I found this recent paper on IEEE; it has very good information about cloud security, privacy challenges, and the latest threats and vulnerabilities. Solutions to overcome cloud security and privacy issues are also discussed in this paper. It also discusses virtualized cloud infrastructures, their attack surface, and how they are designed and developed.
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel... (IJERD Editor)
This document summarizes security vulnerabilities in the Xen hypervisor virtualization platform. It describes two attacks:
1) A denial of service attack where a malicious domain can pad a large file to its kernel image, consuming significant system resources during booting and preventing other domains from accessing resources.
2) An attack where an insider with dom0 privileges can use the "dump-core" command to take a memory snapshot of a target domain, allowing extraction of plaintext passwords and sensitive data from the domain's memory.
The document analyzes these issues and argues that Xen's architecture, with the dom0 control domain having elevated privileges, is the root cause of vulnerabilities. It suggests the privileges of dom0 should be reduced to
Security challenges for adoption of virtualization for effective e-governance (Adam Bert Lacay)
This document summarizes a research paper about security challenges for adopting virtual machine monitors (VMMs)/hypervisors to support effective e-governance. The paper aims to present different hypervisor threats that could lead a virtualized environment to collapse from a single point of failure (SPOF). It conducts a descriptive analysis of VMM attacks and vulnerabilities, categorizing five issues: intrusion, distributed denial of service attacks, non-control data attacks, hypervisor-based fault tolerance failures, and malware/rootkit attacks. The paper examines potential solutions to prevent SPOF issues and discusses challenges in implementing them for e-governance. The research contributes to studying solutions to effectively prevent SPOF in hypervisor-running
A SURVEY ON SECURITY CHALLENGES OF VIRTUALIZATION TECHNOLOGY IN CLOUD COMPUTING (ijcsit)
Virtualization has become a widely employed and attractive technology in cloud computing environments. Sharing a single physical machine between multiple isolated virtual machines leads to more optimized hardware usage and makes the migration and management of a virtual system more efficient than for its physical counterpart. Virtualization is a fundamental technology in a cloud environment. However, the presence of an additional abstraction layer between software and hardware causes new security issues. Security issues related to virtualization technology have become a significant concern for organizations because the technology raises new security challenges.
A TRUSTED IAAS ENVIRONMENT WITH HARDWARE SECURITY MODULE (Nexgen Technology)
This document discusses industry trends in virtual machine (VM) technologies and how they compare to current VM standards. It addresses virtualization opportunities and challenges related to security, networking, and storage. Specific issues discussed include a lack of standardization across operating systems, limitations in network and security capabilities, and questions around licensing and chargeback models for virtual instances. The document proposes several approaches to address these issues, such as establishing a center of excellence for networking and security and restricting VM transfers between network segments.
This paper is a technology preview that describes a new hardware-based capability known as Intel® Virtual Machine Control Structure (Intel® VMCS) Shadowing, which will be available with 4th generation Intel® Core™ vPro™ processors, and describes the hardware-assisted security provided by XenClient and Deep Defender. Intel VMCS Shadowing can enable faster performance for multi-VMM usage models. Both Citrix and McAfee are evaluating this capability for inclusion in future product releases.
The document proposes the Cloud Terminal architecture, which uses a Secure Thin Terminal (STT) client and Cloud Rendering Engine (CRE) to securely access applications hosted in the cloud. The STT isolates itself from the untrusted host OS using a microvisor and communicates with the CRE over an encrypted channel. Evaluations show the Cloud Terminal can securely run applications like banking with reasonable performance and scalability.
This document discusses virtualization concepts and provides definitions and background information. It begins with references and sources on virtualization. It then defines virtualization and key terms like virtual machine monitor and guest/host. It covers the origins and principles of virtualization, how virtualization was rediscovered, and discusses various virtualization architectures, interfaces, types of virtual machine monitors, and strategies for virtualizing systems like the IA-32 architecture. It concludes by discussing memory management challenges in virtualization.
IRJET- Detection and Isolation of Zombie Attack under Cloud Computing (IRJET Journal)
1) Cloud computing allows on-demand access to computing resources over the internet. However, this architecture is vulnerable to security attacks like zombie attacks.
2) A zombie attack occurs when an unauthorized user takes control of a virtual machine and uses it to launch denial-of-service attacks by sending useless traffic. This degrades network performance.
3) The paper proposes a technique for detecting malicious users and isolating zombie attacks in cloud computing networks using strong authentication. It aims to improve security in cloud architectures.
IT Security Risk Mitigation Report: Virtualization Security (Booz Allen Hamilton)
Security is a major area of concern for any organization deploying a virtual environment. The introduction of VMs has created security considerations unheard of just a few years ago. This report provides insight into managing these new risks, and shows how Booz Allen’s expertise helps organizations develop comprehensive and secure virtualization solutions that comply with federal security standards.
Ramnit is a worm that spreads through removable drives by infecting files. The worm (W32.Ramnit) was first discovered in early 2010 and later that year, a second variant of Ramnit (W32.Ramnit.B) was identified. Since then, Ramnit’s operators have made considerable upgrades to the threat, including implementing the use of modules, which was borrowed from the leaked source code of the Zeus banking Trojan (Trojan.Zbot) in May 2011.
Currently, Ramnit’s operators are primarily focused on information-stealing tactics, targeting data such as passwords and online banking login credentials. They also install remote access tools on affected computers in order to maintain back door connectivity. It is estimated that the Ramnit botnet may consist of up to 350,000 compromised computers worldwide.
Chromium's security architecture separates the browser into two modules that run in separate protection domains: a browser kernel module and a sandboxed rendering engine module. This architecture aims to mitigate high-severity attacks by restricting an attacker who exploits a vulnerability in the rendering engine to using the browser kernel interface, rather than allowing arbitrary access to the user's system. The paper evaluates this architecture and finds that it would mitigate approximately 70% of past browser vulnerabilities that allowed arbitrary code execution.
The Design of Convoluted Kernel Architectural Framework for Trusted Systems –... (rahulmonikasharma)
This paper presents an overview of the Convoluted Kernel Architectural framework and a comparative study with the traditional Linux kernel. The architecture is specially designed for a trusted server environment. It has an integrated layer consisting of a customized Unified Threat Management (UTM) and the Stealth-Obfuscation OK Authentication algorithm, a highly improved and novel zero-knowledge authentication algorithm, serving as a secure web gateway to kernel mode. The framework used is a combined monolithic and microkernel-based (hybrid) architecture, code-named the integrated approach, to trade in the benefits of both designs. The architecture serves as the base framework for the Trust Resilient Enhanced Network Defense Operating System (TREND-OS) currently being experimented with in the lab. The aim is to develop an architecture that can protect the kernel against itself and against applications.
This document describes a distributed virtual machine monitor (DVMM) that provides single system image (SSI) capabilities on clusters. The DVMM contains symmetrical and cooperative virtual machine monitors (VMMs) distributed across nodes that detect, integrate, and virtualize physical resources to present a global view to the operating system. This allows an unmodified operating system to run transparently across the entire cluster.
The document proposes a method called "login authentication multiplexing" to strengthen login authentication security by enforcing multiple authentications rather than a single authentication. It involves placing extra authentication programs after the initial login that must be passed before accessing protected resources. This approach reduces vulnerabilities, allows flexible policies, and prevents damage until all authentications are passed. Practical issues like restricting shell access and remote access programs are also discussed.
MS Cloud day - Understanding and implementation on Windows Azure platform sec... (Spiffy)
This document summarizes a session on security challenges and approaches for designing and developing secure applications on the Microsoft Windows Azure platform. It discusses threats that are handled by Windows Azure like physical attacks and those that remain the customer's responsibility like attacks on a customer's tenant. It also outlines various security measures implemented in Windows Azure like certifications, penetration testing, access controls, and role-based access.
VMware Seminar Security & Compliance for the cloud with Trend Micro (Graeme Wood)
The document discusses security and compliance requirements for cloud computing. It provides an overview of key compliance standards and regulations that affect customers. It then discusses some of the unique security challenges that virtualized and cloud environments can present compared to traditional IT environments. Specifically, it notes that system boundaries are less clear in virtual systems and that more components and complexity are involved. Finally, it outlines some of the foundations that VMware and its partners are providing to help address these challenges, such as security hardening guides, virtual trust zones, and network segmentation controls.
IRJET-Virtualization Technique for Effective Resource Utilization and Dedicat... (IRJET Journal)
This document discusses virtualization techniques for effective resource utilization and dedicated resource management. It describes how virtualization with commodity hypervisors can logically partition resources in a single system but cannot create dedicated partitions. The document then introduces secured partitions which can create guest partitions with dedicated non-shared CPU, memory, and I/O resources through hardware assistance. It provides details on the architecture and advantages of secured partitions, including improved security, error containment and performance compared to traditional logical partitioning.
This PhD proposal outlines a system to provide rapid recovery from attacks and increased resistance to malware, viruses, and system errors. The system uses virtualization techniques to isolate user data, applications, and system components. User data is stored in a file system virtual machine to protect it from corruption. Applications are isolated in separate virtual machine appliances to limit their ability to interfere with other components. A network virtual machine incorporates intrusion detection and firewalls. The proposal discusses the design, implementation, and evaluation of the system to improve both performance and security compared to existing approaches.
Virtually Secure: Uncovering the risks of virtualization (Seccuris Inc.)
Organizations have been quickly leveraging the benefits of virtualized platforms in their datacenters, often unknowingly increasing the exposure of their most prized assets.
Michael will highlight the key concerns around virtualization technologies, including answers to questions such as: are virtualized servers PCI compliant, and what minimum controls must exist to protect the hypervisor? He will walk the audience through the latest technical threats and shed light on the solutions and controls available to secure your virtual environments.
Virtualisation: Pitfalls in Corporate VMware Implementations (Jason Edelstein)
Discusses virtualisation security threats and countermeasures with a specific focus on the VMware virtualisation platform.
Additional information can be found at: http://www.senseofsecurity.com.au
This document discusses security issues related to cloud computing. It begins by defining cloud computing and describing common cloud service and deployment models. It then outlines traditional security problems like data loss, downtime, and malware that still apply in cloud environments. New issues introduced by cloud characteristics like virtualization, multi-tenancy, and elastic scaling are also examined, such as virtualization vulnerabilities and lack of network perimeter control. The document concludes by focusing on data security challenges involving confidentiality, integrity and availability of data in transit, at rest, and in use within cloud platforms. Homomorphic encryption is presented as a potential solution for securely outsourcing computation on encrypted data.
This document discusses planning a secure Windows Server 2003 network. It covers selecting server and desktop computers, operating systems, and security features. Some key points include categorizing computers by role, standardizing hardware, selecting an operating system based on applications and costs, and configuring security permissions for files, folders, and the registry. Domain controllers require additional security as the failure of one could disrupt the whole network. The document also discusses infrastructure servers like DNS and DHCP and how to secure them.
Virtualization has become a widely employed and attractive technology in cloud computing environments. Sharing a single physical machine between multiple isolated virtual machines leads to more optimized hardware usage and makes the migration and management of a virtual system more efficient than for its physical counterpart. Virtualization is a fundamental technology in a cloud environment. However, the presence of an additional abstraction layer between software and hardware causes new security issues. Security issues related to virtualization technology have become a significant concern for organizations because the technology raises new security challenges. This paper aims to identify the main challenges and risks of virtualization in cloud computing environments. Furthermore, it focuses on some common virtualization-related threats and attacks that affect the security of cloud computing. The survey was conducted to obtain the views of cloud stakeholders on virtualization vulnerabilities, threats, and the approaches that can be used to overcome them. Finally, we propose recommendations for improving security and mitigating the risks encountered with virtualization, which is necessary for adopting secure cloud computing.
The document discusses various attacks targeting virtualization systems, including guest hopping, VM deletion/control attacks, code/file injection, VM migration attacks, and hyperjacking. It describes how hyperjacking involves installing a rogue hypervisor beneath the original one to gain control of the host operating system without being detected by guest VMs or applications. The VENOM vulnerability allowed this by exploiting a buffer overflow in the virtual floppy disk controller driver included in many virtualization platforms like KVM and Xen. Mitigations for hyperjacking include hypervisor self-protection, validation of the running hypervisor, and preventing direct external modification.
Virtualization has become a widely employed and attractive technology in cloud computing environments. Sharing a single physical machine between multiple isolated virtual machines leads to more optimized hardware usage, and makes the migration and management of a virtual system more efficient than its physical counterpart. Virtualization is a fundamental technology in a cloud environment. However, the presence of an additional abstraction layer between software and hardware causes new security issues. Security issues related to virtualization technology have become a significant concern for organizations because they raise new security challenges. This paper aims to identify the main challenges and risks of virtualization in cloud computing environments. Furthermore, it focuses on some common virtualization-related threats and attacks that affect the security of cloud computing. The survey was conducted to obtain the views of cloud stakeholders on virtualization vulnerabilities, threats, and the approaches that can be used to overcome them. Finally, we propose recommendations for improving security and mitigating the risks encountered in virtualization that are necessary to adopt secure cloud computing.
The document discusses various attacks targeting virtualization systems, including guest hopping, VM deletion/control attacks, code/file injection, VM migration attacks, and hyperjacking. It describes how hyperjacking involves installing a rogue hypervisor beneath the original one to gain control of the host operating system without being detected by guest VMs or applications. The VENOM vulnerability allowed this by exploiting a buffer overflow in the virtual floppy disk controller driver included in many virtualization platforms like KVM and Xen. Mitigations for hyperjacking include hypervisor self-protection, validation of the running hypervisor, and preventing direct external modification.
A Trusted IaaS Environment with Hardware Security Modulenexgentechnology
bulk ieee projects in pondicherry,ieee projects in pondicherry,final year ieee projects in pondicherry
Nexgen Technology Address:
Nexgen Technology
No :66,4th cross,Venkata nagar,
Near SBI ATM,
Puducherry.
Email Id: praveen@nexgenproject.com.
www.nexgenproject.com
Mobile: 9751442511,9791938249
Telephone: 0413-2211159.
NEXGEN TECHNOLOGY as an efficient Software Training Center located at Pondicherry with IT Training on IEEE Projects in Android,IEEE IT B.Tech Student Projects, Android Projects Training with Placements Pondicherry, IEEE projects in pondicherry, final IEEE Projects in Pondicherry , MCA, BTech, BCA Projects in Pondicherry, Bulk IEEE PROJECTS IN Pondicherry.So far we have reached almost all engineering colleges located in Pondicherry and around 90km
Cloud Computing Hypervisors and Comparison Xen KVM cloudresearcher
The document discusses and compares two open source hypervisors, Xen and KVM, that can be used to manage virtual machines (VMs) on cloud computing platforms. Both hypervisors allow for virtualization of hardware and enable multiple VMs to run concurrently on the same physical machine. Xen uses a model where one privileged VM (Domain 0) manages other VMs, while KVM implements each VM as a Linux process. The document analyzes the hypervisors' approaches to security, memory management, and performance to determine their suitability for cloud environments.
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...ijcncs
This document summarizes a research paper on secure virtualization for cloud environments. The paper proposes a two-tier security architecture that uses multiple working modes for security components at the guest level to decrease overhead from security processes. It also includes a security supervisor at the hypervisor layer to avoid false security alarms. The paper discusses security issues in virtualized cloud environments like access control vulnerabilities, DOS attacks, vulnerabilities in the virtualization platform and security management. It proposes solutions like access control policies, load balancing during attacks, secure administrative zones, and additional security mechanisms like firewalls and intrusion detection to address these issues.
Design of Intrusion Tolerance System based on Service Redundancy LevelIOSRJEEE
The Internet is an open space where a great number of computer systems are connected. Since many services are provided through the Internet, malicious users can easily intrude on any of those systems by using the vulnerabilities of the Internet. Although an Intrusion Detection and Prevention System (IDPS) can be used to defend against such malicious activities, it is not always possible to completely protect a targeted system against the attacks. For this reason, Intrusion Tolerance Systems (ITS) have been proposed to maintain services even in threatening environments, where some malicious attacks have intruded into a system successfully. In this paper, we propose a new ITS based upon maintaining a service redundancy level to ensure that all services are properly provided to users even if a malicious intrusion such as a VM (virtual machine) escape attack exists. The simulation results show that the proposed scheme can guarantee the operation of every ongoing service by maintaining the service redundancy level of all services.
Virtualization vulnerabilities, security issues, and solutions:
Virtualization is technological revolution that
separates functions from underlying hardware and allows
us to create useful environment from abstract resources.
Virtualization technology has been targeted by attackers
for malicious activity. Attackers could compromise VM
infrastructures, allowing them to access other VMs on the
same system and even the host.
This presentation emphasize on
the assessment of virtualization specific vulnerabilities,
security issues and possible solutions.
By-Nitish Awasthi
B.Tech.CTIS
Invertis University Bareilly
Using Virtualization Technique to Increase Security and Reduce Energy Consump...IJORCS
An approach has been presented in this paper in order to generate a secure environment on an internet-based virtual computing platform and also to reduce energy consumption in green cloud computing. The proposed approach constantly checks the accuracy of stored data by means of a central control service inside the network environment and also checks system security by isolating single virtual machines using a common virtual environment. This approach has been simulated on two types of Virtual Machine Manager (VMM), Quick EMUlator (Qemu) and HVM (Hardware Virtual Machine) Xen, and the outputs of the simulation in VMInsight show that when a service is used singly, its performance overhead increases. As a secure system, the proposed approach is able to recognize malicious behaviors and assure service security by means of operational integrity measurement. Moreover, the rate of system efficiency has been evaluated according to the amount of energy consumption on five applications (Defragmentation, Compression, Linux Boot, Decompression and Kernel Boot). Therefore, this has resulted in the conclusion that, to secure a multi-tenant environment, managers and supervisors would have to independently install a security monitoring system for each virtual machine (VM), which leaves management with a heavy workload, while the proposed approach can respond to all VMs with just one virtual machine as a supervisor.
Virtualization allows multiple operating systems to run on a single physical system by sharing hardware resources. It is enabled by a hypervisor which controls the host system's processor and resources, allocating them to guest virtual machines. Virtualization improves resource utilization and costs by pooling physical hardware and allocating virtual resources on demand. However, the hypervisor is a potential point of failure as it has control over the entire system and is part of the trusted computing base. Approaches aim to reduce this risk by removing the hypervisor or restricting its control.
Risk Analysis and Mitigation in Virtualized EnvironmentsSiddharth Coontoor
As companies move towards hybrid cloud solution there are still many private cloud solutions still out there. Traditional risk assessment techniques cannot be applied to such virtual servers. This paper is an attempt to identify key assets and assess risks related to these critical assets.
Cloud computing provides on-demand access to shared configurable computing resources like servers, storage, databases, networking, software, analytics and more via the internet with minimal management effort. It has 5 essential characteristics, 3 service models (SaaS, PaaS, IaaS), and 4 deployment models (private, public, hybrid, community). Security is a major concern in cloud computing due to issues like data ownership, multi-tenancy, loss of physical control and proprietary implementations. A typical use case of provisioning a virtual machine involves a user request, provisioning by cloud management, and access to the ready VM.
The document summarizes a project report on implementing a model for security in the cloud using a dynamic firewall restriction algorithm. The report includes an abstract describing the proposed security architecture that provides flexible security as a service for cloud tenants and customers. It then outlines the various chapters in the report, including an introduction, literature survey, analysis, module descriptions, implementation details, future work, and conclusions. The proposed system aims to implement an effective firewall security at the tenant level to block unauthorized access and filter unwanted requests before they reach virtual machines in the cloud.
A survey on Improvement of virtual network communication security of trusted ...ijsrd.com
Cloud computing and Infrastructure-as-a-Service (IaaS) are emerging and promising technologies; however, their faster-paced adoption is hampered by data security concerns. At the same time, Trusted Computing (TC) is experiencing a revived interest as a security mechanism for IaaS. In this paper we address the lack of an implementable mechanism to ensure the launch of a virtual machine (VM) instance on a trusted remote compute host. Relying on Trusted Platform Module operations such as binding and sealing to provide integrity guarantees for clients that require a trusted VM launch, we have designed a trusted launch protocol for VM instances and images in public IaaS environments. We also present a proof-of-concept implementation of the protocol based on OpenStack, an open-source IaaS platform. The results provide a basis for the use of TC mechanisms within IaaS platforms and pave the way for a wider applicability of TC to IaaS security.
This document discusses cloud security risks and provides an overview of cloud security. It outlines various security risks in cloud computing including insider and outsider attacks, privacy and trust issues, and vulnerabilities in operating systems, virtualization, and shared images. It also describes the Xoar system for improving security by reducing the trusted computing base and limiting privileges and interfaces of system components. Finally, it discusses the need for a trusted virtual machine monitor to prevent the cloud provider from accessing the system.
2. Identifying and Analyzing Security Threats to Virtualized Cloud Computing Infrastructures
hypervisor runs directly upon the hardware, in a layer separated from the host OS. A Type-2 hypervisor runs together with the host OS. Due to the isolation from the host OS, the security, performance and scalability features of Type-1 are enhanced compared with Type-2 [11]. The most widely used industry Type-1 and Type-2 hypervisors include Xen and KVM respectively.
A. Xen Hypervisor
Xen resides between the VMs and the underlying physical hardware. In order to create a secure operating environment, the Xen hypervisor divides the VMs into two domains, i.e. Domain0 (Dom0) and DomainU (DomU), according to their access privileges. The Dom0 VM has higher privileges and can access the hardware, whereas DomU VMs have lower privileges and cannot directly access the hardware. When the Xen hypervisor starts, it first loads the Dom0 VM. Normally the user of Dom0 is a system administrator who has the privilege to use the hypervisor interface to create, delete or manage any DomU VMs. Each DomU VM contains a modified Linux kernel that includes front-end drivers that communicate with the Xen hypervisor instead of communicating directly with the hardware. For each DomU VM, CPU and memory access operations are handled directly by the Xen hypervisor. However, I/O is directed to Dom0, since the Xen hypervisor itself is not able to perform any I/O operation [12].
B. Kernel Virtual Machine (KVM) Hypervisor
KVM is developed by implementing a Linux kernel module with hypervisor functionality. Each Linux process has two modes of execution, user mode and kernel mode. User mode is considered unprivileged, while kernel mode is considered privileged. The default mode for a process is user mode; it changes to kernel mode when the process requires some service from the kernel, such as a request to write to the hard disk. While implementing KVM, the developers added a third mode for a process, called guest mode. Guest mode itself has the two normal modes, user and kernel, which can be called guest-user and guest-kernel mode. When a guest process is executing non-I/O guest code, it runs in guest-user mode. In guest-kernel mode, the process handles exits from guest-user mode caused by I/O or other special instructions. In user mode, the Linux process performs I/O on behalf of the guest. In the KVM model each guest VM is implemented as a simple Linux process, and that process itself is able to run multiple applications concurrently because it is acting as a virtual OS [13]. Each VM is scheduled by the standard Linux scheduler.
III. ATTACKS ON VCCI AND VULNERABILITIES OF VMMs
Due to inappropriate security standards used for hypervisors at the infrastructure level, there are several security gaps that can be exploited by inside or outside malicious attackers to misuse the infrastructure, as shown in Fig. 2 [8].
Figure 2. Insider and Outsider Attack [8]
An attack on any component of a VCCI may affect the others. In order to overcome this issue, the infrastructure needs to be secured by implementing security tools and techniques that isolate the VMM, guest/host OS and physical hardware from the side-effects of each other. [2] identified two major attacks on VCCI (VM to VM and VM to hypervisor), as shown in Fig. 3 [2].
Figure 3. Attack Surface [2] (figure shows end users, the cloud provider and its servers, with VM-to-VM and hypervisor-to-VM attack paths)
The attacks visualized in Fig. 3 can take place due to three major vulnerabilities (VM hopping, VM escape and VM mobility) identified in hypervisors [7] [4].
Proceedings of 2012 International of Cloud Computing, Technologies, Applications Management 152
3. Sarfraz Nawaz Brohi, Mervat Adib Bamiah, Muhammad Nawaz Brohi, Rukshanda Kamran
A. VM Hopping
When several VMs are running on the same host OS, a malicious attacker, such as a remote un-trusted cloud user on one VM, can obtain access to another VM just by knowing its IP address. Once a VM is attacked, the attacker can monitor the traffic going over the VM and change the flow of traffic or manipulate it. This attack can create a major issue of Denial of Service (DoS), which is an attempt to make a computer resource unavailable to its intended users [4]. If a VM has been running for a long time, an attacker can modify the configuration file such that the VM goes into the off state. Therefore the ongoing communication to that VM could be stopped. When the connection is resumed, the VM needs to start the entire communication again [7].
B. VM Escape
This vulnerability allows a guest-level VM to attack its host. Under this, an attacker, such as an un-trusted user of cloud services, can run code on a VM that allows the OS running within it to break out and interact directly with the hypervisor. Such an exploit could give the attacker access to the host OS and all other VMs running on that host [4]. If an attacker gains access to a host running multiple VMs, he/she can access the resources that are shared by the other VMs. The host can monitor the memory being allocated and the CPU utilization. If necessary, an attacker can bring down these resources and turn off the hypervisor, and if the hypervisor fails, all the other VMs eventually turn off [7].
C. VM Mobility
In a VCCI, VMs can move from one physical host to another; this is called VM mobility. However, VM mobility is risky from a security perspective: VM files can be stolen without physical theft of the host machine [3]. VMs can be moved over the network or copied through a USB device. Since VMs are not necessarily present on the physical machine, the threat of an attack increases. The contents of a VM are stored in a file on the hypervisor. If the VM is moved to another location, the virtual disk is also recreated, and an attacker can then modify the source configuration file and alter the VM's activities. A VM can also be compromised while it is offline: an attacker can modify the configuration file of the VM. Having gained access to the virtual disk, the attacker has sufficient time to break all the security measures such as passwords, important credentials, etc. Since this VM is a copy of the actual VM, it is difficult to trace the attacker behind this threat [7]. This attack is normally caused by a malicious cloud administrator.
IV. SECURITY TOOLS AND TECHNIQUES FOR SECURING THE VIRTUALIZED CLOUD COMPUTING INFRASTRUCTURE
There are numerous security tools and techniques available to overcome the malicious threats to a VCCI and the hypervisor vulnerabilities. During our analysis, we have identified some major approaches for securing a VCCI by reviewing the past and present literature. These include EKM, ACMs, IDTs, vTPM, VFs and TVDs. The significance of each of these techniques for securing a VCCI is described as follows:
A. Encryption and Key Management (EKM)
The protection of data against loss and theft is a shared responsibility of the cloud customer and the CSP. Nowadays, encryption is one of the strongly recommended techniques in cloud Service Level Agreements (SLAs) [26]. The confidential data of a customer must be encrypted at three different stages, i.e. encryption of data-at-rest (encrypting the customer's data on disk storage as cipher text, which protects the data from a malicious CSP and illegal use), encryption of data-in-transit (encrypting confidential information such as credit card numbers while it is transmitted over a network) and encryption of data on backup media such as external or internal storage, which protects against misuse of lost or stolen media [14]. However, encryption alone is not enough to keep the data secure; there must be proper key management practices to ensure safe and legal access to encryption keys. For instance, encryption keys must be protected in the same way as the sensitive data itself, these keys should be accessible only to a limited set of authorized personnel, and proper procedures must be followed if encryption keys are lost or stolen [14]. It is the customer's responsibility to enforce the use of encryption and key management in their SLAs. However, the type of encryption technique used depends upon the requirements and objectives. The common encryption methods that can be used on a VCCI include symmetric and asymmetric algorithms. From the symmetric cryptography family, the Triple Data Encryption Algorithm (TDEA), also known as Triple-DES or 3DES, and the Advanced Encryption Standard (AES) are the most common encryption techniques. These encryption and decryption processes use a single secret key. From asymmetric cryptography, RSA and Elliptic Curve Cryptography (ECC) are the most used encryption techniques; unlike symmetric methods, these use two different keys, a public key for encryption and a private key for decryption [24]. If data encryption practices are followed accurately, the data will be safe from illegal access or theft by a malicious CSP administrator or remote hackers.
B. Intrusion Detection Tools (IDTs)
The multi-tenant and distributed nature of the cloud makes it an attractive target for potential intruders. Appropriate IDTs should be used in a VCCI; these continuously collect and analyze data from a computing system, aiming to detect intrusive actions. There are two main approaches to IDTs, i.e. Network-based IDTs (NIDTs) and Host-based IDTs (HIDTs). NIDTs are based on monitoring the network traffic flowing through the systems and examining events as packets of information are exchanged between computers, while HIDTs are based on monitoring local activity on a host, such as processes, network connections, system calls, logs, etc., and examining events such as which files were accessed and which applications were executed [16]. Both kinds of IDTs should be used in a VCCI to ensure a safe and secure operating environment and to block intruders.
154741228: Identifying and Analyzing Security Threats to Virtualized Cloud Computing Infrastructures
C. Virtual Firewall (VF)
A VF is a firewall service running in a virtualized environment which provides the usual packet filtering and monitoring services that a physical firewall provides [18]. VFs can execute in various modes, typically hypervisor-mode (hypervisor-resident) and bridge-mode. In order to protect the VMs and the VMM, hypervisor-resident VFs must be implemented on the VMM, where they are responsible for capturing malicious VM activities including packet injections. These VFs require a modification to the physical host hypervisor kernel to install process hooks or modules allowing the VF system access to VM information and direct access to the virtual network switches as well as the virtualized network interfaces moving packet traffic between VMs. The hypervisor-resident VF can then use the same hooks to perform all firewall functions such as packet inspection, dropping and forwarding, without actually touching the virtual network at any point. Hypervisor-resident VFs can be faster than bridge-mode VFs because packet inspection is not performed by a VF running as a guest, but rather from within the kernel at native hardware speeds [19].
D. Trusted Virtual Domains (TVDs)
A TVD is a security technique applied in a VCCI by grouping related VMs running on separate physical machines into a single network domain with a unified security policy. Multiple instances of TVDs can co-exist on a single platform under a shared resource policy. The use of TVDs provides strong isolation among unrelated VMs, as communication among TVDs takes place only according to the security policies defined by the administrator and configured in the VMM. A malicious VM cannot join a TVD because, in order to join, a VM must fulfil the requirements of the policy; thus no malicious VM can affect the VMs of trusted users on the cloud [20]. Normally the VMs residing in a TVD are labeled with a unique identifier. For instance, the VMs of one customer will be labeled differently from those of another customer. The labeling is used to identify the VMs assigned to a particular customer and to allow VMs with the same label to run inside the same TVD, which must be designed by following proper security guidelines and policies that do not exhibit any loopholes.
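As an added illustration of the TVD admission and isolation rules described above (example code written for this page, not from the paper or from any TVD implementation), the following Go model lets a VMM admit a VM into a TVD only if its tenant label matches and it fulfils the policy, and then decides VM-to-VM traffic from TVD membership plus an administrator-defined flow table. The `Attested` flag, the label names and the flow table are constructed assumptions of this example.

```go
package main

import "fmt"

// VM is a guest as seen by the VMM: the tenant label the administrator
// assigned to it and whether it fulfils the TVD's admission policy.
type VM struct {
	Name     string
	Label    string
	Attested bool // constructed stand-in for "fulfils the policy requirements"
}

// VMM holds the TVDs (label -> member VMs) and the administrator-configured
// inter-TVD policy; none of this state is visible to or settable by a guest.
type VMM struct {
	tvds    map[string]map[string]bool
	vmToTVD map[string]string  // VM name -> label of the TVD it joined
	flows   map[[2]string]bool // (src TVD, dst TVD) pairs allowed by policy
}

func NewVMM() *VMM {
	return &VMM{tvds: map[string]map[string]bool{}, vmToTVD: map[string]string{}, flows: map[[2]string]bool{}}
}

func (v *VMM) CreateTVD(label string) { v.tvds[label] = map[string]bool{} }

// Join admits a VM only if it carries the TVD's label and fulfils the
// policy; a VM failing either check stays outside the domain.
func (v *VMM) Join(label string, vm VM) error {
	members, ok := v.tvds[label]
	if !ok {
		return fmt.Errorf("no such TVD: %s", label)
	}
	if vm.Label != label {
		return fmt.Errorf("%s: label %q does not match TVD %q", vm.Name, vm.Label, label)
	}
	if !vm.Attested {
		return fmt.Errorf("%s: does not fulfil the TVD policy, refused", vm.Name)
	}
	members[vm.Name] = true
	v.vmToTVD[vm.Name] = label
	return nil
}

// AllowFlow records an administrator-defined one-way exception between TVDs.
func (v *VMM) AllowFlow(src, dst string) { v.flows[[2]string{src, dst}] = true }

// CanTalk is the isolation check applied to VM-to-VM traffic: allowed inside
// a TVD, across TVDs only where policy says so, never for a VM in no TVD.
func (v *VMM) CanTalk(src, dst string) bool {
	s, okS := v.vmToTVD[src]
	d, okD := v.vmToTVD[dst]
	if !okS || !okD {
		return false
	}
	return s == d || v.flows[[2]string{s, d}]
}
```

A VM that was refused admission is unreachable from every TVD, which is the VM-hopping case from Section III.A: knowing another VM's address is not enough when the VMM decides reachability from membership rather than from the guest's own network configuration.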
E. Access Control Mechanisms (ACMs)
ACMs are responsible for protecting a VCCI by limiting, denying or restricting access to a system or an entity such as processes, VMs and VMMs according to well-defined security policies [15]. The most common ACMs used in a VCCI include Mandatory Access Control (MAC), Discretionary Access Control (DAC) and Role Based Access Control (RBAC). All these techniques are known as identity-based ACMs, as user subjects and resource objects are identified by unique names. Identification may be done directly or through roles assigned to the subjects [25]. ACMs guarantee the integrity and confidentiality of the resources. Access control must be performed by a trusted party, which can be the CSP or a third party in association with the cloud customer. Moreover, the collaboration and the expression of access control at each layer, e.g. hypervisor or OS, must be achieved in a dedicated and neutral language to allow a unified policy regardless of the layer.
F. Virtual Trusted Platform Module (vTPM)
IBM researchers proposed TPM virtualization, which is based on a certificate chain linking vTPMs to the physical TPM in order to provide its capabilities and make them available to all VMs running on a platform. vTPMs can be located in a specific layer over the hypervisor. A vTPM instance is created for each VM by the vTPM Manager, which is built into a specific VM and may invoke its own vTPM through the hypervisor [17]. Each VM has its associated vTPM instance, which emulates the TPM functionality to extend the chain of trust from the physical TPM to each vTPM via careful management of signing keys and certificates. A vTPM has its own virtual Endorsement Key (EK) and virtual Storage Root Key (SRK), besides some software on the host. In a multi-tenant VCCI the vTPM system virtualizes a physical TPM so that it can be used by a number of VMs on a single hardware platform [23].
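The certificate chain that links each vTPM's virtual EK back to the physical TPM can be modelled in a few lines. The Go block below is an added example for this page (not IBM's vTPM code, and not a real TPM or X.509 format): the physical TPM's key certifies the vTPM Manager's key, the manager certifies each instance's virtual EK, and a verifier walks the links back to the root. ECDSA P-256 and the two-field `Cert` structure are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Cert is a minimal stand-in for an endorsement certificate: the DER-encoded
// public key being certified and the issuer's ECDSA signature over its SHA-256
// digest (a constructed format for this example, not TPM or X.509 encoding).
type Cert struct {
	Subject []byte
	Sig     []byte
}

// NewKey generates a P-256 key pair standing in for a TPM's or vTPM's EK.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Certify has the issuer sign the subject's public key, extending the chain
// by one link: physical TPM -> vTPM Manager -> vTPM instance (virtual EK).
func Certify(issuer *ecdsa.PrivateKey, subject *ecdsa.PublicKey) (Cert, error) {
	der, err := x509.MarshalPKIXPublicKey(subject)
	if err != nil {
		return Cert{}, err
	}
	digest := sha256.Sum256(der)
	sig, err := ecdsa.SignASN1(rand.Reader, issuer, digest[:])
	if err != nil {
		return Cert{}, err
	}
	return Cert{Subject: der, Sig: sig}, nil
}

// VerifyChain walks from the physical TPM's EK (root) to the leaf vEK: link i
// must verify under the key certified in link i-1, so a vTPM whose chain does
// not end at the physical TPM, or whose certified key was altered, is rejected.
func VerifyChain(root *ecdsa.PublicKey, chain []Cert) error {
	issuer := root
	for i, c := range chain {
		digest := sha256.Sum256(c.Subject)
		if !ecdsa.VerifyASN1(issuer, digest[:], c.Sig) {
			return fmt.Errorf("chain link %d: signature does not verify under its issuer", i)
		}
		pub, err := x509.ParsePKIXPublicKey(c.Subject)
		next, ok := pub.(*ecdsa.PublicKey)
		if err != nil || !ok {
			return fmt.Errorf("chain link %d: subject is not a valid ECDSA key", i)
		}
		issuer = next // this link's key issues the next one
	}
	return nil
}
```

A relying party that holds only the physical TPM's EK can thus decide whether a given vTPM instance belongs to that platform; a vTPM created outside the manager, or with a tampered key, fails the walk.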
V. IMPLEMENTATION OF SECURITY TOOLS AND TECHNIQUES FOR FORMULATING A SECURE VCCI
The security tools and techniques discussed in the previous section have been implemented by various researchers to design and develop secure VCCIs. This section describes some of the valuable contributions by these researchers. [21] designed the Trusted Virtual Datacenter (TVDc). The aim of TVDc is to provide a safety net that reduces the risk of security issues arising from the misuse of VMs with the help of malicious software. [22] proposed a trusted VMM with the use of encryption methods. This technique is referred to as CloudVisor. It is implemented as a security monitor that runs in the highest privileged mode, higher even than the hypervisor. Once CloudVisor runs, it starts the hypervisor, which executes in the least privileged mode. In order to enforce protection and isolation, CloudVisor monitors the use of hardware by the VMM and VMs. CloudVisor uses the TPM for authenticated secure boot-up and for encryption of VM data. [8] proposed a TVMM using the TPM as root of trust, implementing it on the Xen hypervisor. The vTPM provides isolation between VMs so that no VM can access the resources of the others. [8] also proposed a page-based encryption method. This method uses a secret key managed by the hypervisor to encrypt all pages. Encryption uses AES-128 in CBC mode, and hashing uses SHA-256, before the pages are handed over to Dom0. These are a few of the valuable contributions; however, a tremendous amount of research is being carried out by several researchers for securing the VCCI.
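The page-based encryption attributed to [8] above, together with the EKM rule from Section IV.A that keys stay apart from the party handling the data, can be shown concretely. This Go block is an added example for this page, not code from [8] or from Xen: the hypervisor holds an AES-128 key that Dom0 never sees, encrypts each guest page in CBC mode under a fresh IV before handing it over, records a SHA-256 digest of the plaintext in its own memory, and refuses the page on return if the digest no longer matches. The `Export`/`Import` interface and the page-frame-number table are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const PageSize = 4096 // one guest page; a multiple of the AES block size

// Hypervisor keeps what Dom0 must never see: the AES-128 cipher under the
// hypervisor's secret key and a SHA-256 digest of every exported page's
// plaintext (constructed model of the scheme in [8]).
type Hypervisor struct {
	block   cipher.Block
	digests map[uint64][32]byte // guest page frame number -> digest
}

func NewHypervisor() (*Hypervisor, error) {
	key := make([]byte, 16) // AES-128; generated and kept inside the hypervisor
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &Hypervisor{block: block, digests: map[uint64][32]byte{}}, nil
}

// Export encrypts a page under a fresh IV before it is handed to Dom0 and
// records the plaintext digest. The IV is prepended; it need not be secret.
func (h *Hypervisor) Export(pfn uint64, page []byte) ([]byte, error) {
	if len(page) != PageSize {
		return nil, errors.New("not a full page")
	}
	out := make([]byte, aes.BlockSize+PageSize)
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(h.block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], page)
	h.digests[pfn] = sha256.Sum256(page)
	return out, nil
}

// Import takes a page back from Dom0, decrypts it and refuses it if the
// plaintext no longer matches the digest recorded at export time.
func (h *Hypervisor) Import(pfn uint64, blob []byte) ([]byte, error) {
	want, ok := h.digests[pfn]
	if !ok || len(blob) != aes.BlockSize+PageSize {
		return nil, errors.New("unknown page or malformed blob")
	}
	page := make([]byte, PageSize)
	cipher.NewCBCDecrypter(h.block, blob[:aes.BlockSize]).CryptBlocks(page, blob[aes.BlockSize:])
	if sha256.Sum256(page) != want {
		return nil, errors.New("page modified while held by Dom0")
	}
	return page, nil
}
```

The digest only protects integrity because it lives in hypervisor memory; a hash stored next to the ciphertext, where Dom0 could rewrite both, would not.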
VI. CONCLUSION AND FUTURE WORK
Multi-tenancy is one of the significant characteristics of cloud computing; it refers to the mechanism of sharing a cloud platform and its resources among several clients. In order to achieve the benefits of this technique, cloud computing has moved towards virtualization, where each client is assigned one or multiple VMs. Besides the benefits, multi-tenant cloud environments are also vulnerable to attacks that have impeded trust in adopting cloud computing. Attacks have been identified from outsiders and insiders; the major target point for attacks on a VCCI is the VMM. In order to secure the VMM, several techniques have been introduced and implemented by various researchers from academia and industry to secure the VCCI. The adoption of cloud computing is an unstoppable process, so the challenge is to formulate a secure CCI. In order to contribute to the field of cloud computing we analyzed the security issues of a VCCI; however, security is not only limited to virtualization components. A CCI must be secure at various layers, i.e. the physical, network, application, management and organizational layers, by considering governmental policies, SLAs, etc. The future direction of our research is to conduct an analysis identifying and overcoming the security issues of cloud computing from governance and operational perspectives.
ACKNOWLEDGMENT
We are thankful to God Almighty for giving us the knowledge and wisdom to complete this work. We are also thankful to our parents for their encouraging support.
REFERENCES
[1] Yamini, B., Selvi, D.V., 2010. Cloud virtualization: A potential way to reduce global warming. In Recent Advances in Space Technology Services and Climate Change (RSTSCC), 2010. pp. 55-57.
[2] Szefer, J., et al. 2011. Eliminating the hypervisor attack surface for a more secure cloud. Proceedings of the 18th ACM conference on Computer and communications security. Chicago, Illinois, USA, ACM: 401-412.
[3] Dawoud, W., Takouna, I., Meinel, C., 2010. Infrastructure as a service security: Challenges and solutions. In Informatics and Systems (INFOS), 2010 The 7th International Conference on. pp. 1-8.
[4] Shengmei, L., et al., 2011. Virtualization security for cloud computing service. In Cloud and Service Computing (CSC), 2011 International Conference on. pp. 174-179.
[5] Takabi, H., Joshi, J.B.D., Ahn, G., 2010. Security and Privacy Challenges in Cloud Computing Environments. Security & Privacy, IEEE, 8(6), pp. 24-31.
[6] Wang, Z., Jiang, X., 2010. HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity. In Security and Privacy (SP), 2010 IEEE Symposium on. pp. 380-395.
[7] Jasti, A., et al. 2010. Security in multi-tenancy cloud. In Security Technology (ICCST), 2010 IEEE International Carnahan Conference on. pp. 35-41.
[8] Jinzhu Kong, 2010. Protecting the Confidentiality of Virtual Machines Against Untrusted Host. In Intelligence Information Processing and Trusted Computing (IPTC), 2010 International Symposium on. pp. 364-368.
[9] Fu Wen, Li Xiang, 2011. The study on data security in Cloud Computing based on Virtualization. In IT in Medicine and Education (ITME), 2011 International Symposium on. pp. 257-261.
[10] Suryanarayana, V., Jasti, A., Pendse, R., 2010. Credit scheduling and prefetching in hypervisors using Hidden Markov Models. In Local Computer Networks (LCN), 2010 IEEE 35th Conference on. pp. 224-227.
[11] Naughton, T., et al. 2010. Loadable Hypervisor Modules. System Sciences (HICSS), 2010 43rd Hawaii International Conference on, pp. 1-8.
[12] Peijie Yu, et al., 2010. Real-time Enhancement for Xen Hypervisor. In Embedded and Ubiquitous Computing (EUC), 2010 IEEE/IFIP 8th International Conference on. pp. 23-30.
[13] Pham, C., et al. 2011. CloudVal: A framework for validation of virtualization environment in cloud infrastructure. In Dependable Systems & Networks (DSN), 2011 IEEE/IFIP 41st International Conference on. pp. 189-196.
[14] CSA, 2010. Domain 12: Guidance for Identity & Access Management V2.1. Cloud Security Alliance. Available at: http://www.cloudsecurityalliance.org/guidance/csaguide-dom12.pdf
[15] Afoulki, Z., et al. 2012. MAC protection of the OpenNebula Cloud environment. High Performance Computing and Simulation (HPCS), 2012 International Conference on, p. 85.
[16] Harley Kozushko, Intrusion Detection: Host-Based and Network-Based Intrusion Detection Systems. Available from http://infohost.nmt.edu/~sfs/Students/HarleyKozushko/Papers/intrusionDetectionPaper.pdf
[17] Achemlal, M., et al. 2011. Trusted Platform Module as an Enabler for Security in Cloud Computing. Network and Information Systems Security (SAR-SSI), 2011 Conference on, pp. 1-6.
[18] Wiki, Virtual Firewall. Available from http://en.wikipedia.org/wiki/Virtual_firewall
[19] Clement Berthelot, Evaluation of a Virtual Firewall in a Cloud Environment. Available from http://buchananweb.co.uk/09014406_MSc_VirtualFirewall.pdf
[20] Luigi, C., et al. Trusted Virtual Domains - Design, Implementation and Lessons Learned. Available from http://infohost.nmt.edu/~sfs/Students/HarleyKozushko/Papers/intrusionDetectionPaper.pdf
[21] Berger, S., Caceres, R., et al. 2009. Security for the cloud infrastructure: Trusted virtual data center implementation. IBM Journal of Research and Development 53(4): 6:1-6:12.
[22] Zhang, F., et al. 2011. CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization. Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles. Cascais, Portugal, ACM: 203-216.
[23] Dongxi, L., et al. 2010. A Cloud Architecture of Virtual Trusted Platform Modules. Embedded and Ubiquitous Computing (EUC), 2010 IEEE/IFIP 8th International Conference on, pp. 804-811.
[24] Jing-Jang, H., et al. 2011. A Business Model for Cloud Computing Based on a Separate Encryption and Decryption Service. Information Science and Applications (ICISA), 2011 International Conference on, pp. 1-7, 26-29.
[25] Khan, A., 2012. Access Control in Cloud Computing Environment. ARPN Journal of Engineering and Applied Sciences, vol. 7, no. 5, pp. 613-615.
[26] Jansen, W., and Grance, T., 2011. Guidelines on Security and Privacy in Public Cloud Computing. National Institute of Standards and Technology Special Publication 800-144.