SECURING THE VIRTUAL MACHINES

S C Rachana1, Dr. H S Guruprasad

2

1 PG Scholar, Dept. of ISE, BMSCE, Bangalore,

2 Professor and Head, Dept. of ISE, BMSCE, Bangalore, drhsguru@gmail.com

Abstract

Cloud Computing provides the computer

resources in an effective manner. Security in

cloud is one of the major drawbacks. Among

many security issues in cloud, the Virtual

Machine Security is one of the very serious

issues.Thus, monitoring of virtual machine is

essential. The survey includes various existing

Virtual Machine security problems and also many

different architectural solutions to overcome

them.

Keywords: Virtual Machine [VM], Introspection,

Virtual Network Introspection [VMI], Intrusion

Detection System [IDS], Virtual Machine

Monitor [VMM], Hypervisor, Infrastructure-as-a-

Service [IaaS], Botnet.

Introduction

A virtual machine mimics the physical

machine as software. Many operating systems and

softwares can be installed in virtual machine.

Virtual machines are accompanied with the

virtualization layer called hypervisor which runs

on client or server operating system. Virtual

machine attacks include VM-to-VM attacks,

Denial-Of-Service attacks, Isolation breakage,

Remote management vulnerabilities etc. Thus,

virtual machine monitors are used to monitor the

virtual machines. The existing popular virtual

machine monitors are Xen, VMware ESX Server

etc.

Chris Benningeret. al. [4]introduces Virtual

Machine Introspection [VMI] and explains the

related work with an example. A light weight

VMI called Maitland is proposed which is a

virtualization based tool. The architecture of

Maitland is given with its detailed explanation

along with its functions. The VMI Maitland is

experimented under various scenarios to evaluate

its performance.Rolandet. al. [11] gives a brief

description on the Virtual Machine security. An

approach is proposed for checking software and

scanning of Virtual Machines for known security

attacks. The proposed approach involves two

components such as Update Checker and Online

Penetration Scheme [OPS]. The design of both

the components is given. These two components

are implemented and experimented for

evaluation.Anaset. al. [16] describes two ways to

implement Virtual Machine Introspection (VMI)

tools and techniques. A proposed system is

implemented using one of the two ways and its

system design is given. The system involves Log

File, ZFS File System, Backup Spooler, Virtual

Machine recovery etc. The system is tested for its

behavior.Ying Wanget. al. [20] gives the

importance of Virtual Machine [VM] Detector

along with some related work. A VM Detector

design is proposed to detect hidden process by

multi-view comparision and its goals are

mentioned. A VM Detector is used to obtain

views of kernel level, Virtual Machine Monitor

[VMM] level and also detects hidden suspicious

S C Rachana et al, Int.J.Computer Technology & Applications,Vol 5 (3),1012-1019

IJCTA | May-June 2014 Available online@www.ijcta.com

1012

ISSN:2229-6093

process. The proposed approach is implemented

and experimented for testing the function and

performance.

Asitet. al. [21] proposes an approach which is a

combination of Virtual Machine Introspection

[VMI], File System Clustering, Malware Activity

Recording. It involves malicious object

correlation, Dependency graph generation, and

malicious object labeling and malware detection.

Experimental results show that the approach

perfectly detects the foreign objects.Bingyuet. al.

[23] explains the Authentication Boot, Remote

attestation of Trusted Computing Group [TCG].

The drawbacks of TCG and goals to overcome the

drawback are mentioned. As a solution, a Trusted

Cloud Infrastructure is proposed which is a dual

verifiable trusted bootstrap. The proposed method

is implemented as Out-Of-Box security

application which is responsible for Virtual

Machine Introspection [VMI].Hanqianet. al [24]

focus on network security for Virtual Machines.

The security problems in virtualization

environment includes Break of isolation, Revert

of snapshot, Denial of service, Remote

management vulnerabilities, Virtual Machine

based rootkit etc., are mentioned. A virtual

network model is proposed using bridge and route

for secure inter virtual machine communication.

The model has three layers such as Routing layer,

Firewall, Shared network. The model uses Xen

hypervisor and can prevent effectively the virtual

machines from attacks such as Sniffing and

Spoofing.Shun-Wenet. al. [25] describesBotnet

attack to virtual machine and its infection

procedure. Related work is included which

explains Botnet Detection and virtual machine

introspection. A system design is proposed which

consists of passive and active detection agent to

protect virtual machine against Botnet. The

system is implemented and experimented for

evaluating its performance.Kenichiet. al. [29]

proposes a new self-protection mechanism called

xFilter for IaaS clouds. xFilter is a packet filter

which is implemented in Xen. The system

architecture of xFilter is explained and

experimented to test the performance.

Lin Chenet. al. [5] describes an intrusion

detection architecture based on VMM along with

the related work. A layered detection model is

proposed for VMI security which has different

layers responsible for VM security. The model

segregates the malware which would attack

detection system in guest Operating System. The

model is implemented to check its performance.

TomohisaEgawaet. al. [7] explains the VMM and

its security issues and also describedependable

remote management of user VM. In order to

overcome the security issue of VM, FBCrypt is

proposed along with its architecture which offers

dependable and secure remote management. Key

management feature is also incorporated into

FBCrypt. FBCrypt is implemented in Xen

environment and experimented.UcmanOktayet.

al. [8] gives an overview of internal and external

attacks for cloud.The paper provides information

about Cloud Computing, Virtualization, Trusted

Computing, and Intrusion Detection System along

with the related works. An Adjoint VM Chain

Protection Model is proposed to overcome the

drawbacks of Adjoint Hybrid Intrusion Detection

System. Adjoint VM Chain Protection Model

increases the resistance and offers flexible

security policy.JieHeet. al. [18] proposes an

architecture of 3D-IDS [Intrusion Detection

System] which consists of a server and multiple

agents. Each agent in it consists of log collection

S C Rachana et al, Int.J.Computer Technology & Applications,Vol 5 (3),1012-1019

IJCTA | May-June 2014 Available online@www.ijcta.com

1013

ISSN:2229-6093

module, host behavior collection module, network

behavior collection module and communication

module. Thus, 3D-IDS system can collect

information about Virtual Machine such as

System log, host behavior, network behavior and

security status of each virtual machine.

Bryanet. al. [12] discusses the requirements for

monitoring of Virtual Machines along with some

related works. The Xen hypervisor is explained

with its input/output architecture. The Xen

architecture must satisfy the requirements for

monitoring Virtual Machines by using Xen

Access Monitoring Library. The Xen Access

architecture is provided along with the detailed

explanation and is implemented.Martinet. al. [17]

proposes a mechanism to alert inside attacker’s

malicious behavior. Transparency mechanism is

provided to the user which gives inside attacker a

non-true sense of security which does not allow

an inside attacker to know the monitoring

facilities of an organization. Based on the few use

cases, an alert is given which prevents modifying

the reporting mechanism.Manabuet. al. [19]

describes the problems of policy enforcement for

distributed computing such as security problems,

policy management problems etc. A secure

Virtual Machine Monitor [VMM] architecture is

proposed and secure VMM software called

BitVisor is developed which offers some security

functions. BitVisor has a feature called

Identification Management framework

incorporated into it. The prototype called Role

Based Access Control [RBAC] is given along

with the security policy.Sylvieet. al. [28]

describes the elements of IaaS infrastructure and

threat monitoring in IaaS. The most common

threats in IaaS include VM-to-VM attacks,

Hypervisor subversion, Network Threats etc. The

Network and host based IDS is explained and the

limitations of traditional IDS are given. A

hypervisor based monitoring system is proposed

which protects user virtual machines from outside

attacks.

Tal Garfinkelet. al. [1] introduces Intrusion

Detection System [IDS] for virtual machines and

explains Virtual Machine Monitor [VMM] and

Virtual Machine Introspection [VMI]. The paper

proposes an architecture for Virtual Machine

Monitor implementation. The Virtual Machine

Introspection (VMI) system possesses three

properties such as Isolation, Inspection, and

Interposition. The prototype is experimented for

security and performance overhead and it has the

ability to detect real time attacks with high

performance.Anthony Roberts et. al. [2] proposes

a framework called Pathogen for analysis and

monitoring of real time systems which use Virtual

Machine Introspection (VMI) for monitoring a

system without the use oflocal agents. Pathogen is

used to monitor multiple Virtual Machines within

an organization and it creates a light weight

Virtual Machine Introspection and fills in the

semantic gap. Pathogen is implemented and

analyzed for the results.SiFanet. al. [10] explains

the concept of risk assessment in cloudalong with

few related works. An architecture of VMRaS

[Virtual Machine Risk Assessment Scheme] is

proposed for Risk assessment. Risk assessment

process, risk assessment criteria such as risk

calculation, risk rating criteria and factors

affecting the rating are also described. The

architecture of VMRaS is implemented and

experimented for analysis.

Fabrizioet. al. [13] proposes an Intrusion

Detection Technique called PsycoVirtwith its

S C Rachana et al, Int.J.Computer Technology & Applications,Vol 5 (3),1012-1019

IJCTA | May-June 2014 Available online@www.ijcta.com

1014

ISSN:2229-6093

architecture. PsycoVirt combines host and

network Intrusion Detection System [IDS] tools

to provide high security assurance. PsycoVirt

architecture consists of a Virtual Machine

Monitor [VMM], an Introspection Virtual

Machine [IVM], and cluster of monitored Virtual

Machines interconnected together by a data and

control network. PsycoVirt is implemented using

Python, C and Xen is used as Virtual Machine

Monitor.Bryanet. al. [14] focus on active

monitoring of virtual machines in virtualized

security environment. An architecture called

Lares is proposed for virtualization based

architecture to protect certain types of security

software’s. The proposed system is implemented

using Xen and tested for security and

performance.Chun-Jenet. al. [15] proposes an

Intrusion Detection framework called Network

Intrusion Detection and Countermeasure

sElection (NICE) in Virtual Network System. The

framework includes Attack Graph Model, Threat

Model and Virtual Machine Protection model.

The detailed system design of NICE is given

along with its system components. Information

about the NICE security measurement metrics,

how NICE mitigates attacks and its

countermeasure for attacks are

described.LiRuanet. al. [22] introduceCloud

Distributed Virtual Machine Monitor [Cloud

DVMM] by comparing with some existing

VMM’s. The theoretical model of DVMM, its

attributes and operations are specified briefly. The

system architecture of DVMM is given with brief

explanation and DVMM is implemented,

evaluated for analysis.Amani Set. al. [30]

describes the key security problems in IaaS

environment. To overcome the security

challenges in IaaS, a high level CloudSec

architecture is proposed which has Virtual

Machine Introspection Layer with the two

components such as Front-end and Back-end

component. CloudSec is implemented using

VMSafe API’s on a VMware hypervisor.

Paul A. Kargeret. al. [3] discusses the issues

with respect to input/output virtualization which

involve system security andinput output

performance.In the first approach called Pure

Isolation, each VM guest has its own devices and

in the second approach, the hypervisor is shared

on the server and the client. Input output

performance is increased by partitioning the

input/output based on special privileges. Virtual

ring concept can also be used for special

input/output partition with input/output

drivers.MiikaKomuet. al. [6] describes the

concepts of cloud computing, data center network

and identity location split. This paper analyzes

few security issues and risks in cloud computing

such as protection of data flows, outsourcing

private data, isolation of subscriber resources,

multitenancy issues etc. A solution based on Host

Identity Protocol [HIP] is proposed to overcome

multitenancy security issues, hybrid IaaS cloud

issues etc. Experiment is carried out with the HIP

and results are provided.

AleksandarDonevskiet. al. [9] describes the

Software architecture of “Folsom” release of

OpenStack cloud with the software components,

software aspects for deployment and networking.

Security assessment is made based on the two

different network deployments of OpenStack

cloud. Test cases and test data are explained for

the security assessment with one network and two

segregated network deployment. Results of

security assessments are also provided.Kara

Nanceet. al. [26] explains the Virtual Machine

S C Rachana et al, Int.J.Computer Technology & Applications,Vol 5 (3),1012-1019

IJCTA | May-June 2014 Available online@www.ijcta.com

1015

ISSN:2229-6093

Introspection [VMI] with related research work.

The VMI tool development, VMI operations,

VMI detection are described briefly. The author

suggests the use of VMI for digital forensics to

overcome some of the existing limitations.PaulA.

Karger [27] introduces Virtual Machine Monitor

[VMM] and its security along with some related

work. The paper describes VMM security

problems and suggests using a small and simple

VMM to assure high security.

Conclusion

This paper surveys the existing security

problems such asprotection of data flows,

outsourcing private data, isolation of subscriber

resources, multitenancy issues in the virtualized

environment etc. The various possible solutions to

overcome these security challenges like

CloudDVMM, CloudSec, NICE, Lares, PsycoVirt

etc. are discussed.

References

[1] Tal Garfinkel, Mendel Rosenblum, “A

Virtual Machine Introspection Based

Architecture for Intrusion

Detection”,Network and Distributed

Systems Security Symposium, 2003, pp

191-206, DOI: 10.1.1.11.8367.

[2] Anthony Roberts, Richard McClatchey,

SaadLiaquat, Nigel Edwards, Mike Wray,

“Introducing Pathogen: A Real Time

Virtual Machine Introspection Framework”,

conference on Computer & communications

security,New York, NY, USA, November

2013, ISBN: 978-1-4503-2477-9,

DOI:10.1145/2508859.2512518.

[3] Paul A. Karger, David R. Safford, “I/O for

Virtual Machine Monitors Security and

Performance Issues”,IEEE Security &

Privacy, Sept.-Oct. 2008, pp. 16-23, ISSN:

1540-7993, DOI:10.1109/MSP.2008.119.

[4] Chris Benninger, Stephen W. Neville,

Yagız Onat Yazır, Chris Matthews, Yvonne

Coady, “Maitland: Lighter-Weight VM

Introspection to Support Cyber-Security in

the Cloud”,IEEE Fifth International

Conference on Cloud Computing,

Honolulu, HI, USA, June 24-29, 2012, pp

471-478, ISBN 978-1-4673-2892-0, DOI:

10.1109/CLOUD.2012.145.

[5] Lin Chen, Bo Liu, Huaping Hu, Qianbing

Zheng, “A layered malware detection model

using VMM”,IEEE 11th International

Conference on Trust, Security and Privacy

in Computing and Communications, 25-27

June 2012, Liverpool, pp 1259 – 1264, Print

ISBN : 978-1-4673-2172-3,

DOI:10.1109/TrustCom.2012.35.

[6] MiikaKomu, MohitSethi,

RamasivakarthikMallavarapu,

HeikkiOirola, Rasib Khan, SasuTarkoma,

“Secure Networking for Virtual Machines

in the Cloud”,IEEE International

Conference on Cluster Computing

Workshops, 24-28 Sept. 2012, Beijing, pp

88-96, Print ISBN: 978-1-4673-2893-7,

DOI 10.1109/ClusterW.2012.29.

[7] TomohisaEgawa, Naoki Nishimura, Kenichi

Kourai, “Dependable and Secure Remote

Management in IaaS Clouds”, 4th IEEE

International Conference on Cloud

Computing Technology and Science

Proceedings, Taipei, 03-06 December 2012,

pp 411-418, Print ISBN:978-1-4673-4511-

8, DOI: 10.1109/CloudCom.2012.6427597.

[8] UcmanOktay, Muhammed Ali Aydin,

OzgurKoraySahingoz, “Circular Chain VM

S C Rachana et al, Int.J.Computer Technology & Applications,Vol 5 (3),1012-1019

IJCTA | May-June 2014 Available online@www.ijcta.com

1016

ISSN:2229-6093

Protection in AdjointVM”, International

Conference on Technological Advances in

Electrical, Electronics and Computer

Engineering (TAEECE), Konya, 9th May

2013, pp 93-97, PrintISBN: 978-1-4673-

5613-8, DOI:

10.1109/TAEECE.2013.6557202.

[9] AleksandarDonevski, SaskoRistov,

MarjanGusev, “Security Assessment of

Virtual Machines in Open Source Clouds”,

20-24 May 2013, 2013 36th International

Convention on Information &

Communication Technology Electronics &

Microelectronics, Opatija, Croatia, pp 1094-

1099, Print ISBN:978-953-233-076-2.

[10] SiFan Liu Jie Wu, ZhiHui Lu HuiXiong,

“VMRaS: A Novel Virtual Machine Risk

Assessment Scheme in the

CloudEnvironment”,IEEE 10th

International Conference on Services

Computing, Santa Clara, CA, June 28-July

3, 2013, pp 384-391, Print ISBN: 978-0-

7695-5026-8, DOI:10.1109/SCC.2013.12.

[11] Roland Schwarzkopf, Matthias Schmidt,

Christian Strack, Simon Martin, Bernd

Freisleben, “Increasing virtual machine

security in cloud environments”, Journal of

Cloud Computing: Advances, Systems and

Applications, July 2012, pp 1-12, Online

ISSN: 2192-113X, DOI: 10.1186/2192-

113X-1-12.

[12] Bryan D. Payne, Martim D. P. de A.

Carbone, Wenke Lee, “Secure and Flexible

Monitoring of Virtual Machines”, 23rd

Annual Computer Security Applications

Conference, 10-14 Dec. 2007, Miami

Beach, FL, pp 385-397, Print ISBN:978-0-

7695-3060-4, DOI

10.1109/ACSAC.2007.10.

[13] FabrizioBaiardi, Daniele Sgandurra,

“Building Trustworthy Intrusion Detection

through VM Introspection”,Third

International Symposium onInformation

Assurance and Security, Manchester, 29-31

Aug. 2007, pp 209-214, Print ISBN: 0-

7695-2876-7, DOI: 10.1109/IAS.2007.36.

[14] Bryan D. Payne, Martim Carbone, Monirul

Sharif, Wenke Lee, “Lares: An Architecture

for Secure Active Monitoring Using

Virtualization”, IEEE Symposium on

Security and Privacy, 2008, Washington,

DC, USA, pp 233-247, ISBN: 978-0-7695-

3168-7, DOI:10.1109/SP.2008.24.

[15] Chun-Jen Chung, PankajKhatkar, Tianyi

Xing, Jeongkeun Lee, Dijiang Huang,

“NICE: Network Intrusion Detection and

Countermeasure Selection in Virtual

Network Systems”, IEEE Transactions on

Dependable and Secure Computing, July-

Aug. 2013, pp. 198-211, ISSN: 1545-

5971/13, DOI: 10.1109/TDSC.2013.8.

[16] AnasAyad, UweDippel, “Agent Based

Monitoring Of Virtual Machines”,

International Symposium on Information

Technology, Kuala Lumpur, 15-17 June

2010, pp 1-6, Print ISBN: 978-1-4244-

6715-0,

DOI:10.1109/ITSIM.2010.5561375.

[17] Martin Crawford, Gilbert Peterson, “Insider

Threat Detection using Virtual Machine

Introspection”, 46th

Hawaii International

Conference on System Sciences,Wailea, HI,

USA 7-10 Jan. 2013,pp 1821-1830, Print

ISBN: 978-1-4673-5933-7, DOI:

10.1109/HICSS.2013.278.

[18] Jie He, Chuan Tang, Yuexiang Yang, Yong

Qiao, Chaobin Liu, “3D-IDS: IaaS user-

oriented Intrusion Detection System”,

S C Rachana et al, Int.J.Computer Technology & Applications,Vol 5 (3),1012-1019

IJCTA | May-June 2014 Available online@www.ijcta.com

1017

ISSN:2229-6093

Fourth International Symposium on

Information Science and Engineering,

Shanghai, 14-16 Dec. 2012, pp 12-15,Print

ISBN:978-1-4673-5680-0, DOI:

10.1109/ISISE.2012.12.

[19] Manabu Hirano, Takahiro Shinagawa,

Hideki Eiraku, Shoichi Hasegawa,

KazumasaOmote, “Introducing Role-based

Access Control to a Secure Virtual Machine

Monitor: Security Policy Enforcement

Mechanism for Distributed Computers”,

IEEE Asia-Pacific Services Computing

Conference,Yilan, 9-12 Dec. 2008, pp

1225-1230, Print ISBN: 978-0-7695-3473-

2/08, DOI: 10.1109/APSCC.2008.14.

[20] Ying Wang, Chunming Hu, Bo Li,

“VMDetector: A VMM-based Platform to

Detect Hidden Process by Multi-

viewComparison”,IEEE 13th

International

Symposium on High-Assurance Systems

Engineering, Boca Raton, FL, 10-12 Nov.

2011, pp 307-312, Print ISBN:978-1-4673-

0107-7, DOI: 10.1109/HASE.2011.41.

[21] Asit More, ShashikalaTapaswi, “Dynamic

malware detection and recording using

virtual machine introspection”, Best

Practices Meet, Chennai, 12 July 2013, pp

1-6, Print ISBN: 978-1-4799-0637-6,

DOI:10.1109/BPM.2013.6615011.

[22] Li Ruan, JinbinPeng, Limin Xiao, Xiang

Wang, “CloudDVMM: Distributed Virtual

Machine Monitor for Cloud Computing”,

IEEE International Conference on

GreenCom and CPSCom, Beijing, 20-23

Aug. 2013, pp 1853-1858, DOI:

10.1109/GreenCom-iThings-

CPSCom.2013.344.

[23] BingyuZou, Huanguo Zhang, “Integrity

Protection and Attestation of Security Critical

Executions on Virtualized Platform in Cloud

Computing Environment”, IEEE

International Conference on GreenCom and

CPSCom, Beijing, 20-23 Aug. 2013, pp

2071-2075, DOI:10.1109/GreenCom-

iThings-CPSCom.2013.388.

[24] Hanqian Wu, Yi Ding, Chuck Winer, Li Yao,

“Network Security for Virtual Machine in

Cloud Computing”,5th

International

Conference on Computer Sciences and

Convergence Information Technology, Seoul,

Nov. 30 2010-Dec. 2 2010, pp 18-21,Print

ISBN:978-1-4244-8567-

3,DOI:10.1109/ICCIT.2010.5711022.

[25] Shun-Wen Hsiaoy, Yi-Ning Chen, Yeali S.

Sun, Meng Chang Chen, “A Cooperative

Botnet Profiling and Detection in Virtualized

Environment”, IEEE Conference on

Communication and Network Security,

National Harbor, MD, 14-16 Oct. 2013, pp

154-162, DOI: 10.1109/CNS.2013.6682703.

[26] Kara Nance and Brian Hay, Matt Bishop,

“Investigating the Implications of Virtual

Machine Introspectionfor Digital Forensics”,

International Conference on Availability,

Reliability and Security,Fukuoka, 16-19

March 2009, pp 1024-1029, Print ISBN: 978-

1-4244-3572-2,

DOI:10.1109/ARES.2009.173.

[27] Paul A. Karger, “Is Your Virtual Machine

Monitor Secure?” , Third Asia-Pacific

Trusted Infrastructure Technologies

Conference, Hubei, 14-17 Oct. 2008, pp 5,

Print ISBN:978-0-7695-3363-6,

DOI:10.1109/APTC.2008.18.

[28] Sylvie Laniepce, Marc Lacoste, Mohammed

Kassi-Lahlou, Fabien Bignon, KahinaLazri,

AurelienWailly, “Engineering Intrusion

Prevention Services for IaaS Clouds: The

S C Rachana et al, Int.J.Computer Technology & Applications,Vol 5 (3),1012-1019

IJCTA | May-June 2014 Available online@www.ijcta.com

1018

ISSN:2229-6093

Way of the Hypervisor”,IEEE International

Symposium On Service Oriented System

Engineering, Redwood City, 25-28 March

2013, pp 25-36, Print ISBN:978-1-4673-

5659-6, DOI:10.1109/SOSE.2013.27.

[29] Kenichi Kourai, Takeshi Azumi, Shigeru

Chiba, “A Self-protection Mechanism against

Stepping-stone Attacks for IaaS Clouds”, 9th

International Conference on Ubiquitous

Intelligence and Computing/Autonomic and

Trusted Computing, Fukuoka, 4-7 Sept.

2012, pp 539-546, Print ISBN: 978-1-4673-

3084-8, DOI: 10.1109/UIC-ATC.2012.139.

[30] Amani S. Ibrahim, James Hamlyn-Harris,

John Grundy, Mohamed Almorsy,

“CloudSec: A Security Monitoring Appliance

for Virtual Machines in the IaaS Cloud

Model”, 5th

International Conference on

Network and System Security, Milan, 6-8

Sept. 2011, pp 113-120,Print ISBN:978-1-

4577-0458-1,

DOI:10.1109/ICNSS.2011.6059967.

S C Rachana et al, Int.J.Computer Technology & Applications,Vol 5 (3),1012-1019

IJCTA | May-June 2014 Available online@www.ijcta.com

1019

ISSN:2229-6093