Security Quantification of Complex Attacks in Infrastructure as a
Service Cloud Computing
Doudou Fall, Takeshi Okada, Noppawat Chaisamran, Youki Kadobayoshi and Suguru Yamaguchi
Internet Engineering Laboratory, Nara Institute of Science and Technology, Nara, Japan
Keywords:
Cloud Computing, Security, Vulnerability Tree, IaaS, Quantification, Reliability.
Abstract:
It is a truism to single out the inherent security issues of cloud computing as the main hurdle to its adoption.
Particularly, infrastructure clouds are composed of multiple components and applications where vulnerabilities
are regularly discovered. We propose a probabilistic security quantification method, which allows quantifying
the security level of a given Infrastructure as a Service cloud environment. We translate the vulnerable IaaS
environment into a vulnerability tree that we built basing on fault tree analysis, which is a well established
modeling tool. The analysis of the vulnerability tree leads us to the security quantification formula.
1 INTRODUCTION
Cloud computing has revolutionized the way society
uses computing resources. Its faculty to help orga-
nizations reduce their computing resources costs is
undisputed. However, while it has numerous ben-
efits, especially in regards to infrastructure costs, it
also has some disadvantages that must be addressed.
Indeed, users are still reluctant to adopt cloud com-
puting because of its security issues identified in nu-
merous survey papers (Takabi et al., 2010; Vaquero
et al., 2011; Enisa, www.enisa.europa.eu; Zhou et al.,
2010; Pearson and Benameur, 2009). These security
issues range from the security of the multi-tenant as-
pect of cloud computing (Ristenpart et al., 2009) to
loss of control(chow et al., 2009). It is this inherent
multi-tenancy aspect of cloud computing that also dis-
suades customers from utilizing the cloud. In this re-
search, we focalize our attentions on attacks that are
the results of exploited vulnerabilities. In practice,
many vulnerabilities remain in a cloud environment
after they are discovered. This issue is due to envi-
ronmental factors (latency in releasing vulnerability
patches), cost factors (such as money and administra-
tive efforts required for deploying patches), or mis-
sion factors (organizational preference for availabil-
ity and usability over security). Therefore, addressing
the problem of security in cloud computing is a huge
challenge. Cloud computing is widely accepted as
having three preeminent service models: Infrastruc-
ture as a Service (IaaS), Platform as a Service (PaaS),
and Software as a Service (SaaS). In this work, our fo-
cus is on IaaS because not only it is the foundation of
any cloud infrastructure but also it presents the high-
est level of multi-tenancy with the different tenants
sharing storage, CPU, network bandwidth, and mem-
ory. The main contribution in this paper is a novel ap-
proach for quantifying security in cloud computing,
inspired by the Fault Tree Analysis (FTA), which is
commonly used in Probabilistic Risk Analysis (PRA)
(which in turn is used to quantify the risk of failure
in highly mission-critical systems like those of a nu-
clear power plant). Our security quantification con-
sists of representing a vulnerable IaaS system as a
Boolean vulnerability tree. The analysis of the vul-
nerability tree leads to the extraction of the quantifi-
cation formula. The rest of this paper is structured
as follows: section 2 presents our proposal; section 3
explains the how-to use of the Common Vulnerability
Scoring System in our model; section 4 describes the
quantification of multiple vulnerabilities in one com-
ponent; section 5 discusses a theoretical proof of our
proposal; section 6 concludes this paper.
2 QUANTIFYING THE SECURITY
OF AN IaaS
2.1 Establishing a Hypothesis
Computing resources in IaaS cloud computing are
typically consumed using virtual machines. By the
magic of virtualization, a physical machine is sepa-
145
Fall D., Okada T., Chaisamran N., Kadobayoshi Y. and Yamaguchi S..
Security Quantification of Complex Attacks in Infrastructure as a Service Cloud Computing.
DOI: 10.5220/0004406601450148
In Proceedings of the 3rd International Conference on Cloud Computing and Services Science (CLOSER-2013), pages 145-148
ISBN: 978-989-8565-52-5
Copyright
c
2013 SCITEPRESS (Science and Technology Publications, Lda.)
rated between several virtual machines running their
own operating system. The virtual machines are iso-
lated from each other in a multi-tenant environment.
The system providing the abstraction of the hardware
and managing the virtual machines is called Hyper-
visor or Virtual Machine Monitor (VMM). Thus, the
hypervisor plays a pivotal role in IaaS as it repre-
sents the most important link of the entire infrastruc-
ture chain system. The level of security of the shared
resources significantly depends on the correspond-
ing security strength or weakness of the hypervisor.
These factors culminate into the following hypothe-
sis:
Hypothesis 1. In a multi-tenant IaaS cloud, unautho-
rized access occurs if and only if the attacker succeeds
in exploiting a vulnerability on the virtual machine
monitor.
This hypothesis is a pretext that we use to define com-
plex attacks, which are any kind of attacks that in-
volve multiple vulnerabilities (at least two). This hy-
pothesis is the cornerstone of our proposal; most of
the sections we develop further are related to it.
2.2 Typical Vulnerability Tree of an
IaaS
The vulnerability tree explored in this paper, is a
blueprint of a method widely used in reliability called
fault tree analysis (FTA). FTA is a modeling tool that
was developed to assist human being to qualitatively
and quantitatively evaluate the failure of mission-
critical systems such as nuclear power plants, chemi-
cal plants, and aircraft systems. FTA provides a pic-
torial representation of a statement in Boolean logic.
The graphic consists of a top event, which is the fail-
ure of the system, and different basic events that con-
stitute the failures of the different components that
compose the system. The aim is to produce a deter-
ministic description of the occurrence of the top event
in terms of the occurrence or non-occurrence of the
basic events. The vulnerability tree, which we make
use of in our study, represents structure functions of
univocal systems and can be described by only AND
and OR logic. The vulnerability tree is comprised
of a top event, which is the attack of the entire IaaS,
and basic events, which represent exploitable vulner-
abilities in the different components that compose the
IaaS. Figure 1 gives a pictorial description of the ex-
planation. The Vulnerability Tree Analysis (VTA)
aims to provide a probabilistic description of the oc-
currence of the top event in terms of the occurrence
of the basic events (V X
1
...V X
n
), which are vulnera-
bilities in the system. The shape of the schema is dic-
tated by the hypothesis, which states that the hyper-
Figure 1: Vulnerability Tree.
visor or virtual machine monitor (VMM) is the most
critical element in the system.
2.3 Generating the Quantification
Formula
The analysis of the vulnerability tree provides some
insights to derive the quantification formula of the top
event. In order to facilitate an understanding of our
proposal, useful terms are defined below:
Definition 1. A cut set is a collection of basic events
such that if these events occur together then the top
event will certainly occur.
Definition 2. A minimal cut set is a collection of basic
events forming a cut set such that if any of the basic
events is removed, then the remaining set is no longer
a cut set.
Considering the aforementioned definitions and the
fact that the vulnerability tree follows Boolean rules,
the derivation of the quantification formula is straight-
forward. The cut set from our vulnerability tree is
given by Equation 1.
[UA] = [V V MM]
AND
{[V X
1
]
OR
[V X
2
]
OR
[V X
n
]}
(1)
By applying the probability rules to Equation 1, we
obtain Equation 2, which represents our global quan-
tification formula.
Q[UA] =
n
∑
i=1
Q[V VMM ∩V X
i
]
−
∑
i< j
Q[V VMM ∩V X
i
∩V X
j
] + ... +
(−1)
n+1
Q[V VMM ∩V X
1
... ∩V X
n
]
(2)
We assume that the probabilities are independent but
not mutually exclusive. Q denotes quantification.
CLOSER2013-3rdInternationalConferenceonCloudComputingandServicesScience
146
Figure 2: Example of multiple vulnerabilities present in one
component.
2.4 Security Quantification of Multiple
Vulnerabilities in One Component
The nature of cloud computing is reminiscent of that
possibility for attackers to combine multiple vulnera-
bilities. In this section, our attention is on the multiple
vulnerabilities an attacker may combine into a single
entity like a VM, VMM or virtual network. Figure 2
illustrates this concept. In this situation, we opt for the
addition rule of probability for the quantification of
the aforementioned vulnerabilities. The sub-formula
thereon is Equation 3.
Q
MC
=
n
∑
i=1
Q[V
i
]−
∑
i< j
Q[V
i
∩V
j
]+... +(−1)
n+1
Q[V
1
... ∩V
n
]
(3)
This sub-formula resembles to our global formula,
however the construction is inherently different.
3 UTILITY OF THE COMMON
VULNERABILITY SCORING
SYSTEM
The Common Vulnerability Scoring System (CVSS)
is a vendor-neutral open source vulnerability scoring
system. It was established to help organizations to ef-
ficiently plan their responses regarding security vul-
nerabilities. The CVSS is comprised of three metric
groups classified as base, temporal, and environmen-
tal. The base metric group contains the quintessential
characteristics of a vulnerability. The temporal met-
ric group is used for non-constant characteristics of
a vulnerability, and the environmental metric group
defines the characteristics of a vulnerability that are
tightly related to the user’s environment. In this pa-
per, we focus more on the exploitability part of a vul-
nerability. The temporal and environmental base met-
ric groups intervene after a vulnerability is exploited,
therefore they do not feature prominently in our re-
search. The remaining metric group regroups essen-
tial metrics that are used to compute the score of a
vulnerability: Access Vector (AV), Access Complex-
ity (AC), Authentication (Au), Confidentiality Impact
(C), Integrity Impact (I), and Availability Impact (A).
The formula of the score to date is a combination of
two sub-formulas: Impact and Exploitability. The
Impact sub-formula does not factor into our research
because it is related to the damages that occur after
a vulnerability is exploited. The Exploitability sub-
formula of the CVSS is represented by Equation 4.
Exploitability = 20 ∗ AV ∗ AC ∗Au (4)
By default, these values range between 0 and 10 in
the CVSS score guideline. As it pertains to our work,
we are mainly concerned with probability look-alike
values. Therefore, we have divided the original sub-
formula by 10 to obtain our scoring formula defined
in Equation 5.
Q(Exploitability) = 2 ∗ AV ∗ AC ∗Au (5)
The numerical values of the metrics AccessVector, Ac-
cessComplexity, and Authentication are set depending
on different parameters (Mell et al., 2007). Table 1
summarizes the different criteria we apply to our se-
curity quantification formula depending on the values
obtained.
4 A SOMEWHAT ‘PERTINENT’
EXAMPLE
In this case study, we use a cloud infrastructure that
is running XEN-4.1 as hypervisor and has multiple
virtual machines. After a security vulnerability scan-
ner, the administrator discovers the vulnerabilities ex-
posed in Table 2 with their exploitability value com-
puted by using Equation 5. The results of the scan-
ner revealed that there are vulnerabilities in the hy-
pervisor, VM
1
, VM
2
, and VM
7
. The vulnerability
tree of this scenario is shown in Figure 3. The sig-
nificance of this scenario is the presence of multiple
vulnerabilities in some components of the infrastruc-
ture: hypervisor (two), VM
1
(three), and VM
7
(two).
Before applying our global formula to the entire sys-
tem, we perform the partial quantifications for those
specific components by using Equation 3. Finally, we
Table 1: Qualitative and quantitative classification of scor-
ing values.
Low Medium High
0 - 0.399 0.4 - 0.699 0.7 - 1
SecurityQuantificationofComplexAttacksinInfrastructureasaServiceCloudComputing
147
Figure 3: Tree of the concerned vulnerabilities in this ex-
ample.
apply Equation 2 to quantify the security of the en-
tire infrastructure. Table 3 summarizes all the results
we acquired in this experiment. The resulting value,
0.6304, is particularly medium-to-high when we re-
fer to our qualitative classification in Table 1. This
means that the administrator of the system has to take
rapid actions to patch the vulnerabilities, particularly
if the reasons for not updating the system are mission
or cost factors.
5 CONCLUSIONS
We introduced a unique approach for quantifying se-
curity in Infrastructure as a Service cloud computing.
We developed our approach basing on industry and
consumer needs and evaluated its applicability with
the example described in section 5. Currently, many
administrators of cloud systems use the CVSS to eval-
uate potential reported vulnerabilities, with the result-
ing score helping to quantify the severity of the vul-
nerability and to prioritize their response. The differ-
ence is that they do it with single isolated vulnerabil-
ities, they do not have a response in case of mixed
combined vulnerabilities. By contrast, our proposal
is a response in such particular cases. We do not ar-
gue that our proposal is the ultimate security solution
that will solve all the security problems in IaaS cloud
systems. Our method allows quantifying security in
IaaS environment when vulnaribilities are discovered
Table 2: Discovered vulnerabilities and their exploitability
values.
Components Vulnerabilities Renaming Q (Exploitability)
Xen 4.1
CVE-2011-1898 V
X1
0.44
CVE-2011-1583 V
X2
0.34
VM
1
(Apache 2.0)
CVE-2011-3192 V
11
1
CVE-2011-4317 V
12
0.86
CVE-2011-4415 V
13
0.19
VM
2
(MySQL) CVE-2010-1626 V
21
0.39
VM
7
(Bind 9.8.0)
CVE-2011-2465 V
71
0.49
CVE-2011-2464 V
72
1
Table 3: Summary of the results.
Components Partial Quantification
Q[Xen 4.1] 0.6304
Q[VM
1
] 1
Q[VM
7
] 1
Q[IaaS] 0.6304
in the system. In the case of unavailability of vulnari-
bilities, our proposal becomes inept. After the evalua-
tion of the security level of a system, the latter still re-
mains subject to successful attacks until the cloud ad-
ministrator takes necessary measures. Therefore, our
proposal does not technically prevent attacks. Fur-
thermore, it is obvious that our method does not work
for zero-day-attacks as the attacker exploits new vul-
nerabilities that are not referenced yet in any vulnera-
bility databases.
REFERENCES
Enisa cloud computing risk assessment. http://
www.enisa.europa.eu/act/rm/files/deliverables/cloud-
computing- risk-assessment.
chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Ma-
suoka, R., and Molina, J. (2009). Controlling data
in the cloud: Outsourcing computation without out-
sourcing control. In Cloud Computing Security Work-
shop. ACM Press.
Mell, P., Scarfone, K., and Romanosky, S. (2007).
A complete guide to the common vulnerabil-
ity scoring system version 2.0. In FIRST.
http://www.first.org/cvss/cvss-guide.html.
Pearson, S. and Benameur, A. (2009). Privacy, security and
trust issues arising from cloud computing. In 2nd in-
ternational conference on cloud computing technol-
ogy and science. IEEE.
Ristenpart, T., Tromer, E., Shacham, H., and Savage, S.
(2009). Hey you get out off my cloud: Exploring in-
formation leakage in third party compute clouds. In
CCS09. ACM.
Takabi, H., Joshi, J. B. D., and Ahn, G.-J. (2010). Secu-
rity and privacy challenges in cloud environments. In
Security and Privacy. IEEE.
Vaquero, L. M., Merino, L. R., and Moran, D. (2011). Lock-
ing the sky: a survey on iaas cloud security. In In Jour-
nal Computing - Cloud Computing Volume 91 Issue 1.
Springer-Verlag.
Zhou, M., Zhang, R., Xie, W., Qiang, W., and A.Zhou
(2010). Security and privacy in cloud computing: A
survey. In 6th International Conference on semantics,
Knowledge and grids.
CLOSER2013-3rdInternationalConferenceonCloudComputingandServicesScience
148
