Abstract
Hypervisor-based process protection is a novel approach that provides isolated execution environments for applications running on untrusted commodity operating systems. It is based on off-the-shelf hardware and trusted hypervisors, and it meets the security and trust requirements of many cloud computing models, especially third-party data centers and multi-tenant public clouds, in which sensitive data are out of the control of the users. However, as the hypervisor extends semantic protection to the process granularity, such a mechanism also breaks the platform independence of virtual machines and thus prohibits live migration of virtual machines, which is another highly desirable feature in the cloud. In this paper, we extend hypervisor-based process protection systems with live migration capabilities by migrating the protection-related metadata maintained in the hypervisor together with the virtual machines and protecting sensitive user contents using encryption and hashing. We also propose a security-preserving live migration protocol that addresses several security threats during live migration procedures, including timing-related attacks, replay attacks and resumption order attacks. We implement a prototype system based on Xen and Linux. Evaluation results show that performance degradation in terms of both total migration time and downtime is reasonably low compared to the unmodified Xen live migration system.
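As an added illustration (not code from the paper or its Xen prototype) of the encryption-plus-hashing and replay/order protection the abstract describes, the following Python sketch seals each protected page under a per-migration session nonce and a strictly increasing sequence number, so the destination side rejects tampered, replayed or out-of-order records. The record layout, key names and the hash-based keystream are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed illustration of the abstract's idea: protected pages leave the
# source hypervisor encrypted and authenticated, bound to a migration session
# nonce and a sequence number, so replay and reordering are detectable.
TAG_LEN = 32  # HMAC-SHA256 output length

def _keystream(key: bytes, nonce: bytes, seq: int, length: int) -> bytes:
    # Hash-based counter-mode keystream, a stand-in for AES-CTR because the
    # standard library ships no AES. Each (nonce, seq) pair yields a new stream.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + seq.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])

def seal_page(enc_key: bytes, mac_key: bytes, nonce: bytes, seq: int, page_no: int, data: bytes) -> bytes:
    """Source side: encrypt one page and bind it to the session nonce and sequence number."""
    header = nonce + seq.to_bytes(8, "big") + page_no.to_bytes(8, "big")
    body = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, seq, len(data))))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()  # covers header too
    return header + body + tag

class Destination:
    """Destination side: checks integrity, session freshness and resumption order."""

    def __init__(self, enc_key: bytes, mac_key: bytes, nonce: bytes):
        self.enc_key, self.mac_key, self.nonce = enc_key, mac_key, nonce
        self.expected_seq = 0          # next sequence number we will accept
        self.pages: dict[int, bytes] = {}

    def accept(self, record: bytes) -> int:
        nonce, seq_b, page_b = record[:16], record[16:24], record[24:32]
        body, tag = record[32:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self.mac_key, record[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("integrity check failed")
        if nonce != self.nonce:
            raise ValueError("record belongs to another migration session")
        seq = int.from_bytes(seq_b, "big")
        if seq != self.expected_seq:  # replayed or reordered record
            raise ValueError(f"out-of-order record: got {seq}, expected {self.expected_seq}")
        self.expected_seq += 1
        page_no = int.from_bytes(page_b, "big")
        self.pages[page_no] = bytes(a ^ b for a, b in zip(body, _keystream(self.enc_key, nonce, seq, len(body))))
        return page_no
```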
Acknowledgments
This work was funded by Shanghai Science and Technology Development Funds (No. 12QA1401700), China National Natural Science Foundation under grant numbered 61003002 and Fundamental Research Funds for the Central Universities in China.
Cite this article
Zhang, F., Chen, H. Security-Preserving Live Migration of Virtual Machines in the Cloud. J Netw Syst Manage 21, 562–587 (2013). https://doi.org/10.1007/s10922-012-9253-1