azureLang: Cyber Threat Modelling in Microsoft Azure cloud computing environment

Academic year: 2022


DEGREE PROJECT IN TECHNOLOGY, SECOND CYCLE, 30 CREDITS

STOCKHOLM, SWEDEN 2020

azureLang

Cyber Threat Modelling in Microsoft Azure cloud computing environment

Ningyao Geng


Abstract

When assessing network systems, security has always been one of the priorities.

Cyber threat modelling is one of the most suitable methods. From a starting point to each valuable asset, the simulation can enable the users to explore certain security weaknesses alongside the attack path. In the end, the time to compromise shows the security level of the whole system.

In principle, most cyber threat models can be built and simulated by attack graphs where each point in the graph can stand for a certain asset in the network system.

However, different systems have different infrastructures and implementations.

As a result, it is more suitable if engineers can develop a domain-specific language (DSL) that can be associated with a specific attack graph, in order to improve accuracy and efficiency.

In this master thesis work, the final outcome is azureLang, a cyber threat modeling language based on the Meta Attack Language (MAL) for the Microsoft Azure cloud computing environment. Compatible with securiCAD®, a CAD tool developed by Foreseeti AB, a threat model can be built and then simulated.

Keywords

Threat modelling, Microsoft Azure, MAL, Cloud computing, azureLang

Abstract

When assessing network systems, security has always been one of the priorities.

Among thousands of methods, cyber threat modelling is one of the most suitable. From a starting point to each valuable asset, the simulation can enable users to explore certain security weaknesses along the attack path. In the end, the time to compromise shows the security level of the whole system.

In principle, most cyber threat models can be built and simulated with attack graphs, where each point in the graph can stand for a certain asset in the network system. But different systems have different infrastructures and implementations. As a result, it is more suitable if engineers can develop a domain-specific language (DSL) that can be associated with a specific attack graph, in order to improve accuracy and efficiency.

In this degree project, the final result is azureLang, a language for modelling cyber threats based on the Meta Attack Language (MAL) for the Microsoft Azure cloud computing environment. Compatible with securiCAD®, a CAD tool developed by Foreseeti AB, a threat model can be built and then simulated.

Keywords

Threat modelling, Microsoft Azure, MAL, Cloud computing, azureLang


Acknowledgements

I would like to thank my examiner Robert and my supervisor Pontus for their continuous guidance and help. I would also like to thank Mr. Per Eliason for giving me this chance to do my thesis work at Foreseeti AB. My colleagues at Foreseeti also gave me a lot of help and advice, and I really appreciate their kindness. Thanks to my friend Gokul Panneerselvam, whose proofreading made this report a lot better. I would also like to thank my friends, especially Yiyang Tai and Zihao Zhao. They are my closest people in Sweden, and whenever I am down, I know they are always there for me. Finally, I would like to thank my parents and my family. Without them, there would have been no chance for me to study abroad, and they have always supported me both physically and emotionally.


Author

Ningyao Geng <ningyao@kth.se>
Information and Communication Technology
KTH Royal Institute of Technology

Place for Project

Stockholm, Sweden
Foreseeti AB

Examiner

Robert Lagerström
KTH Royal Institute of Technology

Supervisor at KTH

Pontus Johnson
KTH Royal Institute of Technology

Supervisor at company

Per Eliason
foreseeti AB

Contents

List of Figures
List of Tables
List of Acronyms and Abbreviations

1 Introduction
1.1 Problem Definition
1.2 Research Objectives
1.3 Research Methodology
1.4 Ethical and sustainability issue
1.5 Delimitations
1.6 Outline of the Report

2 Background
2.1 Cloud computing and security
2.1.1 Cloud Computing Service Model
2.1.2 Cloud computing features
2.1.3 Cloud security
2.2 Cloud Vendors
2.2.1 Amazon Web Services (AWS)
2.2.2 Azure
2.2.3 Google Cloud Platform (GCP)
2.2.4 Aliyun
2.3 History of threat modeling
2.4 Related Work
2.4.1 Developed Languages
2.4.2 Threat Modeling Software

3 Methodology
3.1 Probabilistic threat modeling
3.1.1 Basic Attack Trees
3.1.2 Attack values
3.1.3 Calculation of TTC using probability distribution
3.2 Domain survey
3.2.1 Computing
3.2.2 Networking
3.2.3 Storage
3.3 MAL specifications development
3.4 Validations and evaluations by JUnit tests

4 MAL specifications of azureLang
4.1 Overview of azureLang
4.2 core
4.3 Role Based Access Control
4.4 Virtual Network
4.5 Virtual Machine
4.6 Storage service

5 Results
5.1 Essential Attack Steps
5.1.1 Attack steps in core.mal
5.1.2 Attack steps in RBAC.mal
5.1.3 Attack steps in vnet.mal
5.1.4 Attack steps in vm.mal
5.1.5 Attack steps in storageaccount.mal
5.2 Validation and evaluation
5.2.1 Example test case 1 - Simple login test
5.2.2 Example test case 2 - Effectiveness of RBAC
5.2.3 Example test case 3 - Access to Storage services

6 Conclusions
6.1 Conclusions
6.2 Future Work
6.3 Final Words

References

.1 exampleLang
.2 Azure Products

List of Figures

2.1 Cloud computing metaphor [34]
2.2 Cloud Service Model [15]
2.3 AWS [7]
2.4 Microsoft Azure [29]
2.5 Google Cloud Platform [8]
2.6 Aliyun [13]
3.1 Basic Attack Tree [2]
3.2 Possible Attack Tree [2]
3.3 Attack Value [2]
3.4 Meta model of pwnPr3d [17]
3.5 Blob storage structure [38]
4.1 core.mal
4.2 Scope level in Azure
4.3 RBAC.mal
4.4 vnet.mal
4.5 vm.mal
4.6 storageaccount.mal
5.1 Simple login test
5.2 Effectiveness of RBAC - Hierarchy test scenario
5.3 Access to Storage services

List of Tables

2.1 Characteristics of cloud computing
5.1 Attack steps in asset Subscription
5.2 Attack steps in asset ResourceGroup
5.3 Attack steps in asset Data
5.4 Attack steps in asset ADUser
5.5 Attack steps in asset Reader
5.6 Attack steps in asset Owner
5.7 Attack steps in asset NetworkInterface
5.8 Attack steps in asset Application
5.9 Attack steps in asset VirtualMachine
5.10 Attack steps in asset OSDisk
5.11 Attack steps in asset DataDisk
5.12 Attack steps in StorageAccount asset
5.13 Attack steps in BlobContainer asset
5.14 Attack steps in Blob asset
5.15 Attack steps in FileShare asset
5.16 Attack steps in File asset

List of Abbreviations

AD User: Active Directory User
DSL: Domain Specific Language
IaaS: Infrastructure as a Service
MAL: Meta Attack Language
NIC: Network Interface
NIST: National Institute of Standards and Technology
PaaS: Platform as a Service
POM: Project of Model
RBAC: Role Based Access Control
RDP: Remote Desktop Protocol
SaaS: Software as a Service
SCADA: Supervisory Control and Data Acquisition
SSH: Secure Shell
VM: Virtual Machine
Vnet: Virtual Network
UML: Unified Modeling Language

Chapter 1

Introduction

For IT professionals, it is very beneficial when a system offers large data storage, high-performance computing services, high-speed network connections, and so on. Fortunately, the cloud computing environment offers all of these. Among other benefits, the cloud gives its users highly useful, agile, redundant and easy ways to access the environment. However, when companies and organizations migrate their services and businesses into a cloud computing environment, security is a major concern.

In modern society, when it comes to protecting data centers, companies and organizations face different kinds of challenges, including hiring and retaining security experts and implementing and utilizing analytical tools. When computing environments are moved from conventional on-premise data centers into the cloud, the security responsibilities are transferred at the same time. Because of the huge expansion of information technology (IT) and global access to IT resources, the chances of hackers and terrorists attacking network systems and important IT infrastructure are also high [25]. In cloud computing environments, security is a joint responsibility rather than an individual one: it relies on both cloud vendors and customers to maintain a secure cloud environment.

A very useful and efficient way to maintain a secure cloud computing environment is to perform attack simulations in advance, but implementing suitable attack simulations for a specific network system has never been an easy task, because it requires security expertise. To simplify the procedure of attack simulations, the Meta Attack Language (MAL) [18] has been created. More details regarding MAL are discussed in chapter 3.

The major outcome of this master thesis work, azureLang, is a domain-specific language (DSL) [11]. It is developed on the basis of MAL, and the aim of azureLang is to help Azure administrators easily run attack simulations, in other words, to imitate an attacker. As a result, Azure administrators should be able to find out how risky the current Azure infrastructure implementation is. It can help them prioritize network security vulnerabilities and run possible test cases in attack simulations.

In this master thesis work, the azureLang specifications are written in MAL. The assets in each specification are transformed into a set of classes in an object-oriented language, in this case Java [18]. The tool that generates the corresponding Java code is the MAL compiler, which is developed by foreseeti AB.

1.1 Problem Definition

The study of cyber threat modeling is a promising field of interest, as it has great potential for network services in sectors like the commercial marketplace, government, the military and so on. For reasons of economic efficiency, human resources and sustainability, many companies and organizations are starting to migrate their network infrastructures into cloud computing environments. Combining these two observations, it is easy to argue that creating a DSL will bring significant benefits. Cloud computing vendors claim that their IT solutions offer better services than traditional ones, with a higher security level. Cloud computing obviously protects systems from physical theft, but that is only a small aspect. Cloud security is a mutual responsibility, and the obligation should be shared by both cloud vendors and customers.

Azure by Microsoft, which carries the slogan ”Invent with purpose” [9], has become one of the most famous and biggest cloud computing providers.

During the past several years, Azure has attracted an enormous number of organizations and individuals to use its services. Security-related risks with Azure cloud computing adoption can therefore be a crucial issue. These challenges require an efficient and cost-effective solution to monitor such network systems. In other words, threat modeling is a suitable method for these issues, and azureLang is the primary outcome of this thesis work.

1.2 Research Objectives

The main goal of this project is to develop a DSL for the Microsoft Azure cloud computing environment. In this thesis project, my objective is to do threat modeling of the Azure cloud services, components and infrastructures. To fulfill this goal, a few essential objectives are identified:

First, I began by studying the concept of cloud computing and probabilistic threat modeling. I signed up for a Microsoft Azure account and also finished the related literature study.

The next objective of this thesis was to familiarize myself with the structure of an Apache Maven project [28], which defines the format and structure of azureLang through its Project Of Model (POM) file. Apache Maven is an open-source tool that makes software project management easy.

The core objective of this project is the development of azureLang, in other words, its MAL specifications. These specifications cover Azure cloud computing infrastructures such as the Role-Based Access Control (RBAC) system, Virtual Network (Vnet), Virtual Machine (VM), the storage service and so on [12].

From my personal perspective, the content of azureLang is the major outcome of this master thesis work.

The final objective is to validate the model and evaluate the quality of MAL specifications. It is important to see if the azureLang performs properly to fulfill requirements.


1.3 Research Methodology

This project uses an analytical and empirical research approach to obtain results, latency and throughput, and it is based on observed results of tests from the command line, which are in turn evaluated to assess the quality of the source code.

The initial procedure is important because a sufficient literature study and domain survey in the cloud computing area, especially Azure, allowed me to clearly define my thesis work. After that, thanks to the existence of MAL [18], the threat modeling method can be taken from a theoretical attack-path graph model to an executable software level. In the end, in order to validate and evaluate the MAL specifications, it is important to build JUnit test cases [20] that check whether the MAL specifications of the Azure infrastructure perform as we expect. Asserting whether certain attack steps are compromised or not indicates the correctness of the language. If test cases fail, or themselves contain errors and problems, the MAL specification has to be modified and improved. A detailed description of these methodologies and methods is presented in Chapter 3.

1.4 Ethical and sustainability issue

Since I finished my thesis work at Foreseeti AB as a project employee, I strictly followed my project contract, and all the code I have written is a Foreseeti AB copyright asset. Even though the current version of azureLang is not mature and may have drawbacks, I always follow the virtue of integrity from the start to the end.

1.5 Delimitations

Within the scope of this master thesis work, there are still some delimitations. First of all, due to Microsoft's regulations, the free trial period of an Azure subscription is just one month, and after that, if an individual or company wishes to continue studying by subscribing further to Azure services, more budget is needed.

Second, due to the huge number of cloud computing services that Azure provides, this project only covers certain core services that are essential. However, refinement and development of azureLang can still continue in the future until it is commercialized.

Another limitation of this project may be the lack of time. More models and test cases can be built in the future in order to better validate and evaluate the azureLang.

Finally, Microsoft Azure itself is not a perfect system. Compared to cloud computing services such as AWS, Aliyun and Google Cloud, Azure has its own advantages and shortcomings. Based on my experience, the design complexity of the system may be an obstacle for new users, especially those who are not so familiar with the cloud computing concept. Learning Azure requires a certain time investment.

1.6 Outline of the Report

This report is further organized as follows. Chapter 2 gives the fundamental background of cloud computing, introductions of major cloud vendors, especially Microsoft Azure. History of threat modeling and related work are also included.

Chapter 3 presents the details of methodologies used in this project like probabilistic threat modeling, domain survey, MAL language and so on. Chapter 4 describes the major outcome, azureLang, MAL specifications of Azure. Chapter 5 gives the validation and evaluation of my specification by JUnit tests. It shows how to build models and test if they perform as expected. In the end, chapter 6 concludes this master thesis project and discusses some future work.

Chapter 2

Background

In this chapter, a detailed description of the background of the project is presented together with related work.

Building a high-performance and reliable network system has always been a major focus for IT engineers. After decades of development, cloud computing seems to be the answer. It has become a major IT solution for modern industries and individuals. In the first three sections of this chapter, we first take a look at the holistic view and the related security issues, as well as basic introductions to some popular cloud vendors. We focus especially on Microsoft Azure.

Meanwhile, the chapter will also talk about the history of threat modeling, since it is the main method of the project and it is helpful to know how it is developed and why it is useful and popular. After that, the following section will present the related work in this area of research and in the end, we use the last section to summarize the background knowledge.

2.1 Cloud computing and security

The earliest reference to the term ”cloud computing” can be traced back to 1996. It appears in an internal document of Compaq, the first known mention [9]. The history of using a symbol to represent network equipment is even older and can be traced back to 1977, in the original ARPANET [16].

Unlike traditional network systems, cloud computing today means that users access computing services like servers, storage, networking, software and so on over the internet (”the cloud”). For example, people choose to store personal documents online rather than on their personal computer's hard drive [14].

Figure 2.1 below is the cloud computing metaphor and it presents the basic components.

Figure 2.1: Cloud computing metaphor [34]

2.1.1 Cloud Computing Service Model

Generally, cloud computing provides three kinds of service models to satisfy the demands of cloud users. Different service models have different features, and the privileges that users have to access certain cloud resources also differ.

As shown in figure 2.2, the three general service models are Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

1. SaaS. SaaS enables cloud users to use applications running on the cloud side. It can usually be used easily from a web browser. Some of the most popular online text editors, like Google Docs and Overleaf, are typical examples of SaaS. Microsoft Office 365 is also categorized as SaaS.


Figure 2.2: Cloud Service Model [15]

2. PaaS. PaaS is where cloud vendors provide a platform for IT engineers to implement, on the cloud, the IT solutions best suited for their company or organization. It gives users the privilege to develop and manage their own cloud applications.

3. IaaS. IaaS gives its consumers the lowest access level on various types of network infrastructure such as virtual machines, gateways, container instances, etc. Consumers are expected to be capable of installing and executing software on virtual servers. Before initializing a certain piece of network infrastructure, for example a virtual machine, a cloud user has the right to determine the performance parameters of the VM. Well-known IaaS offerings such as Elastic Compute Cloud (EC2) by Amazon have been leading the revolution of cloud computing over the last several years.

2.1.2 Cloud computing features

According to the National Institute of Standards and Technology (NIST), the definition of cloud computing contains ”five essential characteristics”, as shown in table 2.1 below. These five features are on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service.

On-demand self-service: A consumer can unilaterally provision computing capabilities.

Broad network access: Capabilities are available over the network through heterogeneous client platforms.

Resource pooling: Computing resources are pooled to serve multiple consumers.

Rapid elasticity: Capabilities can be elastically provisioned and scaled rapidly.

Measured service: The system automatically controls and optimizes resources.

Table 2.1: Characteristics of cloud computing

2.1.3 Cloud security

Although cloud computing is getting more and more popular and powerful these days, industries trying to migrate their network systems into the cloud still face a huge number of challenges. Among all those challenges, cloud security has always been a major concern. Here follow some important aspects regarding cloud security:

1. Insecure Interfaces and APIs. According to a new study by Imperva, over half of organizations expose their APIs to the outside world, so that external developers can gain access to their software platforms [37]. The benefit is obvious: more developers can contribute to their efforts. However, even if it is not on purpose, there is still a chance of introducing unknown risks.

2. Data Loss and Leakage. Data loss and data leakage are two different terms but have similarities. Data leakage means the confidentiality of information has been compromised, whereas data loss is the loss of data due to deletion, system crash, etc. Both of them can lead to serious consequences and have been among the most important cloud security issues [32].

3. Hardware failure. Even if cloud computing always holds the view of ”virtual”, giant cloud vendors like Amazon and Microsoft still have a lot of data centers globally. Because of the complexity of the environment where this underlying infrastructure is located, even carefully engineered data centers can still suffer a large number of failures [22].

4. Configuration complexity. In 2019, the notorious Capital One data breach raised people's concern about cloud security [39]. The reason behind this story was a misconfiguration of the AWS firewall. In the end, thousands of users' data were exposed.

2.2 Cloud Vendors

We are living in a world of rapid economic growth, and because cloud computing is getting more and more popular, the commercialization of cloud computing services happens naturally. The competition among big cloud vendors is also getting more intense. Major cloud technology companies invest huge amounts of money every year in cloud research and development (R&D). Taking Microsoft as an example, in 2011 it committed 90 percent of its 9.6 billion dollar R&D budget to its cloud services [29].

2.2.1 Amazon Web Services (AWS)

Amazon Web Services offers a cloud computing platform based on paid subscriptions. Amazon first launched AWS in July 2002, and in 2006 it launched the S3 bucket storage service alongside the EC2 service [7]. Nowadays AWS still leads the industry in the cloud computing field and still has the highest adoption rate.

Figure 2.3: AWS [7]


2.2.2 Azure

According to the introduction on the official Microsoft website, Azure is an ever-expanding set of cloud computing services that helps organizations meet their business challenges [9]. Azure users have the freedom to build, manage and deploy applications as well as massive global networks using existing or custom tools and frameworks. Microsoft claims that Azure is secure and global and has advantages over AWS such as more competitive pricing, enhanced proactive security and more open source for developers.

Figure 2.4: Microsoft Azure [29]

2.2.3 Google Cloud Platform (GCP)

Intentionally designed for Google's bundled products such as Gmail, YouTube, etc., Google Cloud Platform is a compatible cloud service platform for their end users.

Compared to AWS and Azure, GCP focuses efforts on PaaS and IaaS.

2.2.4 Aliyun

As a quickly rising IT company in China, Alibaba also has its own corresponding cloud service, Aliyun. The cloud-based solution is a fit for businesses within the Alibaba ecosystem to reach a new level of creativity, inclusivity and success [13]. Since the Chinese government always supports its local industry, Aliyun may have a continuously increasing market share for the foreseeable future.


Figure 2.5: Google Cloud Platform [8]

Figure 2.6: Aliyun [13]

2.3 History of threat modeling

The earliest idea of threat modeling came up in 1977 with Christopher Alexander [35]. In his best known book, A Pattern Language, he initially analyzed threats and risks from a system architecture perspective [1]. Over decades of development, the threat modeling method has been proven to be a scientific way to assess the security level of a system, especially in the IT research field. In 1999, two Microsoft cyber security professionals, Loren Kohnfelder and Praerit Garg, developed a model for considering attacks relevant to the Microsoft Windows development environment, the STRIDE model [4]. STRIDE represents the most typical cyber attacks, which are spoofing identity, tampering with data, repudiation, information disclosure, denial of service and elevation of privilege.

Up to now, threat modeling is a relatively mature method and gives the theory support behind this project. Details of threat modeling will be discussed in chapter 3.


2.4 Related Work

azureLang is a DSL that focuses on the research field of probabilistic threat modeling and cloud computing services. The following subsections introduce some important and meaningful related work.

2.4.1 Developed Languages

UMLsec, developed by Jan Jürjens [21], and SecureUML, developed by Torsten Lodderstedt et al. [24], are very good examples of extending the Unified Modeling Language (UML) for secure systems development.

Meanwhile, the Meta Attack Language proposed by Johnson et al. [18] is an important contribution in this area, and it is the basis of this thesis project. The agility that MAL provides makes it easier for developers to design a DSL, more specifically for a well-defined system.

2.4.2 Threat Modeling Software

There is also a range of threat modeling software on the market to meet the requirements of companies that want to analyze possible cyber risks. The following are some typical instances:

1. Microsoft's free threat modeling tool [30] – the Threat Modeling Tool (formerly the SDL Threat Modeling Tool). This tool is based on the aforementioned STRIDE model developed by Microsoft's IT security professionals. It helps in finding threats in the design phase of software projects.

2. ThreatModeler - a threat modeling tool by MyAppSecurity [40]. It identifies threats based on a customizable, comprehensive threat library.

3. securiCAD® - threat modeling software developed by the Scandinavian company foreseeti [6]. It conducts attack simulations on current and future IT architectures and analyzes the vulnerabilities at essential choke points. A security report based on the attack simulations run on the model is generated in order to help users better understand the weaknesses in their systems and find out the possibility of compromise of their high-value assets.

Chapter 3

Methodology

The purpose of this chapter is to provide an overview of the methods used in this thesis project. First, we will take a look into the concept of probabilistic threat modeling. This is the mathematical theory behind MAL and also this project.

Second, we proceed with the domain survey. The Microsoft Azure products within the scope of this project are described, including Virtual Network (Vnet), Virtual Machine (VM), Role-Based Access Control (RBAC) and so on. The corresponding MAL specifications are presented in chapter 4. Later, we take a look at the definition of the Meta Attack Language, MAL. Finally, the chapter concludes with the presentation of the validation and evaluation method, the JUnit tests.

3.1 Probabilistic threat modeling

When modeling a specific network system, threat modeling is one of the best methods to assess the security level of network components by establishing a system-structured model. Generally, these models assist in finding existing and possible risks and vulnerabilities. In theory, the threat modeling method enables IT engineers to optimize their network systems without any actual risk of data leakage or economic loss.


3.1.1 Basic Attack Trees

The core idea of threat modeling is the attack graph, also known as the attack tree. It is a formal, methodical way of evaluating the security of systems.

Generally, the attack steps are presented in a tree-like structure. In an attack tree, the root node is the goal of the attack, and the various methods of accomplishing the ultimate goal are shown as leaf nodes. Back in 1999, security expert Bruce Schneier proposed this efficient method for threat modeling [2].

Figure 3.1: Basic Attack Tree [2]

Figure 3.1 is an example of a basic model against a physical safe. In order to open the safe, an attacker can pick the lock, learn the combination, cut it open or exploit an improper installation. In order to learn the combination, the attacker can either find the written combination or get it from a target. Each of these in turn has several subgoals to achieve.

After finishing the fundamental structure, we can assign the values I (impossible) and P (possible) to the model. Once the values are assigned, it is obvious which attack path can be used to open the safe. Meanwhile, we also define each node as an AND node or an OR node. An AND node means that several attacks lead to a common goal and all subgoals must be accomplished in advance: the attacker cannot achieve the goal unless all subgoals are satisfied. On the other hand, an OR node means that if one of its sub-nodes is compromised, the OR node is compromised. As a result, the I or P value of an AND node is possible only if all child nodes are possible, and impossible otherwise. Figure 3.2 shows the improved version of the model presented in figure 3.1.

Figure 3.2: Possible Attack Tree [2]

The dotted lines in figure 3.2 show the attack paths. The paths are composed of possible attack nodes, from leaf to the ultimate goal. Finding the possible attack paths helps the system structure constructor to be aware of how to defend this system against possible attacks.

3.1.2 Attack values

In reality, attackers must consider the cost of execution. The cost does not only consider the economical aspect but also considers how much effort that an attacker will have to put in. Therefore, each node will have different attack values.

For instance, figure 3.3 shows the cheapest attack path without any special equipment. At the same time, it is also possible to find the different attack paths with different values, such as the attack path with the highest probability of breaking into the safe, or the best low-skill attack, etc.

Figure 3.3: Attack Value [2]

In order to deduce the possible attack path, security engineers must correlate the attack trees with the knowledge level of attackers. Different attackers have different resources. It will also help us to implement counter measures based on demands.

3.1.3 Calculation of TTC using probability distribution

Considering the concept of attack values discussed in the last section, it is usually not just money that constitutes the cost of an attack step; it can also be the time to compromise (TTC) of an attack step. In 2016, Johnson P. et al. presented the pwnPr3d model (pronounced "Pwn Prediction"), which clearly describes how to calculate the TTC using probability distributions [17]. Figure 3.4 shows the basic meta model.

Essentially, this model is also an attack tree, G = (V, I, E, ω), where:

• V is a set of attack steps;

• I is a subset of V which contains the starting points of the attack;

• E ⊆ V × V is a set of directed edges. It defines the possible progression that an attacker can make between steps;

• the weight function ω : (A, B) ∈ E → P(TTC_A) assigns to each edge a probability distribution, such as an exponential, Bernoulli or log-normal distribution, over the time the attacker spends on an attack step; in short, the TTC.

Figure 3.4: Meta model of pwnPr3d [17]

The calculation of TTC follows a two-step process:

1. Each edge of the attack tree is "concretized" by drawing a sample from its TTC probability distribution. The sampled value becomes the weight of the edge and represents the TTC of the edge's target step.

2. The smallest TTC to each step is then found with an adapted version of Dijkstra's shortest path algorithm.

3.2 Domain survey

The domain survey of this project is focused on Microsoft Azure. First we must know what Azure is. Azure is Microsoft's cloud computing platform: a continually expanding series of cloud services that can help organizations meet current and future business challenges. Azure gives you the ability to build, manage and deploy applications on a massive global network using your favorite tools and frameworks.

In the first few weeks, this project started by reading related research papers and familiarizing myself with the threat modeling concept from scratch. Meanwhile, since I carried out my thesis work at Foreseeti AB, and securiCAD® is already a mature software product developed by my host company, learning how to use it and reading through its documentation was also very helpful. I have found that carrying out attack simulations on securiCAD® not only gives me insights into the general security concepts and terminology, but is also very interesting and satisfying. After that, based on the problem definition of my thesis work, this work continued with the related official documentation of Microsoft Azure. Most of this documentation is comprehensive and user-friendly. In a nutshell, before the actual development, the domain survey work was sufficient and very helpful.

The subsections below present some of the most important core cloud services provided by Azure.

3.2.1 Computing

High performance cloud computing is the main reason why many industries migrate their servers into the cloud. Azure offers a range of options for hosting applications [31].

1. Azure Virtual Machine. Windows or Linux virtual machines hosted in Azure.

2. Azure Kubernetes Service. Enables you to manage VM clusters running containerized services.

3. Azure Container Instances. Containerized applications without preassigned servers or VMs.

4. Azure Functions. Event-driven serverless computing services.

3.2.2 Networking

The key function of Azure networking is to link computing resources and provide access to applications. Networking features in Azure include a range of options to connect the outside world to the services and capabilities of Microsoft Azure data centers [31]. Azure networking offers the following services:

1. Azure Virtual Networking. Connects VMs to an incoming virtual private network (VPN) connection.

2. Azure Load Balancer. Balancing inbound and outbound connections at the application or service endpoint.

3. Azure VPN Gateway. Accessing Azure Virtual Networks through a high performance VPN Gateway.

4. Azure Content Delivery Network (CDN). Delivering high-bandwidth content to customers on a global scale.

5. Azure ExpressRoute. Connect to Azure over a dedicated, high- bandwidth, secure connection.

6. Azure Network Watcher. Scenario-based analysis to monitor and diagnose network problems.

3.2.3 Storage

Azure also provides storage services which are durable and highly available through redundancy and replication. Using automatic encryption and role-based access control (RBAC), the storage remains secure. Moreover, it is easily accessible from anywhere in the world over HTTP or HTTPS [31].

1. Azure Blob storage. Service for storing large objects (such as video files or bitmaps).

2. Azure File storage. File shares that you can access and manage like a file server.

3. Azure Queue storage. Data storage for queuing and reliably passing messages between applications.

4. Azure Table storage. NoSQL storage that hosts unstructured data independent of any architecture.


Figure 3.5: Blob storage structure [38]

3.3 MAL specifications development

The Meta Attack Language, or MAL for short, is a language for creating cyber threat modeling systems for specific domains such as Supervisory Control and Data Acquisition (SCADA), automotive and cloud. The fundamental benefit of a universal attack/defense language for a domain is that it decreases the expertise required to generate attack models each time. System constructors can encode the assets, attack steps and associations of a given scenario, and a reusable solution built from an instantiated model can benefit many people.

Moreover, MAL is open source under a permissive Apache 2.0 license and based on a decade of research at KTH Royal Institute of Technology [26] [18].

A MAL specification is composed of four kinds of declarations: asset definitions, attack steps and defense steps, which reside inside an asset definition, and finally associations, which relate two assets. With these parts, a security system engineer is able to develop a DSL for a specific domain; in this thesis work, that DSL is azureLang.

As mentioned earlier in section 3.1, attack steps in MAL correspond to the attack nodes of an attack graph. Attack steps are either AND attack steps or OR attack steps. An attack step requires a certain cost to be compromised; in MAL, this cost is referred to as Time To Compromise (TTC). Every attack step has its local time to compromise, noted TTC_local. After an attack simulation, the total time to compromise the whole model is calculated, noted TTC_global. TTC_global indicates how secure the network system is. The method used to calculate TTC is described in section 3.1.3.

In order to better understand the concepts and syntax of MAL, simple code examples are presented below. We gradually start from scratch to define an asset.

    asset Host {
      | connect
        -> access
      | authenticate
        -> access
      | guessPassword
        -> guessedPassword
      | guessedPassword [Exponential(0.02)]
        -> authenticate
      & access
    }

The keyword asset begins an asset definition; in this piece of code, Host is the name of the asset. The notation '|' indicates that an attack step is an OR attack step and the notation '&' indicates an AND attack step. '->' means "leads to".

A parent attack step can lead to a child attack step. In this Host asset, we notice that guessedPassword is an OR attack step. If guessPassword is compromised, guessedPassword will be compromised right after it, since an OR step needs only one of its parents. In contrast, since access is an AND attack step, all of its parent attack steps, connect and authenticate, need to be compromised. If there are more attack steps in other asset definitions which lead to access, they need to be compromised first as well.

Furthermore, we notice that the attack step guessedPassword is followed by [Exponential(0.02)]. Guessing a password is probabilistic, and the probability of successfully guessing it is converted into time governed by an exponential probability distribution with a mean value of 0.02 minutes.

    asset Network {
      | access
        -> hosts.connect
    }


The asset definition above shows that an attack step can also be led to by an attack step in another asset. The attack step access in asset Network leads to connect in Host. As long as the developer includes the MAL specifications, an attack step in an asset of another MAL file can also lead to an attack step in this file. However, to reach an attack step defined in another asset, an association must be defined between the two assets.

    associations {
      Network [networks] * <-- NetworkAccess --> * [hosts] Host
      Host [host] 1 <-- Credentials --> * [passwords] Password
      User [user] 1 <-- Credentials --> * [passwords] Password
    }

As shown above, the assets Host and Network have an association named "NetworkAccess". The names in brackets are the fields of the association; as the field names indicate, they describe the role of each asset in the relationship. In an asset definition, attack steps can lead to attack steps of the asset behind a field defined in the association, as hosts.connect does above. The cardinality, as in traditional UML diagrams, can be 1-to-1, many-to-many or 1-to-many.

To summarize, MAL allows security engineers and network system designers to model a structured system. With such a model, it is easy to find and analyze threats and weaknesses. This attack logic is also useful in, and easily adopted for, the cloud environment. This subsection only explains the core content of the MAL language; for more details of the syntax, refer to the MAL documentation [27].
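As an added Python example (not code from the thesis, MAL or securiCAD), the TTC procedure of section 3.1.3 applied to the Host and Network assets of this section: each run draws a local TTC for every attack step and an adapted Dijkstra then finds the earliest compromise time, treating an AND step as reached only when all of its parents are. The dict encoding of the graph, the entry set, and reading the argument of Exponential(0.02) as the rate λ (mean 1/λ) are assumptions of this example.

```python
"""Time-to-compromise (TTC) simulation over an AND/OR attack graph.

Follows the two-step procedure of section 3.1.3:
  1. every attack step's local TTC is "concretized" by drawing one sample
     from its distribution; the sample is the weight of every edge that
     leads into the step;
  2. the earliest time each step can be compromised is computed with
     Dijkstra's algorithm, adapted so that an AND step is only reached
     once all of its parents have been reached, while an OR step is
     reached via its earliest parent.

The model below is the Host/Network example of section 3.3. The dict
encoding, the entry set and the sampler protocol are choices made for
this example, not MAL's or securiCAD's internal representation.
"""
import heapq
import math
import random


def instant(rng):
    """Sampler for attack steps that carry no TTC distribution."""
    return 0.0


def exponential(rate):
    """Sampler for Exponential(rate); the argument is taken as the rate
    lambda, so the mean TTC is 1/rate (assumption of this example)."""
    return lambda rng: rng.expovariate(rate)


# attack step -> (type, local TTC sampler, attack steps it leads to)
HOST_NETWORK_MODEL = {
    "Network.access":       ("OR",  instant,           ["Host.connect"]),
    "Host.connect":         ("OR",  instant,           ["Host.access"]),
    "Host.guessPassword":   ("OR",  instant,           ["Host.guessedPassword"]),
    "Host.guessedPassword": ("OR",  exponential(0.02), ["Host.authenticate"]),
    "Host.authenticate":    ("OR",  instant,           ["Host.access"]),
    "Host.access":          ("AND", instant,           []),
}


def parents_of(graph):
    """Reverse adjacency: which steps lead into each step."""
    parents = {step: set() for step in graph}
    for step, (_, _, children) in graph.items():
        for child in children:
            parents[child].add(step)
    return parents


def concretize(graph, rng):
    """Step 1: draw one local TTC sample per attack step for this run."""
    return {step: sampler(rng) for step, (_, sampler, _) in graph.items()}


def shortest_ttc(graph, entry, weights):
    """Step 2: adapted Dijkstra. Returns the earliest compromise time of
    every step; math.inf marks steps the attacker can never reach."""
    parents = parents_of(graph)
    dist = {step: math.inf for step in graph}
    finished = set()
    # for AND steps: parents still missing, and when the last one arrived
    pending = {s: len(parents[s]) for s, (kind, _, _) in graph.items() if kind == "AND"}
    last_parent = {s: 0.0 for s in pending}
    heap = []
    for step in entry:                 # entry steps are compromised at t = 0
        dist[step] = 0.0
        heapq.heappush(heap, (0.0, step))
    while heap:
        t, step = heapq.heappop(heap)
        if step in finished or t > dist[step]:
            continue                   # stale heap entry
        finished.add(step)
        for child in graph[step][2]:
            if graph[child][0] == "OR":
                candidate = t + weights[child]
            else:
                pending[child] -= 1
                last_parent[child] = max(last_parent[child], t)
                if pending[child] > 0:
                    continue           # AND step still waits for parents
                candidate = last_parent[child] + weights[child]
            if candidate < dist[child]:
                dist[child] = candidate
                heapq.heappush(heap, (candidate, child))
    return dist


def simulate(graph, entry, samples=1000, seed=1):
    """Mean earliest TTC of every step over `samples` concretized graphs."""
    rng = random.Random(seed)
    runs = [shortest_ttc(graph, entry, concretize(graph, rng)) for _ in range(samples)]
    return {step: sum(run[step] for run in runs) / samples for step in graph}


if __name__ == "__main__":
    # the attacker starts on the network and may also start guessing passwords
    result = simulate(HOST_NETWORK_MODEL, {"Network.access", "Host.guessPassword"})
    for step, ttc in sorted(result.items(), key=lambda kv: kv[1]):
        print(f"{step:24s} {ttc:8.1f}")
```

Removing Host.guessPassword from the entry set leaves Host.access unreachable (infinite TTC), which is exactly the AND semantics the text describes: connect alone is not enough.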

3.4 Validation and evaluation by JUnit tests

JUnit is a Java framework for writing and running repeatable tests. It is an instance of the xUnit unit testing framework architecture for the Java language. It includes the following features [19]:

1. Assertions for testing desired results

2. Test fixtures for sharing common test data

3. Test suites for easy organization and running of tests

4. Graphical and textual test runners

It should be noted that JUnit is generally used for unit testing, so it is necessary to understand the internal structure of the code under test. This method is also called white box testing [42]. JUnit is a highly recommended tool for extreme programming (XP) and refactoring, as it can greatly increase development efficiency once automated unit testing is in place.


Chapter 4

MAL specifications of azureLang

In this chapter, the domain specific language for probabilistic threat modeling of the Microsoft Azure cloud computing environment is presented. The development of each MAL specification is shown as a diagram.

This chapter begins with an overview of azureLang and is followed by the introduction of each service or concept separately.

4.1 Overview of azureLang

The current version of azureLang is a thesis project with five MAL specifications and their corresponding test cases. In each MAL specification, the related assets, attack steps and associations are defined. However, the different services and network infrastructures of Azure need to be constructed together in order to form a whole cloud computing environment. For example, a virtual machine must exist in a virtual network, so these two services cannot be split.

This situation also applies to azureLang. An attack step in one specification may lead to an attack step in another one and an asset would have more than one connection/association with other assets as well.

AzureLang is for now still at a relatively abstract level. Even so, presented in one UML diagram it would be complicated and hard to understand. Instead, I choose to introduce the specifications separately.

4.2 core

The first MAL specification is named core. This specification covers some of the most important aspects in Azure. The core specification is described in the following figure 4.1.

Figure 4.1: core.mal

The development of the core specification is inspired by the overall access scopes of Azure. The access scopes of Azure are hierarchical and come in four levels: management groups, subscriptions, resource groups and resources. In Azure, a scope can be thought of as a container on which cloud administrators are granted access to perform actions. For example, each resource is under one resource group and cannot exist in another. Multiple resource groups are under an Azure subscription. The hierarchical structure according to the official Microsoft documentation is shown in figure 4.2.

Comparing figure 4.1 with figure 4.2, there are two differences. The concept of management groups is not included in azureLang because they are rarely used in general, and the subscription is the scope that is closely connected to an account; the type of subscription also determines the exact bill invoiced to the Azure account. The second difference is that in core.mal, Resource and AzureResource are defined separately. Asset AzureResource is an abstract asset that mainly serves the general testing of the RBAC system. Asset Resource, on the other hand, is a null asset with no attack steps in it, which is convenient to extend in other specifications. Finally, the assets Data and Information are defined.

Figure 4.2: Scope level in Azure

Information can be stored as data. Data is the syntactic form of the semantics represented by the Information asset. Thus, multiple Data assets can contain the same information.

4.3 Role Based Access Control

When evaluating the cloud services that a vendor provides, one of the most important things to consider is the quality of the access control system. In Azure, it is called Role Based Access Control (RBAC), and in azureLang this specification is essential as well. Figure 4.3 shows how it looks.

In azureLang, most of the MAL specifications that present different services are relatively independent of each other; the RBAC system, however, is closely attached to every scope, which makes it crucial. Figure 4.3 shows a security principal, generally an Active Directory user, being assigned a role. The role assignment has three types, which are the most common cases: reader, contributor and owner. The roles can execute actions on different Azure scopes. These actions are determined by the role assignment; for example, a reader certainly has fewer privileges than an owner on a certain asset, which leads to a more limited set of actions. In general, actions on cloud resources can be categorized into three types: read, write and delete. As mentioned in section 4.2, the asset AzureResource is defined to contain these three attack steps. The main goal of AzureResource is to test the capability of RBAC; more details of the test cases are included in the next chapter.

Figure 4.3: RBAC.mal

4.4 Virtual Network

In order to model how different types of resources in the Azure cloud computing environment communicate with each other, the Virtual Network MAL specification was developed. The virtual network service provides communication between Azure resources as well as the connection to the internet and to on-premises networks. The MAL specification describes the model shown in figure 4.4.

In an Azure private network, users are allowed to create different subnets. It is always recommended that the address spaces of the subnets do not cover the whole range of the virtual network, because it is wiser to plan ahead and reserve space for potential future allocations. An instance, typically a virtual machine, is assigned an IPv4 address when created. This address is attached to the network interface (NIC) of the instance, and if it lies in the address space of a certain subnet, we say that the instance belongs to that subnet.

Figure 4.4: vnet.mal

To connect two different networks, Azure provides virtual network peering. Users can peer networks either within or across Azure regions. Peering between Azure virtual networks uses the Microsoft backbone infrastructure [3].

Routing is also an important aspect of a virtual network. Route table is an asset defined in this specification that can be assigned to subnets and virtual networks. Routes exist in route tables and specify sources and destinations.

Meanwhile, the peering route also belongs to a routing table so it could also be associated with a virtual network [23].

How to handle private and public IP addresses is another important topic. In Azure, public addresses are used for communication with the Internet, while private addresses are used for communication within an Azure virtual network [5]. In azureLang, regardless of its type, an IP address always lies in a range and can be attached to a virtual machine network interface or a gateway.

4.5 Virtual Machine

In azureLang, virtual machine MAL specification reflects the corresponding part in Azure cloud service. In this specification, a service model of different types of VMs has been built. The following figure 4.5 presents this service model.

Figure 4.5: vm.mal

Like a physical machine, a virtual machine requires an installed operating system, whether Windows, Linux, macOS or any other system. In azureLang, only Linux and Windows are defined and modeled. macOS is not covered currently, but since macOS and Linux are both Unix-based operating systems and share similarities, an asset for macOS should be easy to define in the future. The operating system needs permanent storage, so each virtual machine has disks. For a virtual machine in Azure, disks are categorized into two types, the OS disk and data disks [10].

In addition to the operating system, applications are also available on virtual machines. In azureLang, the application is defined as an asset as well. Applications also have various types, such as shell applications and non-shell applications. Secure Shell (SSH) is one of the most common and well-known shell applications.

Considering the real usage environment of a cloud user, connecting to a Linux VM or a Windows VM requires an SSH key or a Remote Desktop Protocol (RDP) file, respectively. With an SSH key, a local host can connect to a Linux VM, and with an RDP file that contains the user name and password, a local host can connect to a Windows VM; the two use different TCP ports. The SSH protocol uses TCP port 22 [36] and the RDP protocol uses TCP port 3389 [41].

4.6 Storage service

In addition to the virtual network, which connects resources, and virtual machines, which provide computing services, the storage service is also included in azureLang. Figure 4.6 presents the structure of this MAL specification.

Figure 4.6: storageaccount.mal

The first step of using Azure storage service is to create an Azure Storage account that contains all of the users’ data objects such as blobs, files, queues, tables, and disks. In Azure, there are three kinds of storage accounts which are Blob storage account, StorageV1, and StorageV2. A blob storage account can only store blob containers but the other two types can store other kinds of data.

The difference between StorageV1 and StorageV2 lies in redundancy and performance. Currently, Microsoft encourages Azure users to choose the StorageV2 type when creating a new storage account. For every storage account, users need to provide a unique namespace so that the data is accessible worldwide over the internet, which matches the description given earlier in chapter 3.

In the asset definitions of the storage service part of azureLang, a blob object always belongs to a blob container, and a file always belongs to a file share. Since a basic asset called Data is already defined in core.mal, the File and Blob assets extend that Data asset and inherit its attack steps. It should be noted that the data disk and OS disk fall within the scope of the storage service; however, since they are always attached to a virtual machine, for convenience I chose to define them in the virtual machine specification.

For the current version of azureLang, as it is shown in the figure, it only contains Blob storage service and File share service. More services like queue, table storage will be added in the future.


Chapter 5 Results

In this chapter, the result of this thesis work is presented. Since the overall structure was introduced in the previous chapter, we already have a general knowledge of azureLang. More specifically, the result shows which essential attack steps can be performed. The first section presents these attack steps in tables, and the second section introduces the validation and evaluation results by showing some example test cases. Note that azureLang has many helper attack steps, for example perform and performAction in the Action asset; these helper attack steps are not presented in this report, only the essential ones.

5.1 Essential Attack Steps

Generally, some of the most important attack steps are generic, for example read, write and delete. These attacks apply to many assets. In contrast, there are also asset-specific attack steps.

5.1.1 Attack steps in core.mal

The following tables present the essential attack steps of various assets defined in core.mal. There are attack steps in asset subscription, resource group, and a general definition of data and information.

Attack name    Attack type    Leads to
access         AND            resourcegroup.access
cancel         AND            resourcegroup.delete
read           AND            resourcegroup.read
write          AND            resourcegroup.write

Table 5.1: Attack steps in asset Subscription

Attack name    Attack type    Leads to
access         AND            azureResource.access
                              resource[VirtualMachine].connect
write          AND            azureResources.write
delete         AND            azureResource.delete
                              resource[VirtualMachine].terminate
read           AND            azureResources.read

Table 5.2: Attack steps in asset ResourceGroup

Attack name            Attack type    Leads to
requestAccess          OR             authenticatedRead
                                      authenticatedWrite
                                      authenticatedDelete
readPermission         OR             authenticatedRead
writePermission        OR             authenticatedWrite
deletePermission       OR             authenticatedDelete
authenticatedRead      AND            read
authenticatedWrite     AND            write
authenticatedDelete    AND            delete
read                   OR             information.read
                                      containedData.read
write                  OR             information.write
                                      containedData.write
delete                 OR             information.write
                                      containedData.write

Table 5.3: Attack steps in asset Data


5.1.2 Attack steps in RBAC.mal

The following tables present the essential attack steps of the assets defined in RBAC.mal. There are attack steps in the assets Active Directory User (AD User), Reader, Contributor and Owner.

The Reader asset, shown in table 5.5, can only compromise attack steps related to read actions, whereas Contributor and Owner have higher privileges on scopes. Table 5.6 shows the additional attack steps of Owner, such as write and delete. According to the documentation [33], the access privileges of Owner and Contributor on the different scopes and resources are nearly equal, so the attack steps of Contributor are not shown. The only difference between the Owner role and the Contributor role is that the Owner has the right to create, update or delete a login profile for an AD User.

Attack name                  Attack type    Leads to
assume                       OR             principalReader.readeraccess
                                            principalOwner.owneraccess
                                            principalContributor.contributoraccess
attemptAddLoginProfile       OR             createLoginProfile
attemptUpdateLoginProfile    OR             updateLoginProfile
attemptDeleteLoginProfile    OR             deleteLoginProfile
createLoginProfile           OR
updateLoginProfile           OR
deleteLoginProfile           OR

Table 5.4: Attack steps in asset ADUser

Attack name     Attack type    Leads to
readeraccess    OR             scopes[Subscription].read
                               executees[SubscriptionRead].performAction
                               scopes[ResourceGroup].read
                               executees[ResourceGroupRead].performAction
                               scopes[AzureServiceResource].read
                               executees[AzureServiceRead].performAction

Table 5.5: Attack steps in asset Reader

Attack name    Attack type    Leads to
owneraccess    OR             all read-related steps in the Reader asset
                              scopes[Subscription].write
                              executees[SubscriptionWrite].perform
                              scopes[ResourceGroup].write
                              executees[ResourceGroupWrite].performAction
                              scopes[AzureServiceResource].write
                              executees[AzureServiceWrite].performAction
                              scopes[Subscription].cancel
                              executees[CancelSubscription].performAction
                              scopes[ResourceGroup].delete
                              executees[ResourceGroupDelete].performAction
                              scopes[AzureServiceResource].delete
                              executees[AzureServiceDelete].performAction
                              executees[AddLoginProfile].performAction
                              executees[UpdateLoginProfile].performAction
                              executees[DeleteLoginProfile].performAction

Table 5.6: Attack steps in asset Owner

5.1.3 Attack steps in vnet.mal

There are not many attack steps in vnet.mal. The design emphasizes the network logic, such as routing, the connection from an Azure virtual network to an on-premises network, and the network interface (NIC). This part was discussed in section 4.4. Table 5.7 shows the attack steps of the NIC asset, which is responsible for all transmission and connects everything together.

Attack name         Attack type    Leads to
transmit            OR             transmitRequest
                                   transmitResponse
transmitRequest     OR             reachableServices().networkRequestConnect
                                   services.networkRequest
                                   externalNetwork[Internet].restAPIs.invoke
                                   privateSubnets().network[Internet].restAPIs.invoke
transmitResponse    OR

Table 5.7: Attack steps in asset NetworkInterface


5.1.4 Attack steps in vm.mal

The following tables start with the asset Application, which is the most important asset of this specification, followed by the attack steps of the assets VirtualMachine, OSDisk and DataDisk. In the future, as azureLang is extended and improved, more attack steps will be added to this specification.

Attack name                                   Attack type    Leads to
localConnect                                  OR             localAccess
networkRequestConnect                         OR             networkAccess
networkRespondConnect [Exponential(0.01)]     OR
authenticate                                  OR             localAccess
                                                             networkAccess
localAccess                                   AND            access
networkAccess                                 AND            access
access                                        OR             read
                                                             modify
                                                             deny
                                                             shellInstance.connect
codeExecution                                 OR             access
                                                             executionAccount.getaccount
read                                          OR
modify                                        OR
deny                                          OR

Table 5.8: Attack steps in asset Application

Attack name            Attack type    Leads to
connect                OR             highPrivilegeAccess
                                      lowPrivilegeAccess
highPrivilegeAccess    AND            applications().access
                                      networkInterface.transmit
                                      terminate
lowPrivilegeAccess     AND            applications().localConnect
                                      networkInterfaces.transmit
terminate              OR             applications().deny
runVirtualMachine      OR             connect
networkAccess          AND            access

Table 5.9: Attack steps in asset VirtualMachine

Attack name    Attack type    Leads to
attach         OR             operatingSystem.create

Table 5.10: Attack steps in asset OSDisk

Attack name    Attack type    Leads to
attach         OR             data.read
                              data.write
detach         OR             data.delete

Table 5.11: Attack steps in asset DataDisk

5.1.5 Attack steps in storageaccount.mal

The last MAL specification within the scope of this thesis currently reflects mainly the blob storage service. Services like file share, table and queue storage are also part of the storage services that Microsoft provides [31]. However, even when more services are added, they will always be included in the scope of a storage account. Note that the Blob and File assets extend the Data asset defined in the core MAL specification, so they inherit all attack steps of Data.

The following several tables present current essential attack steps in this specification.

Attack name    Attack type    Leads to
access         OR             blobContainer.connect
                              fileShares.upload

Table 5.12: Attack steps in asset StorageAccount


Attack name                    Attack type    Leads to
connect                        OR             blobs.requestAccess
                                              listBlobContainer
                                              deleteContainer
listBlobContainerPermission    OR             listBlobContainer
deleteContainerPermission      OR             deleteContainer
listBlobContainer              AND            blobs.listPermission
deleteContainer                AND            blobs.deletePermission
readBlob                       OR
writeBlob                      OR
deleteBlob                     OR
listBlob                       OR

Table 5.13: Attack steps in asset BlobContainer

Attack name            Attack type    Leads to
authenticatedRead      AND            blobContainer.readBlob
authenticatedWrite     AND            blobContainer.writeBlob
authenticatedDelete    AND            blobContainer.deleteBlob
authenticatedList      AND            blobContainer.listBlob

Table 5.14: Attack steps in asset Blob

Attack name    Attack type    Leads to
upload         OR             files.uploaded

Table 5.15: Attack steps in asset FileShare

Attack name    Attack type    Leads to
uploaded       OR

Table 5.16: Attack steps in asset File


5.2 Validation and evaluation

To check whether these attack steps produce the expected result in an implementation scenario, test cases are built as introduced in section 3.4. As the primary method adopted, building test cases is beneficial for finding errors, detecting misleading logic, and validating the quality of the MAL code.

In this section, three typical test cases are presented, from a simple level to a complicated one. They test the ability of azureLang to simulate a realistic system that contains threats and risks.

5.2.1 Example test case 1 - Simple login test

The first example test case is a classical, simple login test that any IT system can adopt. In this test, an attacker is trying to log in to an Azure account in order to access the Azure subscriptions under this account. As in a dictionary attack, the attacker may or may not know the password of the account, so this connection is drawn as a dotted line in figure 5.1. Whether the attacker successfully accesses the subscription depends on whether he has obtained the password, because subscription.access, shown in table 5.1, is an AND attack step and requires all of its parent steps to be compromised.

Figure 5.1: Simple login test


5.2.2 Example test case 2 - Effectiveness of RBAC

As one of the most important parts of azureLang, RBAC must be tested for effectiveness, to see whether it really works as expected. As described earlier, the RBAC system is responsible for access control and distributes roles to users.

Two aspects need to be tested. First, different roles have different rights to perform certain actions: the Reader role can only perform read-related actions and definitely cannot create a new login profile for another AD user. Second, the RBAC system has a hierarchical structure. This means that if a user is assigned the reader role at the subscription scope, the reader role is inherited at the lower scope levels; in other words, he can read every resource group and all Azure resources in the subscription. However, if he is only the reader of one resource group, he cannot read anything in another resource group.

Figure 5.2: Effectiveness of RBAC - Hierarchy test scenario

5.2.3 Example test case 3 - Access to Storage services

The last example is an access attempt on the storage service. As mentioned before, there are three access scopes in the Azure Blob Storage service: the storage account, the Blob container and the Blob data object. Figure 5.3 presents a scenario with one storage account, two Blob containers, two Blob objects and one AD user. Since the user is assigned as the owner of the first Blob container, he has full privileges on this container and its Blob data objects; however, he is not granted any access to the other one.

Figure 5.3: Access to Storage services


Chapter 6 Conclusions

Compared with the conventional network system, migrating real network infrastructures into the cloud is an inevitable trend. Along with this trend, associated security and privacy concerns continue to grow. In this master thesis project, I present azureLang based on MAL. In the following sections, conclusions and some future work are discussed, and in the end, there are some final words.

6.1 Conclusions

To conclude this master thesis project, I developed azureLang, a DSL for the Microsoft Azure cloud computing environment. It is a probabilistic threat modeling language. AzureLang aims to enable security analysis and attack simulation in Microsoft Azure. The basis of azureLang is the Meta Attack Language (MAL) [18].

The main use of azureLang is to help cloud administrators analyze network security issues. Meanwhile, for software engineers with MAL programming expertise, azureLang can conveniently be extended to suit more complex infrastructure implementations.

In this thesis project, validation and evaluation of azureLang are accomplished by building test cases. These tests aim at executing unit and integration testing of azureLang. During the process of my development, my supervisors and colleagues have also given me valuable reviews.

6.2 Future Work

In the current version of azureLang, the scope only covers some of the most common services that Microsoft provides. In fact, Microsoft Azure offers a very wide range of network services; services such as Azure Kubernetes, IoT and database services are not yet covered. In other words, azureLang can be extended substantially in the near future.

Due to the time limit, some test cases of azureLang are not fully complete or well designed. More complex and more realistic test cases can be designed in the future to improve the reliability of azureLang.

6.3 Final Words

My graduation thesis work is the first time in my life that I have independently developed a project. There have been smooth times and difficult times in the process. But for several months, I have remained calm and worked hard from beginning to end, and finally reached the level of graduation. I have learned a lot of knowledge and gained a lot of insights. I am grateful for two years of studying at the Royal Institute of Technology and hope that my future life will be a brand new chapter.

References
