client to client attacks protection in cloud … · port scanning is to find the open ports that...
Post on 28-Apr-2019
227 Views
Preview:
TRANSCRIPT
CLIENT TO CLIENT ATTACKS PROTECTION IN CLOUD
COMPUTING BY A SECURE VIRTUALIZATION MODEL
AHAD AKBAR ABADI
UNIVERSITI TEKNOLOGI MALAYSIA
CLIENT TO CLIENT ATTACKS PROTECTION IN CLOUD COMPUTING
BY A SECURE VIRTUALIZATION MODEL
AHAD AKBAR ABADI
A thesis submitted in partial fulfillment of
the requirements for the award of the degree of
Master of Computer Science (Information Security)
Faculty of Computer Science and Information Systems
Universiti Teknologi Malaysia
January 2013
iv
ACKNOWLEDGEMENT
First and foremost, I would like to thank God for giving me the ability to
accomplish this project. Apart from the efforts of me, the success of any project
depends largely on the encouragement and guidelines of many others. I take this
opportunity to express my sincere gratitude to the people who have been helpful in
the successful completion of this project. I would like to show my greatest
appreciation to Dr. Mazdak Zamani. Saying thank you is not enough for his
tremendous support and help. I feel motivated and encouraged every time I attend his
meeting. Without his encouragement and guidance this project would not have
materialized. The guidance and support received from all of my friends who
contributed was vital for the success of the project. I am grateful for their constant
support and help. I am sincerely thanking to my examiners, Dr. Bharanidharan
Shanmugam and Dr. Teddy Mantoro, for their appropriate comments.
Last but not least I wish to express a sense of gratefulness to my beloved
parents and my dear sisters for their manual support, strength, and help and for
everything. I always feel them beside myself in all good times, bad times.
vi
ABSTRACT
Cloud computing was the long held dream of computing which has the
potential to transform a large part of the IT industry, shaping the way that IT
hardware designed and purchased and making software even more attractive as a
service. Without Virtualization cloud computing cannot achieve to its incredible
goals. VMware, Xen and KVM are some hypervisor software which provides server
Virtualization ability for cloud computing structure. Although cloud computing
brings gigantic advantages, the security issues still the considerable difficulties for
customers. This means the attacks which can threat the computer networks also can
be threats for cloud computing environment.VM to VM attack is one of the common
types of attacks that classified into two different groups such as VM hopping and
VM mobility. Port scanning comes in the first step of a computer attack. The aim of
port scanning is to find the open ports that can be exploited by attackers, in addition,
in attacker view getting information about the other port's status can be useful for
further exploitation. The goal of this project is to propose a new model for achieving
the better method to realize port scanning attempts and find out the information about
suspicious port scanner virtual machine in cloud computing.
vii
ABSTRAK
Pengkomputeran awan adalah impian yang lama dipegang pengkomputeran
yang mempunyai potensi untuk mengubah sebahagian besar daripada industri IT,
membentuk cara bahawa IT perkakasan yang direka dan dibeli dan membuat perisian
lebih menarik sebagai pengkomputeran awan service.Without virtualisasi tidak boleh
mencapai untuk yangmatlamat yang luar biasa. VMware, Xen dan KVM adalah
beberapa hypervisor perisian yang menyediakan virtualisasi pelayan keupayaan
untuk struktur perkomputeran awan. Walaupun pengkomputeran awan membawa
kelebihan gergasi, isu-isu keselamatan yang masih menjadi masalah besar bagi
pelanggan. Ini bermakna serangan yang boleh ancaman rangkaian komputer juga
boleh menjadi ancaman untuk persekitaran pengkomputeran awan. VM serangan
VM adalah salah satu jenis biasa serangan yang dikelaskan kepada dua kumpulan
yang berbeza seperti VM melompat dan VM mobility.Port pengimbasan datang
dalam langkah pertama serangan komputer. Tujuan imbasan pelabuhan adalah untuk
mencari pelabuhan terbuka yang boleh dieksploitasi oleh penyerang, di samping itu,
memandangkan penyerang mendapat maklumat mengenai pelabuhan status lain
boleh menjadi berguna untuk matlamat lanjut exploitation.The projek ini adalah
untuk mencadangkan satu model baru bagi mencapai kaedah yang lebih baik untuk
menyedari percubaan pengimbasan pelabuhan dan mengetahui maklumat tentang
pengimbas port mencurigakan mesin maya dalam perkomputeran awan.
viii
TABLE OF CONTENTS
CHAPTER TITLE PAGE
DECLARATION ii
DEDICATION iii
AKNOWLEDGEMENT iv
ABSTRACT vi
ABSTRAK vii
TABLE OF CONTENTS viii
LIST OF TABLES xiv
LIST OF FIGURES xv
LIST OF ABBREVIATIONS xvii
LIST OF APPENDIX xix
1 INTRODUCTION ......................................................................................1
1.1 Overview ...................................................................................................1
1.2 Background of the problem .......................................................................6
1.3 Problem Statements ...................................................................................8
1.4 Project Objectives.................................................................................... 10
1.5 Research Questions ................................................................................. 11
1.6 Project Aim ............................................................................................. 11
1.7 Project Scope ........................................................................................... 11
1.8 Summary ................................................................................................. 12
2 LITERATURE REVIEW ........................................................................ 13
2.1 Introduction ............................................................................................. 13
2.2 Cloud ...................................................................................................... 14
2.2.1 Types of Cloud .................................................................................... 14
ix
2.2.1.1 Public Cloud .................................................................................... 15
2.2.1.2 Private Cloud ................................................................................... 16
2.2.1.3 Hybrid Cloud ................................................................................... 16
2.2.1.4 Community Cloud ........................................................................... 17
2.2.2 Types of Cloud Services ...................................................................... 17
2.2.2.1 Infrastructure as a Service ................................................................ 19
2.2.2.2 Platform as a Service ....................................................................... 19
2.2.2.3 Software as a Service ....................................................................... 20
2.2.3 Specific Characteristics / Capabilities of Clouds .................................. 20
2.2.4 Nonfunctional aspects .......................................................................... 21
2.2.4.1 Elasticity .......................................................................................... 21
2.2.4.2 Reliability ........................................................................................ 22
2.2.4.3 Reducing Run Time and Response Time .......................................... 22
2.2.4.4 Quality of Services .......................................................................... 22
2.2.4.5 Agility and adaptability .................................................................... 23
2.2.4.6 Availability ...................................................................................... 23
2.2.5 Economic Consideration ...................................................................... 24
2.2.5.1 Cost Reduction ................................................................................ 24
2.2.5.2 Pay Per Use ..................................................................................... 25
2.2.5.3 Increased Speed of Innovation ......................................................... 26
2.2.5.4 Return of Investment ....................................................................... 26
2.2.5.5 Turning CAPEX into OPEX ............................................................ 26
2.2.5.6 Going Green .................................................................................... 27
2.2.6 Technological challenges ..................................................................... 27
2.2.6.1 Virtualization ................................................................................... 28
2.2.6.2 Multi tenancy ................................................................................... 28
2.2.6.3 Data Management ............................................................................ 29
2.2.6.4 APIs and Programming Enhancements ............................................ 29
2.3 Virtualization .......................................................................................... 30
2.3.1 Types of Virtualization ........................................................................ 31
2.3.1.1 Full Virtualization ............................................................................ 31
2.3.1.2 Paravirtualization ............................................................................. 32
2.3.1.3 Application Virtualization ................................................................ 33
x
2.3.1.4 Hardware Support Virtualization...................................................... 34
2.3.1.5 Resource Virtualization.................................................................... 34
2.3.1.6 Storage Virtualization ...................................................................... 35
2.3.2 Advantages of Virtualization ............................................................... 35
2.3.2.1 Transparency ................................................................................... 36
2.3.2.2 Legacy Support ................................................................................ 36
2.3.2.3 Simplicity ........................................................................................ 36
2.3.2.4 Monitoring ....................................................................................... 37
2.3.2.5 Security ........................................................................................... 37
2.3.3 Evaluation Criteria ............................................................................... 38
2.3.3.1 Performance..................................................................................... 38
2.3.3.2 Trust ................................................................................................ 38
2.3.3.3 Portability ........................................................................................ 39
2.3.3.4 Multiplicity ...................................................................................... 39
2.4 Virtualization Environment Threats ......................................................... 40
2.4.1 Isolation Between Virtual Machines .................................................... 41
2.4.2 Information Theft Through Malicious use of Hypervisor ..................... 41
2.4.3 Untrusted Hypervisors ......................................................................... 43
2.4.4 Untrusted Virtual Machines ................................................................. 43
2.4.5 Untrusted virtual machines misusing hardware Virtualization
functionality .................................................................................................... 43
2.4.6 Insecure Network Transfer on Inter Device Migrations ........................ 44
2.5 Related Work .......................................................................................... 44
2.5.1 Protection Models Against VM to VM Attacks .................................... 45
2.5.1.1 Independent Hypervisor From Operating System ............................. 45
2.5.1.2 Co-Resident Virtual Machine ........................................................... 46
2.5.1.3 Home Alone .................................................................................... 47
2.5.1.4 Alternative Approach For Home Alone ............................................ 48
2.5.1.5 NoHype ........................................................................................... 49
2.5.2 Detecting and Protecting Against Port Scanning .................................. 50
2.5.2.1 Using Time Independent Feature Set (TIFS) .................................... 50
2.5.2.2 Using Packet Counts and Neural Network........................................ 52
2.5.2.3 Detection Mechanism Based on Fuzzy Logic and a Stepwise Policy 52
xi
2.5.2.4 CREDOS ......................................................................................... 53
2.5.2.5 Classification of IP .......................................................................... 53
2.5.2.6 Capturing Packets ............................................................................ 53
2.5.2.7 Using Network Forensic System ...................................................... 54
2.5.2.8 Evolving TCP/IP Packets ................................................................. 55
2.5.2.9 TF-IDF (Term Frequency-Inverse Document Frequency) ................ 55
2.5.2.10 EPSD (Embedded Port Scan Detector) ............................................. 56
2.6 Summary ................................................................................................. 57
3 RESEARCH METHODOLOGY............................................................. 58
3.1 Introduction ............................................................................................. 58
3.2 Operational framework ............................................................................ 58
3.2.1 Phase 1: Investigating Existing Protecting Models of Virtualization
Against VM to VM Attacks in Cloud Computing ............................................ 60
3.2.2 Phase 2: Model a New Protection Layer by Analyzing Existing Models
in Order to Achieve The Appropriate Solution Against VM to VM Attacks ..... 61
3.2.3 Phase 3: Implementing and Testing The Proposal Protection Model and
Analyzing The Different Characteristics .......................................................... 62
3.3 Tools and Equipment ............................................................................... 64
3.4 Summary ................................................................................................. 64
4 DESIGN AND IMPLEMENTATION ..................................................... 65
4.1 Introduction ............................................................................................. 65
4.2 Design Phase ........................................................................................... 67
4.3 Proposed Model....................................................................................... 67
4.3.1 Pre Processes ....................................................................................... 70
4.3.2 Virtual Machine Side Steps:................................................................. 70
4.3.2.1 Step1: Port Scanning ........................................................................ 70
4.3.2.2 Step2: Log File Report ..................................................................... 73
4.3.2.3 Step 3: Introducing Agent ................................................................ 74
4.3.3 Hypervisor side steps: .......................................................................... 75
4.3.3.1 Step 4: Using vCLI .......................................................................... 76
4.3.3.2 Step5: vSphere ESXi Monitoring Part .............................................. 76
4.3.3.3 Step 6: Decision Making .................................................................. 77
4.3.3.4 Step 7: Quarantined Zone................................................................. 78
xii
4.3.3.5 Step 8: vMotion and Live Migration ................................................ 78
4.4 Hardware and Software Specification ...................................................... 79
4.5 Implementation Phase.............................................................................. 80
4.5.1 Running VMware Platform .................................................................. 80
4.5.2 Installing VMware ESXi 5.0 and VMware vSphere Client ................... 81
4.5.3 Installing Attacker and Victim Windows ............................................. 85
4.5.3.1 Creating the Agent (Plugin for VMs) ............................................... 85
4.6 Summary ................................................................................................. 89
5 TEST AND EVALUATION..................................................................... 90
5.1 Introduction ............................................................................................. 90
5.2 Testing .................................................................................................... 90
5.3 Report ..................................................................................................... 91
5.3.1 Requirements ....................................................................................... 92
5.3.2 Main Process ....................................................................................... 93
5.3.3 Extra Tests ........................................................................................... 95
5.4 Analyze of Testing .................................................................................. 97
5.5 Comparison with Other Related Works .................................................. 100
5.5.1 Soniya B and M Wiscy’s method analysis ......................................... 100
5.5.2 Mohair Dabbagh and Ali J. Ghandour’s Method Analysis.................. 101
5.5.3 Atul Kant Kaushik and Emmanuel S. Pill’s Method Analysis ............ 102
5.5.4 Patrick LaRoche and Nur Zincir-Heywood’s Method Analysis .......... 102
5.5.5 Hiroaki Kikuchi and Tomohiro Kobori’s Method Analysis ................ 103
5.6 Proposed Model Evaluation ................................................................... 104
5.7 Summary ............................................................................................... 105
6 CONCLUSION AND FUTURE WORK ............................................... 106
6.1 Introduction ........................................................................................... 106
6.2 Project Summary and Conclusion .......................................................... 107
6.3 Contributions and Related Achievement ................................................ 109
6.4 Limitations ............................................................................................ 110
6.5 Future works ......................................................................................... 111
6.5.1 Using vTPM instead IP address ......................................................... 112
REFERENCES ................................................................................................... 114
APPENDIX A-C ....................................................................................... 119-123
LIST OF TABLES
TABLE NO. TITLE
PAGE
1.1 Security Impacts of Virtualization(Tsai, et al., 2011) 10
2.1 Nonfunctional Aspects (Sultan, 2010) 24
2.2 Economic Aspects (Sultan, 2010) 27
2.3 Technological Aspects (Sultan, 2010) 30
2.4 Types of VM to VM Attacks 40
2.5 Existed Models for Protecting Against VM to VM Attacks 45
2.6 Existed Models for Detecting Port Scanning 50
4.1 Hardware and Software Specification 79
5.1 Results of Remote VM Scanning 96
5.2 Results of Inside VM Scanning 97
LIST OF FIGURES
FIGURE NO. TITLE
PAGE
1.1 Overall View of Cloud Computing (Armbrust et al., 2010) 2
1.2 Benefits of Cloud Computing (Jansen, 2011) 4
1.3 Cloud Computing Services (Jin et al., 2010) 7
1.4 VM Hopping 9
1.5 VM Mobility 9
2.1 Literature Review Flowchart 14
2.2 Cloud Computing (Sultan, 2010) 15
2.3 Details of Cloud Services (L. J. Zhang & Zhou, 2009) 18
2.4 Full Virtualization (Reuben, 2009) 32
2.5 Paravirtualization (Sahoo, et al.,2010) 33
2.6 Resource Virtualization (Owens, 2009) 35
2.7 Virtualization Environment Threats (Schoo, et al., 2011) 41
2.8 Physical network Cards Sharing (Endo, et al., 2010) 42
2.9 Independent Hype, visor From Operating System Architecture
(Sundararajan, et al., 2011,Berger, et al., 2009)
46
2.10 Co-Resident Virtual Machine (Ristenpart, Tromer, Shacham,
& Savage, 2009)
47
2.11 Home Alone (Y. Zhang, Juels, Oprea, & Reiter, 2011) 48
2.12 No Hype (Li, Raghunathan, & Jha, 2010) 49
2.13 TIFS (Baig & Kamran, 2007) 51
2.14 Packet Counts and Neural Networks (Soniya & Wiscy, 2008) 52
xv
2.15 Capturing Packets (Gadge & Patil, 2008) 54
2.16 Network Forensic System (Kaushik, Pilli, & Joshi, 2010) 55
2.17 TF-IDF (Kikuchi, Kobori, & Terada, 2009) 56
2.18 EPSD (Ahmed, Khalib, Ahmad, Sudin, & Asi, 2008) 57
3.1 General View of Operational Framework 59
3.2 Phases of Operational Framework 60
3.3 Expected Aspects of Proposed Model 63
4.1 Overall View of Proposed Model 68
4.2 The Proposed Model 69
4.3 Port Scanning Report 73
4.4 vMotion 79
4.5 VMware workstation 8.0 81
4.6 ESXi 5.1 82
4.7 Authentication Page of vSphere Client 84
4.8 VMware vSphere Client Console 84
4.9 Attacker and Victim vSphere Client Windows 85
4.10 Agent Processes 86
4.11 Main Page of Agent 87
4.12 Log File Checker 87
4.13 Output Report Part 88
4.14 Counter Part 89
4.15 Catching IP Address 89
5.1 Nessus 91
5.2 Type of Testing 92
5.3 Created Project Policy 93
5.4 Nessus Remote Scan 94
5.5 Output Report of Agent Program 95
5.6 Chart of Remote Scan Results 98
5.7 Chart of Inside VM Scanning 98
LIST OF ABBREVIATIONS
SOA Service Oriented Architecture
VM Virtual Machine
NIST National Institute of Standards and Technology
IPS Intrusion Prevention System
SaaS Software as a Service
PaaS Platform as a Service
IaaS Infrastructure as a Service
DaaS Data as a Service
API Application Programming Interface
ROI Return of Investment
CAPEX Capital Expenditure
OPEX Operational Expenditure
VMM Virtual Machine Manager
NAT Network Address Translation
DDoS Distributed Denial of Services
TIFS Time Independent Feature Set
ICMP Internet Control Message Protocol
DHCP Dynamic Host Configuration Protocol
QoS Quality of Services
TFIDF Term Frequency Inverse Document Frequency
EPSD Embedded Port Scan Detector
SBC Single Board Computer
TCP Transmission Control Protocol
xvii
UDP User Datagram Protocol
IANA Internet Assigned Numbers Authority
vTPM Virtual Trusted Platform Module
TC Trusted Computing
TCG Trusted Computing Group
TCB Trusted Computing Base
LIST OF APPENDICES
APPENDIX TITLE PAGE
A Gantt chart 118
B Plagiarism Percentage and Turnitin Report 120
C Source Code of The Programm 122
CHAPTER 1
1. INTRODUCTION
1.1 Overview
Cloud computing has become a controversial subject in the next generation of
computing. Cloud computing is driven from two research areas such as Service
Oriented Architecture (SOA) and Virtualization. It is a computing paradigm in order
to various resources such as computing, software, infrastructure, and storage are
provided as paid services over the Internet as it shows in Figure 1.1. The cloud has a
capability which provides the users elastic and scalable resources in the pay-as-you-
use fashion at relatively low prices as Figure 1.2 shows. Also with its infrastructure,
company able to cut down expenditures. Although cloud provides saving in terms of
finance and manpower, new security risks are coming along with it. The main
security concern is loss of control over sensitive and confidential data. Few amount
of research has been done with specific focus on insider attacks on the cloud
environment (Sundararajan, Narayanan, Pavithran, Vorungati, & Achuthan, 2011).
Cloud computing should include all the different types of applications and
computer programs from little data processing programs to email services. Usually
servers do not run with the same operating systems. In fact they work independent of
operating systems. Central management such as cloud provider should monitor VMs
and provide the services that everything runs well without any problem of
confliction. Therefore cloud middleware software is created for this purpose in order
to follow the rules that called protocols. By using the perfect middleware cloud
2
computing activities will be as normal as a single computer program run (Jose &
Sajeev, 2011).
Figure 1.1: Overall View of Cloud Computing (Armbrust et al., 2010)
The data and applications which exist in the cloud are stored and run on pools
of web servers. Another categorization of cloud computing is separate it into two
parts. First part is the front end and the second one is back end. Front end contains all
the stuff that a tenant or a computer user can see, in contrast the back end include
different types of server pools, data storage pools and infrastructure that creates
clouds computing and services and connect throughout the internet to each other
(Kramer, Goré, & Okamoto, 2010).
Cloud computing use pools of storages and servers to distribute the services
and stored data such as a list of clients, clients’ information. These several copies
enable servers to gain access to backup data in various locations. Thus clients can
access to their data from anywhere which linked to the Internet (Sundararajan, et al.,
2011).
3
Reducing cost and hardware dependency is an aim in network technology and
business. With cloud computing system need for hardware on client side sharply
decreased. Tenants do not need for advanced hardware such as fast computer with a
bigger size of memory because cloud system prepares these requirements (Jose &
Sajeev, 2011).
Cloud is an Internet-based and tries to cover the difficulties for users.
Virtualization plays a pivotal role in cloud computing infrastructure that combined
with self-service abilities computing resources. Due to its ability to decrease the
amount of spending time, energy, installing and maintaining racks of servers many
organizations using Virtualization to satisfy their requirements with fewer resources
and costs (Turner, 2008).
The logic behind the Virtualization is the abstraction of physical resources
into many separate virtual computing environments which called a virtual machine.
The permission of the users in a virtual environment is created copy, save, read,
modify, share, migrate and roll back the running VMs. By allocating these abilities
administrator of the system can easily manage the system (Garfinkel & Rosenblum,
2010; Li, Raghunathan, & Jha, 2011).
Multiple Virtual Machines (VM) hosted on the same physical server in a
cloud environment. Applications delivered as a service over the Internet and
hardware in data centers provides these services. Companies try to provide benefits
like energy efficiency and performance without compromising security to achieve
successful fertilization. Although virtualization provides intrusion isolation,
accessing to share storages that contain sensitive personal or corporate data typically
possible for VMs. In other word, VMs still are vulnerable for the cloud. The vital
role of Virtualization makes it a prime target for attacks (Kirch, 2007).
Virtualization layer is based on a large complex trusted computing. Most of
the listed reports in NIST’s National Vulnerability Database show the difficulty of
transferring bug-free hypervisor code. Therefore, an attacker can achieve these bugs
and exploit Virtualization software. This is just the first step, after exploiting, the
4
attacker gets the ability to thwart or access other VMs and poison confidentiality,
integrity, and availability of data (Reuben, 2009).
One of the most sufficient points of Virtualization is the elasticity.
Virtualization technology provides the scalable computing capacity environment for
tenants which need the lower cost in contrast to physical one as Figure1.2 shows.
Virtualization also provides load balancing via provisioning and migration of virtual
machines among physical parts (Li, et al., 2011).
Figure 1.2: Benefits of Cloud Computing (Jansen, 2011)
Two basic types of Virtualization architecture are introduced in cloud
computing. In the first type, the virtual machine monitor put on the hardware and
captures the communication between the guest VMs and hardware. On top of the
virtual machine monitor there is a VM which manages the other virtual machines.
This virtual machine is responsible for all the communication between VMs. In the
second type the virtual machine monitor executes as an application within the host
operating system. In other word the host operating system place above the hardware
and the virtual machine monitor place on above host operating system. Even though
these two architectures are different, how VM can trust to execution environment is
the same security concern in both of them (Li, et al., 2011).
5
Although the managing of the cloud system is becoming easier through the
Virtualization environment, the security concerns are appearing. If the hacker attacks
the VM that manage the system attacker can easily copy, modify and compromised
all the VMs. In addition when attacker compromise the management of the
environment by getting a high level of permissions, can bypass the mechanisms in
guest VMs (Borders, Weele, Lau, & Prakash, 2009).
The cloud provides an environment which is completely huge and internet
base, therefore the vulnerabilities for cyber-attacks are more than traditional
solutions. If the environment has some limitation in scaling then the services,
applications and also the users who got access control are under complete controlling
and monitoring but cloud computing environment are built on the internet
connection, so all the services which contain in internet is running in the same
condition. In addition the cyber-attacks on the internet are becoming a potential
threat in cloud computing (Lombardi & DI Pietro, 2010).
One of the most harmful attacks is Man-in-the-Middle. It is an active
overheard in order to make an independent connection with the victim. The attacker
makes the victims believe that they have a straight connection with servers in private
zone, however in fact the total connection is controlled by the attacker. Attackers
significantly affect the security of organization by injecting new messages. Owing to
these problems it is vital to use the techniques in order to protect against those
attacks (Whalen, Engle, & Romeo, 2009).
Patching offline VMs are security vulnerability in Virtualization
environment. Some patch management tools are introduced but they cannot patch
offline VM images. Also making updating signature and protecting offline VMs and
VM appliance images become a problem for providers. VMs may be off, on,
suspended or allocated in storage; so, information about the life cycle of VMs and
their changes is essential for providers to access the VMs’ vulnerabilities in order to
apply security patches to VMs (Owens, 2009).
6
Because of the loss of virtual network discovery approaches, model the
configuration of a virtual server has become a considerable problem. In the
optimistic viewpoint the virtual devices, virtual network, all VMs and services
should be discoverable follows by their relationship to other ones. The system should
gather the information about the devices and their configuration, then confirm the
correct configuration and create a baseline. Because of the loss of configuration
baseline it is not possible yet (Owens, 2009).
Most of the attacks on cloud computing are using the detrimental
vulnerability which is the lack of traffic monitor in a virtual environment. The inter
VM traffic movement are not visible to intrusion prevention system (IPS) and other
traditional security devices through the network based environment. To secure the
virtual infrastructures virtualized security capabilities should place between the guest
operating system and virtual network to protect against attacks (Owens, 2009).
1.2 Background of the problem
Virtualization is the most essential technology aspect in cloud computing,
however its security vulnerabilities and potential threats which can compromised by
attackers has not been enough studies (Kirch, 2007). As Figure 1.3 shows cloud
computing services categorized into three types of layers such as Software as a
Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a service (IaaS).
SaaS presents an application-level interface. PaaS offers development environment
for applications. IaaS provides shared infrastructures without accessing for upper
layers. Nowadays attackers focus on IaaS on access to the forbidden environment of
infrastructures (L. J. Zhang & Zhou, 2009).
7
Figure 1.3: Cloud Computing Services (Jin et al., 2010)
Generally IaaS made resources available in the form of VMs instances.
Tenants have full control over these VMs; however they do not have visibility into
the lower level of the infrastructure like hypervisors (virtual machine monitor) or
data center manager systems (Hyde, 2009).
Hypervisors create to present a view which appears both operating system
and application inside a VM running on the same hardware to the guest VM.
Hypervisors gain this by matching the original hardware and referring access to it.
Requirements for this purpose are a complex body of software and significant
interaction between VM and hypervisor. Hence the interaction is the basic security
threat. Malicious VM can operate to attack the hypervisor via exploiting its bugs or
supporting Virtualization software to attack another VM (Fish et al., 2010).
Although the security vulnerabilities do not exist in one type of cloud, the
main security concern is in public cloud. Multi-tenancy creates sharing of resources.
As clouds implement logical isolation through tenants, they multiplex tenants across
the infrastructure. Realistic threat of data theft in public clouds presents via this
practice (Christodorescu, Sailer, Schales, Sgandurra, & Zamboni, 2009). One of the
8
biggest questions from cloud providers is even they offer assurance of physical
isolation for their tenants how tenants can verify that their VMs and resources are
physically isolated?
1.3 Problem Statements
The main security concern is loss of control over sensitive and confidential
data. One malicious virtual machine could poison all existed virtual machines in the
physical server. The intruder who attacks a VM can simply transfer to another hosted
VM in the same physical server. Attackers have to access one VM for contaminating
other VMs and escaping the hypervisor that legitimacy is not accessible from VM
level (Sabahi, 2011).
Attack from one VM to another VM can categorize in two different types
such as VM Hopping and VM Mobility.
VM hopping is the action of jumping from one VM to another one on the
same host. To achieve this hopping the attacker should know the IP address of the
second VM or gaining access over the host as Figure 1.4 shows. Because of
deploying on the same host, if attacker monitors the network traffic going to the
victim could violate the traffic and attack as Table 1.1 illustrates. In addition, an
attacker can change the configuration file, thus change the files of the victim. An
attacker can stop the ongoing communication, so when the connection resumed, the
whole connection should start again (Hyde, 2009; Tsai, Siebenhaar, Miede, Huang,
& Steinmetz, 2011).
9
Figure 1.4: VM Hopping
Another type of VM to VM attack is VM Mobility. VMs are portable, so
clients can move them from one location to another one. Also they can copy VMs
through a network or move them via USB disks. VMs are not inherently present on
the physical machine therefore the potential of the threats is suddenly increased.
Hypervisor has a file which contains the content of the stored VMs. When the VM
moves the virtual disk should be recreated, this is the best situation for an attacker to
modify the configuration file of the VM as Table 1.1 shows. Also as Figure 1.5
illustrates, if the VM is offline the attacker gain the access to virtual disk and get the
sufficient time to break all the security walls. As this VM is a copy of real VM,
tracing the attacker with this threat is difficult (Hyde, 2009; Tsai, et al., 2011).
Figure 1.5: VM Mobility
10
Table 1.1: Security Impacts of Virtualization(Tsai, et al., 2011)
Port scanning is one of the VM to VM attacks which provides useful
information for attackers to compromise the VMs. Normally port scan does not do
direct damage just by port scanning in cloud computing . Potentially a port scan
helps the attacker find which ports are available to launch various attacks. By
compromising the target VM port scanning can break the confidentiality, by
performing further attacks such as DDoS it can break the availability and by
changing the compromised data it can break the integrity (Tsai, et al., 2011).
1.4 Project Objectives
The objective of this study is as below:
i. To investigate existing models of virtualization in cloud computing
ii. To propose a model for cloud computing against port scanning in Client to
Client attack field in cloud comuting
iii. To test the proposed model against port scanning in Client to Client attack
field.
11
1.5 Research Questions
The main questions this research motivates to answer are as follows:
i. What are the potential attacks for Virtualization in a cloud computing
environment?
ii. What are the secure models to defend against port scanning in Client to Client
attack fields?
iii. How to test and validate the proposed secure model against port scanning in
Client to Client attack fields?
1.6 Project Aim
The aim of this project is to investigate the existing models with currently
examined by providers. Then analyze the types of attacks which affect the cloud
environment from a VM to another VM. In addition, identify the vulnerabilities that
can be a window for port scanning attackers to achieve unexpected access and violate
the target VM. After that propose a model for cloud computing environment against
port scanning in Client to Client field and test the proposed model. Although
confidentiality is the main goal of this project, availability and performance is vital to
a cloud environment.
1.7 Project Scope
The scope of the project is focused on the lowest layer of cloud computing
architecture which is an Infrastructure as a Service (IaaS). Tenants do not have
visibility on this level. VM to VM attacks is the family of attacks that discussed in
this project. VM hopping is the main type of VM to VM attacks that will explain
during this project. The specific attacks of VM to VM in VM hopping field is port
scanning. In the port scanning type the focused will be on the vertical scans which
12
explained as a single IP scanner for multiple ports in a cloud environment. The
proposed model will build to detect the port scanning which is performed on VM.
VMware is the platform which will be used for simulation in this project. ESXi and
vSphere client are the products which prepare cloud environment are using through
simulation.
In addition, some areas which are excluded from the scope of this project are:
VM mobility attacks (attack from one VM to another one on the different
hypervisors).
Horizontal port scanning ( group of IP scans for single port)
Pre detection of port scanning
1.8 Summary
Overall view of cloud computing and its business characteristics which make
the cloud environment as an undeniable environment for use by organizations and
enterprises were introduced in this chapter.
Actually this chapter was classified into different aspects such as the
background of the problem which review the creation of problems, problem
statement that states the problem, project objectives, project aim and final project
scope. Security vulnerabilities are the main concern in a cloud environment. Using
Virtualization in this area brings some attacks which related to virtual machines. The
main problem in cloud environment is about attacking from one virtual machine to
another one that called VM to VM attack.
114
REFERENCES
Ahmed, N., Khalib, Z., Ahmad, R., Sudin, S., & Asi, S. (2008). Low-End Embedded
Linux Platform for Network Security Application–Port Scanning Detector.
Paper presented at the Advanced Computer Theory and Engineering, 2008.
ICACTE'08. International Conference on.
Andrzejak, A., Kondo, D., & Yi, S. (2010). Decision model for cloud computing
under sla constraints.
Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., et al.
(2010). A view of cloud computing. Communications of the ACM, 53(4), 50-
58.
Baig, H. U., & Kamran, F. (2007). Detection of Port and Network Scan Using Time
Independent Feature Set. Paper presented at the Intelligence and Security
Informatics, 2007 IEEE.
Baumann, A., Barham, P., Dagand, P. E., Harris, T., Isaacs, R., Peter, S., et al.
(2009). The multikernel: a new OS architecture for scalable multicore
systems.
Berger, S., Cáceres, R., Goldman, K., Pendarakis, D., Perez, R., Rao, J. R., et al.
(2009). Security for the cloud infrastructure: Trusted virtual data center
implementation. IBM Journal of Research and Development, 53(4), 6: 1-6:
12.
Borders, K., Weele, E. V., Lau, B., & Prakash, A. (2009). Protecting confidential
data on personal computers with storage capsules.
Briscoe, G., & Marinos, A. (2009). Digital ecosystems in the clouds: towards
community cloud computing.
Chen, J. Q., Williams, B., & Samake, A. A. (2009). Teaching Intrusion Detection
and Intrusion Prevention on the Virtual Platform: Hands-On Laboratory
Exercises.
Christodorescu, M., Sailer, R., Schales, D. L., Sgandurra, D., & Zamboni, D. (2009).
Cloud security is not (just) virtualization security: a short paper.
115
Dabbagh, M., Ghandour, A. J., Fawaz, K., Hajj, W., & Hajj, H. (2011). Slow port
scanning detection. Paper presented at the Information Assurance and
Security (IAS), 2011 7th International Conference on.
Das, T., Padala, P., Padmanabhan, V. N., Ramjee, R., & Shin, K. G. (2010).
Litegreen: Saving energy in networked desktops using virtualization.
Endo, P. T., Gonçalves, G. E., Kelner, J., & Sadok, D. (2010). A survey on open-
source cloud computing solutions.
Fish, T. E., Blumberg, B., Mathis, A., Theobald, K., Busco, J., Makarick, L., et al.
(2010). FUTURE ISSUES Winter 2009-2010.
Gadge, J., & Patil, A. A. (2008). Port scan detection. Paper presented at the
Networks, 2008. ICON 2008. 16th IEEE International Conference on.
Garfinkel, T., & Rosenblum, M. (2010). When virtual is harder than real: Security
challenges in virtual machine based computing environments.
Harold, D., Abraham, R., Hollingworth, P., Sims, R., Gerrish, A., Hamshere, M. L.,
et al. (2009). Genome-wide association study identifies variants at CLU and
PICALM associated with Alzheimer's disease. Nature genetics, 41(10), 1088-
1093.
Hyde, D. (2009). A Survey on the Security of Virtual Machines. Dept. of Comp.
Science, Washington Univ. in St. Louis, Tech. Rep.
Jansen, W. A. (2011). Cloud Hooks: Security and Privacy Issues in Cloud
Computing.
Jin, H., Ibrahim, S., Bell, T., Gao, W., Huang, D., & Wu, S. (2010). Cloud types and
services. Handbook of Cloud Computing, 335-355.
Jose, G. J. A., & Sajeev, C. (2011). Implementation of Data Security in Cloud
Computing.
Kaushik, A. K., Pilli, E. S., & Joshi, R. (2010). Network forensic system for port
scanning attack. Paper presented at the Advance Computing Conference
(IACC), 2010 IEEE 2nd International.
Khajeh-Hosseini, A., Sommerville, I., & Sriram, I. (2010). Research challenges for
enterprise cloud computing. Arxiv preprint arXiv:1001.3257.
Kifayat, K., Merabti, M., & Shi, Q. (2010). Future security challenges in cloud
computing. International Journal of Multimedia Intelligence and Security,
1(4), 428-442.
116
Kikuchi, H., Kobori, T., & Terada, M. (2009). Orthogonal Expansion of Port-
scanning Packets. Paper presented at the Network-Based Information
Systems, 2009. NBIS'09. International Conference on.
Kim, J., & Lee, J. H. (2008). A slow port scan attack detection mechanism based on
fuzzy logic and a stepwise p1olicy. Paper presented at the Intelligent
Environments, 2008 IET 4th International Conference on.
Kirch, J. (2007). Virtual machine security guidelines. The Center for Internet
Security.
Kiyanclar, N. (2008). A survey of virtualization techniques focusing on secure on-
demand cluster computing. Arxiv preprint cs/0511010.
Kotsovinos, E. (2009). Method and system for automatic and remote server
provisioning using virtual machine appliances: EP Patent 2,043,320.
Kramer, S., Goré, R., & Okamoto, E. (2010). Formal definitions and complexity
results for trust relations and trust domains fit for TTPs, the Web of Trust,
PKIs, and ID-Based Cryptography. ACM SIGACT News, 41(1), 75-98.
LaRoche, P., Zincir-Heywood, N., & Heywood, M. I. (2009). Evolving tcp/ip
packets: a case study of port scans. Paper presented at the Computational
Intelligence for Security and Defense Applications, 2009. CISDA 2009. IEEE
Symposium on.
Li, C., Raghunathan, A., & Jha, N. (2011). A Trusted Virtual Machine in an
Untrusted Management Environment. Services Computing, IEEE
Transactions on(99), 1-1.
Li, C., Raghunathan, A., & Jha, N. K. (2010). Secure virtual machine execution
under an untrusted management OS.
Lombardi, F., & Di Pietro, R. (2010). Secure virtualization for cloud computing.
Journal of Network and Computer Applications.
Louridas, P. (2010). Up in the Air: Moving Your Applications to the Cloud.
Software, IEEE, 27(4), 6-11.
Luo, Y. (2010). Network I/O Virtualization for Cloud Computing. IT Professional,
12(5), 36-41.
Motika, G., & Weiss, S. (2012). Virtio network paravirtualization driver:
Implementation and performance of a de-facto standard. Computer Standards
& Interfaces, 34(1), 36-47.
117
Owens, K. (2009). Securing Virtual Compute Infrastructure in the Cloud. white
paper, Savvis Communications Corporation.
Reuben, J. S. (2009). A survey on virtual machine security. Helsinki University of
Technology.
Ristenpart, T., Tromer, E., Shacham, H., & Savage, S. (2009). Hey, you, get off of my
cloud: exploring information leakage in third-party compute clouds.
Sabahi, F. (2011). Cloud computing security threats and responses.
Sahoo, J., Mohapatra, S., & Lath, R. (2010). Virtualization: A survey on concepts,
taxonomy and associated security issues.
Santos, J. R., Turner, Y., Janakiraman, G., & Pratt, I. (2008). Bridging the gap
between software and hardware techniques for i/o virtualization.
Scarfone, K. (2011). Guide to Security for Full Virtualization Technologies: DIANE
Publishing.
Schoo, P., Fusenig, V., Souza, V., Melo, M., Murray, P., Debar, H., et al. (2011).
Challenges for Cloud Networking Security. Mobile Networks and
Management, 298-313.
Smith, M. A., Pieper, J., Gruhl, D., & Real, L. V. (2008). IZO: applications of large-
window compression to virtual machine management.
Soniya, B., & Wiscy, M. (2008). Detection of TCP SYN Scanning Using Packet
Counts and Neural Network. Paper presented at the Signal Image Technology
and Internet Based Systems, 2008. SITIS'08. IEEE International Conference
on.
SUBASISH, M., & PRASANNA, P. S. (2010). A SECURITY FRAMEWORK FOR
VIRTUALIZATION BASED COMPUTING ENVIRONMENT.
Sultan, N. (2010). Cloud computing for education: A new dawn? International
Journal of Information Management, 30(2), 109-116.
Sundararajan, S., Narayanan, H., Pavithran, V., Vorungati, K., & Achuthan, K.
(2011). Preventing Insider Attacks in the Cloud. Advances in Computing and
Communications, 488-500.
Tsai, H., Siebenhaar, M., Miede, A., Huang, Y., & Steinmetz, R. (2011). Threat as a
Service? The Impact of Virtualization on Cloud Security. IT
Professional(99), 1-1.
118
Turner, A. (2008). Andy Turner's Blog 2008-04 Web Page@ School of Geography,
University of Leeds. Thought, 2008, 04-24.
Wang, G., & Ng, T. S. E. (2010). The impact of virtualization on network
performance of amazon ec2 data center.
Whalen, S., Engle, S., & Romeo, D. (2009). An Introduction to Arp Spoofing., 2001.
Zeng, W., Zhao, Y., Ou, K., & Song, W. (2009). Research on cloud storage
architecture and key technologies.
Zhang, L. J., & Zhou, Q. (2009). CCOA: Cloud computing open architecture.
Zhang, Y., Juels, A., Oprea, A., & Reiter, M. K. (2011). Homealone: Co-residency
detection in the cloud via side-channel analysis.
top related