Computer Science Infrastructure Security for Virtual Cloud Computing Peng Ning 04/08/111BITS/ Financial Services Roundtable Supported by the US National Science Foundation (NSF) grant # and an IBM Open Collaboration Research (OCR) Award.

Computer Science Outline Background Security threats to virtual cloud computing Security architecture for virtual cloud computing –Hypervisor-based security services –VM image security services –Hypervisor integrity services –Bypassing hypervisor control Conclusion 04/08/112

Computer Science What is Cloud Computing Wikipedia –Cloud computing is a paradigm of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet –Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them Virtualization is a key to cloud computing –Scalability –Ease of use –Affordable pricing 04/08/113

Computer Science Virtual Cloud Computing Virtual cloud computing is emerging as a promising solution to IT management –Reduction in hardware, operational, and administrative costs Examples –Amazon’s Elastic Compute Cloud (EC2) –IBM Research Compute Cloud (RC2) –Microsoft Azure –NCSU Virtual Computing Lab (VCL) 04/08/114

Computer Science Requested webserver running Access requested webserver Amazon EC2 management consoleSelect a VM imageLaunch requested webserverEC2 starting the requested webserver Industry Example: Amazon Elastic Compute Cloud (EC2) 04/08/115

Computer Science Request reservationGet reservation Academic Example: NC State Virtual Computing Lab (VCL) 04/08/116 Use reserved computer

Computer Science Security of Virtual Cloud Computing Need for security –Customers Their workloads will not be subject to attacks –Cloud service providers Their cloud services will work normally –Other users Compute clouds will not be used as stepping stones to attack them 04/08/117

Computer Science Security Threats in Virtual Cloud Computing External threats Guest-to-guest threats Guest-to-cloud threats Cloud-to-guest threats 04/08/118

Computer Science Security of Virtual Cloud Computing Our proposal –A security architecture for virtual cloud computing Addition of security architecture components –Main context: platform as a service 04/08/119

Computer Science A Typical Virtual Compute Cloud 04/08/1110

Computer Science Virtualization-based Runtime Security Services 04/08/1111

Computer Science Virtualization-based Runtime Security Services (Cont’d) Goals –System integrity and application data confidentiality Strategy –Exploit the isolation and higher privilege of the hypervisor to protect the guest OS Technical problems being addressed –Semantic gap –Overhead of “world changes” 04/08/1112

Computer Science An Example Technique – HIMA HIMA –A Hypervisor based Integrity Measurement Agent –Measure all applications loaded into guest VMs –Actively monitor all guest events that could change measured applications Time of Check to Time of Use (TOCTTOU) consistency Prototype –Prototypes for both Xen and Linux/KVM 04/08/1113

Computer Science Some Evaluation Results 04/08/11 Application-benchmark 14

Computer Science VM Image Security Services 04/08/1115

Computer Science Nüwa – Offline Patching of VM Images Motivation –Dormant VM images usually contain vulnerabilities –Offline security updates: Security service by Olive Challenge –Current patching system: Designed for running systems –Pre- and post-processing scripts –Examples: Stop/start daemons; conditional updates Nüwa approach –Script rewriting Offline patching of individual images in emulated environments Batched offline patching using Mirage –Leftovers: Resort to online updates Nüwa automated online update utility 04/08/1116

Computer Science Some Evaluation Results Performance gain by standalone Nüwa 04/08/1117 * 99% of patches can be applied offline * “Average” refers to the average of all 402 packages.

Computer Science Some Evaluation Results (Cont’d) Additional speedup by Mirage-based Nüwa –Another 2 – 10 times –Speedup increases as # images grows 04/08/1118

Computer Science Hypervisor Integrity Services 04/08/1119

Computer Science Why Hypervisor Integrity Services? Many virtualization-based security mechanisms assume the hypervisor is trusted –Examples: Lares, SIM, HookSafe, Patagonix, HIMA, … Hypervisors cannot be blindly trusted –Example #1 Two backdoors in Xen [BlackHat 2008] –Example #2 VM Ware ESX 3.x: 50 Secunia advisories; 368 vulnerabilities; 10% Secunia advisories not patched (Visited on 10/14/10) –Existing hypervisor's code base is growing More vulnerabilities are likely It is necessary to ensure hypervisor integrity 04/08/1120

Computer Science HyperSentry A generic framework to stealthily measure the integrity of a hypervisor in its context Key ideas –Allow the measurement software to gain the highest privilege temporarily –Measurement is triggered stealthily Scrubbing attacks –Isolate measurement results from the hypervisor 04/08/1121

Computer Science Some Evaluation Results IBM HS21XM blade server Measuring the Xen hypervisor –End-to-end execution time: 35 ms –Periodical measurement: Every 8 seconds: 2.4% overhead; every 16 seconds: 1.3% overhead 2204/08/11

Computer Science Isolated Execution to Bypass Hypervisor Control 04/08/1123

Computer Science Why Bypassing Hypervisor Control? Cloud service provider can see everything in guest workloads –How to process sensitive data in customers’ workloads? It is desirable to allow customers to have isolated execution bypassing hypervisor control –On-going work… 04/08/1124

Computer Science Conclusion Security of virtual cloud computing –Necessary for new research –Potentially fruitful research area Security architecture for virtual cloud computing –Hypervisor-based runtime security services –VM image security services –Integrity of hypervisors –Isolated execution bypassing hypervisor control –Not necessarily complete 04/08/1125

Computer Science Questions? Thank You! 04/08/1126