April 12, 2019
Title: Towards Security Analysis of OpenStack
Ph.D. Candidate: Hoda Maleki
Major Advisor: Prof. Marten van Dijk
Associate Advisors: Prof. Ran Canetti, Prof. Benjamin Fuller
Day/Time: Friday, April 12th, 2019 3 PM
Location: ITE 401
OpenStack is the prevalent open-source, non-proprietary package for managing cloud services and data centers. It is highly complex and consists of multiple inter-related components which are developed by separate, loosely coordinated groups. All of these properties make the security analysis of OpenStack both a crucial mission and a challenging one. In this dissertation, we demonstrate how we can provide a rigorous, perceptible and holistic security analysis of OpenStack. We base our modeling and security analysis in the universally composable (UC) security framework, which has so far been used mainly for analyzing the security of cryptographic protocols.
Our analysis has the following key features:
1- It is user-centric: It stresses the security guarantees given to users of the system, in terms of privacy, correctness, and timeliness of the services.
2- It provides defense in depth: It considers the security of OpenStack even when some of the components are compromised. This departs from the traditional design approach of OpenStack, which assumes that all services are fully trusted.
3- It is modular: It formulates security properties for individual components and uses them to assert the security properties of the overall system.
We formulate ideal functionalities that correspond to several OpenStack modules and then prove the security of the overall OpenStack protocol given the ideal components. The modeling paves the way toward a comprehensive analysis of OpenStack: it is extensible to the addition of new components and modular enough to support intra-component analysis.
It turns out that some salient issues come up even at this relatively high level of representation and analysis. Specifically, we demonstrate that the scoping of permissions given by users to proxy “tokens” causes the overall security to fail as soon as any one of the components fails. We propose an alternative, more finely scoped token mechanism and assert that the new mechanism suffices for regaining overall security even when some of the components are faulty.
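The token-scoping argument above can be made concrete with a small model. The following is an added illustration written for this page; it is not code from the dissertation or from OpenStack, and it deliberately simplifies real token handling. The service names (`compute`, `storage`, `image`), the two operations, and the issuer key are all constructed for the example. It mints a token either with the coarse, all-purpose scope that the abstract describes, or with a finely scoped alternative that is bound to one service and one operation, and then computes the "blast radius": every service and operation a holder of that token could drive if the component the user handed it to were compromised.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed demo key. In a deployment this secret belongs to the identity
# service alone; other components only verify tokens, they never mint them.
ISSUER_KEY = b"constructed-demo-issuer-key"

# Hypothetical service names and operations, used only for this illustration.
SERVICES = ("compute", "storage", "image")
ACTIONS = ("read", "write")


@dataclass(frozen=True)
class Token:
    user: str
    services: tuple   # services allowed to accept this token; () means any (coarse scope)
    actions: tuple    # operations allowed; () means any
    expires: float    # Unix time after which the token must be rejected
    mac: str          # hex HMAC over the scope fields, keyed by the issuer


def _mac(user, services, actions, expires):
    # Canonical encoding of the scope so that the MAC covers every field.
    payload = json.dumps([user, sorted(services), sorted(actions), expires]).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(user, services=(), actions=(), ttl=300.0, now=None):
    """Mint a token. Empty `services`/`actions` reproduce the coarse proxy
    token; non-empty tuples give the finely scoped alternative."""
    now = time.time() if now is None else now
    expires = now + ttl
    return Token(user, tuple(services), tuple(actions), expires,
                 _mac(user, services, actions, expires))


def validate(token, service, action, now=None):
    """What a receiving service checks before acting on a presented token."""
    now = time.time() if now is None else now
    expected = _mac(token.user, token.services, token.actions, token.expires)
    if not hmac.compare_digest(token.mac, expected):
        return False          # forged token or tampered scope
    if now >= token.expires:
        return False          # timeliness: stale tokens are rejected
    if token.services and service not in token.services:
        return False          # token was not issued for this service
    if token.actions and action not in token.actions:
        return False          # token was not issued for this operation
    return True


def reachable_with_token(token, now=None):
    """Blast radius: every (service, action) pair a holder of this token can
    drive. This is exactly what one compromised component gains once the user
    hands it the token to act on the user's behalf."""
    return {(s, a) for s in SERVICES for a in ACTIONS if validate(token, s, a, now)}


if __name__ == "__main__":
    t0 = 1000.0
    coarse = issue_token("alice", now=t0)
    fine = issue_token("alice", services=("storage",), actions=("read",), now=t0)
    print("coarse token reaches:", sorted(reachable_with_token(coarse, now=t0 + 1)))
    print("scoped token reaches:", sorted(reachable_with_token(fine, now=t0 + 1)))
```

With the coarse token, a single faulty component can act on every service in the user's name, which is the failure the abstract describes. With the scoped token, the same compromise is confined to the one service and operation the user actually delegated, and the MAC prevents a component from widening its own scope.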