securing the virtual machines - Semantic Scholar

ISSN:2229-6093

S C Rachana et al, Int.J.Computer Technology & Applications,Vol 5 (3),1012-1019

SECURING THE VIRTUAL MACHINES

S C Rachana 1, Dr. H S Guruprasad 2
1 PG Scholar, Dept. of ISE, BMSCE, Bangalore
2 Professor and Head, Dept. of ISE, BMSCE, Bangalore
[email protected]

Abstract

Cloud computing provides computer resources in an effective manner. Security is one of the major drawbacks of the cloud. Among the many security issues in the cloud, virtual machine security is one of the most serious. Thus, monitoring of virtual machines is essential. The survey covers various existing virtual machine security problems and many different architectural solutions to overcome them.

Keywords: Virtual Machine [VM], Introspection, Virtual Machine Introspection [VMI], Intrusion Detection System [IDS], Virtual Machine Monitor [VMM], Hypervisor, Infrastructure-as-a-Service [IaaS], Botnet.

Introduction

A virtual machine mimics a physical machine in software. Many operating systems and software packages can be installed in a virtual machine. Virtual machines are accompanied by a virtualization layer called the hypervisor, which runs on a client or server operating system. Virtual machine attacks include VM-to-VM attacks, denial-of-service attacks, isolation breakage, remote management vulnerabilities, etc. Thus, virtual machine monitors are used to monitor the virtual machines. Popular existing virtual machine monitors include Xen and VMware ESX Server.

IJCTA | May-June 2014 Available [email protected]

Chris Benninger et al. [4] introduce Virtual Machine Introspection [VMI] and explain the related work with an example. A lightweight, virtualization-based VMI tool called Maitland is proposed. The architecture of Maitland is given with a detailed explanation of its functions. Maitland is tested under various scenarios to evaluate its performance.

Roland et al. [11] give a brief description of virtual machine security. An approach is proposed for checking software and scanning virtual machines for known security attacks. The approach involves two components, the Update Checker and the Online Penetration Scheme [OPS]. The design of both components is given. The two components are implemented and evaluated experimentally.

Anas et al. [16] describe two ways to implement Virtual Machine Introspection (VMI) tools and techniques. A proposed system is implemented using one of the two ways and its system design is given. The system involves a log file, the ZFS file system, a backup spooler, virtual machine recovery, etc. The system is tested for its behavior.

Ying Wang et al. [20] explain the importance of a Virtual Machine [VM] Detector along with some related work. A VM Detector design is proposed to detect hidden processes by multi-view comparison, and its goals are stated. The VM Detector obtains views at the kernel level and the Virtual Machine Monitor [VMM] level and detects hidden suspicious processes. The proposed approach is implemented and tested for function and performance.

Asit et al. [21] propose an approach that combines Virtual Machine Introspection [VMI], file system clustering and malware activity recording. It involves malicious object correlation, dependency graph generation, malicious object labeling and malware detection. Experimental results show that the approach perfectly detects the foreign objects.

Bingyu et al. [23] explain the authenticated boot and remote attestation of the Trusted Computing Group [TCG]. The drawbacks of TCG and the goals for overcoming them are stated. As a solution, a Trusted Cloud Infrastructure is proposed, which is a dual verifiable trusted bootstrap. The proposed method is implemented as an out-of-box security application which is responsible for Virtual Machine Introspection [VMI].

Hanqian et al. [24] focus on network security for virtual machines. The security problems in a virtualization environment are listed, including break of isolation, revert of snapshot, denial of service, remote management vulnerabilities and virtual machine based rootkits. A virtual network model using bridge and route is proposed for secure inter virtual machine communication. The model has three layers: routing layer, firewall and shared network. The model uses the Xen hypervisor and can effectively protect the virtual machines from attacks such as sniffing and spoofing.

Shun-Wen et al. [25] describe the botnet attack on virtual machines and its infection procedure. Related work is included which explains botnet detection and virtual machine introspection. A system design is proposed which consists of passive and active detection agents to protect virtual machines against botnets. The system is implemented and its performance is evaluated experimentally.

Kenichi et al. [29] propose a new self-protection mechanism called xFilter for IaaS clouds. xFilter is a packet filter implemented in Xen. The system architecture of xFilter is explained and its performance is tested experimentally.

Lin Chen et al. [5] describe an intrusion detection architecture based on the VMM along with the related work. A layered detection model is proposed for VMI security in which different layers are responsible for VM security. The model segregates malware that would attack the detection system in the guest operating system. The model is implemented to check its performance.

Tomohisa Egawa et al. [7] explain the VMM and its security issues and also describe dependable remote management of user VMs. To overcome the security issues of VMs, FBCrypt is proposed along with its architecture, which offers dependable and secure remote management. A key management feature is also incorporated into FBCrypt. FBCrypt is implemented in a Xen environment and tested experimentally.

Ucman Oktay et al. [8] give an overview of internal and external attacks on the cloud. The paper provides information about cloud computing, virtualization, trusted computing and Intrusion Detection Systems along with the related work. An Adjoint VM Chain Protection Model is proposed to overcome the drawbacks of the Adjoint Hybrid Intrusion Detection System. The Adjoint VM Chain Protection Model increases resistance and offers a flexible security policy.

Jie He et al. [18] propose an architecture for 3D-IDS [Intrusion Detection System], which consists of a server and multiple agents. Each agent consists of a log collection module, a host behavior collection module, a network behavior collection module and a communication module. Thus, the 3D-IDS system can collect information about a virtual machine such as the system log, host behavior, network behavior and security status of each virtual machine.

Bryan et al. [12] discuss the requirements for monitoring virtual machines along with some related work. The Xen hypervisor is explained with its input/output architecture. The Xen architecture must satisfy the requirements for monitoring virtual machines by using the Xen Access Monitoring Library. The Xen Access architecture is provided along with a detailed explanation and is implemented.

Martin et al. [17] propose a mechanism to alert on an inside attacker's malicious behavior. A transparency mechanism is provided to the user that gives the inside attacker a false sense of security and does not allow the inside attacker to know the monitoring facilities of the organization. Based on a few use cases, an alert is given which prevents modification of the reporting mechanism.

Manabu et al. [19] describe the problems of policy enforcement for distributed computing, such as security problems and policy management problems. A secure Virtual Machine Monitor [VMM] architecture is proposed and secure VMM software called BitVisor is developed which offers some security functions. BitVisor has a feature called the Identification Management framework incorporated into it. The prototype, called Role Based Access Control [RBAC], is given along with the security policy.

Sylvie et al. [28] describe the elements of IaaS infrastructure and threat monitoring in IaaS. The most common threats in IaaS include VM-to-VM attacks, hypervisor subversion, network threats, etc. Network and host based IDS are explained and the limitations of traditional IDS are given. A hypervisor based monitoring system is proposed which protects user virtual machines from outside attacks.

Tal Garfinkel et al. [1] introduce the Intrusion Detection System [IDS] for virtual machines and explain the Virtual Machine Monitor [VMM] and Virtual Machine Introspection [VMI]. The paper proposes an architecture for Virtual Machine Monitor implementation. The Virtual Machine Introspection (VMI) system possesses three properties: isolation, inspection and interposition. The prototype is tested for security and performance overhead and it has the ability to detect real time attacks with high performance.

Anthony Roberts et al. [2] propose a framework called Pathogen for analysis and monitoring of real time systems, which uses Virtual Machine Introspection (VMI) to monitor a system without the use of local agents. Pathogen is used to monitor multiple virtual machines within an organization; it creates a lightweight Virtual Machine Introspection and fills in the semantic gap. Pathogen is implemented and the results are analyzed.

SiFan et al. [10] explain the concept of risk assessment in the cloud along with some related work. An architecture called VMRaS [Virtual Machine Risk Assessment Scheme] is proposed for risk assessment. The risk assessment process, risk assessment criteria such as risk calculation and risk rating criteria, and the factors affecting the rating are also described. The architecture of VMRaS is implemented and analyzed experimentally.

Fabrizio et al. [13] propose an intrusion detection technique called PsycoVirt with its architecture. PsycoVirt combines host and network Intrusion Detection System [IDS] tools to provide high security assurance. The PsycoVirt architecture consists of a Virtual Machine Monitor [VMM], an Introspection Virtual Machine [IVM], and a cluster of monitored virtual machines interconnected by a data and control network. PsycoVirt is implemented using Python and C, and Xen is used as the Virtual Machine Monitor.

Bryan et al. [14] focus on active monitoring of virtual machines in a virtualized security environment. A virtualization based architecture called Lares is proposed to protect certain types of security software. The proposed system is implemented using Xen and tested for security and performance.

Chun-Jen et al. [15] propose an intrusion detection framework called Network Intrusion Detection and Countermeasure sElection (NICE) in Virtual Network Systems. The framework includes an attack graph model, a threat model and a virtual machine protection model. The detailed system design of NICE is given along with its system components. The NICE security measurement metrics, how NICE mitigates attacks and its countermeasures for attacks are described.

Li Ruan et al. [22] introduce the Cloud Distributed Virtual Machine Monitor [Cloud DVMM] by comparing it with some existing VMMs. The theoretical model of DVMM, its attributes and its operations are specified briefly. The system architecture of DVMM is given with a brief explanation, and DVMM is implemented and evaluated.

Amani S et al. [30] describe the key security problems in the IaaS environment. To overcome the security challenges in IaaS, a high level CloudSec architecture is proposed which has a Virtual Machine Introspection layer with two components, a front-end and a back-end component. CloudSec is implemented using the VMSafe APIs on a VMware hypervisor.

Paul A. Karger et al. [3] discuss the issues with respect to input/output virtualization, which involve system security and input/output performance. In the first approach, called Pure Isolation, each VM guest has its own devices, and in the second approach, the hypervisor is shared on the server and the client. Input/output performance is increased by partitioning the input/output based on special privileges. The virtual ring concept can also be used for a special input/output partition with input/output drivers.

Miika Komu et al. [6] describe the concepts of cloud computing, data center networks and the identity-location split. The paper analyzes a few security issues and risks in cloud computing such as protection of data flows, outsourcing private data, isolation of subscriber resources and multitenancy issues. A solution based on the Host Identity Protocol [HIP] is proposed to overcome multitenancy security issues, hybrid IaaS cloud issues, etc. An experiment is carried out with HIP and the results are provided.

Aleksandar Donevski et al. [9] describe the software architecture of the “Folsom” release of the OpenStack cloud, with the software components and the software aspects for deployment and networking. A security assessment is made based on two different network deployments of the OpenStack cloud. Test cases and test data are explained for the security assessment with one network and with two segregated networks. Results of the security assessments are also provided.

Kara Nance et al. [26] explain Virtual Machine Introspection [VMI] with related research work. VMI tool development, VMI operations and VMI detection are described briefly. The authors suggest the use of VMI for digital forensics to overcome some of the existing limitations.

Paul A. Karger [27] introduces the Virtual Machine Monitor [VMM] and its security along with some related work. The paper describes VMM security problems and suggests using a small and simple VMM to assure high security.
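The multi-view comparison summarized above for the VM Detector of Ying Wang et al. [20] can be illustrated as follows. This is an added example, not code from the surveyed paper: the "pid name" text format, the sample snapshots and the rule of requiring consecutive mismatches (to filter out processes that merely start or exit between the two views) are assumptions made here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


def parse_view(text):
    """Parse 'pid name' lines into a set of Proc (assumed format, one process per line)."""
    procs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, name = line.split(None, 1)
        procs.add(Proc(int(pid), name))
    return procs


def hidden_in_snapshot(guest_view, vmm_view):
    """Processes visible from the VMM-level view but absent from the in-guest view."""
    return vmm_view - guest_view


def persistent_hidden(snapshots, min_hits=2):
    """Flag processes hidden in at least min_hits consecutive snapshots.

    The two views are never taken at exactly the same instant, so a process
    that has just started can look hidden once. Requiring a streak of
    mismatches suppresses that false positive.
    """
    streak = {}
    flagged = set()
    for guest_text, vmm_text in snapshots:
        hidden = hidden_in_snapshot(parse_view(guest_text), parse_view(vmm_text))
        # A process that reappears in the guest view drops out and loses its streak.
        streak = {p: streak.get(p, 0) + 1 for p in hidden}
        flagged |= {p for p, hits in streak.items() if hits >= min_hits}
    return flagged


# Constructed sample data: pid 2001 starts between the two views of the first
# snapshot; pid 1337 is never reported by the guest.
GUEST_1 = "1 init\n412 sshd\n980 nginx\n"
VMM_1 = "1 init\n412 sshd\n980 nginx\n1337 kworkerd\n2001 cron\n"
GUEST_2 = "1 init\n412 sshd\n980 nginx\n2001 cron\n"
VMM_2 = "1 init\n412 sshd\n980 nginx\n1337 kworkerd\n2001 cron\n"
SNAPSHOTS = [(GUEST_1, VMM_1), (GUEST_2, VMM_2), (GUEST_2, VMM_2)]

if __name__ == "__main__":
    for proc in sorted(persistent_hidden(SNAPSHOTS), key=lambda p: p.pid):
        print(f"hidden from guest view: pid={proc.pid} name={proc.name}")
```
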

Conclusion

This paper surveys the existing security problems in the virtualized environment, such as protection of data flows, outsourcing private data, isolation of subscriber resources and multitenancy issues. The various possible solutions to overcome these security challenges, like CloudDVMM, CloudSec, NICE, Lares and PsycoVirt, are discussed.

References

[1] Tal Garfinkel, Mendel Rosenblum, “A Virtual Machine Introspection Based Architecture for Intrusion Detection”, Network and Distributed Systems Security Symposium, 2003, pp 191-206, DOI: 10.1.1.11.8367.

[2] Anthony Roberts, Richard McClatchey, Saad Liaquat, Nigel Edwards, Mike Wray, “Introducing Pathogen: A Real Time Virtual Machine Introspection Framework”, conference on Computer & communications security, New York, NY, USA, November 2013, ISBN: 978-1-4503-2477-9, DOI: 10.1145/2508859.2512518.

[3] Paul A. Karger, David R. Safford, “I/O for Virtual Machine Monitors Security and Performance Issues”, IEEE Security & Privacy, Sept.-Oct. 2008, pp. 16-23, ISSN: 1540-7993, DOI: 10.1109/MSP.2008.119.

[4] Chris Benninger, Stephen W. Neville, Yagız Onat Yazır, Chris Matthews, Yvonne Coady, “Maitland: Lighter-Weight VM Introspection to Support Cyber-Security in the Cloud”, IEEE Fifth International Conference on Cloud Computing, Honolulu, HI, USA, June 24-29, 2012, pp 471-478, ISBN 978-1-4673-2892-0, DOI: 10.1109/CLOUD.2012.145.

[5] Lin Chen, Bo Liu, Huaping Hu, Qianbing Zheng, “A layered malware detection model using VMM”, IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, 25-27 June 2012, Liverpool, pp 1259-1264, Print ISBN: 978-1-4673-2172-3, DOI: 10.1109/TrustCom.2012.35.

[6] Miika Komu, Mohit Sethi, Ramasivakarthik Mallavarapu, Heikki Oirola, Rasib Khan, Sasu Tarkoma, “Secure Networking for Virtual Machines in the Cloud”, IEEE International Conference on Cluster Computing Workshops, 24-28 Sept. 2012, Beijing, pp 88-96, Print ISBN: 978-1-4673-2893-7, DOI 10.1109/ClusterW.2012.29.

[7] Tomohisa Egawa, Naoki Nishimura, Kenichi Kourai, “Dependable and Secure Remote Management in IaaS Clouds”, 4th IEEE International Conference on Cloud Computing Technology and Science Proceedings, Taipei, 03-06 December 2012, pp 411-418, Print ISBN: 978-1-4673-45118, DOI: 10.1109/CloudCom.2012.6427597.

[8] Ucman Oktay, Muhammed Ali Aydin, Ozgur Koray Sahingoz, “Circular Chain VM Protection in AdjointVM”, International Conference on Technological Advances in Electrical, Electronics and Computer Engineering (TAEECE), Konya, 9th May 2013, pp 93-97, Print ISBN: 978-1-46735613-8, DOI: 10.1109/TAEECE.2013.6557202.

[9] Aleksandar Donevski, Sasko Ristov, Marjan Gusev, “Security Assessment of Virtual Machines in Open Source Clouds”, 20-24 May 2013, 2013 36th International Convention on Information & Communication Technology Electronics & Microelectronics, Opatija, Croatia, pp 10941099, Print ISBN: 978-953-233-076-2.

[10] SiFan Liu, Jie Wu, ZhiHui Lu, Hui Xiong, “VMRaS: A Novel Virtual Machine Risk Assessment Scheme in the Cloud Environment”, IEEE 10th International Conference on Services Computing, Santa Clara, CA, June 28-July 3, 2013, pp 384-391, Print ISBN: 978-07695-5026-8, DOI: 10.1109/SCC.2013.12.

[11] Roland Schwarzkopf, Matthias Schmidt, Christian Strack, Simon Martin, Bernd Freisleben, “Increasing virtual machine security in cloud environments”, Journal of Cloud Computing: Advances, Systems and Applications, July 2012, pp 1-12, Online ISSN: 2192-113X, DOI: 10.1186/2192113X-1-12.

[12] Bryan D. Payne, Martim D. P. de A. Carbone, Wenke Lee, “Secure and Flexible Monitoring of Virtual Machines”, 23rd Annual Computer Security Applications Conference, 10-14 Dec. 2007, Miami Beach, FL, pp 385-397, Print ISBN: 978-07695-3060-4, DOI 10.1109/ACSAC.2007.10.

[13] Fabrizio Baiardi, Daniele Sgandurra, “Building Trustworthy Intrusion Detection through VM Introspection”, Third International Symposium on Information Assurance and Security, Manchester, 29-31 Aug. 2007, pp 209-214, Print ISBN: 07695-2876-7, DOI: 10.1109/IAS.2007.36.

[14] Bryan D. Payne, Martim Carbone, Monirul Sharif, Wenke Lee, “Lares: An Architecture for Secure Active Monitoring Using Virtualization”, IEEE Symposium on Security and Privacy, 2008, Washington, DC, USA, pp 233-247, ISBN: 978-0-76953168-7, DOI: 10.1109/SP.2008.24.

[15] Chun-Jen Chung, Pankaj Khatkar, Tianyi Xing, Jeongkeun Lee, Dijiang Huang, “NICE: Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems”, IEEE Transactions on Dependable and Secure Computing, July-Aug. 2013, pp. 198-211, ISSN: 15455971/13, DOI: 10.1109/TDSC.2013.8.

[16] Anas Ayad, Uwe Dippel, “Agent Based Monitoring Of Virtual Machines”, International Symposium on Information Technology, Kuala Lumpur, 15-17 June 2010, pp 1-6, Print ISBN: 978-1-42446715-0, DOI: 10.1109/ITSIM.2010.5561375.

[17] Martin Crawford, Gilbert Peterson, “Insider Threat Detection using Virtual Machine Introspection”, 46th Hawaii International Conference on System Sciences, Wailea, HI, USA, 7-10 Jan. 2013, pp 1821-1830, Print ISBN: 978-1-4673-5933-7, DOI: 10.1109/HICSS.2013.278.

[18] Jie He, Chuan Tang, Yuexiang Yang, Yong Qiao, Chaobin Liu, “3D-IDS: IaaS user-oriented Intrusion Detection System”, Fourth International Symposium on Information Science and Engineering, Shanghai, 14-16 Dec. 2012, pp 12-15, Print ISBN: 978-1-4673-5680-0, DOI: 10.1109/ISISE.2012.12.

[19] Manabu Hirano, Takahiro Shinagawa, Hideki Eiraku, Shoichi Hasegawa, Kazumasa Omote, “Introducing Role-based Access Control to a Secure Virtual Machine Monitor: Security Policy Enforcement Mechanism for Distributed Computers”, IEEE Asia-Pacific Services Computing Conference, Yilan, 9-12 Dec. 2008, pp 1225-1230, Print ISBN: 978-0-7695-34732/08, DOI: 10.1109/APSCC.2008.14.

[20] Ying Wang, Chunming Hu, Bo Li, “VMDetector: A VMM-based Platform to Detect Hidden Process by Multiview Comparison”, IEEE 13th International Symposium on High-Assurance Systems Engineering, Boca Raton, FL, 10-12 Nov. 2011, pp 307-312, Print ISBN: 978-1-46730107-7, DOI: 10.1109/HASE.2011.41.

[21] Asit More, Shashikala Tapaswi, “Dynamic malware detection and recording using virtual machine introspection”, Best Practices Meet, Chennai, 12 July 2013, pp 1-6, Print ISBN: 978-1-4799-0637-6, DOI: 10.1109/BPM.2013.6615011.

[22] Li Ruan, Jinbin Peng, Limin Xiao, Xiang Wang, “CloudDVMM: Distributed Virtual Machine Monitor for Cloud Computing”, IEEE International Conference on GreenCom and CPSCom, Beijing, 20-23 Aug. 2013, pp 1853-1858, DOI: 10.1109/GreenCom-iThingsCPSCom.2013.344.

[23] Bingyu Zou, Huanguo Zhang, “Integrity Protection and Attestation of Security Critical Executions on Virtualized Platform in Cloud Computing Environment”, IEEE International Conference on GreenCom and CPSCom, Beijing, 20-23 Aug. 2013, pp 2071-2075, DOI: 10.1109/GreenComiThings-CPSCom.2013.388.

[24] Hanqian Wu, Yi Ding, Chuck Winer, Li Yao, “Network Security for Virtual Machine in Cloud Computing”, 5th International Conference on Computer Sciences and Convergence Information Technology, Seoul, Nov. 30 2010-Dec. 2 2010, pp 18-21, Print ISBN: 978-1-4244-85673, DOI: 10.1109/ICCIT.2010.5711022.

[25] Shun-Wen Hsiaoy, Yi-Ning Chen, Yeali S. Sun, Meng Chang Chen, “A Cooperative Botnet Profiling and Detection in Virtualized Environment”, IEEE Conference on Communication and Network Security, National Harbor, MD, 14-16 Oct. 2013, pp 154-162, DOI: 10.1109/CNS.2013.6682703.

[26] Kara Nance and Brian Hay, Matt Bishop, “Investigating the Implications of Virtual Machine Introspection for Digital Forensics”, International Conference on Availability, Reliability and Security, Fukuoka, 16-19 March 2009, pp 1024-1029, Print ISBN: 9781-4244-3572-2, DOI: 10.1109/ARES.2009.173.

[27] Paul A. Karger, “Is Your Virtual Machine Monitor Secure?”, Third Asia-Pacific Trusted Infrastructure Technologies Conference, Hubei, 14-17 Oct. 2008, pp 5, Print ISBN: 978-0-7695-3363-6, DOI: 10.1109/APTC.2008.18.

[28] Sylvie Laniepce, Marc Lacoste, Mohammed Kassi-Lahlou, Fabien Bignon, Kahina Lazri, Aurelien Wailly, “Engineering Intrusion Prevention Services for IaaS Clouds: The Way of the Hypervisor”, IEEE International Symposium On Service Oriented System Engineering, Redwood City, 25-28 March 2013, pp 25-36, Print ISBN: 978-1-46735659-6, DOI: 10.1109/SOSE.2013.27.

[29] Kenichi Kourai, Takeshi Azumi, Shigeru Chiba, “A Self-protection Mechanism against Stepping-stone Attacks for IaaS Clouds”, 9th International Conference on Ubiquitous Intelligence and Computing/Autonomic and Trusted Computing, Fukuoka, 4-7 Sept. 2012, pp 539-546, Print ISBN: 978-1-46733084-8, DOI: 10.1109/UIC-ATC.2012.139.

[30] Amani S. Ibrahim, James Hamlyn-Harris, John Grundy, Mohamed Almorsy, “CloudSec: A Security Monitoring Appliance for Virtual Machines in the IaaS Cloud Model”, 5th International Conference on Network and System Security, Milan, 6-8 Sept. 2011, pp 113-120, Print ISBN: 978-14577-0458-1, DOI: 10.1109/ICNSS.2011.6059967.