SoS Newsletter

Virtual Machines, 2015


Arguably, virtual machines are more secure than actual machines. This idea is based on the notion that an attacker cannot jump the gap between the virtual and the actual. The growth of interest in cloud computing suggests it is time for a fresh look at the vulnerabilities in virtual machines. In the articles presented below, security concerns are addressed in some interesting ways. The articles cited below show how competition between I/O workloads could be exploited, describe a "gathering storm" for VM security issues, and discuss digital forensics issues in the cloud.


Jin, S.; Ahn, J.; Seol, J.; Cha, S.; Huh, J.; Maeng, S., "H-SVM: Hardware-assisted Secure Virtual Machines under a Vulnerable Hypervisor," Computers, IEEE Transactions on, vol. PP, no. 99, pp. 1-1, 09 January 2015. doi: 10.1109/TC.2015.2389792
Abstract: With increasing demands on cloud computing, protecting guest virtual machines (VMs) from malicious attackers has become critical to provide secure services. The current cloud security model with software-based virtualization relies on the invulnerability of the software hypervisor and its trustworthy administrator with the root permission. However, compromising the hypervisor with remote attacks or root permission grants the attackers full access to the memory and context of a guest VM. This paper proposes a HW-based approach to protect guest VMs even under an untrusted hypervisor. With the proposed mechanism, memory isolation is provided by the secure hardware, which is much less vulnerable than the software hypervisor. The proposed mechanism extends the current hardware support for memory virtualization based on nested paging with a small extra hardware cost. The hypervisor can still flexibly allocate physical memory pages to virtual machines for efficient resource management. In addition to the system design for secure virtualization, this paper presents a prototype implementation using system management mode. Although the current system management mode is not intended for security functions and thus limits the performance and complete protection, the prototype implementation proves the feasibility of the proposed design.
Keywords: Context; Hardware; Memory management; Registers; Virtual machine monitors; Virtual machining; Virtualization; Cloud Computing; Security; Virtualization (ID#: 15-5342)


Su, Kui; Xu, Lei; Chen, Cong; Chen, Wenzhi; Wang, Zonghui, "Affinity and Conflict-Aware Placement of Virtual Machines in Heterogeneous Data Centers," Autonomous Decentralized Systems (ISADS), 2015 IEEE Twelfth International Symposium on, pp. 289, 294, 25-27 March 2015. doi: 10.1109/ISADS.2015.42
Abstract: The virtual machine placement (VMP) problem has been a key issue in IaaS/PaaS cloud infrastructures. Many recent works on VMP prove that inter-VM relations such as memory sharing, traffic dependency and resource competition should be seriously considered to save energy, increase the performance of the infrastructure, reduce service level agreement violation rates and provide better administrative capabilities to the cloud provider. However, most existing works consider the inter-VM relations without taking the heterogeneity of cloud data centers into account. In practice, heterogeneous physical machines (PMs) in a heterogeneous data center are often partitioned into logical groups for load balancing and specific services, and cloud users always assign their VMs with specific PM requirements, which makes the inter-VM relations far more complex. In this paper, we propose an efficient solution for VMP with inter-VM relation constraints in a heterogeneous data center. The experimental results prove that our solution can efficiently solve the complex problem with an acceptable runtime.
Keywords: Bandwidth; Delays; Distributed databases; Greedy algorithms; Runtime; Security; Virtual machining; Affinity; Cloud data centers; Conflict; Heterogeneity; Virtual machine placement (ID#: 15-5343)


Sethi, Shuchi; Shakil, Kashish Ara; Alam, Mansaf, "Seeking Black Lining in Cloud," Computing for Sustainable Global Development (INDIACom), 2015 2nd International Conference on, pp. 1251, 1256, 11-13 March 2015. doi: (not provided)
Abstract: This work is focused on attacks on confidentiality that require time synchronization. This manuscript proposes a detection framework from a covert channel perspective in cloud security. This problem is interpreted as a binary classification problem, and the algorithm proposed is based on certain features that emerged after data analysis of the Google cluster trace, which forms the base for analyzing attack-free data. This approach can be generalized to study the flow of other systems and fault detection. The proposed framework makes no assumptions pertaining to the data distribution as a whole, making it suitable to meet cloud dynamism.
Keywords: Conferences; Bus contention; Cloud security; Covert channel; Virtual machines (ID#: 15-5344)


Bekeneva, Ya.; Shipilov, N.; Borisenko, K.; Shorov, A., "Simulation of DDoS-attacks and Protection Mechanisms Against Them," Young Researchers in Electrical and Electronic Engineering Conference (EIConRusNW), 2015 IEEE NW Russia, pp. 49, 55, 2-4 Feb. 2015. doi: 10.1109/EIConRusNW.2015.7102230
Abstract: Distributed Denial of Service (DDoS) attacks have become a major threat to current networks. This article provides an overview of existing DDoS attack generating tools and defense methods against them. The main difficulty of exploring DDoS attack features using such tools is the problem of raising a huge real network and making lots of preparations to run tests executing these tools. We provide a novel system for studying different DDoS attacks and counterattack technologies in a virtual network. The system architecture and interface are shown. Scenarios of simulating attacks are described, and test results are collected, analyzed, and presented.
Keywords: Filtering; DDoS; Egress Filtering; INET; NTP attack; OMNeT++; ReaSE; SYN-flooding; multi-level topology; network security; Ingress Filtering; simulation; virtual machine; virtual network (ID#: 15-5345)


Marnerides, A.K.; Spachos, P.; Chatzimisios, P.; Mauthe, A.U., "Malware Detection in the Cloud under Ensemble Empirical Mode Decomposition," Computing, Networking and Communications (ICNC), 2015 International Conference on, pp. 82, 88, 16-19 Feb. 2015. doi: 10.1109/ICCNC.2015.7069320
Abstract: Cloud networks underpin most of today's socio-economical Information Communication Technology (ICT) environments due to their intrinsic capabilities such as elasticity and service transparency. Undoubtedly, this increased dependence of numerous always-on services on the cloud is also subject to a number of security threats. An emerging critical aspect is related to the adequate identification and detection of malware. In the majority of cases, malware is the first building block for larger security threats such as distributed denial of service (DDoS) attacks; thus its immediate detection is of crucial importance. In this paper we introduce a malware detection technique based on Ensemble Empirical Mode Decomposition (E-EMD) which is performed at the hypervisor level and jointly considers system and network information from every Virtual Machine (VM). Under two pragmatic cloud-specific scenarios instrumented in our controlled experimental testbed we show that our proposed technique can reach detection accuracy rates over 90% for a range of malware samples. In parallel we demonstrate the superiority of the introduced approach after comparison with a covariance-based anomaly detection technique that has been broadly used in previous studies. Consequently, we argue that our presented scheme provides a promising foundation towards the efficient detection of malware in modern virtualized cloud environments.
Keywords: cloud computing; computer network security; invasive software; virtual machines; DDoS; E-EMD; cloud networks; covariance-based anomaly detection technique; distributed denial of service attacks; elasticity; ensemble empirical mode decomposition; malware detection; pragmatic cloud-specific scenarios; security threats; service transparency; socio-economical information communication technology environments; virtual machine; Accuracy; Empirical mode decomposition; Information security; Malware; Measurement; Virtual machine monitors; Anomaly Detection; Cloud computing; Empirical Mode Decomposition; Malware Detection (ID#: 15-5346)


Kanstren, Teemu; Lehtonen, Sami; Savola, Reijo; Kukkohovi, Hilkka; Hatonen, Kimmo, "Architecture for High Confidence Cloud Security Monitoring," Cloud Engineering (IC2E), 2015 IEEE International Conference on, pp. 195, 200, 9-13 March 2015. doi: 10.1109/IC2E.2015.21
Abstract: Operational security assurance of a networked system requires providing constant and up-to-date evidence of its operational state. In a cloud-based environment we deploy our services as virtual guests running on external hosts. As this environment is not under our full control, we have to find ways to provide assurance that the security information provided from this environment is accurate, and that our software is running in the expected environment. In this paper, we present an architecture for providing increased confidence in measurements of such cloud-based deployments. The architecture is based on a set of deployed measurement probes and trusted platform modules (TPMs) across both the host infrastructure and guest virtual machines. The TPMs are used to verify the integrity of the probes and the measurements they provide. This allows us to ensure that the system is running in the expected environment, that the monitoring probes have not been tampered with, and that the integrity of the measurement data provided is maintained. Overall this gives us a basis for increased confidence in the security of running parts of our system in an external cloud-based environment.
Keywords: Computer architecture; Cryptography; Monitoring; Probes; Servers; Virtual machining; TPM; cloud; monitoring; secure element; security assurance (ID#: 15-5347)


Kashif, U.A.; Memon, Z.A.; Balouch, A.R.; Chandio, J.A., "Distributed Trust Protocol for IaaS Cloud Computing," Applied Sciences and Technology (IBCAST), 2015 12th International Bhurban Conference on, pp. 275, 279, 13-17 Jan. 2015. doi: 10.1109/IBCAST.2015.7058516
Abstract: Due to the economic benefits of cloud computing, consumers have rushed to adopt Cloud Computing. Apart from rushing into the cloud, security concerns are also raised. These security concerns cause trust issues in adopting cloud computing. Enterprises adopting the cloud will have no more control over data, applications and other computing resources that are outsourced from the cloud computing provider. In this paper we propose a novel technique that will not leave the consumer alone in the cloud environment. Firstly we present a theoretical analysis of selected state-of-the-art techniques and identify issues in IaaS cloud computing. Secondly we propose the Distributed Trust Protocol for IaaS Cloud Computing in order to mitigate the trust issue between cloud consumer and provider. Our protocol is distributed in nature, which lets the consumer check the integrity of the cloud computing platform that is on the premises of the provider's environment. We follow the rule of security duty separation between the premises of consumer and provider and let the consumer be the actual owner of the platform. In our protocol, a user VM hosted at the IaaS Cloud Computing provider uses the Trusted Boot process by following the specification of the Trusted Computing Group (TCG) and by utilizing the Trusted Platform Module (TPM) chip of the consumer. The protocol is for Infrastructure as a Service (IaaS), i.e. the lowest service delivery model of cloud computing.
Keywords: cloud computing; formal specification; security of data; trusted computing; virtual machines; IaaS cloud computing; Infrastructure as a Service; TCG specification; TPM chip; Trusted Computing Group; cloud computing platform integrity checking; cloud consumer; cloud environment; cloud provider; computing resources; distributed trust protocol; economic benefit; security concern; security duty separation; service delivery model; trust issue mitigation; trusted boot process; trusted platform module chip; user VM; Hardware; Information systems; Security; Virtual machine monitors; Trusted cloud computing; cloud computing; cloud security and trust; trusted computing; virtualization (ID#: 15-5348)


Meera, G.; Geethakumari, G., "A Provenance Auditing Framework For Cloud Computing Systems," Signal Processing, Informatics, Communication and Energy Systems (SPICES), 2015 IEEE International Conference on, pp. 1, 5, 19-21 Feb. 2015. doi: 10.1109/SPICES.2015.7091427
Abstract: Cloud computing is a service oriented paradigm that aims at sharing resources among a massive number of tenants and users. This sharing facility that it provides, coupled with the sheer number of users, makes cloud environments susceptible to major security risks. Hence, security and auditing of cloud systems is of great relevance. Provenance is a meta-data history of objects which aids in verifiability, accountability and lineage tracking. Incorporating provenance into cloud systems can help in fault detection. This paper proposes a framework which aims at performing secure provenance audit of clouds across applications and multiple guest operating systems. For integrity preservation and verification, we use established cryptographic techniques. We look at it from the cloud service providers' perspective, as improving cloud security can result in better trust relations with customers.
Keywords: auditing; cloud computing; cryptography; data integrity; fault diagnosis; meta data; resource allocation; service-oriented architecture; trusted computing; accountability; cloud computing systems; cloud environments; cloud security; cloud service providers; cryptographic techniques; fault detection; integrity preservation; integrity verification; lineage tracking; metadata history; operating systems; provenance auditing framework; resource sharing; security risks; service oriented paradigm; sharing facility; trust relations; verifiability; Cloud computing; Cryptography; Digital forensics; Monitoring; Virtual machining; Auditing; Cloud computing; Provenance (ID#: 15-5349)


Rawat, S.; Dhruv, B.; Kumar, P.; Mittal, P., "Dissection and Proposal of Multitudinal Security Threats and Menace in Cloud Computing," Computational Intelligence & Communication Technology (CICT), 2015 IEEE International Conference on, pp. 123, 128, 13-14 Feb. 2015. doi: 10.1109/CICT.2015.130
Abstract: Cloud computing has emerged as an amazing field in the IT world today. It fords all the impediments of computing technology and allows the working and storage of data over the internet itself. It has allowed IT workers to expand their business over the internet, giving a hike to capabilities and potential in the business field. But the question of security remains unanswered, as till now not all IT firms have accepted the cloud completely. Business firms still fear to deploy their enterprise solely on the cloud due to the security issues. In this paper, we study the issues in the cloud service delivery models and the various security issues faced in cloud computing. Based on this detailed study, we further provide recommendations that could be followed to conquer the security concerns in the cloud.
Keywords: cloud computing; security of data; IT firms; IT workers; IT world; Internet; business field; cloud computing; cloud service delivery models; multitudinal security menace; multitudinal security threat dissection; multitudinal security threat proposal; Business; Cloud computing; Computational modeling; Security; Software as a service; Virtual machine monitors; Cloud Computing; Cloud Delivery Models; Data Security Threats and Risks (ID#: 15-5350)


Xianqing Yu; Ning, Peng; Vouk, Mladen A., "Enhancing Security Of Hadoop In A Public Cloud," Information and Communication Systems (ICICS), 2015 6th International Conference on, pp. 38, 43, 7-9 April 2015. doi: 10.1109/IACS.2015.7103198
Abstract: Hadoop has become increasingly popular as it rapidly processes data in parallel. Cloud computing gives reliability, flexibility, scalability, elasticity and cost savings to cloud users. Deploying Hadoop in the cloud can benefit Hadoop users. Our evaluation exhibits that various internal cloud attacks can bypass current Hadoop security mechanisms, and compromised Hadoop components can be used to threaten Hadoop overall. It is urgent to improve compromise resilience, so that Hadoop can maintain a relatively high security level when parts of Hadoop are compromised. Hadoop has two vulnerabilities that can dramatically impact its compromise resilience. The vulnerabilities are the overloaded authentication key, and the lack of fine-grained access control at the data access level. We developed a security enhancement for a public cloud-based Hadoop, named SEHadoop, to improve the compromise resilience through enhancing isolation among Hadoop components and enforcing least access privilege for Hadoop processes. We have implemented the SEHadoop model, and demonstrated that SEHadoop fixes the above vulnerabilities with minimal or no run-time overhead, and effectively resists related attacks.
Keywords: Access control; Authentication; Cloud computing; Containers; Resilience; Virtual machine monitors; Public cloud; compromise resilience; lack of fine-grained access control; least access privilege; overloaded authentication key; security (ID#: 15-5351)


Pasquier, Thomas F.J.-M.; Singh, Jatinder; Bacon, Jean, "Information Flow Control for Strong Protection with Flexible Sharing in PaaS," Cloud Engineering (IC2E), 2015 IEEE International Conference on, pp. 279, 282, 9-13 March 2015. doi: 10.1109/IC2E.2015.64
Abstract: The need to share data across applications is becoming increasingly evident. Current cloud isolation mechanisms focus solely on protection, such as containers that isolate at the OS-level, and virtual machines that isolate through the hypervisor. However, by focusing rigidly on protection, these approaches do not provide for controlled sharing. This paper presents how Information Flow Control (IFC) offers a flexible alternative. As a data-centric mechanism it enables strong isolation when required, while providing continuous, fine grained control of the data being shared. An IFC-enabled cloud platform would ensure that policies are enforced as data flows across all applications, without requiring any special sharing mechanisms.
Keywords: Cloud computing; Computers; Containers; Context; Kernel; Security (ID#: 15-5352)


Singh, Jatinder; Pasquier, Thomas F.J.-M.; Bacon, Jean; Eyers, David, "Integrating Messaging Middleware and Information Flow Control," Cloud Engineering (IC2E), 2015 IEEE International Conference on, pp. 54, 59, 9-13 March 2015. doi: 10.1109/IC2E.2015.13
Abstract: Security is an ongoing challenge in cloud computing. Currently, cloud consumers have few mechanisms for managing their data within the cloud provider's infrastructure. Information Flow Control (IFC) involves attaching labels to data, to govern its flow throughout a system. We have worked on kernel-level IFC enforcement to protect data flows within a virtual machine (VM). This paper makes the case for, and demonstrates the feasibility of an IFC-enabled messaging middleware, to enforce IFC within and across applications, containers, VMs, and hosts. We detail how such middleware can integrate with local (kernel) enforcement mechanisms, and highlight the benefits of separating data management policy from application/service-logic.
Keywords: Cloud computing; Context; Kernel; Runtime; Security; Servers; Information Flow Control; cloud computing; distributed systems; middleware; policy; security (ID#: 15-5353)


Yang, Chao-Tung; Lien, Wei-Hsiang; Shen, Yu-Chuan; Leu, Fang-Yi, "Implementation of a Software-Defined Storage Service with Heterogeneous Storage Technologies," Advanced Information Networking and Applications Workshops (WAINA), 2015 IEEE 29th International Conference on, pp. 102, 107, 24-27 March 2015. doi: 10.1109/WAINA.2015.50
Abstract: SDS is becoming more and more popular, and several companies have announced their products. But a generic standard still has not appeared; most products are only appropriate for their own devices, and SDS can integrate only a few storage systems. In this thesis, we will use OpenStack to build and manage the cloud service, and use software to integrate storage resources including Hadoop HDFS, Ceph and Swift on OpenStack to achieve the concept of SDS. The software used can integrate different storage devices to provide an integrated storage array and build a virtual storage pool, so that users do not feel restrained by the storage devices. Our software platform also provides a web interface for managers to arrange the storage space and administrate users and security settings. For allocation of the storage resources, we make a policy and assign the specific storage array to the machine that acquires the resource according to the policy.
Keywords: Arrays; Companies; Electromagnetic compatibility; Servers; Software; Virtualization; Ceph; Cloud service; HDFS; Hadoop; Software-Defined Storage; Virtualization (ID#: 15-5354)


Yamaguchi, Hiroshi; Gotaishi, Masahito; Sheu, Phillip C-Y; Tsujii, Shigeo, "Privacy Preserving Data Processing," Advanced Information Networking and Applications (AINA), 2015 IEEE 29th International Conference on, pp. 714, 719, 24-27 March 2015. doi: 10.1109/AINA.2015.258
Abstract: Data processing functions are expected to be a key issue of knowledge-intensive service functions in the Cloud computing environment. Cloud computing is a technology that evolved from technologies in the fields of virtual machines and distributed computing. However, these unique technologies bring unique privacy and security concerns for customers and service providers due to the involvement of expertise (such as knowledge, experience, ideas, etc.) in the data to be processed. We propose cryptographic protocols preserving the privacy of users and the confidentiality of the problem solving servers.
Keywords: Data processing; Indexes; Information retrieval; Security; Servers; Web services; Cloud Computing; Cryptographic Protocol; Privacy; Security (ID#: 15-5355)


Gimenez Ocano, S.; Ramamurthy, B.; Yong Wang, "Remote Mobile Screen (RMS): An Approach For Secure BYOD Environments," Computing, Networking and Communications (ICNC), 2015 International Conference on, pp. 52, 56, 16-19 Feb. 2015. doi: 10.1109/ICCNC.2015.7069314
Abstract: The introduction of bring your own device (BYOD) policy in the corporate world creates benefits for companies as well as job satisfaction for the employee. However, it also creates challenges in terms of security as new vulnerabilities arise. In particular, these challenges include space isolation, data confidentiality, and policy compliance as well as handling the resource constraints of mobile devices and the intrusiveness created by installed applications seeking to perform BYOD functions. We present Remote Mobile Screen (RMS), an approach for secure BYOD environments that addresses all these challenges. In order to achieve this, the enterprise provides the employee with a trusted virtual machine running a mobile operating system, which is located in the enterprise network and to which the employee connects using the mobile BYOD device. We describe our proposed solution and discuss our experimental results. Finally, we discuss advantages and disadvantages of RMS and possible future work.
Keywords: mobile computing; operating systems (computers); security of data; RMS; bring your own device policy; data confidentiality; mobile operating system; policy compliance; remote mobile screen; secure BYOD environments; space isolation; Companies; Computer architecture; Mobile communication; Mobile handsets; Random access memory; Security; Servers; Bring your own device (BYOD); data confidentiality; policy enforcement; security; space isolation; virtualization (ID#: 15-5356)


Wester, Craig; Engelman, Noel; Smith, Terrence; Odetunde, Kehinde; Anderson, Bob; Reilly, Joe, "The Role Of The SCADA RTU In Today's Substation," Protective Relay Engineers, 2015 68th Annual Conference for, pp. 622, 628, March 30-April 2, 2015. doi: 10.1109/CPRE.2015.7102199
Abstract: The interface between Supervisory, Control and Data Acquisition (SCADA) functions and Protection and Control (P&C) functions has been blurred since the acceptance and full utilization of microprocessor based relays. The control, data acquisition and protection functions have been incorporated into a single Intelligent Electronic Device (IED). In many cases this is a clean, economically sound, solution. In some cases, the merging of the SCADA functions into a protective IED has created operation gaps that need to be addressed. There needs to be a balance of the merger so that reliability and redundancy are considered. In addition, it is important to consider how the substation can be operated if a protective relay output is not operational. The merger of SCADA with protection and control has created jurisdictional challenges since the SCADA group is a separate organization from the protection and control group. A Human Machine Interface (HMI) is being installed in substations by many utilities for monitoring and control purposes. It is important to incorporate local HMI functionality in this discussion. This paper will review several distribution and transmission substation designs that merge SCADA and Protection & Control. Each design will be discussed with advantages and disadvantages. The paper will propose designs that balance SCADA and Protection & Control and include local HMI functionality, IED access and security.
Keywords: Microprocessors; Protective relaying; Protocols; Reliability; Security; Substations; AAA (Authentication, Authorization, Accounting); ASCII (American Standard Code for Information Interchange); CIP (Critical Infrastructure Protection); Current Transformer (CT); DNP3 (Distributed Network Protocol); HMI (Human Machine Interface); IED (Intelligent Electronic Device); IP (Internet Protocol); Input/Output (I/O); LAN (Local Area Network); NERC (North American Electric Reliability Corporation); NIST (National Institute of Standards and Technology); P&C (Protection & Control); Potential Transformer (PT); RADIUS (Remote Authentication Dial-In User Service); RBAC (Role Based Access Control); RTOS (Real Time Operating System); RTU (Remote Terminal Unit); SCADA (Supervisory Control & Data Acquisition); SEM (Security Event Management); VPN (Virtual Private Network); WAN (Wide Area Network) (ID#: 15-5357)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.