W, 145 Aug
4710
Cor B 4
Aug
4734 Moore 71 I
4
Aug
4796 McDevitt J Art 3D
5
Aug
4824 Miller H Cav 14 I
5
150 Aug
4876 Mills Wm
G 6
4898 Muldany M 96 K Aug
6
103 Aug
5068 Martain Jno
E 8
103 Aug
5069 Measler Jas
E 8
McCaffrey Jno, h Aug
5139 Art 3A
s 9
Aug
5159 Martin C Cav 8A
9
103 Aug
5266 Marey H F
F 10
14 Aug
5291 Mohr J R
G 11
101 Aug
5415 McCarty Dennis
K 12
Aug
5433 McGee J 14 H
12
Aug
5595 Mickelson B Cav 16 B
14
Aug
5642 McClough L C 18 C
14
101 Aug
5704 Miller Jno 64
G 15
Aug
5723 McCann Jno Art 3A
15
143 Aug
5781 Miller S
B 15
Aug
5809 Montgomery R 62 A
16
Aug
5868 McQuillen A Art 6L
16
Aug
5893 McCuller S Cav 4B
16
Aug
5926 Mulchey J A 50 D
17
5988 Mann Jas, Cor 119 Aug
G 17
103 Aug
6014 McPherson D
F 17
103 Aug
6038 Moore C
G 18
Aug
6148 McCracker J 53 K
19
Aug
6294 McLaughlin Jas C 4A
20
Aug
6441 McWilliams H 82 I
22
103 Aug
5480 Martin Jno
D 22
Aug
6532 McGan J Cav 18 -
23
144 Aug
6664 McKee ——
C 24
Aug
6689 Manner M 73 K
24
143 Aug
6910 McGlann H
B 26
Aug
6925 McGuigan H C 7K
26
143 Aug
7026 Marks P
B 27
107 Aug
7061 Moore M J
- 28
Aug
7107 Moyer Wm H 55 H
28
Aug
7119 Miller Jno L 53 K
28
Aug
7127 McAffee Jas 72 F
28
7175 Moore Thos 69 D Aug
29
Aug
7263 Martin Jno 77 C
30
Aug
7265 Musser Jno 77 D
30
103 Aug
7305 Moser S
E 30
183 Aug
7333 Morris Jno
G 30
Aug
7407 Marchin Wm 50 E
31
Sept
7512 Millinger Jno H 7C
1
103 Sept
7602 Moorhead J S
D 2
Sept
7719 Myers H 9A
3
Sept
7875 Mayer W 8M
5
103 Sept
7925 Mays N J
H 5
Sept
8027 Murphy A Cav 13 I
6
Sept
8047 McKnight J Cav 18 I
6
101 Sept
8122 Miller J, Cor
C 8
145 Sept
8123 Mullings W
G 8
Sept
8128 Munager W Cav 13 L
8
Sept
8134 Mehaffey J M Cav 16 B
8
Sept
8153 McCantley W Art 2A
8
8158 McLane T 12 E Sept
8
119 Sept
8194 McKink J, Cor
D 8
101 Sept
8216 Mansfield J
G 8
118 Sept
8322 Myers A
I 10
103 Sept
8469 Magill H
I 11
146 Sept
8596 Morrison J
E 12
Sept
8627 McKinney D 90 C
13
118 Sept
8691 Moritze A
D 14
101 Sept
8802 McCullogh ——
E 15
Sept
9071 Maynard A Art 3 -
17
Sept
9090 McCall Wm Cav 22 B
18
138 Sept
9228 McCullough S
K 19
Sept
9270 Mayhan F Cav 20 -
19
149 Sept
9315 Marsh W
K 20
138 Sept
9339 Meyers J A
C 20
101 Sept
9526 McQuigley Jno
C 22
184 Sept
9583 Mead H J
B 23
9598 Martin J Cav 17 C Sept
23
Sept
9644 Morris J 54 I
24
Sept
9646 Morgan J E 2A
24
118 Sept
9651 McCook B
A 24
Sept
9761 McMurray Wm C 1 I
25
112 Sept
9871 Mason Jno
A 27
Aug
4578 McKerner S 73 E
2
Sept
10050 Mesin Jas, S’t 90 F
30
Sept
10060 Morgan C 45 A 64
30
101 Oct
10119 McClany J
C 1
Oct
10154 McElroy Wm Cav 13 L
1
Oct
10306 Meese J 48 A
4
Oct
10396 McGraw Jno Art 3A
6
Oct
10407 Miller H 79 K
6
Oct
10486 Miller Wash’gton C 18 C
7
118 Oct
10610 McKearney J W
K 10
Oct
10620 McClief Wm 7A
10
118 Oct
10641 Marker W H
D 10
10678 Martin J P 7 I Oct
11
Oct
10684 Miller Jas 7 I
11
138 Oct
10803 Mattis Aaron
- 12
Oct
10825 Moore C H Cav 13 C
13
108 Oct
10929 Martin Geo H
I 14
Oct
10981 Maxwell S Cav 14 B
15
Oct
10991 Moses W “ 16 H
16
118 Oct
10993 McKnight Jas
K 16
Oct
11081 Mitchell J O 55 H
18
101 Oct
11142 Mansfield Geo
I 19
Oct
11229 McClay J H Cav 11 D
20
Oct
11305 McBride —— “ 2H
22
184 Oct
11326 Marshall L
A 23
101 Oct
11387 Moore S
F 24
Oct
11459 Moore J Cav 13 B
25
100 Sept
11464 McNelse J H, Cor
E 26
Oct
11542 Miller F 54 K
27
11655 Midz J Cav 20 A Oct