Securing Virtual Machines in Cloud
By Muhammad Kazim
Supervisor: Dr. Awais Shibli

Agenda
- Introduction
- Literature Survey
- Problem Statement
- OpenStack
- Proposed Solution and Design
- Major Challenges
- Roadmap
- References

Introduction
The core of Cloud services, the Infrastructure-as-a-Service (IaaS) model, provides the capability to provision:
- Processing
- Storage
- Networks

Virtualization
In Cloud computing, virtualization is the basis for providing IaaS.
Virtualization benefits companies by reducing their operating costs and increasing the flexibility of their own infrastructures.

Virtual Machines
A virtual machine (VM) is a software container that has its own OS, virtual CPU and RAM, and behaves like a physical machine.
A Cloud usually contains a large number of VMs.
Every 6 seconds a new VM is born in the Cloud.
Literature Survey

Attacks on Virtual Machines
Compromised Hypervisor
- A malicious OS in an attacker's VM can modify the source code of the hypervisor.
- Hyperjacking
- VMs can be protected from a compromised hypervisor by encrypting the VMs.
[Figure: hardware, hypervisor and two VMs, each running applications Ap1 and Ap2]
Jakub Szefer, Ruby B. Lee, “A Case for Hardware Protection of Guest VMs from Compromised Hypervisors in Cloud Computing”, 31st International Conference on Distributed Computing Systems Workshops, Washington, DC, USA, 2011.

Attacks on Virtual Machines
Communication between Virtual Machines
- A shared clipboard transfers data between a virtual machine and the host.
  - It could be used by malicious programs in VMs to communicate.
- VM Escape attack
- Covert channels
- Implement proper isolation for protection.
Jenni Susan Reuben, “A Survey on Virtual Machine Security”, TKK T-110.5290 Seminar on Network Security, 2007.

Attacks on Virtual Machines
VM Storage and Restore Attacks
- VM state can be stored in a disk file to be restored later.
- An attacker can compromise the integrity of the saved VM.
- Take a hash of the stored VM state and encrypt the VM before saving.
Jinzhu Kong, “Protecting the confidentiality of virtual machines against untrusted host”, International Symposium on Intelligence Information Processing and Trusted Computing, Washington, DC, USA, 2010.
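As an added example (not from the presentation), the save/restore protection this slide describes: the VM state is hashed, encrypted and authenticated before it is written to disk, and restore refuses any state whose tag or recorded hash does not verify. The cipher here is a stand-in (HMAC-SHA256 in counter mode, encrypt-then-MAC) chosen so the block runs with only the Python standard library; the key labels and sample state are constructed, and production code would use AES-GCM or the qcow2 encryption shown on the later slide.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (stdlib stand-in for AES-CTR)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _derive_keys(master_key: bytes) -> tuple:
    """Separate encryption and MAC keys from one master key (labels are constructed)."""
    enc_key = hmac.new(master_key, b"vm-state-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"vm-state-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def save_vm_state(master_key: bytes, state: bytes, nonce: Optional[bytes] = None) -> Dict[str, bytes]:
    """Hash the VM state, encrypt it, and authenticate the result before it reaches disk."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce = nonce if nonce is not None else os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(state, _keystream(enc_key, nonce, len(state))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {
        "nonce": nonce,
        "ciphertext": ciphertext,
        "tag": tag,
        "state_sha256": hashlib.sha256(state).digest(),  # hash of the plaintext VM state
    }


def restore_vm_state(master_key: bytes, saved: Dict[str, bytes]) -> bytes:
    """Refuse to restore saved state whose tag or recorded hash does not verify."""
    enc_key, mac_key = _derive_keys(master_key)
    expected_tag = hmac.new(mac_key, saved["nonce"] + saved["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, saved["tag"]):
        raise ValueError("saved VM state was modified on disk; refusing to restore")
    stream = _keystream(enc_key, saved["nonce"], len(saved["ciphertext"]))
    state = bytes(c ^ k for c, k in zip(saved["ciphertext"], stream))
    if not hmac.compare_digest(hashlib.sha256(state).digest(), saved["state_sha256"]):
        raise ValueError("restored VM state does not match the hash taken at save time")
    return state
```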

Attacks on Stored VM Images
- Sensitive data is left on broken and sold disks.
- People with access to the storage hosts can compromise the integrity and confidentiality of stored images.
- Compromising the Cloud infrastructure can make customers' data accessible to attackers.
- Cloud administrators such as the network admin, storage admin and virtualization admin, who have physical access to the Cloud, can access customer data.

Problem Statement
In order to secure virtual machines from infrastructure-, hypervisor- and virtualization-level storage attacks, we intend to provide a security mechanism by proposing virtual machine image encryption based on the proposed security architecture.

OpenStack
OpenStack is a collection of open source technologies that provides massively scalable open source cloud computing software.
Currently a large number of organizations in around 87 different countries have deployed their Cloud on OpenStack.
OpenStack is written in Python, with SDKs available for Java and PHP developers via jclouds.
OpenStack Conceptual Architecture

OpenStack Components
- Dashboard ("Horizon") provides a web front end to the other OpenStack services.
- Compute ("Nova") stores and retrieves virtual disks ("images") and their associated metadata in Image.
- Network ("Quantum") provides virtual networking for Compute.
- Block Storage ("Cinder") provides storage volumes for Compute.
- Image ("Glance") provides a catalog and repository for disk images.
- All the services authenticate with Identity ("Keystone").

Disk Images and Instances
Images are disk images which are templates for virtual machine file systems. The image service, Glance, is responsible for the storage and management of images within OpenStack.
Instances are the individual virtual machines running on physical compute nodes. The compute service, Nova, manages instances. Each instance is run from a copy of the base image.
Virtual Machine Life Cycle in OpenStack

Launching an instance
The image store fronted by the image service, Glance, has some number of predefined images.
To launch an instance the user selects an image, a flavor (resources) and optionally other attributes.
Procedure of Encryption

Qcow2 (QEMU Copy-on-write)
QEMU can use a base image which is read-only, and store all writes to the qcow2 image. Its major features include:
- Smaller images
- AES encryption
- zlib based compression
- Support for multiple VM snapshots
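As an added example (not part of the presentation or of QEMU), a check a storage or virtualization admin can run on an image at rest: it parses the fixed qcow2 header and reports whether the image is actually encrypted, whether it depends on a read-only base image, and how many internal snapshots it carries. Field offsets follow the qcow2 specification; the sample header built in the block is constructed for offline testing and is not a real image.

```python
import struct

QCOW2_MAGIC = 0x514649FB  # the bytes b"QFI\xfb" at offset 0
CRYPT_METHODS = {0: "none", 1: "AES (legacy qcow2 encryption)", 2: "LUKS"}
# Fixed part of the qcow2 header (big-endian), offsets 0..71 per the QEMU qcow2 spec.
HEADER_FMT = ">IIQIIQIIQQIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 72


def parse_qcow2_header(data: bytes) -> dict:
    """Decode the fields a defender cares about: encryption, backing file, snapshots."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short to be a qcow2 header")
    (magic, version, bf_offset, bf_size, cluster_bits, size, crypt_method,
     _l1_size, _l1_offset, _rc_offset, _rc_clusters, nb_snapshots, _snap_offset) = \
        struct.unpack_from(HEADER_FMT, data, 0)
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image (bad magic)")
    backing_file = data[bf_offset:bf_offset + bf_size].decode() if bf_size else None
    return {
        "version": version,
        "virtual_size": size,
        "cluster_size": 1 << cluster_bits,
        "crypt_method": CRYPT_METHODS.get(crypt_method, "unknown(%d)" % crypt_method),
        "backing_file": backing_file,
        "snapshots": nb_snapshots,
    }


def image_findings(data: bytes) -> list:
    """Flag what an unencrypted or snapshot-bearing stored image exposes at rest."""
    hdr = parse_qcow2_header(data)
    findings = []
    if hdr["crypt_method"] == "none":
        findings.append("image data is stored unencrypted")
    if hdr["backing_file"]:
        findings.append("copy-on-write image; base image %r is read too" % hdr["backing_file"])
    if hdr["snapshots"]:
        findings.append("%d internal snapshot(s) keep older disk state" % hdr["snapshots"])
    return findings


def build_sample_header(crypt_method: int, nb_snapshots: int = 0, backing: bytes = b"") -> bytes:
    """Constructed sample header (version 2 layout) for offline testing, not a real image."""
    bf_offset = HEADER_LEN if backing else 0
    fields = (QCOW2_MAGIC, 2, bf_offset, len(backing), 16, 10 * 2**30, crypt_method,
              1, 0x10000, 0x20000, 1, nb_snapshots, 0)
    return struct.pack(HEADER_FMT, *fields) + backing
```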

Issues in VM Encryption
Encryption will result in an increase in image size and a performance overhead on the Cloud system.
Key management is another major issue.

| Virtual Machine Size | CPU Cores | Memory |
|---|---|---|
| Small | 1 | 2 GB |
| Medium | 2 | 3.5 GB |
| Large | 4 | 7 GB |
| Extra Large | 8 | 14 GB |
Feedback from OpenStack

Roadmap

| Milestone | Duration |
|---|---|
| Preliminary study and Research | Done |
| Implementation: 1. Python Development | 2 Weeks |
| 2. OpenStack Configuration | 2 Weeks |
| 3. Image encryption | 1 month |
| 4. Loading, executing, storing encrypted image with VM instances | 2 months |
| 5. Key Management Policy implementation | 1 month |
| Performance Analysis and Evaluation | 1 month |
| Final Documentation | 1 month |

References
[1] Shubhashis Sengupta, Vikrant Kaulgud, Vibhu Saujanya Sharma, “Cloud Computing Security - Trends and Research Directions”, IEEE World Congress on Services, Washington, DC, USA, 2011.
[2] Jakub Szefer, Ruby B. Lee, “A Case for Hardware Protection of Guest VMs from Compromised Hypervisors in Cloud Computing”, 31st International Conference on Distributed Computing Systems Workshops, Washington, DC, USA, 2011.
[3] Jinzhu Kong, “Protecting the confidentiality of virtual machines against untrusted host”, International Symposium on Intelligence Information Processing and Trusted Computing, Washington, DC, USA, 2010.
[4] Farzad Sabahi, “Secure Virtualization for Cloud Environment Using Hypervisor-based Technology”, International Journal of Machine Learning and Computing, vol. 2, no. 1, February 2012, pp. 39-45.
[5] Jenni Susan Reuben, “A Survey on Virtual Machine Security”, TKK T-110.5290 Seminar on Network Security, 2007.
[6] Seongwook Jin, Jeongseob Ahn, Sanghoon Cha, and Jaehyuk Huh, “Architectural Support for Secure Virtualization under a Vulnerable Hypervisor”, Proceedings of the 44th Annual IEEE/ACM International Symposium on Microarchitecture, USA, 2011.
[7] Ryan Shea, Jiangchuan Liu, “Understanding the Impact of Denial of Service on Virtual Machines”, IEEE 20th International Workshop on Quality of Service (IWQoS), Burnaby, BC, Canada, 2012.
[8] Wu Zhou, Peng Ning, Xiaolan Zhang, “Always up-to-date: scalable offline patching of VM images in a compute cloud”, Proceedings of the 26th Annual Computer Security Applications Conference, New York, USA, 2010, pp. 377-386.
[9] Trent Jaeger, Reiner Sailer, Yogesh Sreenivasan, “Managing the Risk of Covert Information Flows in Virtual Machine Systems”, Proceedings of the 12th ACM symposium on Access control models and technologies, New York, USA, 2007, pp. 81-90.
[10] Mikhail I. Gofman, Ruiqi Luo, Ping Yang, Kartik Gopalan, “SPARC: A security and privacy aware Virtual Machine checkpointing mechanism”, Proceedings of the 10th annual ACM workshop on Privacy in the electronic society, New York, USA, 2011, pp. 115-124.
[11] Zhi Wang, Xuxian Jiang, “HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity” IEEE Symposium on Security and Privacy, Oakland, CA, USA, 2010, pp. 380-385.
[12] Mohamad Rezaei et al., “TCvisor: a Hypervisor Level Secure Storage”, Internet Technology and Secured Transactions (ICITST), London, 2010, pp. 1-9.
[13] Dan Pelleg, Muli Ben-Yehuda, Rick Harper, “Vigilant—Out-of-band Detection of Failures in Virtual Machines”, ACM SIGOPS Operating Systems Review, New York, NY, USA, Volume 42, Issue 1, 2008, pp. 26-31.
[14] Sandra Rueda, Yogesh Sreenivasan, Trent Jaeger, “Flexible Security Configuration for Virtual Machines”, Proceedings of the 2nd ACM workshop on Computer Security Architectures, New York, NY, USA, 2008, pp. 35-44.
[15] Koichi Onoue, Yoshihiro Oyama, Akinori Yonezawa, “Control of System Calls from Outside of Virtual Machines”, Proceedings of the 2008 ACM symposium on Applied Computing, New York, NY, USA, 2008, pp. 2116-2221.

Thank you