Title
TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation.
Abstract
The multi-tenancy of a cloud usually leads to security concerns over network isolation around each cloud tenant's virtual resources. However, verifying network isolation in cloud virtual networks poses several unique challenges. The sheer size of virtual networks implies a prohibitive complexity, whereas the constant changes in virtual resources demand a short response time. To make things worse, such networks typically allow fine-grained (e.g., VM-level) and distributed (e.g., security groups) network access control. Those challenges can either invalidate existing approaches or cause an unacceptable delay which prevents runtime applications. In this thesis, we present TenantGuard, a scalable system for verifying cloud-wide, VM-level network isolation at runtime. We take advantage of the hierarchical nature of virtual networks, efficient data structures, incremental verification, and parallel computation to reduce the performance overhead of security verification. We implement our approach based on OpenStack and evaluate its performance both in-house and on Amazon EC2, which confirms its scalability and efficiency (13 seconds for verifying 168 million VM pairs). We further integrate TenantGuard with Congress, an OpenStack policy service, to verify the compliance of isolation results against tenant-specific high-level security policies.
Year
2017
Venue
NDSS
Field
Data structure, Computer science, Computer security, Response time, Network isolation, Runtime verification, Security policy, Network Access Control, Cloud computing, Scalability, Distributed computing
DocType
Conference
Citations
1
PageRank
0.35
References
0
Authors
8
Name                     Order  Citations  PageRank
Yu-shun Wang             1      140        31.90
Taous Madi               2      93         5.51
Suryadipta Majumdar      3      26         5.26
Yosr Jarraya             4      173        14.52
Amir Alimohammadifar     5      1          0.35
Makan Pourzandi          6      216        28.31
Lingyu Wang              7      1440       121.43
Mourad Debbabi           8      1467       144.47