Virtualization Security in Data Centers and Clouds
Minjie Zheng, mzheng@go.wustl.edu (A project report written under the guidance of Prof. Raj Jain) DownloadPDF
Abstract
In the past decade, with the unprecedented growth in tech companies and advances in cloud computing, it has become increasingly common for companies to incorporate virtualization in their data centers to fully utilize their hardware resources. As a result, virtualization and virtualization security have gone through major transforms in the recent years. Virtualization and its unique architecture have many characteristics and advantages over traditional non-virtualized machines. However, these new characteristics create new vulnerabilities and possible attacks on a
…show more content…
According to a research done by Nemertes Research, nearly 93% of the organizations it surveyed in 2009 have deployed virtualization in their servers [Ritter09]. However, with the vast benefits that come with adoption of virtualization, new challenges and vulnerabilities also arise at the same time.
This survey paper first provides an overview on the current state of virtualization. Although many forms of virtualization exist, this paper will primarily focus on virtualization techniques that are used in modern data centers and clouds. In addition, this paper will discuss the security vulnerabilities brought about by different virtualization techniques. Specifically, the paper will address the forms of possible attacks on a virtualized machine, the advantages of using virtualization, and some current challenges. Lastly, the paper will present plausible solutions to the security vulnerabilities of virtualization. The solutions will incorporate theoretical defense mechanisms on the architecture and infrastructure, and examples of current virtualization security products developed by security firms.
2. Virtualization Overview
Virtualization is the abstraction of a hardware or software system that lets applications run on top of the virtualized environment without the need of knowing the underlying resources available. The virtualized environment is otherwise known as the virtual machine
Virtualization is a combination of software and hardware engineering that creates Virtual Machines (VMs) - an abstraction of the computer hardware that allows a single machine to act as if it were many machines, or a computer that does not physically exist as a piece of hardware. The hardware that is seen by the operating system is emulated in an effort to separate the physical hardware from operating system. This allows the virtual machine to be moved and hosted on any machine independent of hardware. Virtualization technology is possibly the single most important issue in IT and has started a top to bottom overhaul of the computing industry which is why many companies around the world have are using its softwares to enhance their business opportunities.
Virtual Machine Security - Full Virtualization and Para Virtualization are two kinds of virtualization in a cloud computing paradigm. In full virtualization, entire hardware architecture is replicated virtually. However, in para virtualization, an operating system is modified so that it can be run concurrently with other operating systems. VMM Instance Isolation ensures that different instances running on the same physical machine are isolated from each other. However, current VMMs do not offer perfect isolation. Many bugs have been found in all popular VMMs that allow escaping from VM (Virtual machine). Vulnerabilities have been found in all virtualization software, which can be exploited by malicious users to bypass certain security restrictions or/and gain escalated privileges. ation software running on or being developed for cloud computing platforms presents different security challenges. It is depending on the delivery model of that particular platform. Flexibility, openness and public availability of cloud infrastructure are threats for application security. The existing vulnerabilities like Presence of trap doors, overflow problems, poor quality code etc. are threats for various attacks. Multi-tenant environment of cloud platforms, the lack of direct control over the environment, and access to data by the cloud platform vendor; are the key issues for using a cloud application. Preserving integrity of applications being executed in remote machines is an open
The security concerns for IaaS and PaaS models are described collectively because of their reliance over each other. The attacks on these two layers are of three types: attacks on the cloud services, attacks on virtualization and attacks on utility computing. Hardware virtualization, software virtualization, cloud software, utilitycomputing and Service Level Agreement (SLA) are considered some of the common security concerns for IaaS and PaaS.
The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service. Virtualization alters the relationship between the OS and underlying hardware - be it computing, storage or even networking. This introduces an additional layer -
Virtualization’s rate of adoption is completely characterized by the five characteristics described in the framework for the concepts of innovation (Luftman & Bullen, 2004, p. 189). It is perceived to be better than physical servers in its ability to host multiple operating systems and share the host’s resource. Its encapsulation of resources allows it to operate as if it was a physical machine yet it is totally virtual giving it a relative advantage. It is compatible with all baseline operating systems on the market. Complexity in implementation is minimal making it more attractive to adopt. The vendors allows for free downloads and trials. Its visibility in competition with Microsoft’s Hyper-V has shown multiple advantages. (Luftman & Bullen, 2004, p. 190)
Network Based Virtualization is abstract storage of data applications from the host machine. This is well achieved through fibre channels connection between the machines and the servers running virtualization. The respective operating systems on the separate machines are not a factor to consider as they work independently. For it to achieve its expectations, the following services must be provided as below:
Serverless computing is the ultimate reduction in security attack surface. There is no computer, virtual machine, container infrastructure or network service to attack - just your code and the potential of a security issue introduced by mostly human configuration errors. As is tradition with our portfolio companies, I conducted an interview with the CTO of our serverless security investment, Protego Labs about how monitoring the security of a serverless infrastructure is different than traditional cyber security paradigms.
Virtualization is being able to give a physical device the power, through the use of software, to do more than that physical device was technically designed and able to do (Santana, 2014, p. 12). For example, a server can only run one operating system at a time. However, when a hypervisor is used in a server, the hypervisor is a layer of software that acts like the server itself so that many operating systems can be run from that one server. The hardware, in this case a server, has been virtualized. The goal is to use all of the computer’s resources all of the time, and the only way to do that is to have enough things running that the resources are being used consistently and efficiently. An analogy for this could be online classes. If each teacher only had one student, the teacher’s resources of time and expertise would not be utilized efficiently because that one student will not need help all day, every day. If the teacher is assigned to fifteen students, the students can still get help when needed from the teacher, and they would not even be aware that they are not alone in the class. Because it is an online class, the teacher does not need any more physical resources to teach an entire class than was needed for one student. The students are receiving the benefits of being taught by that teacher without needing to be with him or her physically.
Virtualization in a network is the most interesting thing I have learned about. In full virtualization, the virtual machine completely simulates a real physical host. This allows most operating systems and applications to run within the virtual machine without being modified in anyway. I would envision using virtualization when testing a new service or application in the development stages, testing the product on different operating systems. I think virtualization is brilliant, a problem that arises is security and how you go about protecting your data in the virtual machine. Placing a virtual firewall is a good way to protect your machine of routing the memory through physical machines that have a firewall to protect them. A benefit of cloud
As we all know virtualization is the requirement of future. We have evolved from the age of traditional environment to virtual environment.We have grown accustomed to almost all things virtual from virtual memory to virtual networks to virtual storage.The most widely leveraged benefit of virtualization technology is server consolidation, enabling one server to take on the workloads of multiple servers. For example, by consolidating a branch office’s print server, fax server, exchange server, and web server on a single windows server, businesses reduce the costs of hardware, maintenance, and staffing.
VMware provides the vSphere application and similarly Microsoft provides Hyper-V application for the purpose of virtualization. Most of the major datacenter in the world use the VMware as their solution for virtualization. VMware dominates the server virtualization market in world due to its innovations, strategic partnerships and rock-solid products [2]. We shall be using VMware products to virtualize the hypothetical organization. The reasons for choosing VMware [3] are:
In this article, we discuss about the different cloud types and models, threats and vulnerabilities of cloud, and how to manage them. The main aim of this literature review is to identify the weak points in cloud computing, minimize the threats and improve the security system. We will also discuss two of the main concepts of cloud – virtualization and multi-tenancy (Mishra, Mathur, Jain, & Rathore, 2013). A brief analysis of each of the threat and security measure is described in the literature review.
Cloud technologies revolve heavily around virtual machines that reside on physical servers (Talbot, 2009). One physical server could be the home of a slew of virtual machines; should an attacker interrupt the normal operations of a physical server it could result in the inoperability of the virtual machines also. One of the techniques can be used is an attacker implanting a virtual machine on a physical server (Talbot, 2009). Once the
Trust Computing Platform (TCP) comprises of two components namely Trusted Virtual Machine Monitors (TVMM) and Trusted Coordinator. As the name suggests, TVMM is responsible for hosting the user’s virtual machines (VM) and protects their VM’s modifications and inspections. While, the Trusted Coordinator uses certain set of nodes that are
Cloud computing has become so famous; there is much widespread news about the cloud these days. This is mainly because of the exponential shift of the business applications from traditional models of software towards the Internet, and now through mobile devices. Cloud computing is a model that uses the network of remote servers that has been hosted on the internet rather than on a specific hardware. This would enable a better shared pool for storing, accessing and processing of data. With the huge information being available in the internet, the security for cloud computing has been challenging and this paper would elucidates the security threats of cloud computing also stating the possible countermeasures for them.