Towards a Security Stress-Test for Cloud Configurations
Abstract
Securing cloud configurations is an elusive task, which is left up to system administrators who have to base their decisions on ``trial and error'' experimentations or by observing good practices (e.g., CIS Benchmarks). We propose a knowledge, AND/OR, graphs approach to model cloud deployment security objects and vulnerabilities. In this way, we can capture relationships between configurations, permissions (e.g., CAP\_SYS\_ADMIN), and security profiles (e.g., AppArmor and SecComp), as first-class citizens. Such an approach allows us to suggest alternative and safer configurations, support administrators in the study of what-if scenarios, and scale the analysis to large scale deployments. We present an initial validation and illustrate the approach with three real vulnerabilities from known sources.
Cite
@article{arxiv.2205.14498,
title = {Towards a Security Stress-Test for Cloud Configurations},
author = {Francesco Minna and Fabio Massacci and Katja Tuma},
journal= {arXiv preprint arXiv:2205.14498},
year = {2022}
}
Comments
Conference: The IEEE International Conference on Cloud Computing (CLOUD) 2022