Virtual machines image protection in Cloud computing

Presentation transcript:

Virtual machines image protection in Cloud computing. Muhammad Kazim (2011-NUST-MSCCS-23). Thesis Supervisor: Dr. Muhammad Awais Shibli. G.E.C. Members: Dr. Abdul Ghafoor Abbasi, Dr. Hamid Mukhtar, Ms. Rahat Masood. Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad

Agenda: Introduction, Motivation, Research Methodology, Problem Statement, Research Contributions, Implementation, Results, Evaluation, Conclusion.

Virtualization. In Cloud computing, virtualization is the basis of providing Infrastructure as a Service (IaaS). A single system can concurrently run multiple isolated virtual machines (VMs), different operating systems, or multiple instances of a single operating system (OS). Virtualization maximizes the work a single CPU can do, and organizations use it to gain efficiency in platform and application hosting.

Virtualization in Cloud. [Figure 1: Virtualization in Cloud]

Virtual Disk Image. A single file or directory representing the hard drive of a guest operating system. It encapsulates all components of a guest OS, including the applications and the virtual resources used by the guest OS, and provides the ability to quickly launch and deploy virtual machines across various hosts.

Motivation. According to different surveys, virtualization security is one of the most important security issues in Cloud. Disk images in storage can be compromised through attacks such as unauthorized access, data leakage, malware installation and snapshot access in storage. Through such attacks, the integrity and confidentiality of images, and of the sensitive customer data stored in them, can be compromised. Standards bodies (NIST, CSA and PCI DSS) have published security guidelines that emphasize the importance of virtualization and disk image security.

Research Methodology. [Figure 2: Thesis research methodology, with the steps: identifying problem statement, defining research area, developing hypothesis, literature review, framework implementation, testing and evaluation, design framework]

Related Work. Literature survey: virtual machines security; IaaS security; security analysis of virtualization (virtual machines security, disk images security); security guidelines on virtualization from the National Institute of Standards and Technology (NIST), the Cloud Security Alliance (CSA) and the Payment Card Industry Data Security Standard (PCI DSS); industrial solutions (Storage Made Easy, Piston Cloud and Metacloud).

Problem Statement. Virtual machine images are vulnerable to infrastructure, hypervisor and storage attacks in Cloud. Therefore, VM images must be secured in Cloud storage through best security practices, both for protecting the sensitive customer data and for maintaining the integrity of disk images.

Research Contributions. Theoretical: two research publications. Practical: development of a disk image protection framework.

Conference Papers. Muhammad Kazim, Rahat Masood, Muhammad Awais Shibli, Abdul Ghafoor Abbasi, "Security aspects of virtualization in Cloud computing", 12th International Conference on Computer Information Systems and Industrial Management Applications (CISIM), Springer, Krakow, Poland, September 25-27, 2013. Muhammad Kazim, Rahat Masood, Muhammad Awais Shibli, "Securing the virtual machine images in Cloud computing", 6th International Conference on Security of Information and Networks (SIN 2013), ACM-SIGSAC, Aksaray, Turkey, November 26-28, 2013.

Analysis of virtualization security in Cloud. The security analysis of Cloud virtualization was done from three different aspects: general requirements for securing Cloud virtualization components, including the hypervisor, virtual machines, disk images and service providers; identification of possible attacks on virtualization components; and analysis of existing techniques for the security of virtualization components.

Virtual machines security analysis (requirements, attacks, solutions).
Requirement: Isolation between virtual machines should be properly implemented. Attack: Malicious programs use covert channels to communicate with other VMs in an unauthorized way. Solution: Vigilant can monitor faults in the guest OS of a VM.
Requirement: Update the OS regularly, use anti-virus software, secure internet access and restrict remote access. Attack: Malicious programs can monitor traffic, steal critical data, and tamper with the functionality of VMs. Solution: Security features such as a firewall, HIPS and log monitoring must be provided in the guest OS.
Requirement: Securely boot the guest VMs. Attack: An attacker can tamper with the boot process of guest VMs. Solution: The security protocol by J. Kong can be used to ensure secure boot of guest VMs.
Requirement: There must be a limit on VM resource usage. Attack: A malicious VM is used to consume extra resources of the system, resulting in a DoS attack. Solution: The administrator must deploy software that limits VMs to their authorized resources.

Disk images security analysis (requirements, attacks, solutions).
Requirement: Disk images must be secured from storage attacks. Attack: An attacker can compromise the stored images by installing malware and accessing the contents of images. Solution: Use encryption and hashing of images before saving them.
Requirement: Snapshots must be protected from unauthorized access. Attack: VM checkpoint attacks. Solution: Checkpoint attacks can be prevented by encrypting the checkpoints using SPARC.
Requirement: Apply updates and patches to keep images secure. Attack: Old images are vulnerable to zero-day attacks. Solution: Nuwa is a tool designed to apply efficient patching to VM images in Cloud.
Requirement: Backups of virtual machine images must be maintained. Attack: Unauthorized access to the backup data can result in leakage of sensitive information. Solution: Backups of VM images must be encrypted. J. Wei et al. proposed an image management system to manage Cloud VM images.

Implementation Perspective. Implement a framework that ensures confidentiality of images through encryption. Images are decrypted when required by the VM. Hashing techniques are used to ensure the integrity of images.

Encrypted Virtual Disk Images in Cloud (EVDIC). To secure virtual machine images from storage attacks in Cloud, EVDIC is proposed. EVDIC protects virtual machine images in Cloud by encrypting them before storage; the images are decrypted only when required by the virtual machine. EVDIC also addresses the security of the key management and key exchange process.

Disk Image Storage in Cloud. [Figure 4: Image Encryption in Cloud]

Disk Image Retrieval in Cloud. [Figure 5: Image Decryption in Cloud]

OpenStack. OpenStack is a highly scalable and elastic cloud computing platform for both large and small public and private Clouds. There are currently seven core components of OpenStack: Compute, Object Storage, Identity, Dashboard, Block Storage, Network and Image Service.

Deployment of OpenStack for development. Devstack is a documented shell script to build complete OpenStack development environments. Deployment of Devstack: set up a fresh supported Linux installation, clone devstack, deploy your OpenStack Cloud. http://devstack.org/

Debugging of source code. Debugging of Swift through the command line with pdb (the Python debugger). [Figure 6: Command line debugging using pdb]

Virtual machines in OpenStack. [Figure 7: Virtual machine cycle in OpenStack]

Integration of Image encryption and decryption with Swift. The OpenStack Swift API is implemented as a set of RESTful web services. The proxy server initiates an internal Swift PUT request to the object servers. Object servers process images chunk by chunk, so each chunk is encrypted and stored as part of the encrypted file. For decryption, the object server decrypts each chunk before it sends the image to the proxy server.

Image Encryption Module in Swift. [Figure 8: Image Encryption in OpenStack]

Image Decryption Module in Swift. [Figure 9: Image Decryption in OpenStack]

Virtual machine cycle in OpenStack with IEM and IDM. [Figure 10: IEM and IDM in OpenStack]

Results. After VM termination, the image is stored into Swift encrypted storage. AES is a block cipher, so encryption adds padding to the image. Encryption of images maintains their confidentiality in Cloud storage. A hash of the image is taken before encryption; during decryption the hash of the image is calculated again and compared with the original hash to ensure the integrity of the image.
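The following Python is an added example, not code from the thesis or from OpenStack Swift, modelling the IEM/IDM pipeline described in the Swift integration and results slides: hash the plaintext image, encrypt it chunk by chunk with only the last chunk PKCS#7-padded to the AES block size, then on retrieval decrypt each chunk, strip the padding and compare the hash. It assumes an HMAC-SHA256 counter-mode keystream as a stand-in for AES so it runs with the standard library alone; the key, nonce layout, chunk size and per-object metadata are constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16         # AES block size: padding rounds the last chunk up to this
CHUNK = 64 * 1024  # bytes the object server encrypts per chunk (assumed size)

# Constructed demo key; a deployment would fetch this from the key manager.
DEMO_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - (len(data) % BLOCK)      # always 1..BLOCK bytes, never zero
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: ciphertext was truncated or altered")
    return data[:-n]


def xor_chunk(key: bytes, nonce: bytes, idx: int, data: bytes) -> bytes:
    # Stand-in for AES (assumption): HMAC-SHA256 counter-mode keystream,
    # bound to the chunk index so no keystream block is reused across chunks.
    stream, ctr = b"", 0
    while len(stream) < len(data):
        msg = nonce + idx.to_bytes(4, "big") + ctr.to_bytes(4, "big")
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_image(image: bytes, key: bytes = DEMO_KEY) -> dict:
    """Image Encryption Module: hash the plaintext, then encrypt chunk by chunk."""
    chunks = [image[i:i + CHUNK] for i in range(0, len(image), CHUNK)] or [b""]
    chunks[-1] = pkcs7_pad(chunks[-1])   # only the final chunk needs padding
    nonce = os.urandom(8)
    data = b"".join(xor_chunk(key, nonce, i, c) for i, c in enumerate(chunks))
    return {"nonce": nonce, "chunks": len(chunks),
            "sha256": hashlib.sha256(image).hexdigest(), "data": data}


def decrypt_image(obj: dict, key: bytes = DEMO_KEY) -> bytes:
    """Image Decryption Module: decrypt chunk by chunk, unpad, verify the hash."""
    data, n = obj["data"], obj["chunks"]
    plain = []
    for i in range(n):
        c = data[i * CHUNK:(i + 1) * CHUNK] if i < n - 1 else data[i * CHUNK:]
        plain.append(xor_chunk(key, obj["nonce"], i, c))
    plain[-1] = pkcs7_unpad(plain[-1])
    image = b"".join(plain)
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), obj["sha256"]):
        raise ValueError("integrity check failed: image differs from stored hash")
    return image


def padding_overhead(image_len: int) -> int:
    """Extra bytes block-cipher padding adds to an image of this length."""
    return BLOCK - (image_len % BLOCK)


if __name__ == "__main__":
    img = bytes(range(256)) * 400 + b"tail"       # constructed 102404-byte image
    obj = encrypt_image(img)
    print(len(obj["data"]) - len(img), "bytes of padding")   # 12
    assert decrypt_image(obj) == img
```

Note that a plain SHA-256 stored next to the ciphertext detects accidental corruption and blind tampering, but anyone who can rewrite the stored object can also rewrite the hash; an authenticated mode or a keyed MAC over the ciphertext closes that gap.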

Evaluation. Various tools can be used to explore and modify images, including CDmage, Daemon Tools and Archive Manager; the content of encrypted images cannot be displayed by these tools. Our system protects images from data leakage, data alteration and image modification. Performance evaluation of the system shows ~15% overhead on image processing time, caused by the increase in image size after encryption, the retrieval of encryption keys during encryption and decryption, and the cryptographic operations themselves.

Evaluation. [Figure 11: Image upload in Swift] [Figure 12: Image download in Swift]

Conclusion. The image encryption module encrypts all virtual disk images before storage in OpenStack. They are decrypted when required by the virtual machine. Integrity and confidentiality of virtual machine images in storage is ensured. They are secure from all possible storage attacks such as data theft, malware installation and hypervisor issues.

Future Directions. Encryption of accounts to protect users and image lists in Swift. Integration of a key management protocol with Swift image encryption. Encryption of persistent storage used by virtual machines during execution.

References
[1] Shubhashis Sengupta, Vikrant Kaulgud, Vibhu Saujanya Sharma, "Cloud Computing Security - Trends and Research Directions", IEEE World Congress on Services, Washington, DC, USA, 2011.
[2] Jakub Szefer, Ruby B. Lee, "A Case for Hardware Protection of Guest VMs from Compromised Hypervisors in Cloud Computing", 31st International Conference on Distributed Computing Systems Workshops, Washington, DC, USA, 2011.
[3] Jinzhu Kong, "Protecting the confidentiality of virtual machines against untrusted host", International Symposium on Intelligence Information Processing and Trusted Computing, Washington, DC, USA, 2010.
[4] Farzad Sabahi, "Secure Virtualization for Cloud Environment Using Hypervisor-based Technology", International Journal of Machine Learning and Computing, vol. 2, no. 1, February 2012, pp. 39-45.
[5] Jenni Susan Reuben, "A Survey on Virtual Machine Security", TKK T-110.5290 Seminar on Network Security, 2007.

[6] Seongwook Jin, Jeongseob Ahn, Sanghoon Cha, Jaehyuk Huh, "Architectural Support for Secure Virtualization under a Vulnerable Hypervisor", Proceedings of the 44th Annual IEEE/ACM International Symposium on Microarchitecture, USA, 2011.
[7] Ryan Shea, Jiangchuan Liu, "Understanding the Impact of Denial of Service on Virtual Machines", IEEE 20th International Workshop on Quality of Service (IWQoS), Burnaby, BC, Canada, 2012.
[8] Wu Zhou, Peng Ning, Xiaolan Zhang, "Always up-to-date: scalable offline patching of VM images in a compute cloud", Proceedings of the 26th Annual Computer Security Applications Conference, New York, USA, 2010, pp. 377-386.
[9] J. Wei, X. Zhang, G. Ammons, V. Bala, P. Ning, "Managing security of virtual machine images in a cloud environment", Proceedings of the 2009 ACM Workshop on Cloud Computing Security, ACM, 2009, pp. 91-96.
[10] Mikhail I. Gofman, Ruiqi Luo, Ping Yang, Kartik Gopalan, "SPARC: A security and privacy aware Virtual Machine checkpointing mechanism", Proceedings of the 10th Annual ACM Workshop on Privacy in the Electronic Society, New York, USA, 2011, pp. 115-124.

THANK YOU