SECURING THE VIRTUAL MACHINES
S C Rachana¹, Dr. H S Guruprasad²
¹ PG Scholar, Dept. of ISE, BMSCE, Bangalore,
² Professor and Head, Dept. of ISE, BMSCE, Bangalore, drhsguru@gmail.com
Abstract
Cloud computing provides computing resources in
an effective manner, but security in the cloud is
one of its major drawbacks. Among the many
security issues in the cloud, virtual machine
security is one of the most serious. Thus,
monitoring of virtual machines is essential. This
survey covers various existing virtual machine
security problems and many different
architectural solutions to overcome them.
Keywords: Virtual Machine [VM], Introspection,
Virtual Network Introspection [VMI], Intrusion
Detection System [IDS], Virtual Machine
Monitor [VMM], Hypervisor, Infrastructure-as-a-
Service [IaaS], Botnet.
Introduction
A virtual machine mimics a physical machine in
software. Many operating systems and software
packages can be installed in a virtual machine.
Virtual machines are accompanied by a
virtualization layer called the hypervisor, which
runs on a client or server operating system.
Virtual machine attacks include VM-to-VM attacks,
denial-of-service attacks, isolation breakage,
remote management vulnerabilities, etc. Thus,
virtual machine monitors are used to monitor the
virtual machines. Popular existing virtual
machine monitors include Xen, VMware ESX Server,
etc.
Chris Benninger et al. [4] introduce Virtual
Machine Introspection [VMI] and explain the
related work with an example. A lightweight,
virtualization-based VMI tool called Maitland is
proposed. The architecture of Maitland is
explained in detail along with its functions.
Maitland is evaluated experimentally under
various scenarios to assess its performance.
Roland et al. [11] give a brief description of
virtual machine security. An approach is proposed
for checking software and scanning virtual
machines for known security attacks. The proposed
approach involves two components, the Update
Checker and the Online Penetration Scheme [OPS].
The design of both components is given. The two
components are implemented and evaluated
experimentally. Anas et al. [16] describe two
ways to implement Virtual Machine Introspection
(VMI) tools and techniques. A proposed system is
implemented using one of the two ways and its
system design is given. The system involves a Log
File, ZFS File System, Backup Spooler, Virtual
Machine recovery, etc. The system is tested for
its behavior. Ying Wang et al. [20] explain the
importance of a Virtual Machine [VM] Detector
along with some related work. A VM Detector
design is proposed to detect hidden processes by
multi-view comparison, and its goals are
mentioned. The VM Detector obtains views at the
kernel level and the Virtual Machine Monitor
[VMM] level and also detects hidden suspicious
S C Rachana et al, Int.J.Computer Technology & Applications,Vol 5 (3),1012-1019
IJCTA | May-June 2014 Available online@www.ijcta.com
1012
ISSN:2229-6093
processes. The proposed approach is implemented
and evaluated experimentally for function and
performance.
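The multi-view comparison summarized above for the VM Detector [20], as an added Python illustration that is not code from the surveyed paper or from this survey: it diffs a kernel-level process view against a VMM-level view and flags processes that stay missing from the former. The `Proc` record, the choice of the VMM-level view as the trusted one, the consecutive-sample threshold and the sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    start: int  # start time; tells a reused PID apart from the old process


def hidden_in_sample(kernel_view, vmm_view):
    """Processes present in the VMM-level view but absent from the kernel-level view."""
    return set(vmm_view) - set(kernel_view)


def detect_hidden(samples, min_consecutive=2):
    """Flag processes missing from the kernel-level view in consecutive samples.

    samples: list of (kernel_view, vmm_view) pairs taken at successive times.
    The two views are not captured at the same instant, so a process that
    starts or exits between the captures shows up as a one-off mismatch.
    Requiring a streak of mismatches filters those out.
    """
    streak = {}
    flagged = set()
    for kernel_view, vmm_view in samples:
        missing = hidden_in_sample(kernel_view, vmm_view)
        # The streak restarts for any process that is not missing in this sample.
        streak = {p: streak.get(p, 0) + 1 for p in missing}
        flagged |= {p for p, n in streak.items() if n >= min_consecutive}
    return sorted(flagged, key=lambda p: (p.pid, p.start))


# Constructed sample data: three snapshots of one guest (assumed values).
SSHD = Proc(310, "sshd", 12)
CRON = Proc(402, "cron", 15)
NEW = Proc(977, "logrotate", 240)   # started between the two captures
ODD = Proc(1337, "kworkerd", 90)    # never listed in the kernel-level view

SAMPLES = [
    ([SSHD, CRON], [SSHD, CRON, ODD]),
    ([SSHD, CRON], [SSHD, CRON, ODD, NEW]),       # NEW: timing mismatch only
    ([SSHD, CRON, NEW], [SSHD, CRON, ODD, NEW]),
]

if __name__ == "__main__":
    for proc in detect_hidden(SAMPLES):
        print(f"hidden from kernel-level view: pid={proc.pid} name={proc.name}")
```

With the default threshold only the persistently missing process is reported; lowering `min_consecutive` to 1 also reports the process that was merely caught between captures.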
Asit et al. [21] propose an approach that combines
Virtual Machine Introspection [VMI], File System
Clustering, and Malware Activity Recording. It
involves malicious object correlation, dependency
graph generation, malicious object labeling, and
malware detection. Experimental results show that
the approach perfectly detects the foreign
objects. Bingyu et al. [23] explain the
Authentication Boot and Remote Attestation of the
Trusted Computing Group [TCG]. The drawbacks of
TCG and the goals for overcoming them are
mentioned. As a solution, a Trusted Cloud
Infrastructure is proposed, which is a dual
verifiable trusted bootstrap. The proposed method
is implemented as an Out-Of-Box security
application which is responsible for Virtual
Machine Introspection [VMI]. Hanqian et al. [24]
focus on network security for virtual machines.
The security problems in a virtualization
environment, including break of isolation, revert
of snapshot, denial of service, remote management
vulnerabilities, virtual machine based rootkits,
etc., are mentioned. A virtual network model
using bridge and route is proposed for secure
inter-virtual-machine communication. The model
has three layers: Routing layer, Firewall, and
Shared network. The model uses the Xen hypervisor
and can effectively protect the virtual machines
from attacks such as sniffing and spoofing.
Shun-Wen et al. [25] describe the botnet attack
on virtual machines and its infection procedure.
Related work is included which explains botnet
detection and virtual machine introspection. A
system design is proposed which consists of
passive and active detection agents to protect
virtual machines against botnets. The system is
implemented and evaluated experimentally for
performance. Kenichi et al. [29] propose a new
self-protection mechanism called xFilter for IaaS
clouds. xFilter is a packet filter which is
implemented in Xen. The system architecture of
xFilter is explained and its performance is
tested experimentally.
Lin Chen et al. [5] describe an intrusion
detection architecture based on VMM along with
the related work. A layered detection model is
proposed for VMI security, in which different
layers are responsible for VM security. The model
segregates malware that would attack the
detection system in the guest operating system.
The model is implemented to check its
performance. Tomohisa Egawa et al. [7] explain
the VMM and its security issues and also describe
dependable remote management of user VMs. To
overcome the security issue of VMs, FBCrypt is
proposed along with its architecture, which
offers dependable and secure remote management. A
key management feature is also incorporated into
FBCrypt. FBCrypt is implemented in a Xen
environment and evaluated experimentally. Ucman
Oktay et al. [8] give an overview of internal and
external attacks on the cloud. The paper provides
information about Cloud Computing,
Virtualization, Trusted Computing, and Intrusion
Detection Systems along with the related works.
An Adjoint VM Chain Protection Model is proposed
to overcome the drawbacks of the Adjoint Hybrid
Intrusion Detection System. The Adjoint VM Chain
Protection Model increases the resistance and
offers flexible security policy. Jie He et al.
[18] propose an architecture for 3D-IDS
[Intrusion Detection System], which consists of a
server and multiple agents. Each agent consists
of a log collection
module, host behavior collection module, network
behavior collection module and communication
module. Thus, the 3D-IDS system can collect
information about virtual machines such as the
system log, host behavior, network behavior and
security status of each virtual machine.
Bryan et al. [12] discuss the requirements for
monitoring virtual machines along with some
related works. The Xen hypervisor is explained
with its input/output architecture. The Xen
architecture must satisfy the requirements for
monitoring virtual machines by using the Xen
Access Monitoring Library. The Xen Access
architecture is explained in detail and is
implemented. Martin et al. [17] propose a
mechanism to alert on an inside attacker’s
malicious behavior. A transparency mechanism is
provided to the user which gives the inside
attacker a false sense of security and does not
allow the inside attacker to learn of the
organization’s monitoring facilities. Based on a
few use cases, an alert is given which prevents
modification of the reporting mechanism. Manabu
et al. [19] describe the problems of policy
enforcement for distributed computing, such as
security problems, policy management problems,
etc. A secure Virtual Machine Monitor [VMM]
architecture is proposed, and secure VMM software
called BitVisor is developed which offers some
security functions. BitVisor has a feature called
the Identification Management framework
incorporated into it. The prototype called Role
Based Access Control [RBAC] is given along with
the security policy. Sylvie et al. [28] describe
the elements of IaaS infrastructure and threat
monitoring in IaaS. The most common threats in
IaaS include VM-to-VM attacks, hypervisor
subversion, network threats, etc. Network and
host based IDS are explained and the limitations
of traditional IDS are given. A hypervisor based
monitoring system is proposed which protects user
virtual machines from outside attacks.
Tal Garfinkel et al. [1] introduce an Intrusion
Detection System [IDS] for virtual machines and
explain the Virtual Machine Monitor [VMM] and
Virtual Machine Introspection [VMI]. The paper
proposes an architecture for Virtual Machine
Monitor implementation. The Virtual Machine
Introspection (VMI) system possesses three
properties: isolation, inspection, and
interposition. The prototype is evaluated
experimentally for security and performance
overhead, and it has the ability to detect real
time attacks with high performance. Anthony
Roberts et al. [2] propose a framework called
Pathogen for analysis and monitoring of real time
systems, which uses Virtual Machine Introspection
(VMI) to monitor a system without the use of
local agents. Pathogen is used to monitor
multiple virtual machines within an organization;
it creates a lightweight Virtual Machine
Introspection and fills in the semantic gap.
Pathogen is implemented and its results are
analyzed. SiFan et al. [10] explain the concept
of risk assessment in the cloud along with a few
related works. An architecture called VMRaS
[Virtual Machine Risk Assessment Scheme] is
proposed for risk assessment. The risk assessment
process and risk assessment criteria such as risk
calculation, risk rating criteria and factors
affecting the rating are also described. The
architecture of VMRaS is implemented and
evaluated experimentally.
Fabrizio et al. [13] propose an intrusion
detection technique called PsycoVirt with its
architecture. PsycoVirt combines host and
network Intrusion Detection System [IDS] tools
to provide high security assurance. The PsycoVirt
architecture consists of a Virtual Machine
Monitor [VMM], an Introspection Virtual Machine
[IVM], and a cluster of monitored virtual
machines interconnected by a data and control
network. PsycoVirt is implemented using Python
and C, and Xen is used as the Virtual Machine
Monitor. Bryan et al. [14] focus on active
monitoring of virtual machines in a virtualized
security environment. A virtualization based
architecture called Lares is proposed to protect
certain types of security software. The proposed
system is implemented using Xen and tested for
security and performance. Chun-Jen et al. [15]
propose an intrusion detection framework called
Network Intrusion Detection and Countermeasure
sElection (NICE) in a Virtual Network System. The
framework includes an Attack Graph Model, a
Threat Model and a Virtual Machine Protection
model. The detailed system design of NICE is
given along with its system components. The NICE
security measurement metrics, how NICE mitigates
attacks, and its countermeasures for attacks are
described. Li Ruan et al. [22] introduce the
Cloud Distributed Virtual Machine Monitor [Cloud
DVMM] by comparing it with some existing VMMs.
The theoretical model of DVMM, its attributes and
operations are specified briefly. The system
architecture of DVMM is given with a brief
explanation, and DVMM is implemented and
evaluated. Amani S. et al. [30] describe the key
security problems in the IaaS environment. To
overcome the security challenges in IaaS, a high
level CloudSec architecture is proposed which has
a Virtual Machine Introspection Layer with two
components, a Front-end and a Back-end component.
CloudSec is implemented using VMSafe APIs on a
VMware hypervisor.
Paul A. Karger et al. [3] discuss the issues
with respect to input/output virtualization,
which involve system security and input/output
performance. In the first approach, called Pure
Isolation, each VM guest has its own devices, and
in the second approach, the hypervisor is shared
on the server and the client. Input/output
performance is increased by partitioning the
input/output based on special privileges. The
virtual ring concept can also be used for a
special input/output partition with input/output
drivers. Miika Komu et al. [6] describe the
concepts of cloud computing, data center network
and identity location split. The paper analyzes a
few security issues and risks in cloud computing
such as protection of data flows, outsourcing
private data, isolation of subscriber resources,
multitenancy issues, etc. A solution based on the
Host Identity Protocol [HIP] is proposed to
overcome multitenancy security issues, hybrid
IaaS cloud issues, etc. An experiment is carried
out with HIP and results are provided.
Aleksandar Donevski et al. [9] describe the
software architecture of the “Folsom” release of
the OpenStack cloud with the software components
and software aspects for deployment and
networking. A security assessment is made based
on two different network deployments of the
OpenStack cloud. Test cases and test data are
explained for the security assessment with the
one network and the two segregated network
deployments. Results of the security assessments
are also provided. Kara Nance et al. [26] explain
Virtual Machine
Introspection [VMI] with related research work.
VMI tool development, VMI operations, and VMI
detection are described briefly. The authors
suggest the use of VMI for digital forensics to
overcome some of the existing limitations. Paul
A. Karger [27] introduces the Virtual Machine
Monitor [VMM] and its security along with some
related work. The paper describes VMM security
problems and suggests using a small and simple
VMM to assure high security.
Conclusion
This paper surveys existing security problems
in the virtualized environment such as protection
of data flows, outsourcing private data,
isolation of subscriber resources, multitenancy
issues, etc. Various possible solutions to
overcome these security challenges, like
CloudDVMM, CloudSec, NICE, Lares, PsycoVirt,
etc., are discussed.
References
[1] Tal Garfinkel, Mendel Rosenblum, “A
Virtual Machine Introspection Based
Architecture for Intrusion
Detection”, Network and Distributed
Systems Security Symposium, 2003, pp
191-206, DOI: 10.1.1.11.8367.
[2] Anthony Roberts, Richard McClatchey,
Saad Liaquat, Nigel Edwards, Mike Wray,
“Introducing Pathogen: A Real Time
Virtual Machine Introspection Framework”,
Conference on Computer & Communications
Security, New York, NY, USA, November
2013, ISBN: 978-1-4503-2477-9,
DOI: 10.1145/2508859.2512518.
[3] Paul A. Karger, David R. Safford, “I/O for
Virtual Machine Monitors Security and
Performance Issues”, IEEE Security &
Privacy, Sept.-Oct. 2008, pp. 16-23, ISSN:
1540-7993, DOI: 10.1109/MSP.2008.119.
[4] Chris Benninger, Stephen W. Neville,
Yagız Onat Yazır, Chris Matthews, Yvonne
Coady, “Maitland: Lighter-Weight VM
Introspection to Support Cyber-Security in
the Cloud”, IEEE Fifth International
Conference on Cloud Computing,
Honolulu, HI, USA, June 24-29, 2012, pp
471-478, ISBN: 978-1-4673-2892-0,
DOI: 10.1109/CLOUD.2012.145.
[5] Lin Chen, Bo Liu, Huaping Hu, Qianbing
Zheng, “A layered malware detection model
using VMM”, IEEE 11th International
Conference on Trust, Security and Privacy
in Computing and Communications, 25-27
June 2012, Liverpool, pp 1259-1264, Print
ISBN: 978-1-4673-2172-3,
DOI: 10.1109/TrustCom.2012.35.
[6] Miika Komu, Mohit Sethi,
Ramasivakarthik Mallavarapu,
Heikki Oirola, Rasib Khan, Sasu Tarkoma,
“Secure Networking for Virtual Machines
in the Cloud”, IEEE International
Conference on Cluster Computing
Workshops, 24-28 Sept. 2012, Beijing, pp
88-96, Print ISBN: 978-1-4673-2893-7,
DOI: 10.1109/ClusterW.2012.29.
[7] Tomohisa Egawa, Naoki Nishimura, Kenichi
Kourai, “Dependable and Secure Remote
Management in IaaS Clouds”, 4th IEEE
International Conference on Cloud
Computing Technology and Science
Proceedings, Taipei, 03-06 December 2012,
pp 411-418, Print ISBN: 978-1-4673-4511-8,
DOI: 10.1109/CloudCom.2012.6427597.
[8] Ucman Oktay, Muhammed Ali Aydin,
Ozgur Koray Sahingoz, “Circular Chain VM
Protection in AdjointVM”, International
Conference on Technological Advances in
Electrical, Electronics and Computer
Engineering (TAEECE), Konya, 9th May
2013, pp 93-97, Print ISBN: 978-1-4673-5613-8,
DOI: 10.1109/TAEECE.2013.6557202.
[9] Aleksandar Donevski, Sasko Ristov,
Marjan Gusev, “Security Assessment of
Virtual Machines in Open Source Clouds”,
20-24 May 2013, 2013 36th International
Convention on Information &
Communication Technology Electronics &
Microelectronics, Opatija, Croatia, pp
1094-1099, Print ISBN: 978-953-233-076-2.
[10] SiFan Liu, Jie Wu, ZhiHui Lu, Hui Xiong,
“VMRaS: A Novel Virtual Machine Risk
Assessment Scheme in the Cloud
Environment”, IEEE 10th International
Conference on Services Computing, Santa
Clara, CA, June 28-July 3, 2013, pp 384-391,
Print ISBN: 978-0-7695-5026-8,
DOI: 10.1109/SCC.2013.12.
[11] Roland Schwarzkopf, Matthias Schmidt,
Christian Strack, Simon Martin, Bernd
Freisleben, “Increasing virtual machine
security in cloud environments”, Journal of
Cloud Computing: Advances, Systems and
Applications, July 2012, pp 1-12, Online
ISSN: 2192-113X,
DOI: 10.1186/2192-113X-1-12.
[12] Bryan D. Payne, Martim D. P. de A.
Carbone, Wenke Lee, “Secure and Flexible
Monitoring of Virtual Machines”, 23rd
Annual Computer Security Applications
Conference, 10-14 Dec. 2007, Miami
Beach, FL, pp 385-397, Print
ISBN: 978-0-7695-3060-4,
DOI: 10.1109/ACSAC.2007.10.
[13] Fabrizio Baiardi, Daniele Sgandurra,
“Building Trustworthy Intrusion Detection
through VM Introspection”, Third
International Symposium on Information
Assurance and Security, Manchester, 29-31
Aug. 2007, pp 209-214, Print
ISBN: 0-7695-2876-7, DOI: 10.1109/IAS.2007.36.
[14] Bryan D. Payne, Martim Carbone, Monirul
Sharif, Wenke Lee, “Lares: An Architecture
for Secure Active Monitoring Using
Virtualization”, IEEE Symposium on
Security and Privacy, 2008, Washington,
DC, USA, pp 233-247,
ISBN: 978-0-7695-3168-7, DOI: 10.1109/SP.2008.24.
[15] Chun-Jen Chung, Pankaj Khatkar, Tianyi
Xing, Jeongkeun Lee, Dijiang Huang,
“NICE: Network Intrusion Detection and
Countermeasure Selection in Virtual
Network Systems”, IEEE Transactions on
Dependable and Secure Computing,
July-Aug. 2013, pp. 198-211,
ISSN: 1545-5971/13, DOI: 10.1109/TDSC.2013.8.
[16] Anas Ayad, Uwe Dippel, “Agent Based
Monitoring Of Virtual Machines”,
International Symposium on Information
Technology, Kuala Lumpur, 15-17 June
2010, pp 1-6, Print ISBN: 978-1-4244-6715-0,
DOI: 10.1109/ITSIM.2010.5561375.
[17] Martin Crawford, Gilbert Peterson, “Insider
Threat Detection using Virtual Machine
Introspection”, 46th Hawaii International
Conference on System Sciences, Wailea, HI,
USA, 7-10 Jan. 2013, pp 1821-1830, Print
ISBN: 978-1-4673-5933-7,
DOI: 10.1109/HICSS.2013.278.
[18] Jie He, Chuan Tang, Yuexiang Yang, Yong
Qiao, Chaobin Liu, “3D-IDS: IaaS
user-oriented Intrusion Detection System”,
Fourth International Symposium on
Information Science and Engineering,
Shanghai, 14-16 Dec. 2012, pp 12-15, Print
ISBN: 978-1-4673-5680-0,
DOI: 10.1109/ISISE.2012.12.
[19] Manabu Hirano, Takahiro Shinagawa,
Hideki Eiraku, Shoichi Hasegawa,
Kazumasa Omote, “Introducing Role-based
Access Control to a Secure Virtual Machine
Monitor: Security Policy Enforcement
Mechanism for Distributed Computers”,
IEEE Asia-Pacific Services Computing
Conference, Yilan, 9-12 Dec. 2008, pp
1225-1230, Print ISBN: 978-0-7695-3473-2/08,
DOI: 10.1109/APSCC.2008.14.
[20] Ying Wang, Chunming Hu, Bo Li,
“VMDetector: A VMM-based Platform to
Detect Hidden Process by Multi-view
Comparison”, IEEE 13th International
Symposium on High-Assurance Systems
Engineering, Boca Raton, FL, 10-12 Nov.
2011, pp 307-312, Print ISBN: 978-1-4673-0107-7,
DOI: 10.1109/HASE.2011.41.
[21] Asit More, Shashikala Tapaswi, “Dynamic
malware detection and recording using
virtual machine introspection”, Best
Practices Meet, Chennai, 12 July 2013, pp
1-6, Print ISBN: 978-1-4799-0637-6,
DOI: 10.1109/BPM.2013.6615011.
[22] Li Ruan, Jinbin Peng, Limin Xiao, Xiang
Wang, “CloudDVMM: Distributed Virtual
Machine Monitor for Cloud Computing”,
IEEE International Conference on
GreenCom and CPSCom, Beijing, 20-23
Aug. 2013, pp 1853-1858,
DOI: 10.1109/GreenCom-iThings-CPSCom.2013.344.
[23] Bingyu Zou, Huanguo Zhang, “Integrity
Protection and Attestation of Security Critical
Executions on Virtualized Platform in Cloud
Computing Environment”, IEEE
International Conference on GreenCom and
CPSCom, Beijing, 20-23 Aug. 2013, pp
2071-2075,
DOI: 10.1109/GreenCom-iThings-CPSCom.2013.388.
[24] Hanqian Wu, Yi Ding, Chuck Winer, Li Yao,
“Network Security for Virtual Machine in
Cloud Computing”, 5th International
Conference on Computer Sciences and
Convergence Information Technology, Seoul,
Nov. 30 2010-Dec. 2 2010, pp 18-21, Print
ISBN: 978-1-4244-8567-3,
DOI: 10.1109/ICCIT.2010.5711022.
[25] Shun-Wen Hsiao, Yi-Ning Chen, Yeali S.
Sun, Meng Chang Chen, “A Cooperative
Botnet Profiling and Detection in Virtualized
Environment”, IEEE Conference on
Communication and Network Security,
National Harbor, MD, 14-16 Oct. 2013, pp
154-162, DOI: 10.1109/CNS.2013.6682703.
[26] Kara Nance, Brian Hay, Matt Bishop,
“Investigating the Implications of Virtual
Machine Introspection for Digital Forensics”,
International Conference on Availability,
Reliability and Security, Fukuoka, 16-19
March 2009, pp 1024-1029, Print
ISBN: 978-1-4244-3572-2,
DOI: 10.1109/ARES.2009.173.
[27] Paul A. Karger, “Is Your Virtual Machine
Monitor Secure?”, Third Asia-Pacific
Trusted Infrastructure Technologies
Conference, Hubei, 14-17 Oct. 2008, pp 5,
Print ISBN: 978-0-7695-3363-6,
DOI: 10.1109/APTC.2008.18.
[28] Sylvie Laniepce, Marc Lacoste, Mohammed
Kassi-Lahlou, Fabien Bignon, Kahina Lazri,
Aurelien Wailly, “Engineering Intrusion
Prevention Services for IaaS Clouds: The
Way of the Hypervisor”, IEEE International
Symposium On Service Oriented System
Engineering, Redwood City, 25-28 March
2013, pp 25-36, Print ISBN: 978-1-4673-5659-6,
DOI: 10.1109/SOSE.2013.27.
[29] Kenichi Kourai, Takeshi Azumi, Shigeru
Chiba, “A Self-protection Mechanism against
Stepping-stone Attacks for IaaS Clouds”, 9th
International Conference on Ubiquitous
Intelligence and Computing/Autonomic and
Trusted Computing, Fukuoka, 4-7 Sept.
2012, pp 539-546, Print ISBN: 978-1-4673-3084-8,
DOI: 10.1109/UIC-ATC.2012.139.
[30] Amani S. Ibrahim, James Hamlyn-Harris,
John Grundy, Mohamed Almorsy,
“CloudSec: A Security Monitoring Appliance
for Virtual Machines in the IaaS Cloud
Model”, 5th International Conference on
Network and System Security, Milan, 6-8
Sept. 2011, pp 113-120, Print
ISBN: 978-1-4577-0458-1,
DOI: 10.1109/ICNSS.2011.6059967.