kazim finaldefense

Virtual machines image protection in Cloud computing

Muhammad Kazim (2011-NUST-MSCCS-23)

Thesis SupervisorDr. Muhammad Awais Shibli

G.E.C MembersDr. Abdul Ghafoor AbbasiDr. Hamid MukhtarMs. Rahat MasoodDepartment of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad

Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad

AgendaIntroductionMotivationResearch MethodologyProblem StatementResearch ContributionsImplementationResultsEvaluationConclusionDepartment of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad


VirtualizationIn Cloud computing, Virtualization is the basis of providing Infrastructure as a Service (IaaS).

A single system can concurrently run multiple isolated virtual machines (VMs), operating systems or multiple instances of a single operating system (OS).

Virtualization maximizes the jobs a single CPU can do.

Organizations are using virtualization to gain efficiency in platform and application hosting.Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad


Virtualization in CloudFigure 1: Virtualization in CloudDepartment of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad


Virtual Disk Image A single file or directory representing the hard drive of a guest operating system.

Encapsulates all components of a guest OS, including the applications and virtual resources used by guest OS.

Provides the ability to quickly launch and deploy virtual machines across various hosts.



MotivationAccording to different surveys , virtualization security is one of the most important security issues in Cloud.

Disk images in storage can be compromised through attacks such as unauthorized access, data leakage, malware installation and snapshot access in storage.

Through attacks integrity, and confidentiality of images and sensitive customer data stored in them can be compromised.

Standard bodies (NIST, CSA and PCI DSS) have published security guidelines to emphasize the importance of virtualization and disk images security.



Research Methodology Identifying problem statementDevelop hypothesisTesting and evaluationDesign frameworkDefining research areaLiterature reviewFramework implementationDepartment of Computing, School of Electrical Engineering and Computer Sciences, NUST - IslamabadFigure 2: Thesis research methodology


Related WorkLiterature surveyIaaS SecuritySecurity analysis of virtualizationVirtual machines securityDisk images securitySecurity guidelines on virtualizationNational Institute of Standards and Technology (NIST)Cloud Security Alliance (CSA)Payment Card Industry Data Security Standard (PCI DSS) Industrial solutionsStorage Made Easy, Piston Cloud and Metacloud



Problem StatementVirtual machine images are vulnerable to infrastructure, hypervisor and storage attacks in Cloud. Therefore, VM images must be secured in Cloud storage through best security practices, both for protecting the sensitive customer data and maintaining the integrity of disk images.Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad


Research ContributionsTheoretical (Two research publications)

Practical (Development of disk image protection framework)



Conference PapersMuhammad Kazim, Rahat Masood, Muhammad Awais Shibli, Abdul Ghafoor Abbasi, Security aspects of virtualization in Cloud computing, 12th International Conference on Computer Information Systems and Industrial Management Applications, CISIM, Springer, Krakow-Poland 2013, September 25-27.

Muhammad Kazim, Rahat Masood, Muhammad Awais Shibli, Securing the virtual machine images in Cloud computing, 6th International Conference on Security of Information and Networks (SIN 2013), ACM-SIGSAC, Aksaray-Turkey 2013, November 26-28.



Analysis of virtualization security in CloudThe security analysis of Cloud virtualization was done from three different aspects including:General requirements for securing Cloud virtualization components including hypervisor, virtual machines, disk images and service providers.Identification of possible attacks on virtualization components.Analysis of existing techniques for the security of virtualization components.



Virtual machines security analysis


RequirementsAttacksSolutionsIsolation between virtual machines should be properly implementedMalicious programs use covert channels to communicate with other VMs in unauthorized wayVigilant can monitor faults in guest OS of VM

Update the OS regularly and use anti-virus software, secure internet and restrict remote accessMalicious programs can monitor traffic, steal critical data, and tampering the functionality of VMsSecurity features such as firewall, HIPS, log monitoring must be provided in guest OSSecurely boot the guest VMs Attacker can tamper boot process of guest VMsSecurity protocol by J. Kong can be to ensure secure boot of guest VMs There must be limit on VMs resource usageUsing a malicious VM to consume extra resources of the system, resulting in DOS attack Administrator must deploy a software or application that limits VMs to use authorized resources


Disk images security analysisDepartment of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad

RequirementsAttacksSolutionsDisk images must be secured from storage attacksAttacker can compromise the stored images by installing malware and accessing the contents of imagesUse encryption and hashing of images before saving themSnapshot access must be prevented from authorized access VM checkpoint attacks Checkpoint attacks can be prevented by encrypting the checkpoints using SPARCApply updates and patches to maintain images secure Old images are vulnerable to zero day attacks Nuwa is a tool designed to apply efficient patching to VM images in Cloud Backup of the virtual machines images must bemaintainedUnauthorized access to the backup data can result in leakage of sensitiveinformationBackup of VM images must be encrypted. J. Wei et.al. proposed an image management system to manage Cloud VM images


Implementation PerspectiveImplement a framework that that ensures confidentiality of images through encryption.Images are decrypted when required by the VM.Hashing techniques are used to ensure integrity of images.Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad


Encrypted Virtual Disk Images in Cloud (EVDIC)To secure the virtual machine images from storage attacks in Cloud, EVDIC is proposed.

EVDIC protects the virtual machine images in Cloud by encrypting them before storage. The images are decrypted only when required by the virtual machine.

EVDIC proposes the security of key management and key exchange process.

*Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad


Disk Image Storage in Cloud Figure 4: Image Encryption in CloudDepartment of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad


Disk Image Retrieval in Cloud

Figure 5: Image Decryption in CloudDepartment of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad


OpenStackOpenStack is a highly scalable and elastic cloud computing platform for both large and small public private Clouds.

There are currently seven core components of OpenStack: Compute, Object Storage, Identity, Dashboard, Block Storage, Network and Image Service.Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad


Deployment of OpenStack for development

Devstack A documented shell script to build complete OpenStack development environments

Deployment of DevstackSetup a fresh supported Linux installationClone devstackDeploy your OpenStack Cloud

http://devstack.org/Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad


Debugging of source codeDebugging of Swift through command line Pdb (Python debugger)

Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - IslamabadFigure 6: Command line debugging using pdb


Virtual machines in OpenStackDepartment of Computing, School of Electrical Engineering and Computer Sciences, NUST - IslamabadFigure 7: Virtual machines cycle in OpenStack


Integration of Image encryption and decryption with Swift

OpenStack Swift API is implemented as a set of ReSTful web services. The proxy server initiates an internal Swift PUT request to the object servers. Object servers processes images chunk by chunk so each chunk gets encrypted and gets stored as part of encrypted file.For decryption object server decrypts each chunk before it sends the image to the proxy server.



Image Encryption Module in Swift Figure 8: Image Encryption in OpenStackDepartment of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad


Image Decryption Module in SwiftDepartment of Computing, School of Electrical Engineering and Computer Sciences, NUST - IslamabadFigure 9: Image Decryption in OpenStack


Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - IslamabadVirtual machines cycle in OpenStackFigure 10: IEM and IDM in OpenStack


ResultsAfter VM termination, image is stored into Swift encrypted storage.AES is block sized encryption, that adds extra padding to images.Encryption of images maintains their confidentiality in Cloud storage.Hash of image is taken before encryption. During decryption hash of image is calculated again, and compared with the original hash to ensure integrity of image.



EvaluationVarious tools can be used to explore and modify the images including CDmage, Daemon tools and Archive Manager.The content of encrypted images cannot be displayed by these tools.Our system provides protection to images from data leakage, data alteration and image modification.Performance evaluation of the system shows ~15% overhead caused on image processing time due to increase of image size after encryption, retrieval of encryption keys during encryption, decryption and applying the cryptographic techniques. Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad


Evaluation Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - IslamabadFigure 11: Image upload in SwiftFigure 12: Image download in Swift


ConclusionImage encryption module encrypts all virtual disk images before storage in OpenStack. They are decrypted when required by the virtual machine.

Integrity and confidentiality of virtual machine images in storage is ensured. They are secure from all possible storage attacks such as data theft, malware installation and hypervisor issues.



Future DirectionsEncryption of accounts to protect users and images lists in Swift. Integration of Key Management protocol with Swift image encryption.Encryption of persistent storage used by virtual machines during execution.



References[1] Shubhashis Sengupta, Vikrant Kaulgud, Vibhu Saujanya Sharma, Cloud Computing Security - Trends and Research Directions, IEEE World Congress on Services, Washington, DC, USA, 2011.

[2] Jakub Szefer, Ruby B. Lee, A Case for Hardware Protection of Guest VMs from Compromised Hypervisors in Cloud Computing, 31st International Conference on Distributed Computing Systems Workshops, Washington, DC, USA, 2011.

[3] Jinzhu Kong, Protecting the confidentiality of virtual machines against untrusted host, International Symposium on Intelligence Information Processing and Trusted Computing, Washington, DC, USA, 2010.

[4] Farzad Sabahi, Secure Virtualization for Cloud Environment Using Hypervisor-based Technology, International Journal of Machine Learning and Computing vol. 2, no. 1, February 2012, pp.39-45.

[5] Jenni Susan Reuben, A Survey on Virtual Machine Security, TKK T-110.5290 Seminar on Network Security, 2007.



[6] Seongwook Jin, Jeongseob Ahn, Sanghoon Cha, and Jaehyuk Huh, Architectural Support for Secure Virtualization under a Vulnerable Hypervisor, Proceedings of the 44th Annual IEEE/ACM International Symposium on Microarchitecture, USA, 2011.

[7] Ryan Shea, Jiangchuan Liu, Understanding the Impact of Denial of Service on Virtual Machines, IEEE 20th International Workshop on Quality of Service (IWQoS), Burnaby, BC, Canada, 2012.

[8] Wu Zhou, Peng Ning, Xiaolan Zhang, Always up-to-date: scalable offline patching of VM images in a compute cloud, Proceedings of the 26th Annual Computer Security Applications Conference, New York, USA, 2010, pp. 377-386.

[9] J.Wei, X. Zhang, G. Ammons, V. Bala, and P. Ning, Managing security of virtual machine images in a cloud environment," in Proceedings of the 2009 ACM workshop on Cloud computing security. ACM, 2009, pp. 91- 96.

[10] Mikhail I. Gofman, Ruiqi Luo, Ping Yang, Kartik Gopalan, SPARC: A security and privacy aware Virtual Machine checkpointing mechanism, Proceedings of the 10th annual ACM workshop on Privacy in the electronic society, New York, USA, 2011, pp. 115-124.



kazim finaldefense

Documents