The Meta Attack Language or MAL is part of the field of model-driven se-curity and attack graphs. Two approaches in this field are UMLSec and Se-cureUML which emerged to further aid developers creating security-critical systems, they are both based on the Unified Modelling Language (UML) that is a standardised modelling language used in object-oriented programming projects to provide system specifications. UMLSec was developed as an ex-tension to UML and provides a tool to add expressions regarding security in the UML-diagrams of a system specification. The focus of SecureUML is modelling access control policies based on Role-based access Control ex-tended with constraints and integrates into a model-driven software develop-ment process.
MAL supports probabilistic threat modelling, threat modelling which is a pro-cess of finding potential threats to a system or lack of safeguards in certain parts of a system. Relevant to this thesis is the survey conducted by Rajendra Patil and Chirag Modi, which is an in-depth survey covering various vul-nerabilities, security threats and attacks related to the two hypervisors XEN and KVM+QEMU. The vulnerabilities are also classified to the compo-nents of the virtualisation infrastructure they are tied to. Also the work by Diego Perez-Botero, Jakub Szefer, and Ruby Lee has been relevant to this thesis. In this paper vulnerabilities tied to the Hypervisor are characterized to the aﬀected component.
MAL uses the concept of attack graphs to visualise the diﬀerent attack scenar-ios and many diﬀerent approaches which are based on graphs has been pro-posed, and several tools based on attack graphs have been developed. The purpose of these tools has been to collect information regarding the structure of a system or infrastructure, and automatically generate attack-graphs based on the data. Attack trees is a diﬀerent concept which is often mentioned with attack-graphs and were popularized in 1999 when the paper written by Bruce Schneier regarding modelling security threats in computer systems by using Attack Trees was released. The paper was later on extended by Kordy et al. who further added defences to the Attack Trees. One example of such a tool that uses Attack-graphs is MulVAL, which is a framework for determining the security impacts of software exploits on a network. MulVAL uses informa-tion from a vulnerability database together with configuration data from each machine on the scanned network, then derives logical attack graphs from the combined data. Another tool is NetSPA – a Network Security Planning Architecture, which outputs worst-case attack-graphs from the use of network configuration information.
A sub-domain in the field of attack graphs are Probabilistic attack graphs were the steps involved in the graph are assigned with a probability, thus creating a Bayesian network. In  the authors use the Bayesian attack graphs to assess the security risks of a network system at various levels, the information can then be used to form a security mitigation and management plan. Most relevant for this thesis project is the works of Johnson et al. in creating the Meta At-tack Language, which support the creation of domain-specific languages for probabilistic threat modelling and attack simulations. MAL has previously been used to create domain-specific languages which also is relevant for the creation of HypervisorLang, Corelang which models a large abstract do-main of IT and AWSlang which is a domain-specific language to the AWS cloud platform.
This chapter will cover relevant background information connected to Hyper-visorLang. 3.1 Covers cloud computing and Deployment models for cloud applications. 3.2 Covers Probabilistic Threat modelling and mathematical for-malism of MAL, in 3.3 MAL is introduced.
Cloud computing can be described as a resource on demand, or pay as you go for the consumer. To the provider cloud computing can be used to maximise resource utilisation, since multiple tenants can share the resources.
The National Institute of Standards and Technology (NIST) definition of cloud computing: Cloud computing is a model for enabling ubiquitous, con-venient, on-demand network access to a shared pool of configurable comput-ing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management eﬀort or service provider interaction. The cloud model is composed into five essential characteristics, three service models and four deployment models[p.2, 24].
The five essential characteristics are:
On-demand self-service. The consumer can independently provision computing capabilities, such as server time and network storage. This can be done without requiring human interaction with each service provider.
Broad network access. The resources hosted by the provider are ac-cessible from a broad range of devices, such as mobile phones, tablets, laptops, and workstations.
Resource pooling. The providers computing resources are pooled to serve multiple consumers using a multi-tenant model, with diﬀerent physical and virtual resources dynamically assigned and reassigned ac-cording to a consumers demand. Examples of resources include storage, network bandwidth, memory and processing power. The re-source pooling enables optimisation of resource usage since many con-sumers can make use of the same resources.
Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically.
To the consumer, resources can appear unlimited or infinite, unlike the era before cloud computing when storage and computing power lim-its were visible to the consumer.
Measured service. Cloud systems automatically control and optimise resources by leveraging a metering capability at some level of abstrac-tion appropriate of the type of service provided (storage, processing power, network bandwidth, and active user accounts). The measure-ment tools can provide both the consumer and provider with an account on the utilisation of the services.
The three diﬀerent types of service models described by NIST:
Software as a Service (SaaS) is a software delivery model which can be described as a software licensing model or « software on demand », instead of the traditional way where the consumer installs the software on their computer.
With SaaS, the consumer makes use of the provider’s software which is executed on a cloud infrastructure. The access is usually provided via the web-browser or a client program. The provider takes care of configurations, updates, cloud infrastructure and since the software is hosted this way it is also possible to provide the service via a subscrip-tion model.
Platform as a Service (PaaS) is a step further to the left, as shown in Figure 3.1. PaaS lets the consumer deploy their software on a cloud ser-vice. The consumer takes part in managing the code and configurations of the application-hosting environment, the programming languages, li-braries, services, tools, and all the underlying infrastructure such as net-work, operating system, storage and servers are all provided by the cloud provider.
Figure 3.1: Depiction of service models, the blue colour describes the modules managed by the cloud-vendor. The gray areas are the parts managed by the consumer.
With Infrastructure as a Service (IaaS), the cloud provider oﬀers ’raw’ access to the infrastructure which consist of processing, storage, network and other fundamental computing resources . The consumer is re-sponsible for the application software, operating system and has control over storage.
The way of deploying a cloud infrastructure can be done in various ways, and could be described as the ’configuration’ of the infrastructure and are based on the needs of a consumer.
Private cloud is when the infrastructure is operated by one exclusive organi-sation, which also may be divided into several diﬀerent business units using the same infrastructure. The infrastructure may be owned, managed and op-erated by the organisation, or by a third party. It may also reside on or oﬀ premises. Traditionally private clouds ran on-premise, but currently organizations are building private clouds on rented, vendor owned data enters which are resided oﬀ-premise.
The community cloud infrastructure is provisioned and shared by the members of an exclusive community. The infrastructure might be owned, managed, and operated by one or more of the members in the community.
The public cloud infrastructure is managed by the cloud vendor and resides on the premises of the same vendor. The pooling of resources is done automatically by a self-service interface. The infrastructure is provisioned for the use of the general public.
The hybrid cloud is a mix between the former deployment models (public, private or community cloud), for example, some parts may reside on the private infrastructure, while other parts are deployed in the public infrastruc-ture.
Probabilistic Threat modelling
Threat modelling is a process of assessing the security of a system or an in-frastructure in a structured way and help identify threats, vulnerabilities and countermeasures in the evaluated system. Preferably security engineering should be integrated as early as possible in the software development pro-cess, it is also possible to implement threat modelling on an existing sys-tem, but this is generally more time consuming and costly when incorporating security fixes at a later stage. When the security requirements are formed, the threats are analysed concerning likelihood and criticality, based on the out-come the threat could either be mitigated or the risk is accepted. The ben-efits of using threat modelling when developing security requirements are that the process helps define realistic and meaningful requirements by looking at the system as a whole and taking threats and vulnerabilities into consider-ation. This is especially important since the security definition of the system would be flawed if the security requirements were to be picked at random.
Myagmar et al describe the process of threat modelling in three steps. Characterizing the System, describing dataflows in a software or a network model. Which could be a description of computers in a network that are con-nected. This step emphasising extracting the main characteristics of a system. The second step is to Identify assets and access points, an asset is an ab-stract description of a resource in the system that needs to be protected from an adversary. One example of an asset would be customer-related data or a system used to provide services, in the threat model the assets are targeted by an adversary. Access points are the ways into the systems that an attacker could exploit, such as ports, web-services or an SSH connection. When these two steps have been completed the third step is to identify the threats to the system. Depending on what type of system that is modelled, the threat would diﬀer, examples of threats are denial of service, information disclosure or el-evation of privileges.
Attack-graphs is a valuable tool in the threat modelling process and visualise the path an attacker could perform through the system. Thus the Attack-graphs oﬀer both detection of vulnerabilities in a system and mitigations. The attack tree represents the identified vulnerabilities and each node is one pos-sible attack designed according to the attacker’s perspective. The edges connecting the nodes represent relations between attacks, where one attack is connected to another succeeding attack. The constructed attack tree can then be analysed by the assessor, according to parameters specified by the said as-sessor. The chosen parameters could diﬀer depending on the system, but one parameter, being used in this thesis, is time to compromise where each attack step would have a local time to compromise, and the tree as a whole would have a global time to compromise.
Mathematical formalism of the Meta attack lan-guage
Let X express an object or domain entity. For example, an object could be a Laptop or an Application. Objects are divided into a set of classes
X = X1; :::; Xn, e.g.
Each class is linked with a set of attack steps A(Xi), X:A is used to denote the attack step from an object A in class X. For example, an application could be infected with malicious code which performs some sort of code-execution. Examples of attack steps of the previously mentioned class could be Applica-tion.codeExecution or Laptop.fullaccess.
The representation of relationships between objects are denoted by links and associations in MAL. A link relationship is denoted by , and consist of a binary tuple of objects, each taken from a class, such that = (Xi; Xj ). For instance, an application needs to be installed on a laptop.
Table of contents :
1.1 Problem definition
1.1.1 Research Question
1.1.2 Delimitations and scope
1.1.3 Ethics and sustainability
1.1.4 Thesis outline
2 Related work
3.1 Cloud computing
3.1.1 Deployments models
3.2 Probabilistic Threat modelling
3.2.1 Mathematical formalism of the Meta attack language
3.3 The Meta attack language
4.1 Domain Survey
4.1.1 Attack Lists
4.1.2 Creation of Domain-specific language
5 Domain Survey
5.3 SELinux & sVirt
5.3.1 Secure Virtualisation
6.1 Feature Matrix and Attack Lists
6.1.1 Feature Matrix
6.1.2 Attack and defence lists
7.1 Evaluation of Testcases
7.1.1 Example test case 1 – Access to Instance
7.1.2 Example test case 2 – Breakout from Instance
7.1.3 Example test case 3 – Access to host
8.1 Completness of HypervisorLang
8.2 Completness of Attack Lists and Defenses
8.3 Completeness of testing
8.4 Using MAL as a base for HypervisorLang
8.5 Regarding the works of HypervisorLang
9 Conclusion and future work
9.2 Future work
D.1 TestCase1 in Result