Security aspects of virtualization in Cloud computing

Muhammad Kazim, Rahat Masood, Muhammad Awais Shibli, and Abdul Ghafoor Abbasi

Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad

KTH Applied Information Security Lab

Upload: luisa

Post on 14-Jan-2016


Outline

Introduction

Virtualization in Cloud

Security Analysis

– Hypervisor

– Virtual Machines

– Disk Images

Conclusion

1. Introduction

Cloud computing is becoming popular among IT businesses because its services are offered at the Software, Platform and Infrastructure levels.

The Infrastructure as a Service (IaaS) model offers services such as computing, network, storage and databases over the Internet.

IaaS is the base of all Cloud services with SaaS and PaaS built upon it.

2. Virtualization in Cloud Computing

Virtualization enables a single system to concurrently run multiple isolated virtual machines (VMs), operating systems or multiple instances of a single operating system (OS).

Virtualization is benefiting companies by reducing their operating costs and increasing the flexibility of their own infrastructures.

3. Full Virtualization

Figure 1: Full virtualization architecture

4. Security Analysis

Attacks on various virtualization components.

Solutions for security of virtualization components.

5. Hypervisor

Hyperjacking: Blue Pill and SubVirt.

Virtual Machine Escape attack.

Figure 2: VM Escape attacks

HyperSafe [Wang:2010] is a system designed to maintain the integrity of the hypervisor.

Apply hardening techniques to the hypervisor.

Properly configure the interaction between guest machines and the host.

6. Virtual machines

Malicious programs can monitor traffic and tamper with the functionality of guest VMs.

Worms, viruses and botnets can be used to exploit the VMs. Examples include Conficker and command-and-control botnets.

An attacker can compromise the integrity and confidentiality of the saved state of a guest virtual machine.

Security features such as a firewall, HIPS and log monitoring must be provided in the guest OS.

Advanced Cloud Protection System [Flavio:2011] can monitor and protect the integrity of the guest OS by periodic monitoring of executable system files. In this way, any suspicious activity can be blocked.

Encrypt and hash the VM's state before saving the VM.

7. Disk images

VM checkpoint attacks.

Old images are vulnerable to zero-day attacks.

VM image sprawl issue.

Attackers can access and recover data from old disks and through unauthorized access to image backups.

J. Wei et al. [Wei:2009] proposed an image management system to manage images in the Cloud.

Checkpoint attacks can be prevented by encrypting the checkpoints using SPARC [Gofman:2011].

Apply updates and patches to keep images secure.

After VM migration, the Cloud admin must ensure that data is removed from old disks.
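The integrity half of the advice on saved VM state and checkpoints can be shown as a keyed tag that is verified before a restore. This is an added example, not code from the slides and not the SPARC mechanism; the blob layout, the function names, the sample key and the sequence-number rule against restoring a stale checkpoint are assumptions, and encryption of the state (which needs an AEAD library) is not shown.

```python
import hashlib
import hmac
import struct

# Constructed sample key; a real key would be held away from the image store.
KEY = bytes(range(32))

def seal(key, vm_id, seq, state):
    """Prefix state with a header and an HMAC-SHA256 tag bound to vm_id and seq."""
    vm = vm_id.encode()
    header = struct.pack(">HQ", len(vm), seq) + vm
    tag = hmac.new(key, header + state, hashlib.sha256).digest()
    return header + tag + state

def unseal(key, blob, expect_vm, min_seq):
    """Verify a sealed checkpoint; return (seq, state) or raise ValueError."""
    if len(blob) < 10:
        raise ValueError("truncated checkpoint")
    vm_len, seq = struct.unpack(">HQ", blob[:10])
    body_start = 10 + vm_len + 32
    if len(blob) < body_start:
        raise ValueError("truncated checkpoint")
    header, tag, state = blob[:10 + vm_len], blob[10 + vm_len:body_start], blob[body_start:]
    expected = hmac.new(key, header + state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("integrity check failed")
    if header[10:].decode() != expect_vm:           # a valid blob from another VM
        raise ValueError("checkpoint belongs to another VM")
    if seq < min_seq:                               # valid but older than allowed
        raise ValueError("stale checkpoint (rollback)")
    return seq, state

def check(blob, vm, min_seq, key=KEY):
    """Return 'ok' or the reason the checkpoint must not be restored."""
    try:
        unseal(key, blob, vm, min_seq)
        return "ok"
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    blob = seal(KEY, "vm-42", 7, b"constructed guest state")
    print(check(blob, "vm-42", 7), "|", check(blob, "vm-42", 8))
```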

9. Conclusion

Enterprises shifting to the Cloud must deal with security issues related to virtualized environments.

Assessment criteria need to be proposed by which we can analyze the effectiveness of security solutions of virtualization against the specific attacks.

10. References

Shubhashis Sengupta, Vikrant Kaulgud, Vibhu Saujanya Sharma, “Cloud Computing Security - Trends and Research Directions”, IEEE World Congress on Services, Washington, DC, USA, 2011.

Jakub Szefer, Ruby B. Lee, “A Case for Hardware Protection of Guest VMs from Compromised Hypervisors in Cloud Computing”, 31st International Conference on Distributed Computing Systems Workshops, Washington, DC, USA, 2011.

Jinzhu Kong, “Protecting the confidentiality of virtual machines against untrusted host”, International Symposium on Intelligence Information Processing and Trusted Computing, Washington, DC, USA, 2010.

Wu Zhou, Peng Ning, Xiaolan Zhang, “Always up-to-date: scalable offline patching of VM images in a compute cloud”, Proceedings of the 26th Annual Computer Security Applications Conference, New York, USA, 2010, pp. 377-386.

Wang, Z., Jiang, X.: HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In: Security and Privacy (SP), 2010 IEEE Symposium on, IEEE (2010).

Mikhail I. Gofman, Ruiqi Luo, Ping Yang, Kartik Gopalan, “SPARC: A security and privacy aware Virtual Machine checkpointing mechanism”, Proceedings of the 10th annual ACM workshop on Privacy in the electronic society, New York, USA, 2011, pp. 115-124.

Dan Pelleg, Muli Ben-Yehuda, Rick Harper, “Vigilant—Out-of-band Detection of Failures in Virtual Machines”, ACM SIGOPS Operating Systems Review, New York, NY, USA, Volume 42 Issue 1, 2008, pp. 26-31.

Lombardi, F., Di Pietro, R.: Secure virtualization for cloud computing. Journal of Network and Computer Applications 34(4) (2011) 1113-1122.

Koichi Onoue, Yoshihiro Oyama, Akinori Yonezawa, “Control of System Calls from Outside of Virtual Machines”, Proceedings of the 2008 ACM symposium on Applied Computing, New York, NY, USA, 2008, pp. 2116-2221.
