Systems Security
Security Assurance
Security assurance is a collection of techniques to convince system providers and users that a system fulfills certain security properties.
Security assurance is not so much concerned with the enforcement of security properties itself, but with convincing verifiers that these properties are fulfilled. A verifier can be the system provider or other parties, such as tenants and end users.
The assurance can operate on multiple levels. In host security assurance, one focuses on the trustworthiness and security of a single (physical or virtual) host.
Topology security assurance confirms security properties that are rooted in the system topology, that is, how the system is inter-connected and organized. Most topology security assurance solutions operate on a graph representation of the system.
Host Security Assurance
Host security assurance offers guarantees that a single host fulfills security properties.
The most well-known kind of host assurance is achieved by the Trusted Computing Base, a concept originally introduced by John Rushby, and its current form realized with Trusted Computing and the Trusted Platform Module (TPM).
A central concept of the TPM's method of host assurance is the remote attestation. In this process, a TPM measures and summarizes the configuration of a host including its hardware configuration, boot sequence, operating system and further software configuration.
There are a number of attestation methods available in this context, for which Sfyrakis and Groß offer a review.
Topology Security Assurance
Topology Security Assurance refers to a collection of techniques that are to convince verifiers of the security properties of entire system toplogies, that is how the system is inter-connected and organized.
While there are a range of approaches to pursue topology assurance, most approaches have in common that they use an abstraction of the actual system topology to reason over its properties. In many cases this is a graph representation, which is kept in sync with the actual system and encodes properties of the system relevant for its security in its labels.
There exist specialized approaches for security assurance, for instance for information flow analysis in virtualized infrastructures. One such example is the tool SAFE developed by Bleikertz et al. in 2011.
More general approaches consider a wide range of graph security properties, such as specified in the policy language VALID proposed in 2011.
Topological security assurance systems for virtualized infrastructures can either act proactively, that is, intercept configuration change commands and evaluate their impact on the system's security before they are deployed to the system. Such an example is the tool Wheatherman.
They can also analyse the configuration reactively, that is, while observing the system configuration and maintaining a faithful graph representation of its state. CloudRadar is an example of such a near-real-time detection system.
These different topology security assurance methods share the limitation, however, that they disclose the blueprint of the system and sensitive information to verifiers benefiting from the assurance.