DOI: 10.1145/1655008.1655022
Research article

Cloud security is not (just) virtualization security: a short paper

Published: 13 November 2009

Abstract

Cloud infrastructure commonly relies on virtualization. Customers provide their own VMs, and the cloud provider often runs them without knowledge of the guest OSes or their configurations. However, cloud customers also want effective and efficient security for their VMs. Cloud providers offering security-as-a-service based on VM introspection promise the best of both worlds: efficient centralization and effective protection. Since customers can move images from one cloud to another, an effective solution must learn which guest OS runs in each VM and secure that guest OS without relying on guest OS functionality or on an initially secure guest VM state.
We present a solution that is highly scalable in that it (i) centralizes guest protection into a security VM, (ii) supports Linux and Windows operating systems and can easily be extended to support new operating systems, (iii) does not assume any a priori semantic knowledge of the guest, and (iv) does not require any a priori trust assumption about any state of the guest VM. While other introspection monitoring solutions exist, to our knowledge none of them monitors guests at the semantic level required to effectively support both white- and black-listing of kernel functions, or allows monitoring of a VM to start at any state during run-time, when resumed from saved state, or on cold boot, without assuming a secure start state for monitoring.




Published In

CCSW '09: Proceedings of the 2009 ACM workshop on Cloud computing security
November 2009, 144 pages
ISBN: 9781605587844
DOI: 10.1145/1655008
Program Chairs: Radu Sion, Dawn Song
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

cloud computing, integrity, outsourcing, virtualization


Conference

CCS '09

Acceptance Rates

Overall acceptance rate: 37 of 108 submissions (34%)

Article Metrics

Downloads: 75 in the last 12 months, 6 in the last 6 weeks (reflects downloads up to 25 Feb 2025)

Cited By

  • (2024) Securing Cloud Infrastructure: An In-Depth Analysis of Microsoft Azure Security. International Journal of Advanced Research in Science, Communication and Technology, pp. 549-555. DOI: 10.48175/IJARSCT-18863. Online publication date: 13 Jun 2024.
  • (2024) Foundations of Information Security. In: AI on the Edge with Security, pp. 95-113. DOI: 10.1007/978-3-031-78272-5_5. Online publication date: 25 Dec 2024.
  • (2024) Information Security and Cloud Computing. In: Introduction to Machine Learning with Security, pp. 215-228. DOI: 10.1007/978-3-031-59170-9_5. Online publication date: 13 Jul 2024.
  • (2023) Virtualization Framework for Securing Cloud to 5G Networks Using Ant Lion Optimization Constructed KGMO for Mobility Supervision. 2023 International Conference on Sustainable Emerging Innovations in Engineering and Technology (ICSEIET), pp. 725-731. DOI: 10.1109/ICSEIET58677.2023.10303443. Online publication date: 14 Sep 2023.
  • (2022) Kurumsal Risk Yönetimi ve Bulut Bilişim Sistemi (Enterprise Risk Management and Cloud Computing System). Muhasebe ve Finansman Dergisi, pp. 31-52. DOI: 10.25095/mufad.1012896. Online publication date: 17 Jan 2022.
  • (2022) Cloud Computing and Information Security. In: Cloud Computing with Security and Scalability, pp. 113-146. DOI: 10.1007/978-3-031-07242-0_7. Online publication date: 4 Sep 2022.
  • (2022) Introduction. In: Cloud Computing with Security and Scalability, pp. 1-11. DOI: 10.1007/978-3-031-07242-0_1. Online publication date: 4 Sep 2022.
  • (2021) Exponential Ant-Lion Rider Optimization for Privacy Preservation in Cloud Computing. Web Intelligence, 19(4), pp. 275-293. DOI: 10.3233/WEB-210473. Online publication date: 28 Dec 2021.
  • (2021) Taxonomy of Challenges in Cloud Security. 2021 8th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud) / 2021 7th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), pp. 42-46. DOI: 10.1109/CSCloud-EdgeCom52276.2021.00018. Online publication date: Jun 2021.
  • (2021) Information Security and Cloud Computing. In: Introduction to Machine Learning in the Cloud with Python, pp. 143-155. DOI: 10.1007/978-3-030-71270-9_6. Online publication date: 29 Apr 2021.
