protection in Cloud computing
Muhammad Kazim (2011-NUST-MSCCS-23)
Thesis Supervisor
Dr. Muhammad Awais Shibli
G.E.C Members
Dr. Abdul Ghafoor Abbasi
Dr. Hamid Mukhtar
Ms. Rahat Masood
Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad
Agenda
Introduction
Motivation
Research Methodology
Problem Statement
Research Contributions
Implementation
Results
Evaluation
Conclusion
Virtualization
A single system can concurrently run multiple isolated virtual machines (VMs), operating systems or multiple instances of a single operating system (OS).
Organizations are using virtualization to gain efficiency in platform and application hosting.
Virtualization in Cloud
A disk image is a single file or directory representing the hard drive of a guest operating system.
Disk images provide the ability to quickly launch and deploy virtual machines across various hosts.
Motivation
According to different surveys, virtualization security is one of the most important security issues in Cloud.
Disk images in storage can be compromised through attacks such as unauthorized access, data leakage, malware installation and snapshot access in storage.
Through such attacks, the integrity and confidentiality of images and of the sensitive customer data stored in them can be compromised.
Standard bodies (NIST, CSA and PCI DSS) have published security guidelines that emphasize the importance of virtualization and disk image security.
Research Methodology
Defining research area -> Literature review -> Identifying problem statement -> Develop hypothesis -> Design framework -> Framework implementation -> Testing and evaluation
Related Work
Literature survey
IaaS Security
Security analysis of virtualization
Industrial solutions
Problem Statement
Virtual machine images are vulnerable to infrastructure, hypervisor and storage attacks in Cloud. Therefore, VM images must be secured in Cloud storage through best security practices, both for protecting the sensitive customer data and maintaining the integrity of disk images.
Research Contributions
Theoretical (Two research publications)
Practical (Development of disk image protection framework)
Conference Papers
Muhammad Kazim, Rahat Masood, Muhammad Awais Shibli, Abdul Ghafoor Abbasi, Security aspects of virtualization in Cloud computing, 12th International Conference on Computer Information Systems and Industrial Management Applications (CISIM), Springer, Krakow, Poland, September 25-27, 2013.
Muhammad Kazim, Rahat Masood, Muhammad Awais Shibli, Securing the virtual machine images in Cloud computing, 6th International Conference on Security of Information and Networks (SIN 2013), ACM-SIGSAC, Aksaray, Turkey, November 26-28, 2013.
Attacks and Solutions
Solution: The security protocol by J. Kong [3] can be used to ensure secure boot of guest VMs.
Attack: Using a malicious VM to consume extra resources of the system, resulting in a DoS attack.
Solution: Administrator must deploy a software or application that limits VMs to use authorized
Attacks and Solutions
Attack: Attacker can compromise the stored images by installing malware and accessing the contents of images.
Solution: Use encryption and hashing of images before saving them.
Attack: VM checkpoint attacks.
Attack: Unauthorized access to the backup data can result in leakage of sensitive information.
Implementation Perspective
Implement a framework that ensures confidentiality of images through encryption.
OpenStack
OpenStack is a highly scalable and elastic cloud computing platform for both large and small public and private Clouds.
Deployment of Devstack
http://devstack.org/
The proxy server initiates an internal Swift PUT request to the object servers.
Object servers process images chunk by chunk, so each chunk is encrypted and stored as part of the encrypted file.
For decryption, the object server decrypts each chunk before it sends the image to the proxy server.
Results
After VM termination, the image is stored into Swift encrypted storage.
AES is a block cipher, so encryption adds extra padding to images.
Encryption of images maintains their confidentiality in Cloud storage.
A hash of the image is taken before encryption. During decryption the hash of the image is calculated again and compared with the original hash to ensure the integrity of the image.
Evaluation
Conclusion
The image encryption module encrypts all virtual disk images before storage in OpenStack. They are decrypted when required by the virtual machine.
Future Directions
Encryption of accounts to protect users and image lists in Swift.
References
[1] Shubhashis Sengupta, Vikrant Kaulgud, Vibhu Saujanya Sharma, Cloud Computing Security - Trends and Research Directions, IEEE World Congress on Services, Washington, DC, USA, 2011.
[2] Jakub Szefer, Ruby B. Lee, A Case for Hardware Protection of Guest VMs from Compromised Hypervisors in Cloud Computing, 31st International Conference on Distributed Computing Systems Workshops, Washington, DC, USA, 2011.
[3] Jinzhu Kong, Protecting the confidentiality of virtual machines against untrusted host, International Symposium on Intelligence Information Processing and Trusted Computing, Washington, DC, USA, 2010.
[4] Farzad Sabahi, Secure Virtualization for Cloud Environment Using Hypervisor-based Technology, International Journal of Machine Learning and Computing, vol. 2, no. 1, February 2012, pp. 39-45.
[5] Jenni Susan Reuben, A Survey on Virtual Machine Security, TKK T-110.5290 Seminar on Network Security, 2007.
[6] Seongwook Jin, Jeongseob Ahn, Sanghoon Cha, Jaehyuk Huh, Architectural Support for Secure Virtualization under a Vulnerable Hypervisor, Proceedings of the 44th Annual IEEE/ACM International Symposium on Microarchitecture, USA, 2011.
[7] Ryan Shea, Jiangchuan Liu, Understanding the Impact of Denial of Service on Virtual Machines, IEEE 20th International Workshop on Quality of Service (IWQoS), Burnaby, BC, Canada, 2012.
[8] Wu Zhou, Peng Ning, Xiaolan Zhang, Always up-to-date: scalable offline patching of VM images in a compute cloud, Proceedings of the 26th Annual Computer Security Applications Conference, New York, USA, 2010, pp. 377-386.
[9] J. Wei, X. Zhang, G. Ammons, V. Bala, P. Ning, Managing security of virtual machine images in a cloud environment, Proceedings of the 2009 ACM Workshop on Cloud Computing Security, ACM, 2009, pp. 91-96.
[10] Mikhail I. Gofman, Ruiqi Luo, Ping Yang, Kartik Gopalan, SPARC: A security and privacy aware Virtual Machine checkpointing mechanism, Proceedings of the 10th Annual ACM Workshop on Privacy in the Electronic Society, New York, USA, 2011, pp. 115-124.