Virtualization security for cloud computing service

Shengmei Luo, Zhaoji Lin, Xiaohua Chen
ZTE Corporation Shenzhen, China
Zhuolin Yang, Jianyong Chen
Dept. of Computer Science and Technology
Shenzhen University Shenzhen, China
International Conference on Cloud and Service Computing 2011 IEEE
Speaker: 張宗典
Date: 2012/06/01
Advisor: Prof. 陳志達
Type: Conference
Outline
- Introduction
- Security Vulnerabilities in Virtualization
- Virtualization Security Framework
- Virtual System Security
- Virtualization Security Management
- Conclusion

Introduction (1/3)

The menu of services is being enriched.
- SaaS, PaaS and IaaS have been invented as part of XaaS.
- XaaS = Anything as a Service
- Business as a Service (BaaS), Database as a Service (DaaS), Voice as a Service (VaaS), ... everything as a Service
Introduction (2/3)

Cloud computing combines a set of existing techniques, such as SOA and virtualization.
- Cloud computing is regarded as a paradigm.

Data confidentiality against cloud servers is hence frequently desired when users outsource data for storage in the cloud.
Introduction (3/3)

Cloud computing already leverages virtualization for load balancing via dynamic provisioning and migration of VMs among physical nodes.

This article focuses on virtualization security.
- Weaknesses and attacks

It also proposes a scheme to solve the current problems effectively.
- Virtual system security
- Virtualization security management
Security Vulnerabilities in Virtualization

Most of the security threats identified in a VM environment are very similar.
- Attacks between VMs or between VMs and the VMM
- VM escape
- Virtual machine controlled by the host machine
- Denial of service
- VM sprawl
Attacks between VMs or between VMs and the VMM

One of the primary benefits that virtualization brings is isolation.

If not carefully deployed, it will become a threat to the environment.

A poor isolation access control policy will cause attacks between VMs or between VMs and the VMM.
VM escape

An exploit in which the attacker runs a VM that is allowed to interact directly with the operating system and the hypervisor, letting the attacker reach other VMs running on the host.

If the attacker can compromise the VMs, they will have control of all of the guests.

Most VMs run with very high privileges on the host because a VM needs comprehensive access to the host's hardware so it can map the real hardware into virtualized hardware for the guests.
Virtual machine controlled by the host machine

It is more necessary to strictly protect the host machine than the VMs.

If a host is compromised, then the security of the VMs is under question.
Denial of Service

DoS or DDoS is an attempt to make a computer resource unavailable to its intended users.

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers.
- Such as banks, credit card payment gateways, ...
Denial of Service

In a VM architecture the guest machines and the underlying host share the physical resources such as CPU, memory and hard disk.
VM sprawl

An inappropriate virtual machine management policy will cause VM sprawl.
Virtualization Security Framework

Virtualization security can be investigated from two aspects:
- Virtual system security
- Virtualization security management
Virtualization Security Framework
[Figure: a virtualization security framework]
Virtual System Security

Virtual system security contains four parts.
- VM system architecture security
- Access control
- Virtual firewall
- vIDS/vIPS
VM system architecture security

A secure VM system should be protected by a robust, efficient and flexible architecture.

Three architectures:
- Popular
- Admin VM
- Security control
VM system architecture security
[Figure: the Popular, Admin VM and Security Control architectures]
Access Control
Virtual firewall

A virtual firewall (VF) is a firewall deployed and running entirely within a virtual environment, providing packet filtering and monitoring.

It can be a managed kernel process running within the host VMM.
vIDS/vIPS

vIDS and vIPS protect the virtual environment by collecting and analyzing information from the network and host to check for signs of attack.
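As an added illustration of the two preceding parts (virtual firewall and vIDS/vIPS), not code from the paper or the slides: a toy virtual firewall inside the VMM that enforces an inter-VM isolation policy, and a vIDS counter that flags guests repeatedly probing VMs they are not allowed to reach. The VM names, tenant mapping, allow list and traffic sample are all constructed.

```python
# Added example (not from the paper or the slides): a toy virtual firewall
# enforcing an inter-VM isolation policy inside the VMM, plus a vIDS counter
# that flags guests repeatedly probing VMs they are not allowed to reach.
from collections import Counter

# Constructed inventory: which tenant owns each guest VM (assumed names).
VM_TENANT = {"vm-a1": "tenantA", "vm-a2": "tenantA", "vm-b1": "tenantB"}

# Constructed allow list: (src_vm, dst_vm, dst_port). Anything else is dropped,
# so a missing rule fails closed rather than open.
ALLOW = {("vm-a1", "vm-a2", 5432)}

def filter_packet(src_vm, dst_vm, dst_port):
    """Return 'allow' or 'drop'. Cross-tenant (or unknown-VM) traffic is always dropped."""
    if VM_TENANT.get(src_vm) is None or VM_TENANT.get(src_vm) != VM_TENANT.get(dst_vm):
        return "drop"
    return "allow" if (src_vm, dst_vm, dst_port) in ALLOW else "drop"

def run_vids(packets, threshold=3):
    """Filter each packet and report sources whose dropped packets reach the threshold."""
    drops = Counter()
    for src, dst, port in packets:
        if filter_packet(src, dst, port) == "drop":
            drops[src] += 1
    return {src: n for src, n in drops.items() if n >= threshold}

# Constructed sample traffic: vm-b1 sweeps ports on vm-a1 (a cross-tenant probe),
# while vm-a2 makes a single unpermitted same-tenant connection attempt.
SAMPLE = [("vm-a1", "vm-a2", 5432), ("vm-b1", "vm-a1", 22),
          ("vm-b1", "vm-a1", 80), ("vm-b1", "vm-a1", 5432),
          ("vm-a2", "vm-a1", 22)]

if __name__ == "__main__":
    print(run_vids(SAMPLE))  # {'vm-b1': 3}
```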
Virtualization Security Management

Divide the VM management into four parts.
- Patch management
- VM migration management
- VM image management
- Audit
Patch management

Vendors develop and distribute patches, which leads to an endless cycle of security updates for production systems.

Managing security updates is not a simple task for any organization. The patch management process must be formalized through documentation and receive management approval in order to provide the best strategy for implementing such system changes. Vendors frequently fix security problems in software or firmware through version updates. They may not state the reason for the version change or which defects are resolved in a given update.
VM migration management

VM migration is a vulnerable process that is easily attacked.

When a VM is going to migrate somewhere, particular security mechanisms should be taken into account.
VM image management

A VM image is a special type of file/data format which is used to instantiate (create) a VM within the virtual environment.
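As an added example of an image-management check, not code from the paper or the slides: before an image is used to instantiate a VM, its SHA-256 is compared with an approved-image manifest, and the manifest itself is protected with an HMAC so that a tampered manifest is rejected along with a tampered image. The manifest key, image names and image bytes are constructed stand-ins.

```python
# Added example (not from the paper or the slides): verify a VM image against an
# approved-image manifest before instantiation. The manifest maps image name ->
# SHA-256 of the image bytes and carries an HMAC tag so edits to the manifest
# are detected just like edits to the image.
import hashlib
import hmac
import json

MANIFEST_KEY = b"constructed-demo-key"  # assumption: held only by the management node

def make_manifest(images):
    """images: {name: bytes}. Returns (manifest_json, tag) produced by the management node."""
    body = json.dumps({n: hashlib.sha256(b).hexdigest() for n, b in images.items()},
                      sort_keys=True)
    tag = hmac.new(MANIFEST_KEY, body.encode(), "sha256").hexdigest()
    return body, tag

def check_image(name, image_bytes, manifest_json, tag):
    """Return (ok, reason). The VMM should instantiate the image only when ok is True."""
    expected = hmac.new(MANIFEST_KEY, manifest_json.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return False, "manifest tampered"
    approved = json.loads(manifest_json)
    if name not in approved:
        return False, "image not approved"
    if hashlib.sha256(image_bytes).hexdigest() != approved[name]:
        return False, "image hash mismatch"
    return True, "ok"

# Constructed sample images (short byte strings stand in for real disk image files).
GOLD = {"web-base": b"...constructed image bytes..."}
MANIFEST, TAG = make_manifest(GOLD)

if __name__ == "__main__":
    print(check_image("web-base", GOLD["web-base"], MANIFEST, TAG))          # (True, 'ok')
    print(check_image("web-base", GOLD["web-base"] + b"x", MANIFEST, TAG))   # hash mismatch
    print(check_image("web-base", GOLD["web-base"], MANIFEST, "0" * 64))     # manifest tampered
```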
Audit

Audit the VM behaviors and sensitive data in order to monitor whether the virtual system is operating well and whether the sensitive data is safe.
Conclusion

The paper proposes a virtualization security framework aimed at the identified vulnerabilities.

In this framework, VM system architecture security together with virtualization security management can solve the problem of virtualization security effectively.
Thanks for listening