Abstract
Security and privacy concern is still one of the major issues that prevent users from moving to public clouds. Introduction of security services based on virtual machine introspection into cloud does not relieve this situation, because these services are inflexible and untrusted by tenants. The root cause of the problem is that the cloud administrator has more privilege over the security services, which leaves no options for the tenants to protect their virtual machines. In this paper, we propose a technique to decouple security services from cloud platform via remote virtual machine introspection. It enables remote trusted managed security services to protect tenants’ virtual machines stealthily. We have implemented a proof-of-concept prototype with Xen hypervisor, called SE-Cloud. With the separation of introspection and security-business code, the security services can not be abused by administrators and have little impact on the management virtual machine. Our preliminary experimental results show that SE-Cloud can provide more robust and flexible protections for tenant virtual machines with acceptable overhead.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
XEN: http://www.xen.org.
- 2.
- 3.
VMware: http://www.vmware.com/.
- 4.
Available online, https://github.com/volatilityfoundation/volatility.
- 5.
Available online, http://ebtables.sourceforge.net/.
References
Ahmed, I., Richard, G.G., Zoranic, A., Roussev, V.: Integrity checking of function pointers in kernel pools via virtual machine introspection. In: Desmedt, Y. (ed.) ISC 2013. LNCS, vol. 7807, pp. 3–19. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-27659-5_1
Baek, H.W., Srivastava, A., Van der Merwe, J.: Cloudvmi: virtual machine introspection as a cloud service. In: Proceedings of the 2014 IEEE International Conference on Cloud Engineering (IC2E), pp. 153–158. IEEE (2014)
Baliga, A., Kamat, P., Iftode, L.: Lurking in the shadows: identifying systemic threats to kernel data. In: Proceedings of the IEEE Symposium on Security and Privacy (SP), pp. 246–251. IEEE (2007)
Bhattasali, T., Chaki, N.: Poster: exploring security as a service for IoT enabled remote application framework. In: Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and Services Companion (MobiSys Companion), p. 15. ACM (2016)
Butt, S., Lagar-Cavilla, H.A., Srivastava, A., Ganapathy, V.: Self-service cloud computing. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS), pp. 253–264. ACM (2012)
Daniel, J., Dimitrakos, T., El-Moussa, F., Ducatel, G., Pawar, P., Sajjad, A.: Seamless enablement of intelligent protection for enterprise cloud applications through service store. In: Proceedings of the 2014 IEEE 6th International Conference on Cloud Computing Technology and Science (CloudCom), pp. 1021–1026. IEEE (2014)
Fu, Y., Lin, Z.: Bridging the semantic gap in virtual machine introspection via online kernel data redirection. ACM Trans. Inf. Syst. Secur. 16(2), 1–29 (2013)
Garfinkel, T., Rosenblum, M., et al.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the Conference on Network and Distributed System Security Symposium (NDSS), pp. 191–206. Internet Society (2003)
Harrison, C., Cook, D., McGraw, R., Hamilton, J.: Constructing a cloud-based IDS by merging VMI with FMA. In: Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 163–169. IEEE (2012)
Hurel, G., Badonnel, R., Lahmadi, A., Festor, O.: Outsourcing mobile security in the cloud. In: Sperotto, A., Doyen, G., Latré, S., Charalambides, M., Stiller, B. (eds.) AIMS 2014. LNCS, vol. 8508, pp. 69–73. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43862-6_9
Jain, B., Baig, M.B., Zhang, D., Porter, D.E., Sion, R.: SoK: introspections on trust and the semantic gap. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy (SP), pp. 605–620. IEEE (2014)
Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through VMM-based “out-of-the-box” semantic view reconstruction. In: Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), pp. 128–138. ACM (2007)
King, S.T., Dunlap, G.W., Chen, P.M.: Debugging operating systems with time-traveling virtual machines. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference (ATEC), pp. 1–15. USENIX Association (2005)
Lengyel, T.K., Maresca, S., Payne, B.D., Webster, G.D., Vogl, S., Kiayias, A.: Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system. In: Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC), pp. 386–395. ACM (2014)
Payne, B.D.: Simplifying virtual machine introspection using LibVMI. Technical report SAND2012-7818, Sandia National Laboratories (2012)
Shi, J., Yang, Y., He, J., Tang, C., Li, Q.: Design of a comprehensive virtual machine monitoring system. In: Proceedings of the IEEE 3rd International Conference on Cloud Computing and Intelligence Systems (CCIS), pp. 510–513. IEEE (2014)
Srivastava, A., Giffin, J.: Tamper-resistant, application-aware blocking of malicious network connections. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 39–58. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-87403-4_3
Suneja, S., Isci, C., Bala, V., De Lara, E., Mummert, T.: Non-intrusive, out-of-band and out-of-the-box systems monitoring in the cloud. In: Proceedings of the 2014 ACM International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS), pp. 249–261. ACM (2014)
Varadharajan, V., Tupakula, U.: Security as a service model for cloud environment. IEEE Trans. Netw. Serv. Manage. 11(1), 60–75 (2014)
Wang, J., Stavrou, A., Ghosh, A.: HyperCheck: a hardware-assisted integrity monitor. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 158–177. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15512-3_9
Acknowledgments
We would like to thank the anonymous reviewers for their insightful comments and suggestions on improving this paper. In this paper, the research was supported by the National Natural Science Foundation of China under Grant Nos. 61402508 and 61303191. The research also supported by National High Technology Research and Development Program of China (863) under Grant No. 2015AA016010.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Zhou, H., Ba, H., Ren, J., Wang, Y., Wang, Z., Li, Y. (2017). Decoupling Security Services from IaaS Cloud Through Remote Virtual Machine Introspection. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, KK. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2017. Lecture Notes in Computer Science(), vol 10656. Springer, Cham. https://doi.org/10.1007/978-3-319-72389-1_41
Download citation
DOI: https://doi.org/10.1007/978-3-319-72389-1_41
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-72388-4
Online ISBN: 978-3-319-72389-1
eBook Packages: Computer ScienceComputer Science (R0)