Virtualization security for cloud computing service

Virtualization security for cloud computing service

Speaker: 張宗典Date:2012/06/01Advisor ：陳志達教授Type ： Conference

Shengmei Luo ， Zhaoji Lin ， Xiaohua ChenZTE Corporation Shenzhen, China

Zhuolin Yang, Jianyong ChenDept. of Computer Science and Technology

Shenzhen University Shenzhen, ChinaInternational Conference on Cloud and Service Computing 2011

IEEE

Outline

Introduction Security Vulnerabilities in Virtualization Virtualization Security Framework Virtual System Security Virtualization Security Management Conclusion

112/04/20 2

Outline


112/04/20 3

Introduction(1/3)

The menu of services is being enriched.SaaS , Paas , IaaS have been invented as part of

XaaS.XaaS=Anything as a ServiceBusiness as a Service(BaaS) 、 Database as a

Service(DaaS) 、 Voice as a Service(VaaS)…..eveything as a Service

112/04/20 4

Introduction(2/3)

Combing a set of existing techniques, such as SOA and Virtualization.Cloud Computing is regarded as a paradigm.

Data confidential against cloud servers is hence frequently desired when users outsource data for storage in the cloud.

112/04/20 5

Introduction(3/3)

Cloud computing already leverages virtualization for load balancing via dynamic provisioning and migration of VM among physical nodes.

This article Focused on virtualization security.Weaknesses and Attacks

And propose a scheme to solve current problems effectively.Virtual system securityVirtual security managment

112/04/20 6

Outline


112/04/20 7

Security Vulnerabilities in Virtualization Most of security threats identified in a VM

environment are very similar.Attack between VMs or between VMs and VMMVM escapeVirtual machine controlled by Host MachineDenial of ServiceVM sprawl

112/04/20 8

Attack between VMs or between VMs and VMM

Primary benefits that virtualization brings is isolation.

If not carefully deployed will become a threat to the environment.

Poor isolation access control policy will cause the inter-attack between VMs or between VMs and VMM.

112/04/20 9

VM escape

一種應用，攻擊者續允許扣作系統與管理程序直接互動的 VM 運作，使攻擊者進入主機上運行的其他 VM 。

If he attacker can compromise the VMs, they will have control of all of the guests.

Most VMs run with very high privileges on the host because a VM needs comprehensive access to the host’s hardware so it can map the real hardware into virtualized hardware for the guests..

112/04/20 10

Virtual machine controlled by Host Machine

More necessary to strictly protect the host machine than VMs.

If a host is compromised then the security of the VMs is under question.

112/04/20 11

Denial of Service

DoS or DDoS is an attempt to make a computer resource unavailable to its intended user.

Perpetrators of Dos attacks typically target sites or services hosted on high-profile web server.Such as banks, credit card payment gateways…

112/04/20 12

Denial of Service

In VM architecture the guest machines and the underlying host share the physical resources such as CPU, memory, HD…

112/04/20 13

VM sprawl

Inappropriate virtual machine management policy will cause VM sprawl.

112/04/20 14

Outline


112/04/20 15

Virtualization Security Framework Virtualization security could be investigate

from 2aspectsVirtual system securityVirtualization security management

112/04/20 16

Virtualization Security Framework

112/04/20 17

A Virtualization security framework

Outline


112/04/20 18

Virtual System Security

Virtual system security contains 4 parts.VM system architecture securityAccess controlVirtual firewallvIDS/vIPS

112/04/20 19

VM system architecture security

A security VM system should be protected by a robust, efficient and flexible.

Three architecture:PopularAdmin VMSecurity control

112/04/20 20

VM system architecture security

112/04/20 21

Popular Admin VM Security Control

Access Control

112/04/20 22

Virtual firewall

VF is a firewall deployed and running entirely within a virtual environment and which provides the packet filtering and monitoring.

It can be a managed kernel process running within the host VMM.

112/04/20 23

vIDS/vIPS

vIDS and vIPS protects virtual environment through collecting and analyzing information from network and Host to check if there are signs of attacking.

112/04/20 24

Outline


112/04/20 25

Virtualization Security Management Divide the VM management into four parts.

Patch managementVM migration managementVM image managementAudit

112/04/20 26

Patch management

開發及分銷廠商補丁導致無休止循環的安全更新生產系統。

管理安全更新不是一個簡單的任務對於任何組織。修補程序管理過程中必須正式通過文件和接收管理部門批准，以提供最佳的戰略實施這類系統的變化。廠商會經常修復安全問題的軟件或固件通過版本更新。他們可能不說明原因的版本改變或者什麼缺陷得到解決在給定的更新。

112/04/20 27

VM migration management

VM migration is a vulnerable process that is easily to be attacked.

When a VM is going to migrate to somewhere, particular security mechanisms should be taken into account.

112/04/20 28

VM image management

VM Image is a special type of file/data format which is used to instantiate(create) a VM within the virtual environment.

112/04/20 29

Audit

Audit the VM behaviors and sensitive data in order to monitor whether the operation of the virtual system is well or the sensitive data is safe.

112/04/20 30

Outline


112/04/20 31

Conclusion

Propose a virtualization security framework aim at the vulnerabilities.

This framework, VM system architecture can solve the problem of virtualization security effectively, and virtualization security management.

112/04/20 32

Thanks for listening

112/04/20 33

Documents

Virtualization security for cloud computing service