Virtual Machines


Arguably, virtual machines are more secure than physical machines. This idea rests on the assumption that an attacker cannot jump the gap between the virtual and the physical: that the hypervisor isolates a guest from its host and from the other guests sharing the hardware. The growth of interest in cloud computing suggests it is time for a fresh look at the vulnerabilities in virtual machines. The articles cited below address security concerns in some interesting ways: they show how competition between I/O workloads can be exploited, describe a "gathering storm" of VM security issues, and discuss digital forensics issues in the cloud.
  • Chiang, R.; Rajasekaran, S.; Zhang, N.; Huang, H., "Swiper: Exploiting Virtual Machine Vulnerability in Third-Party Clouds with Competition for I/O Resources," Parallel and Distributed Systems, IEEE Transactions on, vol.PP, no.99, pp.1,1, June 2014. (ID#:14-1836) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6824231&isnumber=4359390 The emerging paradigm of cloud computing, e.g., Amazon Elastic Compute Cloud (EC2), promises a highly flexible yet robust environment for large-scale applications. Ideally, while multiple virtual machines (VM) share the same physical resources (e.g., CPUs, caches, DRAM, and I/O devices), each application should be allocated to an independently managed VM and isolated from one another. Unfortunately, the absence of physical isolation inevitably opens doors to a number of security threats. In this paper, we demonstrate in EC2 a new type of security vulnerability caused by competition between virtual I/O workloads - i.e., by leveraging the competition for shared resources, an adversary could intentionally slow down the execution of a targeted application in a VM that shares the same hardware. In particular, we focus on I/O resources such as hard-drive throughput and/or network bandwidth - which are critical for data-intensive applications. We design and implement Swiper, a framework which uses a carefully designed workload to incur significant delays on the targeted application and VM with minimum cost (i.e., resource consumption). We conduct a comprehensive set of experiments in EC2, which clearly demonstrates that Swiper is capable of significantly slowing down various server applications while consuming a small amount of resources. Keywords: Cloud computing; Delays; IP networks; Security; Synchronization; Throughput; Virtualization
  • Soni, G.; Kalra, M., "A Novel Approach For Load Balancing In Cloud Data Center," Advance Computing Conference (IACC), 2014 IEEE International , vol., no., pp.807,812, 21-22 Feb. 2014. (ID#:14-1837) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6779427&isnumber=6779283 In a large-scale cloud computing environment the cloud data centers and end users are geographically distributed across the globe. The biggest challenge for cloud data centers is how to handle and service the millions of requests that are arriving very frequently from end users efficiently and correctly. In cloud computing, load balancing is required to distribute the dynamic workload evenly across all the nodes. Load balancing helps to achieve a high user satisfaction and resource utilization ratio by ensuring an efficient and fair allocation of every computing resource. Proper load balancing aids in minimizing resource consumption, implementing fail-over, enabling scalability, avoiding bottlenecks and over-provisioning etc. In this paper, we propose “Central Load Balancer” a load balancing algorithm to balance the load among virtual machines in cloud data center. Results show that our algorithm can achieve better load balancing in a large-scale cloud computing environment as compared to previous load balancing algorithms. Keywords: cloud computing; computer centers; resource allocation; virtual machines; central load balancer algorithm; cloud data center; dynamic workload; large-scale cloud computing environment; load balancing; resource allocation; resource utilization; virtual machines; Algorithm design and analysis; Cloud computing; Computational modeling; Heuristic algorithms; Load management; Resource management; Virtual machining; Cloud Data Center; CloudAnalyst; Live Virtual Machine Migration; Load balancing; Virtualization
  • Vijay Varadharajan, Udaya Tupakula, “Counteracting Security Attacks In Virtual Machines In The Cloud Using Property Based Attestation,” Journal of Network and Computer Applications, Volume 40, April, 2014, (Pages 31-45). (ID#:14-1838) Available at: http://dl.acm.org/citation.cfm?id=2608850.2608932&coll=DL&dl=GUIDE&CFID=376780186&CFTOKEN=34932578 This paper expounds on the emergence of embedded Trusted Platform Modules in devices like PCs and smartphones. A trust-enhanced security model for cloud services is proposed, which aims to detect and prevent attacks, using trusted attestation methods. For this model, a multi-tenant virtualized system is considered, for which the proposed model will allow cloud service providers to certify certain tenant security properties. If a deviation from normal behavior for the tenant virtual machines occurs, such that it does not correspond with the certified properties, the model may dynamically isolate the suspicious cause. Keywords: Cloud, Malware, Rootkits, TPM attestation, Trusted computing, Virtual machine monitors, Zero day attacks
  • Gábor Pék, Andrea Lanzi, Abhinav Srivastava, Davide Balzarotti, Aurélien Francillon, Christoph Neumann, “On the Feasibility Of Software Attacks On Commodity Virtual Machine Monitors Via Direct Device Assignment,” ASIA CCS '14 Proceedings of the 9th ACM Symposium On Information, Computer And Communications Security, June 2014, (Pages 305-316). (ID#:14-1839) Available at: http://dl.acm.org/citation.cfm?id=2590296.2590299&coll=DL&dl=GUIDE&CFID=376780186&CFTOKEN=34932578 The security of virtual machine monitors (VMMs) is a challenging and active field of research. In particular, due to the increasing significance of hardware virtualization in cloud solutions, it is important to clearly understand existing and arising VMM-related threats. Unfortunately, there is still a lot of confusion around this topic as many attacks presented in the past have never been implemented in practice or tested in a realistic scenario. In this paper, we shed light on VM related threats and defenses by implementing, testing, and categorizing a wide range of known and unknown attacks based on directly assigned devices. We executed these attacks on an exhaustive set of VMM configurations to determine their potential impact. Our experiments suggest that most of the previously known attacks are ineffective in current VMM setups. We also developed an automatic tool, called PTFuzz, to discover hardware-level problems that affect current VMMs. By using PTFuzz, we found several cases of unexpected hardware behavior, and a major vulnerability on Intel platforms that potentially impacts a large set of machines used in the wild. These vulnerabilities affect unprivileged virtual machines that use a directly assigned device (e.g., network card) and have all the existing hardware protection mechanisms enabled. Such vulnerabilities either allow an attacker to generate a host-side interrupt or hardware faults, violating expected isolation properties. These can cause host software (e.g., the VMM) to halt, and they might open the door for practical VMM exploitation. We believe that our study can help cloud providers and researchers to better understand the limitations of their current architectures to provide secure hardware virtualization and prepare for future attacks. Keywords: DMA attack, I/O virtualization, MMIO, PIO, interrupt attack, passthrough, virtual machine monitor
  • Fangzhou Yao, Read Sprabery, Roy H. Campbell, “CryptVMI: a Flexible And Encrypted Virtual Machine Introspection System In The Cloud,” SCC '14 Proceedings of the 2nd international workshop on Security in cloud computing, June 2014, (Pages 11-18). (ID#:14-1840) Available at: http://dl.acm.org/citation.cfm?id=2600075.2600078&coll=DL&dl=GUIDE&CFID=376780186&CFTOKEN=34932578 Virtualization has demonstrated its importance in both public and private cloud computing solutions. In such environments, multiple virtual instances run on the same physical machine concurrently. Thus, the isolation in the system is not guaranteed by the physical infrastructure anymore. Reliance on logical isolation makes a system vulnerable to attacks. Thus, Virtual Machine Introspection techniques become essential, since they simplify the process to acquire evidence for further analysis in this complex system. However, Virtual Machine Introspection tools for the cloud are usually written specifically for a single system and do not provide a standard interface to work with other security monitoring systems. Moreover, this technique breaks down the borders of the segregation between multiple tenants, which should be avoided in a public cloud computing environment. In this paper, we focus on building a flexible and encrypted Virtual Machine Introspection system, CryptVMI, to address the above concerns. Our approach maintains a client application on the user end to send queries to the cloud, as well as parse the results returned in a standard form. We also have a handler that cooperates with an introspection application in the cloud infrastructure to process queries and return encrypted results. This work shows our design and implementation of this system, and the benchmark results prove that it does not incur much performance overhead. Keywords: cloud computing, confidentiality, virtual machine introspection, virtualization
  • Junghwan Rhee; Riley, R.; Zhiqiang Lin; Xuxian Jiang; Dongyan Xu, "Data-Centric OS Kernel Malware Characterization," Information Forensics and Security, IEEE Transactions on , vol.9, no.1, pp.72,87, Jan. 2014. (ID#:14-1842) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6671356&isnumber=6684617 Traditional malware detection and analysis approaches have been focusing on code-centric aspects of malicious programs, such as detection of the injection of malicious code or matching malicious code sequences. However, modern malware has been employing advanced strategies, such as reusing legitimate code or obfuscating malware code to circumvent the detection. As a new perspective to complement code-centric approaches, we propose a data-centric OS kernel malware characterization architecture that detects and characterizes malware attacks based on the properties of data objects manipulated during the attacks. This framework consists of two system components with novel features: First, a runtime kernel object mapping system which has an un-tampered view of kernel data objects resistant to manipulation by malware. This view is effective at detecting a class of malware that hides dynamic data objects. Second, this framework consists of a new kernel malware detection approach that generates malware signatures based on the data access patterns specific to malware attacks. This approach has an extended coverage that detects not only the malware with the signatures, but also the malware variants that share the attack patterns by modeling the low level data access behaviors as signatures. Our experiments against a variety of real-world kernel rootkits demonstrate the effectiveness of data-centric malware signatures. Keywords: data encapsulation; digital signatures; invasive software; operating system kernels; attack patterns; code-centric approach; data access patterns; data object manipulation; data-centric OS kernel malware characterization architecture; dynamic data object hiding; low level data access behavior modeling; malware attack characterization; malware signatures; real-world kernel rootkits; runtime kernel object mapping system; Data structures; Dynamic scheduling; Kernel; Malware; Monitoring; Resource management; Runtime; OS kernel malware characterization; data-centric malware analysis; virtual machine monitor
  • Nikolai, J.; Yong Wang, "Hypervisor-based Cloud Intrusion Detection System," Computing, Networking and Communications (ICNC), 2014 International Conference on , vol., no., pp.989,993, 3-6 Feb. 2014. (ID#:14-1843) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6785472&isnumber=6785290 Shared resources are an essential part of cloud computing. Virtualization and multi-tenancy provide a number of advantages for increasing resource utilization and for providing on demand elasticity. However, these cloud features also raise many security concerns related to cloud computing resources. In this paper, we propose an architecture and approach for leveraging the virtualization technology at the core of cloud computing to perform intrusion detection security using hypervisor performance metrics. Through the use of virtual machine performance metrics gathered from hypervisors, such as packets transmitted/received, block device read/write requests, and CPU utilization, we demonstrate and verify that suspicious activities can be profiled without detailed knowledge of the operating system running within the virtual machines. The proposed hypervisor-based cloud intrusion detection system does not require additional software installed in virtual machines and has many advantages compared to host-based and network-based intrusion detection systems, and it can complement these traditional approaches to intrusion detection. Keywords: cloud computing; computer network security; software architecture; software metrics; virtual machines; virtualization; CPU utilization; block device read requests; block device write requests; cloud computing resources; cloud features; hypervisor performance metrics; hypervisor-based cloud intrusion detection system; intrusion detection security; multitenancy; operating system; packet transmission; received packets; shared resource utilization; virtual machine performance metrics; virtualization; virtualization technology; Cloud computing; Computer crime; Intrusion detection; Measurement; Virtual machine monitors; Virtual machining; Cloud Computing; hypervisor; intrusion detection
  • Thethi, N.; Keane, A., "Digital Forensics Investigations in the Cloud," Advance Computing Conference (IACC), 2014 IEEE International , vol., no., pp.1475,1480, 21-22 Feb. 2014. (ID#:14-1844) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6779543&isnumber=6779283 The essentially infinite storage space offered by Cloud Computing is quickly becoming a problem for forensics investigators in regards to evidence acquisition, forensic imaging and extended time for data analysis. It is apparent that the amount of stored data will at some point become impossible to practically image for the forensic investigators to complete a full investigation. In this paper, we address these issues by determining the relationship between acquisition times on the different storage capacities, using remote acquisition to obtain data from virtual machines in the cloud. A hypothetical case study is used to investigate the importance of using a partial and full approach for acquisition of data from the cloud and to determine how each approach affects the duration and accuracy of the forensics investigation and outcome. Our results indicate that the relation between the time taken for image acquisition and different storage volumes is not linear, owing to several factors affecting remote acquisition, especially over the Internet. Performing the acquisition using cloud resources showed a considerable reduction in time when compared to the conventional imaging method. For a 30GB storage volume, the least time was recorded for the snapshot functionality of the cloud and dd command. The time using this method is reduced by almost 77 percent. FTK Remote Agent proved to be most efficient showing an almost 12 percent reduction in time over other methods of acquisition. Furthermore, the timelines produced with the help of the case study, showed that the hybrid approach should be preferred to complete approach for performing acquisition from the cloud, especially in time critical scenarios. Keywords: cloud computing; data analysis; digital forensics; operating systems (computers); virtual machines; FTK remote agent; cloud computing; data analysis; digital forensics investigations; evidence acquisition; extended time; forensic imaging; image acquisition; remote acquisition; storage capacities; virtual machines; Cloud computing; Conferences; Digital forensics; Imaging; Virtual machining; Cloud evidence acquisition; Cloud forensics
  • Sheng-Wei Lee; Fang Yu, "Securing KVM-Based Cloud Systems via Virtualization Introspection," System Sciences (HICSS), 2014 47th Hawaii International Conference on , vol., no., pp.5028,5037, 6-9 Jan. 2014. (ID#:14-1845) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6759220&isnumber=6758592 Linux Kernel Virtual Machine (KVM) is one of the most commonly deployed hypervisor drivers in the IaaS layer of cloud computing ecosystems. The hypervisor provides a full-virtualization environment that intends to virtualize as much hardware and systems as possible, including CPUs, network interfaces and chipsets. With KVM, heterogeneous operating systems can be installed in Virtual Machines (VMs) in a homogeneous environment. However, it has been shown that various breaches due to software defects may cause damage to such a cloud ecosystem. We propose a new Virtualization Introspection System (VIS) to protect the host as well as VMs running on a KVM-based cloud structure from malicious attacks. VIS detects and intercepts attacks from VMs by collecting their static and dynamic status. We then replay the attacks on VMs and leverage artificial intelligence techniques to derive effective decision rules with unsupervised learning nature. The preliminary result shows the promise of the presented approach against several modern attacks on CVE-based vulnerabilities. Keywords: Linux; cloud computing; computer network security; device drivers; operating system kernels; unsupervised learning; virtual machines; virtualization; CVE-based vulnerabilities; IaaS layer; KVM-based cloud structure; KVM-based cloud system security; Linux kernel virtual machine; artificial intelligence techniques; cloud computing ecosystems; cloud ecosystem; decision rules; dynamic status; full-virtualization environment; heterogeneous operating systems; homogeneous environment; hypervisor drivers; malicious attacks; software defects; static status; unsupervised learning; virtualization introspection system; Analytical models; Computer hacking; Monitoring; Software; Virtual machine monitors; Virtualization; GHSOM; cloud systems; monitor; security; virtualization
  • Datta, E.; Goyal, N., "Security Attack Mitigation Framework For The Cloud," Reliability and Maintainability Symposium (RAMS), 2014 Annual , vol., no., pp.1,6, 27-30 Jan. 2014. (ID#:14-1846) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6798457&isnumber=6798433 Cloud computing brings in a lot of advantages for enterprise IT infrastructure; virtualization technology, which is the backbone of cloud, provides easy consolidation of resources, reduction of cost, space and management efforts. However, security of critical and private data is a major concern which still keeps back a lot of customers from switching over from their traditional in-house IT infrastructure to a cloud service. Existence of techniques to physically locate a virtual machine in the cloud, proliferation of software vulnerability exploits and cross-channel attacks in-between virtual machines, all of these together increase the risk of business data leaks and privacy losses. This work proposes a framework to mitigate such risks and engineer customer trust towards enterprise cloud computing. Every day new vulnerabilities are being discovered even in well-engineered software products and the hacking techniques are getting sophisticated over time. In this scenario, absolute guarantee of security in an enterprise-wide information processing system seems a remote possibility; software systems in the cloud are vulnerable to security attacks. A practical solution for the security problems lies in a well-engineered attack mitigation plan. On the positive side, cloud computing has a collective infrastructure which can be effectively used to mitigate the attacks if an appropriate defense framework is in place. We propose such an attack mitigation framework for the cloud. Software vulnerabilities in the cloud have different severities and different impacts on the security parameters (confidentiality, integrity, and availability). By using a Markov model, we continuously monitor and quantify the risk of compromise in different security parameters (e.g.: change in the potential to compromise the data confidentiality). Whenever there is a significant change in risk, our framework would facilitate the tenants to calculate the Mean Time to Security Failure (MTTSF) of the cloud and allow them to adopt a dynamic mitigation plan. This framework is an add-on security layer in the cloud resource manager and it could improve the customer trust on enterprise cloud solutions. Keywords: Markov processes; cloud computing; security of data; virtualization; MTTSF cloud; Markov model; attack mitigation plan; availability parameter; business data leaks; cloud resource manager; cloud service; confidentiality parameter; cross-channel attacks; customer trust; enterprise IT infrastructure; enterprise cloud computing; enterprise cloud solutions; enterprise wide information processing system; hacking techniques; information technology; integrity parameter; mean time to security failure; privacy losses; private data security; resource consolidation; security attack mitigation framework; security guarantee; software products; software vulnerabilities; software vulnerability exploits; virtual machine; virtualization technology; Cloud computing; Companies; Security; Silicon; Virtual machining; Attack Graphs; Cloud computing; Markov Chain; Security; Security Administration
  • Wang, L.; Kalbarczyk, Z.; Iyer, R.; Iyengar, A., "VM-μCheckpoint: Design, Modeling, and Assessment of Lightweight In-Memory VM Checkpointing," Dependable and Secure Computing, IEEE Transactions on, vol. PP, no.99, pp.1,1, June 2014. (ID#:14-1847) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6824750&isnumber=4358699 Checkpointing and rollback techniques enhance reliability and availability of virtual machines and their hosted IT services. This paper proposes VM-μCheckpoint, a lightweight pure-software mechanism for high-frequency checkpointing and rapid recovery for VMs. Compared with existing techniques of VM checkpointing, VM-μCheckpoint tries to minimize checkpoint overhead and speed up recovery by means of copy-on-write, dirty-page prediction and in-place recovery, as well as saving incremental checkpoints in volatile memory. Moreover, VM-μCheckpoint deals with the issue that latency in error detection potentially results in corrupted checkpoints, particularly when checkpointing frequency is high. We also constructed Markov models to study the availability improvements provided by VM-μCheckpoint (from 99% to 99.98% on reasonably reliable hypervisors). We designed and implemented VM-μCheckpoint in the Xen VMM. The evaluation results demonstrate that VM-μCheckpoint incurs an average of 6.3% overhead (in terms of program execution time) for 50ms checkpoint intervals when executing the SPEC CINT 2006 benchmark. Error injection experiments demonstrate that VM-μCheckpoint, combined with error detection techniques in RMK, provides high coverage of recovery. Keywords: Availability; Checkpointing; Computer crashes; Pins; Transient analysis; Virtual machine monitors
  • Bakshi, Kapil, "Secure Hybrid Cloud Computing: Approaches And Use Cases," Aerospace Conference, 2014 IEEE , vol., no., pp.1,8, 1-8 March 2014. (ID#:14-1848) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6836198&isnumber=6836156 Hybrid cloud is defined as a cloud infrastructure composed of two or more cloud infrastructures (private, public, and community clouds) that remain unique entities, but are bound together via technologies and approaches for the purposes of application and data portability. This paper will review a novel approach for implementing a secure hybrid cloud. Keywords: Cloud computing; Computer architecture; Switches; Virtual machine monitors; Virtual machining
  • Guenane, Fouad; Boujezza, Hajer; Nogueira, Michele; Pujolle, Guy, "An Architecture To Manage Performance And Reliability On Hybrid Cloud-Based Firewalling," Network Operations and Management Symposium (NOMS), 2014 IEEE , vol., no., pp.1,5, 5-9 May 2014. (ID#:14-1849) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6838334&isnumber=6838210 Firewalls are the first line of defense for networking services and applications. With the advent of virtualization and Cloud Computing and the explosive growth of network-based services, investigations have emphasized the limitations of conventional firewalls. However, despite being impressively significant to improve security, cloud-based firewalling approaches still experience severe performance and reliability issues that can lead to non-use of these services by companies. Hence, our work presents an efficient architecture to manage performance and reliability on a hybrid cloud-based firewalling service. Being composed of a physical and a virtual part, the architecture follows an approach that supports and complements basic physical firewall functionalities with virtual ones. The architecture was deployed and experimental results show that the proposed approach improves the computational power of the traditional firewall with the support of a cloud-based firewalling service. Keywords: Authentication; Cloud computing; Computer architecture; Firewalls (computing); Monitoring; Virtual machining; Firewall; Network security; Secaas; Security as a Service
  • Himmel, M.A.; Grossman, F., "Security on Distributed Systems: Cloud Security Versus Traditional IT," IBM Journal of Research and Development , vol.58, no.1, pp.3:1,3:13, Jan.-Feb. 2014. (ID#:14-1850) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6717051&isnumber=6717043 Cloud computing is a popular subject across the IT (information technology) industry, but many risks associated with this relatively new delivery model are not yet fully understood. In this paper, we use a qualitative approach to gain insight into the vectors that contribute to cloud computing risks in the areas of security, business, and compliance. The focus is on the identification of risk vectors affecting cloud computing services and the creation of a framework that can help IT managers in their cloud adoption process and risk mitigation strategy. Economic pressures on businesses are creating a demand for an alternative delivery model that can provide flexible payments, dramatic cuts in capital investment, and reductions in operational cost. Cloud computing is positioned to take advantage of these economic pressures with low-cost IT services and a flexible payment model, but with certain security and privacy risks. The frameworks offered by this paper may assist IT professionals obtain a clearer understanding of the risk tradeoffs associated with cloud computing environments. Keywords: Automation; Cloud computing; Computer security; Information technology; Risk management; Virtual machine monitors
  • Mapp, Glenford; Aiash, Mahdi; Ondiege, Brian; Clarke, Malcolm, "Exploring a New Security Framework for Cloud Storage Using Capabilities," Service Oriented System Engineering (SOSE), 2014 IEEE 8th International Symposium on , vol., no., pp.484,489, 7-11 April 2014. (ID#:14-1851) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6830953&isnumber=6825948 We are seeing the deployment of new types of networks such as sensor networks for environmental and infrastructural monitoring, social networks such as facebook, and e-Health networks for patient monitoring. These networks are producing large amounts of data that need to be stored, processed and analysed. Cloud technology is being used to meet these challenges. However, a key issue is how to provide security for data stored in the Cloud. This paper addresses this issue in two ways. It first proposes a new security framework for Cloud security which deals with all the major system entities. Secondly, it introduces a Capability ID system based on modified IPv6 addressing which can be used to implement a security framework for Cloud storage. The paper then shows how these techniques are being used to build an e-Health system for patient monitoring. Keywords: Cloud computing; Companies; Monitoring; Protocols; Security; Servers; Virtual machine monitors; Capability Systems; Cloud Storage; Security Framework; e-Health Monitoring
  • Lin, Ying-Dar; Lee, Chia-Yin; Wu, Yu-Sung; Ho, Pei-Hsiu; Wang, Fu-Yu; Tsai, Yi-Lang, "Active versus Passive Malware Collection," Computer , vol.47, no.4, pp.59,65, Apr. 2014. (ID#:14-1852) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6544525&isnumber=6798540 An exploration of active and passive malware honeypots reveals that the two systems yield vastly different malware collections and that peer-to-peer file sharing is an important, but often overlooked, malware source. Keywords: Databases; Malware; Peer-to-peer computing; Telecommunication traffic; Trojan horses; Virtual machining; honeypots; malware collection and detection; network security; network vulnerability
  • Elwell, Jesse; Riley, Ryan; Abu-Ghazaleh, Nael; Ponomarev, Dmitry, "A Non-Inclusive Memory Permissions Architecture For Protection Against Cross-Layer Attacks," High Performance Computer Architecture (HPCA), 2014 IEEE 20th International Symposium on , vol., no., pp.201,212, 15-19 Feb. 2014. (ID#:14-1853) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6835931&isnumber=6835920 Protecting modern computer systems and complex software stacks against the growing range of possible attacks is becoming increasingly difficult. The architecture of modern commodity systems allows attackers to subvert privileged system software often using a single exploit. Once the system is compromised, inclusive permissions used by current architectures and operating systems easily allow a compromised high-privileged software layer to perform arbitrary malicious activities, even on behalf of other software layers. This paper presents a hardware-supported page permission scheme for the physical pages that is based on the concept of non-inclusive sets of memory permissions for different layers of system software such as hypervisors, operating systems, and user-level applications. Instead of viewing privilege levels as an ordered hierarchy with each successive level being more privileged, we view them as distinct levels each with its own set of permissions. Such a permission mechanism, implemented as part of a processor architecture, provides a common framework for defending against a range of recent attacks. We demonstrate that such a protection can be achieved with negligible performance overhead, low hardware complexity and minimal changes to the commodity OS and hypervisor code. Keywords: Hardware; Memory management; Permission; System software; Virtual machine monitors
  • Weng, C.; Zhan, J.; Luo, Y., "TSAC: Enforcing Isolation of Virtual Machines in Clouds," Computers, IEEE Transactions on, vol. PP, no.99, pp.1,1, May 2014. (ID#:14-1854) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6812169&isnumber=4358213 Virtualization plays a vital role in building the infrastructure of Clouds, and isolation is considered as one of its important features. However, we demonstrate with practical measurements that there exist two kinds of isolation problems in current virtualized systems, due to cache interference in a multi-core processor. That is, one virtual machine could degrade the performance or obtain the load information of another virtual machine which runs on the same physical machine. Then we present a time-sensitive contention management approach (TSAC) for allocating resources dynamically in the virtual machine monitor, in which virtual machines are controlled to share some physical resources (e.g., CPU or page color) in a dynamic manner, in order to enforce isolation between the virtual machines without sacrificing performance of the virtualized system. We have implemented a working prototype based on Xen, evaluated the implemented prototype with experiments, and experimental results show that TSAC could significantly improve isolation of virtualization. Specifically, compared to the default Xen, TSAC could improve the performance of the victim virtual machine by up to about 78%, and perform well in blocking its cache-based load information leakage. Keywords: Access control; Central Processing Unit; Operating systems; Resource management; Virtual machine monitors; Virtual machining; Virtualization
  • Aiash, Mahdi; Mapp, Glenford; Gemikonakli, Orhan, "Secure Live Virtual Machines Migration: Issues and Solutions," Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on , vol., no., pp.160,165, 13-16 May 2014. (ID#:14-1855) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6844631&isnumber=6844560 In recent years, there has been a huge trend towards running network intensive applications, such as Internet servers and Cloud-based services, in virtual environments, where multiple virtual machines (VMs) running on the same machine share the machine's physical and network resources. In such an environment, the virtual machine monitor (VMM) virtualizes the machine's resources in terms of CPU, memory, storage, network and I/O devices to allow multiple operating systems running in different VMs to operate and access the network concurrently. A key feature of virtualization is live migration (LM), which allows transfer of a virtual machine from one physical server to another without interrupting the services running in the virtual machine. Live migration facilitates workload balancing, fault tolerance, online system maintenance, consolidation of virtual machines etc. However, live migration is still in an early stage of implementation and its security is yet to be evaluated. The security concern of live migration is a major factor for its adoption by the IT industry. Therefore, this paper uses the X.805 security standard to investigate attacks on live virtual machine migration. The analysis highlights the main source of threats and suggests approaches to tackle them. The paper also surveys and compares different proposals in the literature to secure the live migration. Keywords: (not provided)
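The Nikolai and Wang entry above (ID#:14-1843) profiles guests from counters the hypervisor already exports: packets transmitted/received, block reads/writes and CPU utilization, with no agent inside the VM. The following is an added example, not code from that paper or from any hypervisor project: it learns a per-VM baseline from a quiet window and scores later samples against it. The metric names, the z-score rule with a 4-sigma threshold, and every sample value are assumptions made for the illustration; the paper's own profiling method is not described on this page.

```python
"""Profiling VM behaviour from hypervisor-side metrics only (added example).

Each Sample is one polling interval of counters a hypervisor exposes for a
guest, with no software inside the VM. A per-VM baseline is learned from a
quiet window and later samples are scored against it. The z-score rule is a
deliberately simple stand-in; it is not the cited paper's method.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

METRICS = ("tx_pkts", "rx_pkts", "blk_reads", "blk_writes", "cpu_pct")


@dataclass(frozen=True)
class Sample:
    vm: str
    tx_pkts: int
    rx_pkts: int
    blk_reads: int
    blk_writes: int
    cpu_pct: float


def build_baseline(samples):
    """Per-VM (mean, population std-dev) of every metric over a training window."""
    by_vm = {}
    for s in samples:
        by_vm.setdefault(s.vm, []).append(s)
    baseline = {}
    for vm, rows in by_vm.items():
        baseline[vm] = {}
        for m in METRICS:
            values = [getattr(r, m) for r in rows]
            baseline[vm][m] = (mean(values), pstdev(values))
    return baseline


def zscores(sample, baseline, floor=1.0):
    """Deviation of each metric from the VM's baseline, in std-dev units.

    `floor` bounds the divisor from below so a metric that was constant during
    training does not turn every later jitter into an alert.
    """
    base = baseline[sample.vm]
    return {m: (getattr(sample, m) - base[m][0]) / max(base[m][1], floor)
            for m in METRICS}


def flag(sample, baseline, threshold=4.0):
    """Metrics whose deviation exceeds `threshold`; an empty list means 'normal'."""
    return sorted(m for m, z in zscores(sample, baseline).items()
                  if abs(z) > threshold)


# Constructed training window for one guest (values invented for the example).
TRAINING = [
    Sample("web-1", 1000, 900, 200, 50, 20.0),
    Sample("web-1", 1040, 900, 210, 50, 22.0),
    Sample("web-1", 960, 920, 190, 60, 18.0),
    Sample("web-1", 1000, 880, 200, 40, 20.0),
]

# Constructed observations: a normal interval; an outbound packet burst with
# little return traffic (scan-like); a CPU spike with unchanged I/O.
NORMAL = Sample("web-1", 1020, 905, 195, 55, 21.0)
SCAN_LIKE = Sample("web-1", 9000, 400, 205, 52, 21.0)
CPU_SPIKE = Sample("web-1", 1010, 895, 198, 51, 95.0)

if __name__ == "__main__":
    base = build_baseline(TRAINING)
    for name, obs in (("normal", NORMAL), ("scan-like", SCAN_LIKE),
                      ("cpu-spike", CPU_SPIKE)):
        print(f"{name:10s} flagged={flag(obs, base)}")
```

Scoring each metric separately is what makes the alert explainable (a transmit burst with collapsing receive counts looks different from a pure CPU spike), and the floor on the standard deviation is the check a practitioner needs before deploying a baseline learned from a short, very quiet window. A guest absent from the baseline raises `KeyError`; a real deployment would treat an unknown VM as its own alert.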
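The Datta and Goyal entry above (ID#:14-1846) quantifies risk with a Markov model and lets tenants recompute the Mean Time to Security Failure (MTTSF) when the risk changes. As an added example, not the paper's model or code, the block below computes MTTSF for an absorbing continuous-time Markov chain: the transient part of the generator, Q_T, gives the mean absorption times t as the solution of (-Q_T) t = 1. The three-state chain (secure, vulnerable, compromised), its rate names and all numeric rates are assumptions chosen for the illustration.

```python
"""Mean Time to Security Failure (MTTSF) from an absorbing Markov chain (added example).

A continuous-time chain over security states; 'compromised' is absorbing and
represents loss of the property being tracked (say, confidentiality). MTTSF
from a state is the expected time until absorption. The three-state model and
its rates are assumptions for illustration, not the cited paper's model.
"""


def attack_model(lam_v, mu_p, lam_a):
    """Transition rates (per day) between states; keys are the transient states.

    secure --lam_v--> vulnerable       (an exploitable flaw appears in the stack)
    vulnerable --mu_p--> secure        (tenant or provider patches it)
    vulnerable --lam_a--> compromised  (an attacker exploits it first; absorbing)
    """
    return {
        "secure": {"vulnerable": lam_v},
        "vulnerable": {"secure": mu_p, "compromised": lam_a},
    }


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for A x = b (small dense systems)."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        if abs(M[c][c]) < 1e-12:
            # Happens when some transient state can never reach an absorbing
            # state: its expected time to failure is infinite, not a number.
            raise ValueError("singular system: some state can never reach failure")
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                for k in range(c, n + 1):
                    M[r][k] -= f * M[c][k]
    return [M[i][n] / M[i][i] for i in range(n)]


def mttsf(rates, start):
    """Expected time to absorption starting from `start`.

    Any transition target that is not a key of `rates` is absorbing. The
    diagonal of -Q_T is each state's total exit rate; off-diagonal entries are
    the negated rates back into transient states; absorbing targets drop out.
    """
    states = list(rates)
    idx = {s: i for i, s in enumerate(states)}
    n = len(states)
    A = [[0.0] * n for _ in range(n)]
    for s, out in rates.items():
        i = idx[s]
        A[i][i] = float(sum(out.values()))
        for target, r in out.items():
            if target in idx:
                A[i][idx[target]] -= r
    t = solve(A, [1.0] * n)
    return t[idx[start]]


if __name__ == "__main__":
    # Hypothetical rates: a new flaw every two days on average, patched within
    # half a day on average, exploited within ten days on average while exposed.
    baseline = attack_model(lam_v=0.5, mu_p=2.0, lam_a=0.1)
    print(f"baseline MTTSF:        {mttsf(baseline, 'secure'):.1f} days")
    # A public exploit raises lam_a tenfold: the kind of risk shift that should
    # trigger a new mitigation plan.
    exploited = attack_model(lam_v=0.5, mu_p=2.0, lam_a=1.0)
    print(f"after exploit release: {mttsf(exploited, 'secure'):.1f} days")
    # Faster patching (higher mu_p) is the lever that restores MTTSF.
    mitigated = attack_model(lam_v=0.5, mu_p=20.0, lam_a=1.0)
    print(f"with faster patching:  {mttsf(mitigated, 'secure'):.1f} days")
```

For this chain the closed form is MTTSF(secure) = (lam_a + lam_v + mu_p) / (lam_a * lam_v), which the solver reproduces (52 days for the baseline rates, 7 days once the exploit is public, 43 days with patching sped up tenfold); the linear-system form is what generalizes to the larger attack-graph chains the abstract refers to, where no closed form is convenient.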

Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) SecureDataBank.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.