Visible to the public Virtual Machines

SoS Newsletter- Advanced Book Block

Virtual Machines

The use of virtual machines, that is, software-based emulations of a computer, holds promise for security applications. But virtual machines are often less efficient than actual machines. Security research in this area has begun to focus on large scale applications of virtual machines in cloud computing. Specific works cited address mash-up services, data center migration, and data center federations and networks.

  • "Remote and deep attestations to mitigate threats in Cloud Mash-Up services," Celesti, A.; Fazio, M.; Villari, M.; Puliafito, A.; Mulfari, D., Computer and Information Technology (WCCIT), 2013 World Congress on , vol., no., pp.1,6, 22-24 June 2013. (ID#:14-1299) Available at: Security concerns surrounding the widespread adoption of cloud computing is discussed in this paper, particularly by enterprises who must ensure the confidentiality and integrity of classified data. This paper discusses the role of Trusted Computing in the emergence of cloud mash-up services. The role that Remote and Deep Attestation protocols play in the physical and virtual security of cloud computing is also discussed in terms of a federated environment..
  • "Joint study on optimizations of data center deployment, VM assignment and migration," Yin Li; Min Yao; Chuang Lin, Quality of Service (IWQoS), 2013 IEEE/ACM 21st International Symposium on , vol., no., pp.1,10, 3-4 June 2013. (ID#:14-1300) Available at: Enterprises build private clouds to provide IT resources for geographically distributed subsidiaries or product divisions. Public cloud providers like Amazon [1] lease their platforms to enterprise users, thus, enterprises can also rent a number of virtual machines (VMs) from their data centers in the service provider networks. Unfortunately, the networks cannot always guarantee stable connectivity for their clients to access the VMs or low-latency transfer among data centers. Usually, latency and bandwidth are in an uncertain network environment. Being affected by background traffics, the network status can be volatile. To reduce the latency of client accesses, enterprises should consider the network status when they deploy data centers or rent virtual data centers from cloud providers. In this paper, we first develop a long-term oblivious data center deployment scheme for an enterprise to meet its client requirements under uncertain network status. Then, we design the optimal VM assignment schemes to assign VMs residing on each data center to each client in the enterprise. To accommodate to the changes of the network status, a VM migration scheme is adopted. The latter two schemes are short-term optimizations given the data center deployment policy. The two-time-scale optimizations work in a joint way, and lay down a framework to help enterprises make better use of private clouds or public clouds.
  • "Cross-stratum orchestration and flexgrid optical networks for data center federations," Velasco, L.; Asensio, A.; Castro, A.; Berral, J.L.; Carrera, D.; Lopez, V.; Fernandez-palacios, J.P., Network, IEEE , vol.27, no.6, pp.23,30, November-December 2013. (ID#:14-1301) Available at: Current inter-data-center connections are configured as static big fat pipes, which entails large bit rate over-provisioning and thus high operational costs for DC operators. On the other hand, network operators cannot share such connections between customers, because DC traffic varies greatly over time. Those connections are used to perform virtual machine migration and database synchronization among federated DCs, allowing elastic DC operations. To improve resource utilization and save costs, dynamic inter-DC connectivity is currently being targeted from a research point of view and in standardization form. In this article, we show that dynamic connectivity is not enough to guarantee elastic DC operations and might lead to poor performance provided that not enough overprovisioning of network resources is performed. To alleviate it to some extent, we propose using the flexgrid optical technology that enables finer spectrum granularity adaptation and the ability to dynamically increase and decrease the amount of optical resources assigned to connections. DCs can be interconnected through a flexgrid-based network controlled using a centralized software defined network, based on the architecture currently being proposed by the IETF; a cross-stratum orchestrator architecture coordinates DC and network elastically. Illustrative results show that dynamic elastic connectivity provides benefits by reducing the amount of overprovisioned network resources and facilitating elastic DC operations.
  • Pi-Chung Wang, "Scalable Packet Classification for Datacenter Networks," Selected Areas in Communications, IEEE Journal on , vol.32, no.1, pp.124,137, January 2014. (ID#:14-1302) Available at: The key challenge to a datacenter network is its scalability to handle many customers and their applications. In a datacenter network, packet classification plays an important role in supporting various network services. Previous algorithms store classification rules with the same length combinations in a hash table to simplify the search procedure. The search performance of hash-based algorithms is tied to the number of hash tables. To achieve fast and scalable packet classification, we propose an algorithm, encoded rule expansion, to transform rules into an equivalent set of rules with fewer distinct length combinations, without affecting the classification results. The new algorithm can minimize the storage penalty of transformation and achieve a short search time. In addition, the scheme supports fast incremental updates. Our simulation results show that more than 90% hash tables can be eliminated. The reduction of length combinations leads to an improvement on speed performance of packet classification by an order of magnitude. The results also show that the software implementation of our scheme without using any hardware parallelism can support up to one thousand customer VLANs and one million rules, where each rule consumes less than 60 bytes and each packet classification can be accomplished under 50 memory accesses.
  • "Challenges in Implementing Cache-Based Side Channel Attacks on Modern Processors," Gajrani, J.; Mazumdar, P.; Sharma, S.; Menezes, B., VLSI Design and 2014 13th International Conference on Embedded Systems, 2014. 27th International Conference on , vol., no., pp.222,227, 5-9 Jan. 2014. (ID#:14-1303) Available at: .This paper discusses the prevalence of side channel attacks, which exploit information gathered from hardware - such as power usage and timing, in order to compromise a system. This paper delves into existing research on cache-based side channel attacks on AES software implementation. These attacks are particularly noted in the cloud environment, as further detailed in the paper.This paper discusses the prevalence of side channel attacks, which exploit information gathered from hardware - such as power usage and timing, in order to compromise a system. This paper delves into existing research on cache-based side channel attacks on AES software implementation. These attacks are particularly noted in the cloud environment, as further detailed in the paper.
  • "A paravirtualized file system for accelerating file I/O," Kihong Lee; Dongwoo Lee; Young Ik Eom, Big Data and Smart Computing (BIGCOMP), 2014 International Conference on , vol., no., pp.309,313, 15-17 Jan. 2014 (ID#:14-1304) Available at: Virtualization performance has significantly increased due to recent technological advances, yet suffers from associated CPU and I/O strain. This paper details improvements for virtualized I/O performance through use of a dedicated thread, a paravirtualized file system, and shared queue, in order to eliminiate strain associated to processes like mode switching.
  • "Novel approach for security in Wireless Sensor Network using bio-inspirations," Rathore, H.; Badarla, V.; Jha, S.; Gupta, A., Communication Systems and Networks (COMSNETS), 2014 Sixth International Conference on , vol., no., pp.1,8, 6-10 Jan. 2014. (ID#:14-1305) Available at: This paper places into conversation the similarities between compromised computer networks and a human body fighting pathogens. The authenticity and intergrity of a Wireless Sensor Network (WSN), which senses physical specifications through sensor devices connected to nodes, may be compromised over time, and spurred the inspiration for using biology as a basis for combating these security threats. This paper discusses the use of machine learning to help detect and classify bogus nodes, as a threatened immune system might defend the human body from pathogenic viruses.
  • "Whispers in the Hyper-Space: High-Bandwidth and Reliable Covert Channel Attacks Inside the Cloud," Wu, Z.; Xu, Z.; Wang, H., Networking, IEEE/ACM Transactions on , vol.PP, no.99, pp.1,1 2014. (ID#:14-1306) Available at: Privacy and information security in general are major concerns that impede enterprise adaptation of shared or public cloud computing. Specifically, the concern of virtual machine (VM) physical co-residency stems from the threat that hostile tenants can leverage various forms of side channels (such as cache covert channels) to exfiltrate sensitive information of victims on the same physical system. However, on virtualized x86 systems, covert channel attacks have not yet proven to be practical, and thus the threat is widely considered a "potential risk." In this paper, we present a novel covert channel attack that is capable of high-bandwidth and reliable data transmission in the cloud. We first study the application of existing cache channel techniques in a virtualized environment and uncover their major insufficiency and difficulties. We then overcome these obstacles by: 1) redesigning a pure timing-based data transmission scheme, and 2) exploiting the memory bus as a high-bandwidth covert channel medium. We further design and implement a robust communication protocol and demonstrate realistic covert channel attacks on various virtualized x86 systems. Our experimental results show that covert channels do pose serious threats to information security in the cloud. Finally, we discuss our insights on covert channel mitigation in virtualized environments.
  • "DR-Cloud: Multi-cloud based disaster recovery service," Gu, Yu; Wang, Dongsheng; Liu, Chuanyi, Tsinghua Science and Technology, vol.19, no.1, pp.13,23, Feb. 2014. (ID#:14-1307) Available at: This paper discusses disaster recovery in a cloud computing environment, an essential topic accompanying the rise and widespread use of the cloud in industry and academia. This paper details DR-Cloud, a disaster recovery service model that utilizes multiple cloud service providers and varying optimization scheduling methods.
  • "A Compressive Sensing Based Secure Watermark Detection and Privacy Preserving Storage Framework," Qia Wang; Wenjun Zeng; Jun Tian, Image Processing, IEEE Transactions on , vol.23, no.3, pp.1317,1328, March 2014. (ID#:14-1308) Available at: Privacy is a critical issue when the data owners outsource data storage or processing to a third party computing service, such as the cloud. In this paper, we identify a cloud computing application scenario that requires simultaneously performing secure watermark detection and privacy preserving multimedia data storage. We then propose a compressive sensing (CS)-based framework using secure multiparty computation (MPC) protocols to address such a requirement. In our framework, the multimedia data and secret watermark pattern are presented to the cloud for secure watermark detection in a CS domain to protect the privacy. During CS transformation, the privacy of the CS matrix and the watermark pattern is protected by the MPC protocols under the semi-honest security model. We derive the expected watermark detection performance in the CS domain, given the target image, watermark pattern, and the size of the CS matrix (but without the CS matrix itself). The correctness of the derived performance has been validated by our experiments. Our theoretical analysis and experimental results show that secure watermark detection in the CS domain is feasible. Our framework can also be extended to other collaborative secure signal processing and data-mining applications in the cloud.
  • "Graphical Password Authentication: Cloud Securing Scheme," Gurav, Shraddha M.; Gawade, Leena S.; Rane, Prathamey K.; Khochare, Nilesh R., Electronic Systems, Signal Processing and Computing Technologies (ICESC), 2014 International Conference on , vol., no., pp.479,483, 9-11 Jan. 2014. (ID#:14-1309) Available at: This article discusses increased vulnerability of applications when authentication is made user-friendly, as well as the proposed use of graphical passwords in a cloud environment. Alphanumeric passwords have proved aggravating to remember for some users, prompting the discussion of using images as passwords, which are more easily remembered than number and/or letter combinations.
  • "Hilbert-curve based cryptographic transformation scheme for protecting data privacy on outsourced private spatial data," Kim, Hyeong-Il; Hong, Seung-Tae; Chang, Jae-Woo, Big Data and Smart Computing (BIGCOMP), 2014 International Conference on , vol., no., pp.77,82, 15-17 Jan. 2014. (ID#:14-1310) Available at: With the rise and widespread adoption of cloud environments, the concern has now shifted to the practice of outsourcing databases containing sensitive information. This article recognizes that, while attempting to censor location data privacy, current methods are easily bypassed and exploited. This paper proposes a novel cryptographic transformation scheme, using local clustering based on the Hilbert curve, to bolster security for data privacy, and decrease query processing time.
  • "An Approach to Balance the Load with Security for Distributed File System in Cloud," Chiwande, Vidya N.; Tayal, Animesh R., Electronic Systems, Signal Processing and Computing Technologies (ICESC), 2014 International Conference on, pp.266,270, 9-11 Jan. 2014. (ID#:14-1311) Available at: This paper highlights the challenges surrounding the secure use of distributed file systems, particularly the issue of load imbalance whenever nodes are upgraded, replaced, or included. The authors propose a novel load rebalancing algorithm, focusing on preventing imbalance for the central node. By using Hadoop, the authors combat associated security challenges with the use of Kerberos authentication protocol.
  • "Collaborative network security in multi-tenant data center for cloud computing," Chen, Zhen; Dong, Wenyu; Li, Hang; Zhang, Peng; Chen, Xinming; Cao, Junwei, Tsinghua Science and Technology , vol.19, no.1, pp.82,94, Feb. 2014. (ID#:14-1312) Available at: This paper discusses using shared cloud service infrastructure, and the challenges this poses in terms of respective security requirements for respective clients using the same service. This paper proposes a group-effort network security prototype system, called vCNSMS, used in conjunction with an open source UTM system for packet review. Different levels of security are accompanied by associated packet review schemes, and intelligence flow is monitored using a smart packet scheme to help prevent networks attack from within the data center network.
  • "Confidentiality-Preserving Image Search: A Comparative Study Between Homomorphic Encryption and Distance-Preserving Randomization," Lu, W.; Varna, A.L.; Wu, M., Access, IEEE , vol.2, no., pp.125,141, 2014. (ID#:14-1313) Available at: Recent years have seen increasing popularity of storing and managing personal multimedia data using online services. Preserving confidentiality of online personal data while offering efficient functionalities thus becomes an important and pressing research issue. In this paper, we study the problem of content-based search of image data archived online while preserving content confidentiality. The problem has different settings from those typically considered in the secure computation literature, as it deals with data in rank-ordered search, and has a different security-efficiency requirement. Secure computation techniques, such as homomorphic encryption, can potentially be used in this application, at a cost of high computational and communication complexity. Alternatively, efficient techniques based on randomizing visual feature and search indexes have been proposed recently to enable similarity comparison between encrypted images. This paper focuses on comparing these two major paradigms of techniques, namely, homomorphic encryption-based techniques and feature/index randomization-based techniques, for confidentiality-preserving image search. We develop novel and systematic metrics to quantitatively evaluate security strength in this unique type of data and applications. We compare these two paradigms of techniques in terms of their search performance, security strength, and computational efficiency. The insights obtained through this paper and comparison will help design practical algorithms appropriate for privacy-aware cloud multimedia systems.
  • "Shared Authority Based Privacy-preserving Authentication Protocol in Cloud Computing," Liu, H.; Ning, H.; Xiong, Q.; Yang, L.T., Parallel and Distributed Systems, IEEE Transactions on , vol.PP, no.99, pp.1,1 2014. (ID#:14-1314) Available at: Cloud computing is emerging as a prevalent data interactive paradigm to realize users' data remotely stored in an online cloud server. Cloud services provide great conveniences for the users to enjoy the on-demand cloud applications without considering the local infrastructure limitations. During the data accessing, different users may be in a collaborative relationship, and thus data sharing becomes significant to achieve productive benefits. The existing security solutions mainly focus on the authentication to realize that a user's privative data cannot be unauthorized accessed, but neglect a subtle privacy issue during a user challenging the cloud server to request other users for data sharing. The challenged access request itself may reveal the user's privacy no matter whether or not it can obtain the data access permissions. In this paper, we propose a shared authority based privacy-preserving authentication protocol (SAPA) to address above privacy issue for cloud storage. In the SAPA, 1) shared access authority is achieved by anonymous access request matching mechanism with security and privacy considerations (e.g., authentication, data anonymity, user privacy, and forward security); 2) attribute based access control is adopted to realize that the user can only access its own data fields; 3) proxy re-encryption is applied by the cloud server to provide data sharing among the multiple users. Meanwhile, universal composability (UC) model is established to prove that the SAPA theoretically has the design correctness. It indicates that the proposed protocol realizing privacy-preserving data access authority sharing, is attractive for multi-user collaborative cloud applications.
  • "A privacy-aware query authentication index for database outsourcing," Miyoung Jang; Min Yoon; Jae-Woo Chang, Big Data and Smart Computing (BIGCOMP), 2014 International Conference on , pp.72,76, 15-17 Jan. 2014. (ID#:14-1315) Available at: This paper discusses the concern of data confidentiality and query result integrity for outsourced databases, especially with the increasing popularity of cloud computing. Existing methods, such as bucket-based authentication, are considered to be relatively vulnerable. This paper proposes a query authentication method, which utilizes a periodic data grouping scheme to divide a spatial database into groups with a unique signature. The group signature is then used to verify outsourced data in range query replies to clients.


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.