DOI: 10.1145/1920261.1920317 (research article, ACSAC conference proceedings)

Always up-to-date: scalable offline patching of VM images in a compute cloud

Published: 06 December 2010

Abstract

Patching is a critical security service that keeps computer systems up to date and defends against security threats. Existing patching systems all require running systems. With the increasing adoption of virtualization and cloud computing services, there is a growing number of dormant virtual machine (VM) images. Such VM images cannot benefit from existing patching systems, and thus are often left vulnerable to emerging security threats. It is possible to bring VM images online, apply patches, and capture the VMs back to dormant images. However, such approaches suffer from unpredictability, performance challenges, and high operational costs, particularly in large-scale compute clouds where there could be thousands of dormant VM images.
This paper presents a novel tool named Nüwa that enables efficient and scalable offline patching of dormant VM images. Nüwa analyzes patches and, when possible, converts them into patches that can be applied offline by rewriting the patching scripts. Nüwa also leverages the VM image manipulation technologies offered by the Mirage image library to provide an efficient and scalable way to patch VM images in batch. Nüwa has been evaluated on freshly built images and on real-world images from the IBM Research Compute Cloud (RC2), a compute cloud used by IBM researchers worldwide. When applying security patches to a fresh installation of Ubuntu-8.04, Nüwa successfully applies 402 of 406 patches. It speeds up the patching process by more than 4 times compared to the online approach and by another 2--10 times when integrated with Mirage. Nüwa also successfully applies the 10 latest security updates to all VM images in RC2.
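As an added illustration of the abstract's idea of rewriting patching scripts so they can be applied offline (example code written here, not Nüwa's own implementation, which the page does not show), the Python sketch below classifies each command in a constructed Debian postinst fragment as offline-safe (touches only files in the image), runtime-only (acts on running services or processes), or unknown, and comments out the runtime-only commands. The command sets and the sample script are assumptions for the demonstration.

```python
# Constructed Debian maintainer-script (postinst) fragment; not from the paper.
SAMPLE_POSTINST = """#!/bin/sh
set -e
if [ "$1" = "configure" ]; then
    ldconfig
    update-alternatives --install /usr/bin/foo foo /usr/bin/foo-1 10
    invoke-rc.d foo restart
    killall -HUP foo-daemon
fi
"""
# Assumed classification: commands that only modify files inside the image
# can run against a mounted image (e.g. under chroot) with no VM booted.
OFFLINE_SAFE = {
    "set", "if", "then", "else", "fi", "exit", "ldconfig", "update-alternatives",
    "update-rc.d", "ln", "cp", "mv", "rm", "mkdir", "chmod", "chown",
}
# Commands that act on running services or processes: meaningless offline,
# since nothing is running and a dormant image starts its services on boot.
RUNTIME_ONLY = {"invoke-rc.d", "service", "start-stop-daemon", "kill", "killall", "pkill"}


def classify(line):
    """Return 'skip', 'offline', 'runtime' or 'unknown' for one script line."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return "skip"
    cmd = stripped.split()[0]
    if cmd in RUNTIME_ONLY:
        return "runtime"
    if cmd in OFFLINE_SAFE:
        return "offline"
    return "unknown"


def rewrite_offline(script):
    """Comment out runtime-only commands; return (script, dropped, unknown).

    A non-empty `unknown` list means the script needs manual review and the
    patch should be left for online application rather than converted.
    """
    out, dropped, unknown = [], [], []
    for line in script.splitlines():
        kind = classify(line)
        if kind == "runtime":
            dropped.append(line.strip())
            out.append("# offline-patch: skipped " + line.strip())
        else:
            if kind == "unknown":
                unknown.append(line.strip())
            out.append(line)
    return "\n".join(out) + "\n", dropped, unknown
```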



Published In

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference
December 2010, 419 pages
ISBN: 9781450301336
DOI: 10.1145/1920261

Sponsor: ACSA (Applied Computing Security Association)

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rate: 104 of 497 submissions (21%)
