On the universally composable security of OpenStack
Files
First author draft
Date
2018
DOI
Authors
Hogan, Kyle
Maleki, Hoda
Rahaeimehr, Reza
Canetti, Ran
Dijk, Marten van
Hennessey, Jason
Varia, Mayank
Zhang, Haibin
Version
First author draft
OA Version
Citation
Kyle Hogan, Hoda Maleki, Reza Rahaeimehr, Ran Canetti, Marten van Dijk, Jason Hennessey, Mayank Varia, Haibin Zhang. 2018. "On the Universally Composable Security of OpenStack.." IACR Cryptology ePrint Archive, Volume 2018, pp. 602 - 602. https://eprint.iacr.org/2018/602
Abstract
We initiate an effort to demonstrate how we can provide a rigorous, perceptible and holistic
security analysis of a very large scale system. We choose OpenStack to exemplify our approach.
OpenStack is the prevalent open-source, non-proprietary package for managing cloud services
and data centers. It is highly complex and consists of multiple inter-related components which
are developed by separate, loosely coordinated groups. All of these properties make the security
analysis of OpenStack both a crucial mission and a challenging one. We base our modeling
and security analysis in the universally composable (UC) security framework, which has been
so far used mainly for analyzing security of cryptographic protocols. Indeed, demonstrating
how the UC framework can be used to argue about security-sensitive systems which are mostly
non-cryptographic, in nature, is one of the main contributions of this work.
Our analysis has the following key features:
1. It is user-centric: It stresses the security guarantees given to users of the system, in terms
of privacy, correctness, and timeliness of the services.
2. It provides defense in depth: It considers the security of OpenStack even when some of
the components are compromised. This departs from the traditional design approach of
OpenStack, which assumes that all services are fully trusted.
3. It is modular: It formulates security properties for individual components and uses them
to assert security properties of the overall system.
4. It is extendable: Due to the scale of OpenStack, we limit the analysis to some core services
of OpenStack at a high level. The analysis is extendable to more detail of the services,
and other services can be added to the model using the same methodology, without much
conceptual difficulty. Because of the modularity of the analysis, new services can be added
one by one, almost independently of each other.
Although our analysis covers only a number of core components of OpenStack, it formulates
some basic and important security trade offs in the design. It also naturally paves the way to a
more comprehensive analysis of OpenStack. In addition, as a by-product result of our modeling,
we introduce a novel tokening mechanism, RAFT, which is backward compatible with Fernet
Token currently used in OpenStack. By applying the UC framework, we prove that RAFT's
one-time use tokens can realize a more secure OpenStack cloud than bearer tokens do.