research-article

Cloud security is not (just) virtualization security: a short paper

Authors:

Mihai Christodorescu,

Douglas Lee Schales,

Daniele Sgandurra,

Diego ZamboniAuthors Info & Claims

CCSW '09: Proceedings of the 2009 ACM workshop on Cloud computing security

Pages 97 - 102

https://doi.org/10.1145/1655008.1655022

Published: 13 November 2009 Publication History

Abstract

Cloud infrastructure commonly relies on virtualization. Customers provide their own VMs, and the cloud provider runs them often without knowledge of the guest OSes or their configurations. However, cloud customers also want effective and efficient security for their VMs. Cloud providers offering security-as-a-service based on VM introspection promise the best of both worlds: efficient centralization and effective protection. Since customers can move images from one cloud to another, an effective solution requires learning what guest OS runs in each VM and securing the guest OS without relying on the guest OS functionality or an initially secure guest VM state.

We present a solution that is highly scalable in that it (i) centralizes guest protection into a security VM, (ii) supports Linux and Windows operating systems and can be easily extended to support new operating systems, (iii) does not assume any a-priori semantic knowledge of the guest, (iv) does not require any a-priori trust assumptions into any state of the guest VM. While other introspection monitoring solutions exist, to our knowledge none of them monitor guests on the semantic level required to effectively support both white- and black-listing of kernel functions, or allows to start monitoring VMs at any state during run-time, resumed from saved state, and cold-boot without the assumptions of a secure start state for monitoring.

References

[1]

A. Baliga, X. Chen, and L. Iftode. Paladin: Automated detection and containment of rootkit attacks. Department of Computer Science, Rutgers University, April., 2006.

[2]

Bryan D. Payne and Martim Carbone and Wenke Lee. Secure and flexible monitoring of virtual machines. Computer Security Applications Conference, Annual, 0:385--397, 2007.

[3]

P. M. Chen and B. D. Noble. When virtual is better than real. In HOTOS'01: Proceedings of the Eighth Workshop on Hot Topics in Operating Systems, page 133, Washington, DC, USA, 2001. IEEE Computer Society.

Digital Library

[4]

G. W. Dunlap, S. T. King, S. Cinar, M. A. Basrai, and P. M. Chen. Revirt: enabling intrusion analysis through virtual-machine logging and replay. SIGOPS Oper. Syst. Rev., 36(SI):211--224, 2002.

Digital Library

[5]

T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the 2003 Network and Distributed System Symposium, 2003.

[6]

A. Joshi, S. T. King, G. W. Dunlap, and P. M. Chen. Detecting past and present intrusions through vulnerability-specific predicates. In SOSP'05: Proceedings of the twentieth ACM symposium on Operating systems principles, pages 91--104, New York, NY, USA, 2005. ACM.

Digital Library

[7]

L. Litty and D. Lie. Manitou: a layer--below approach to fighting malware. In ASID'06: Proceedings of the 1st workshop on Architectural and system support for improving software dependability, pages 6--11, New York, NY, USA, 2006. ACM.

Digital Library

[8]

G. F. Lyon. NMAP Network Scanning. Nmap Project, 2009.

[9]

B. D. Payne, M. Carbone, M. Sharif, and W. Lee. Lares: An architecture for secure active monitoring using virtualization. Security and Privacy, IEEE Symposium on, 0:233--247, 2008.

Digital Library

[10]

N. L. Petroni, Jr., T. Fraser, J. Molina, and W. A. Arbaugh. Copilot -- a coprocessor-based kernel runtime integrity monitor. In SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium, pages 13--13, Berkeley, CA, USA, 2004. USENIX Association.

Digital Library

[11]

N. L. Petroni, Jr. and M. Hicks. Automated detection of persistent kernel control--flow attacks. In CCS'07: Proceedings of the 14th ACM conference on Computer and communications security, pages 103--115, New York, NY, USA, 2007. ACM.

Digital Library

[12]

N. Provos. Honeyd -- A virtual honeypot daemon. In 10th DFN-CERT Workshop, Hamburg, Germany, Feb. 2003.

[13]

N. A. Quynh and Y. Takefuji. Towards a tamper-resistant kernel rootkit detector. In SAC'07: Proceedings of the 2007 ACM symposium on Applied computing, pages 276--283, New York, NY, USA, 2007. ACM.

Digital Library

[14]

J. Rhee, R. Riley, D. Xu, and X. Jiang. Defeating Dynamic Data Kernel Rootkit Attacks via VMM-based Guest-Transparent Monitoring. In Proceedings of ARES 2009 Conference, 2009. To appear.

[15]

R. Riley, X. Jiang, and D. Xu. Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing. In RAID'08: Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection, pages 1--20, Berlin, Heidelberg, 2008. Springer-Verlag.

Digital Library

[16]

A. Seshadri, M. Luk, N. Qu, and A. Perrig. SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In SOSP'07: Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, pages 335--350, New York, NY, USA, 2007. ACM.

Digital Library

Cited By

Praveen Borra (2024)Securing Cloud Infrastructure: An In-Depth Analysis of Microsoft Azure SecurityInternational Journal of Advanced Research in Science, Communication and Technology10.48175/IJARSCT-18863(549-555)Online publication date: 13-Jun-2024
https://doi.org/10.48175/IJARSCT-18863
Sehgal NSaxena MShah DSehgal NSaxena MShah D(2024)Foundations of Information SecurityAI on the Edge with Security10.1007/978-3-031-78272-5_5(95-113)Online publication date: 25-Dec-2024
https://doi.org/10.1007/978-3-031-78272-5_5
Gupta PSehgal NAcken JGupta PSehgal NAcken J(2024)Information Security and Cloud ComputingIntroduction to Machine Learning with Security10.1007/978-3-031-59170-9_5(215-228)Online publication date: 13-Jul-2024
https://doi.org/10.1007/978-3-031-59170-9_5
Show More Cited By

Index Terms

Cloud security is not (just) virtualization security: a short paper
1. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security

Recommendations

Security Challenges of Virtualization in Cloud Computing
ICTCS '16: Proceedings of the Second International Conference on Information and Communication Technology for Competitive Strategies

Recent years have been advanced in cloud computing technology. Virtualization supports cloud computing to virtualize the resources to provide software-as-a-service, infrastructure-as-a-service and platform-as-a-service mainly. Many Virtual Machines are ...
Architectural support for hypervisor-secure virtualization
ASPLOS '12

Virtualization has become a standard part of many computer systems. A key part of virtualization is the all-powerful hypervisor which manages the physical platform and can access all of its resources, including memory assigned to the guest virtual ...
Architectural support for hypervisor-secure virtualization
ASPLOS '12

Virtualization has become a standard part of many computer systems. A key part of virtualization is the all-powerful hypervisor which manages the physical platform and can access all of its resources, including memory assigned to the guest virtual ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCSW '09: Proceedings of the 2009 ACM workshop on Cloud computing security

November 2009

144 pages

ISBN:9781605587844

DOI:10.1145/1655008

Program Chairs:
Radu Sion
Stony Brook University, USA
,
Dawn Song
University of California, Berkeley, USA

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 November 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS '09

Sponsor:

SIGSAC

CCS '09: 16th ACM Conference on Computer and Communications Security 2009

November 13, 2009

Illinois, Chicago, USA

Acceptance Rates

Overall Acceptance Rate 37 of 108 submissions, 34%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

137
Total Citations
View Citations
6,437
Total Downloads

Downloads (Last 12 months)75
Downloads (Last 6 weeks)6

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Praveen Borra (2024)Securing Cloud Infrastructure: An In-Depth Analysis of Microsoft Azure SecurityInternational Journal of Advanced Research in Science, Communication and Technology10.48175/IJARSCT-18863(549-555)Online publication date: 13-Jun-2024
https://doi.org/10.48175/IJARSCT-18863
Sehgal NSaxena MShah DSehgal NSaxena MShah D(2024)Foundations of Information SecurityAI on the Edge with Security10.1007/978-3-031-78272-5_5(95-113)Online publication date: 25-Dec-2024
https://doi.org/10.1007/978-3-031-78272-5_5
Gupta PSehgal NAcken JGupta PSehgal NAcken J(2024)Information Security and Cloud ComputingIntroduction to Machine Learning with Security10.1007/978-3-031-59170-9_5(215-228)Online publication date: 13-Jul-2024
https://doi.org/10.1007/978-3-031-59170-9_5
Sarala LMahalakshmi TKandarkar SSriramam YArun MSuresh Varma K(2023)Virtualization Framework for Securing Cloud to 5G Networks Using Ant Lion Optimization Constructed KGMO for Mobility Supervision2023 International Conference on Sustainable Emerging Innovations in Engineering and Technology (ICSEIET)10.1109/ICSEIET58677.2023.10303443(725-731)Online publication date: 14-Sep-2023
https://doi.org/10.1109/ICSEIET58677.2023.10303443
ÖZYİĞİT H(2022)Kurumsal Risk Yönetimi ve Bulut Bilişim SistemiEnterprise Risk Management and Cloud Computing SystemMuhasebe ve Finansman Dergisi10.25095/mufad.1012896(31-52)Online publication date: 17-Jan-2022
https://doi.org/10.25095/mufad.1012896
Sehgal NBhatt PAcken JSehgal NBhatt PAcken J(2022)Cloud Computing and Information SecurityCloud Computing with Security and Scalability.10.1007/978-3-031-07242-0_7(113-146)Online publication date: 4-Sep-2022
https://doi.org/10.1007/978-3-031-07242-0_7
Sehgal NBhatt PAcken JSehgal NBhatt PAcken J(2022)IntroductionCloud Computing with Security and Scalability.10.1007/978-3-031-07242-0_1(1-11)Online publication date: 4-Sep-2022
https://doi.org/10.1007/978-3-031-07242-0_1
Pamarthi NRao N(2021)Exponential Ant-Lion Rider Optimization for Privacy Preservation in Cloud ComputingWeb Intelligence10.3233/WEB-21047319:4(275-293)Online publication date: 28-Dec-2021
https://doi.org/10.3233/WEB-210473
Eltaeib TIslam N(2021)Taxonomy of Challenges in Cloud Security2021 8th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/2021 7th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom)10.1109/CSCloud-EdgeCom52276.2021.00018(42-46)Online publication date: Jun-2021
https://doi.org/10.1109/CSCloud-EdgeCom52276.2021.00018
Gupta PSehgal NGupta PSehgal N(2021)Information Security and Cloud ComputingIntroduction to Machine Learning in the Cloud with Python10.1007/978-3-030-71270-9_6(143-155)Online publication date: 29-Apr-2021
https://doi.org/10.1007/978-3-030-71270-9_6
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten