Abstract
Virtualization technologies allow multiple tenants to share physical resources with a degree of security and isolation that cannot be guaranteed by mere containerization. Further, virtualization allows protected, transparent introspection of Virtual Machine activity and content, thus supporting additional control and monitoring. These features provide a partial explanation of why virtualization has been an enabler for the flourishing of cloud services. Nevertheless, security and privacy issues are still present in virtualization technology and hence in Cloud platforms. As an example, even hardware virtualization protection/isolation is far from perfect and uncircumventable, as recently discovered vulnerabilities show. The objective of this paper is to shed light on current virtualization technology and its evolution from the point of view of security, with its application to the Cloud setting as the target.
Notes
1. Instruction Set Architecture(s).
2. Virtual Function I/O.
3. Software Guard Extensions.
4. Secure Encrypted Virtualization.
Acknowledgements
Roberto Di Pietro would like to thank Sushil Jajodia for the guidance and support received when he was a young PhD student visiting his Center for Secure Information Systems at GMU—a pivotal experience in Roberto’s professional life—and, above all, for Sushil’s life-long example of dedication and commitment to pursue research excellence.
Copyright information
© 2018 Springer Nature Switzerland AG
Cite this chapter
Di Pietro, R., Lombardi, F. (2018). Virtualization Technologies and Cloud Security: Advantages, Issues, and Perspectives. In: Samarati, P., Ray, I., Ray, I. (eds) From Database to Cyber Security. Lecture Notes in Computer Science, vol 11170. Springer, Cham. https://doi.org/10.1007/978-3-030-04834-1_9
DOI: https://doi.org/10.1007/978-3-030-04834-1_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-04833-4
Online ISBN: 978-3-030-04834-1
eBook Packages: Computer Science (R0)