Host-side Architecture for Securing Virtualization in Cloud Environment:
The security model prescribed here is purely host-side architecture that can be placed in a cloud system “as it is” without changing any aspect of the cloud. The system assumes the attacker is located in any form within the guest VM. This system is also asynchronous in nature and therefore is easier to hide from an attacker. Asynchronicity prevents timing analysis attacks from detect this system. The model believes that the host system is trustworthy. When a guest system is placed in the network, it’s susceptible to various kinds of attacks like, viruses, code injections (in terms of web applications), and buffer overflows. Other lesser-known attacks on clouds include DoS, keystroke analysis, and estimating traffic rates. In addition, an exploitation framework like metasploit can easily attack buffer overflow vulnerability and compromise the entire environment.
The above approach basically monitors key components. It takes into account the fact that the key attacks would be on kernel and middleware. Thus integrity checks are in place for these modules. Overall, the system checks for any malicious modifications in the kernel components. The design of the system takes into consideration attacks from outside the cloud and also from sibling virtual machines. In the above figure the dotted lines stand for monitoring data and red lines symbolize malicious data. This system is totally transparent to the guest VMs, as this is a totally host-integrated architecture.
The implementation of this system basically starts with attaching few modules onto the hosts. The following are the modules along with their functions:
Interceptor: The first module that all the host-traffic will encounter. The interceptor doesn’t block any traffic and so the presence of a third-party security system shouldn’t be detected by an attacker; thus, that the attacker’s activities can be logged in more detail. This feature also allows the system to be made more intelligent. This module takes the responsibility of monitoring suspicious guest activities. This also plays a role in replacing/restoring the affected modules in the case of an attack.
Warning Recorder: The result of the interceptor’s analysis is directly sent to this module. Here a warning pool is created for security checks. The warnings generated are prioritized for future reference.
Evaluator and hasher: This module performs security checks based on the priorities of the warning pool created by the warning recorder. Increased warning will lead to a security alert.
Actuator: The actuator actually makes the final decision whether to issue a security alert or not. This is done after receiving confirmation from Evaluator, hasher, and warning recorder.
This system performs an analysis on the memory footprints, and checks for both abnormal memory usages and connection attempts. This kind of detection of malicious activity is called anamoly based detection. Once any system is compromised the devious malware tries to affect other systems in the network until the entire unit is owned by the hacker. Targets of this type of attack also include the command and control servers, as in case of Botnets. In either case, there is an increase in memory activity and connection attempts that occur from a single point in the environment.
Another key strategy used by attackers is to utilize hidden processes as listed in the process list. An attacker performs a dynamic data attack/leveraging which hides the process he is using from the display on the system. The modules of this protection system perform periodic checks of the kernel schedulers. On scanning the kernel scheduler, it would detect hidden structures there by nullifying the attack.
This approach has been followed by two of the main open-source cloud distributions, namely Eucalyptus and OpenECP. In all implementation, this system remains transparent to the guest VM and the modules are generally attached to the key components of the architecture.
The system claims to be CPU-free in nature (as it’s asynchronous) and has shown few complex behaviors on I/O operations. It’s reasoned that this characteristic is due to constant file-integrity checks and analysis done by the warning recorder.
In this article, we have seen a novel architecture design that aims to secure virtualization on cloud environments. The architecture is purely host-integrated and remains transparent to the guest VMs. This system also assumes trustworthiness of the host, and assumes attacks originate from the guests. As in security, the rule of thumb says: Anything and everything can be penetrated with time and patience. But an intelligent security consultant can make things difficult for an attacker by integrating transparent systems so that they remain invisible and that it takes time for hackers to detect these systems under normal scenarios.
Lombardi F, Di Pietro R – Secure virtualization for cloud computing, 2010
Extending LDAP to cloud: http://enstratus.typepad.com/blog/2011/11/extend-ldap-ad-into-your-cloud-management.html