1 / 35

Virtual machines image protection in Cloud computing

Virtual machines image protection in Cloud computing. Muhammad Kazim (2011-NUST-MSCCS-23) Thesis Supervisor: Dr. Muhammad Awais Shibli G.E.C Members: Dr. Abdul Ghafoor Abbasi Dr. Hamid Mukhtar Ms. Rahat Masood. Agenda. Introduction Motivation Research Methodology

velvet
Download Presentation

Virtual machines image protection in Cloud computing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Virtual machines image protection in Cloud computing Muhammad Kazim (2011-NUST-MSCCS-23) Thesis Supervisor: Dr. Muhammad AwaisShibli G.E.C Members: Dr. Abdul GhafoorAbbasi Dr. Hamid Mukhtar Ms. RahatMasood

  2. Agenda • Introduction • Motivation • Research Methodology • Problem Statement • Research Contributions • Implementation • Results • Conclusion

  3. Introduction The core of Cloud services, Infrastructure-as-a-Service (IaaS) model provides the capability to provision; • Processing • Storage • Networks

  4. Virtualization • In Cloud computing, Virtualization is the basis of providing IaaS. • A single system can concurrently run multiple isolated virtual machines (VMs), operating systems or multiple instances of a single operating system (OS). • Virtualization maximizes the jobs a single CPU can do. • Organizations are using virtualization to gain efficiency in platform and application hosting.

  5. Virtualization in Cloud Figure 1: Virtualization in Cloud

  6. Virtual Disk Image • A single file or directory representing the hard drive of a guest operating system. • Encapsulates all components of a guest OS, including the applications and virtual resources used by guest OS. • Provides the ability to quickly launch and deploy virtual machines across various hosts.

  7. Motivation • Virtualization security is one of the most important security issues related to Cloud computing. • Disk images in Cloud storage can be compromised through attacks such as data leakage, malware installation on images and snapshot access in storage. • NIST, CSA and PCI DSS in their security guidelines for virtualization have emphasized the importance of virtualization and disk images security. • Only commercial solutions (Storage Made Easy, Piston Cloud) are available to secure virtual machine images in Cloud storage.

  8. Research Methodology Analysis of virtualization security Literature Survey Problem Statement Research Publication Framework Implementation Design Framework Testing Research Publication

  9. Problem Statement Virtual machine images are vulnerable to different attacks in Cloud storage. In order to secure virtual machines images from infrastructure, hypervisor and storage attacks, we have proposed a security mechanism that encrypts virtual machines images during storage.

  10. Contributions • Theoretical (Two Research Publications) • Practical (Development of OpenStack Disk Image Encryption framework)

  11. Conference Paper 1 Muhammad Kazim, RahatMasood, Muhammad AwaisShibli, Abdul GhafoorAbbasi, “Security Aspects of Virtualization in Cloud Computing”, 12th International Conference on Computer Information Systems and Industrial Management Applications, Krakow-Poland 2013, September 25-27. http://home.agh.edu.pl/~saeed/cisim2013/

  12. Conference Paper 2 Muhammad Kazim, Rahat Masood, Muhammad Awais Shibli, “Securing the virtual machine images in Cloud computing”, 6th International Conference on Security of Information and Networks (SIN 2013), ACM, November 26-28, 2013, Aksaray/Turkey. http://sinconf.org/sin2013/index.php

  13. Virtual Machines

  14. Disk Images

  15. Implementation Perspective • Implement a framework that that ensures confidentiality of images through encryption. • Images are decrypted when required by the VM. • Use of hashing techniques to ensure integrity.

  16. OpenStack • Used in 178 different countries and more than 850 organizations • Collection of open source components • Modular design • IaaSCloud Services allows users to manage: VMs, Virtual networks, storage resources

  17. OpenStack Components • Swift • Glance • Nova • Horizon • Keystone • Quantum • Cinder

  18. Virtual Machines in OpenStack

  19. OpenStack Swift • Swift is a highly available, distributed, eventually consistent object/blob store. • Is maintained and developed by one of the largest open-source teams in the world. • Has 53,605 lines of code and is written in Python.

  20. Components • Proxy Servers: Handles all incoming API requests. • Accounts & Containers: Each Account and Container are individual databases that are distributed across the cluster. An Account database contains the list of Containers in that Account. A Container database contains the list of Objects in that Container • Objects: The data itself. • Partitions: A Partition stores Objects, Account databases and Container databases.

  21. Deployment of OpenStack for development • Devstack • A documented shell script to build complete OpenStack development environments. • Deployment of Devstack • Setup a fresh supported Linux installation • Clone devstack from devstack • Deploy your OpenStack Cloud http://devstack.org/

  22. Debugging of source code • Debugging of Swift through command line • Pdb (Python debugger)

  23. Image Encryption Module In Swift

  24. Image Decryption Module In Swift

  25. Virtual Machines in OpenStack IEM & IDM

  26. Integration of Image Encryption and Decryption with Swift • OpenStackSwift API is implemented as a set of ReSTful web services • The proxy server initiates an internal Swift PUT request to the object servers • Object servers processes images chunk by chunk so each chunk gets encrypted using AES-256 (M2crypto library). • For decryption object server decrypts each chunk before it sends the image to the proxy server

  27. Demonstration • Devstack running environment • Add a custom bootable image

  28. Demonstration • Launch a VM

  29. Demonstration • After VM termination, image is located into Swift encrypted storage • The image is automatically decrypted using by Swift when required by VM

  30. Future Directions • Encryption of accounts to protect users and images lists in Swift. • Protection of data after secure VM live migration. • Encryption of persistent storage used by virtual machines during execution.

  31. Conclusion • Virtual machines images present many security issues in Cloud computing. • We have implemented Image Encryption Module that encrypts all virtual disk images before storage in OpenStack. They are decrypted when required by the virtual machine. • Confidentiality of virtual machine images in storage is ensured. They are secure from all possible storage attacks such as data theft, malware installation and hypervisor issues.

  32. References [1] Shubhashis Sengupta, Vikrant Kaulgud, Vibhu Saujanya Sharma, “Cloud Computing Security - Trends and Research Directions”, IEEE World Congress on Services, Washington, DC, USA, 2011. [2] Jakub Szefer, Ruby B. Lee, “A Case for Hardware Protection of Guest VMs from Compromised Hypervisors in Cloud Computing”, 31st International Conference on Distributed Computing Systems Workshops, Washington, DC, USA, 2011. [3] Jinzhu Kong, “Protecting the confidentiality of virtual machines against untrusted host”, International Symposium on Intelligence Information Processing and Trusted Computing, Washington, DC, USA, 2010. [4] Farzad Sabahi, “Secure Virtualization for Cloud Environment Using Hypervisor-based Technology”, International Journal of Machine Learning and Computing vol. 2, no. 1, February 2012, pp.39-45. [5] Jenni Susan Reuben, “A Survey on Virtual Machine Security”, TKK T-110.5290 Seminar on Network Security, 2007.

  33. [6] Seongwook Jin, Jeongseob Ahn, Sanghoon Cha, and Jaehyuk Huh, “Architectural Support for Secure Virtualization under a Vulnerable Hypervisor”, Proceedings of the 44th Annual IEEE/ACM International Symposium on Microarchitecture, USA, 2011. [7] Ryan Shea, Jiangchuan Liu, “Understanding the Impact of Denial of Service on Virtual Machines”, IEEE 20th International Workshop on Quality of Service (IWQoS), Burnaby, BC, Canada, 2012. [8] Wu Zhou, Peng Ning, Xiaolan Zhang, “Always up-to-date: scalable offline patching of VM images in a compute cloud”, Proceedings of the 26th Annual Computer Security Applications Conference, New York, USA, 2010, pp. 377-386. [9] Trent Jaegar, Reiner Sailer, Yogesh Sreenivasan, “Managing the Risk of Covert Information Flows in Virtual Machine Systems”, Proceedings of the 12th ACM symposium on Access control models and technologies, New York, USA, pp. 81-90, 2007. [10] Mikhail I. Gofman, Ruiqi Luo, Ping Yang, Kartik Gopalan, “SPARC: A security and privacy aware Virtual Machine checkpointing mechanism”, Proceedings of the 10th annual ACM workshop on Privacy in the electronic society, New York, USA, 2011, pp. 115-124.

  34. [11] Zhi Wang, Xuxian Jiang, “HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity” IEEE Symposium on Security and Privacy, Oakland, CA, USA, 2010, pp. 380-385. [12] Mohamad Rezaei et al., “TCvisor: a Hypervisor Level Secure Storage”, TCvisor: a Hypervisor Level Secure Storage”, Internet Technology and Secured Transactions (ICITST), London, 2010, pp. 1-9. [13] Dan Pelleg, Muli Ben-Yehuda, Rick Harper, “Vigilant—Out-of-band Detection of Failures in Virtual Machines”, ACM SIGOPS Operating Systems Review, New York, NY, USA, Volume 42 Issue 1, 2008, pp. 26-31. [14] Sandra Rueda, Rogesh Sreenivasan, Trent Jaeger, “Flexible Security Configuration for Virtual Machines”, Proceedings of the 2nd ACM workshop on Computer Security Architectures, New York, NY, USA, 2008, pp. 35-44. [15] Koichi Onone, Yoshihiro Oyama, Akinori Yonezawa, “Control of System Calls from Outside of Virtual Machines”, Proceedings of the 2008 ACM symposium on Applied Computing, New York, NY, USA, 2008, pp. 2116-2221.

  35. THANKYOU

More Related