Paper at ESORICS 2011: Automated Information Flow Analysis of Virtualized Infrastructures

Today, we received an acceptance note for our submission to ESORICS 2011:

Sören Bleikertz, Thomas Gross, Matthias Schunter, Konrad Eriksson: Automated Information Flow Analysis of Virtualized Infrastructures, European Symposium on Research in Computer Security (ESORICS 2011)

You can download the paper (PDF)

Abstract
The use of server virtualization has been growing steadily, but many enterprises are still reluctant to migrate critical workloads to such infrastructures. One key inhibitor is the complexity of correctly configuring virtualized cloud infrastructures, and in particular, of isolating workloads or subscribers across all potentially shared physical and virtual resources. Imagine analyzing systems with half a dozen virtualization platforms, thousands of virtual machines and hundreds of thousands of inter-resource connections by hand: large topologies demand tool support.
We study the automated information flow analysis of heterogeneous virtualized infrastructures. We propose an analysis system that performs a static information
flow analysis based on graph traversal. The system discovers the actual configurations of diverse virtualization environments and unifies them in a graph representation. It computes the transitive closure of information flow and isolation rules over the graph and diagnoses isolation breaches from that. The system effectively reduces the analysis complexity for humans from checking the entire infrastructure, to checking a few well-designed trust rules on components’ information flow.

Read more of this post