Wenjuan Li,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1109/iceie.2010.5559829

2010-01-01

Abstract:Security and interoperability is the biggest challenge to promote cloud computing currently. Trust has proved to be one of the most important and effective alternative means to construct security in distributed systems. In order to efficiently and safely construct entities' trust relationship in cloud and cross-clouds environment, this paper proposed a novel cloud trust model and a new cloud security framework. The propose trust model is domain-based. It divides one cloud provider's resource nodes into the same trust domain. It designs different trust strategies for different roles. Trust recommendation is treated as one type of cloud services just like computation or storage. Based on the proposed trust model, it introduced a novel cloud security framework with an independent trust management module. Using the proposed security model, it introduced some trust-based security mechanisms. Results of simulation experiments show that the proposed security model can achieve high transaction success rate with high trust accuracy.

Fengzhe Zhang,Jin Chen,Haibo Chen,Binyu Zang

DOI: https://doi.org/10.1145/2043556.2043576

2011-01-01

Abstract:Multi-tenant cloud, which usually leases resources in the form of virtual machines, has been commercially available for years. Unfortunately, with the adoption of commodity virtualized infrastructures, software stacks in typical multi-tenant clouds are non-trivially large and complex, and thus are prone to compromise or abuse from adversaries including the cloud operators, which may lead to leakage of security-sensitive data.In this paper, we propose a transparent, backward-compatible approach that protects the privacy and integrity of customers' virtual machines on commodity virtualized infrastructures, even facing a total compromise of the virtual machine monitor (VMM) and the management VM. The key of our approach is the separation of the resource management from security protection in the virtualization layer. A tiny security monitor is introduced underneath the commodity VMM using nested virtualization and provides protection to the hosted VMs. As a result, our approach allows virtualization software (e.g., VMM, management VM and tools) to handle complex tasks of managing leased VMs for the cloud, without breaking security of users' data inside the VMs.We have implemented a prototype by leveraging commercially-available hardware support for virtualization. The prototype system, called Cloud Visor, comprises only 5.5K LOCs and supports the Xen VMM with multiple Linux and Windows as the guest OSes. Performance evaluation shows that Cloud Visor incurs moderate slow-down for I/O intensive applications and very small slowdown for other applications.

Pengze Guo,Yongkai Zhou,Zhi Xue,Xinxing Yin,Liang Pang,Yan Zhu,Xiao Chen,Fangbiao Li

2014-01-01

Abstract:The past decade has witnessed the rapid development of cloud computing. Virtualization, which is the basis of delivering Infrastructure as a Service (IaaS), has led to an explosive growth in the cloud computing industry. Meanwhile, new threats are also introduced. This paper explores different aspects of cloud virtualization security, including security threats of virtualization infrastructure and attacks that can be launched on virtual cloud. The research mainly focuses on hypervisor security, vSwitch security and virtual machine security. The paper also discusses state-of-the-art solutions to those threats, which are beneficial for implementing effective protection methods for virtual cloud environment.

LIU Yu-tao,CHEN Hai-bo

DOI: https://doi.org/10.11959/j.issn.2096-109x.2016.00091

2016-01-01

Abstract:The virtualization security has increasingly drawn widespread attention with the spread of cloud computing in recent years.Thanks to another level of indirection,virtualization can provide stronger isolation mechanisms,as well as bottom-up security services for upper-level software.On the other side,the extra indirection brings complexity and overhead as well,which poses huge challenges.A series of recent representative work done by the institute of parallel and distributed system shanghai jiaotong university,including providing security services of trusted execution environment,virtual machine monitoring,intra-domain isolation,as well as optimizing trusted computing base and cross-world calls in the virtualization environment.Finally the problems and directions in the space of virtualization security were summarized.

Pengfei Sun,Qingni Shen,Liang Gu,Yangwei Li

DOI: https://doi.org/10.1109/anthology.2013.6784967

2013-01-01

Abstract:Virtualization technologies enable multi-tenancy cloud business models by providing a scalable, shared resource platform for all tenants. Computing capacity, storage, and network are shared between multi-tenants. However, placing different customers' workloads on the same virtualization platform may lead to security vulnerabilities, which include the failure of mechanisms separating storage, memory, routing, and even reputation between different tenants of the shared infrastructure. The co-location of many customers inevitably causes conflict for the cloud provider as customers' communication security requirements are likely to be divergent from each other. In this paper, we introduce Multi-lateral Security concept to multi-tenancy cloud platform. It is difficult to analyze policies defined by consumers in the same virtualization platform in order to guarantee configuration stability given that policies may have conflicts leading to unpredictable effects. We present the Multilateral Security Architecture for Virtualization platform (VPMS) which enables the multilateral security for consumers.

Yue-hua Dai,Xiaoguang Wang,Yi Shi,Jianbao Ren,Yong Qi

DOI: https://doi.org/10.1109/iccchina.2012.6356995

2012-01-01

Abstract:The use of virtualization in cloud computing is becoming more and more popular. Cloud service providers leverage virtualization technology to multiplex hardware resource, consolidate servers, and provide a rounded executing environment to remote cloud users. However, the current executing environment the cloud provides is not trustable. For a user's computing environment faces threats from other malicious cloud users who aim at attacking the whole underlying virtualization software (virtual machine monitor, VMM, or hypervisor). In this paper, we make an analysis of the potential threat to a commodity hyper-visor, and propose architecture for safe executing environment on hardware-sharing platform. The main ideas of our architecture are: removal of interaction between hypervisor and executing environment; attestation of the initial environment state to remote user. To prove the effectiveness of our architecture, we build a prototype system which can create multiple secure isolated executing environment on current multi-core x86 hardware. The final evaluation shows that with current commodity virtualization techniques, we can provide a safe executing environment for remote cloud users with no performance overhead.

Xiangyang Luo,Lin Yang,Dai Hao,Fenlin Liu,Daoshun Wang

DOI: https://doi.org/10.4304/jnw.9.3.571-581

2014-01-01

Abstract:Data security and virtualization security issues are two key bottlenecks restricting the application of cloud computing promoting and applications, especially for the Cloud-based media computing system. In this paper, states of the art of the techniques on cloud computing data security issues, such as data encryption, access control, integrity authentication and other issues is surveyed, on this basis, the key technical issues of the cloud computing data security should concern about and focus on are indicated, and some corresponding countermeasures and suggestions are presented. For the virtualization security problem introduced by private cloud computing, the security risks induced by virtualization are analyzed and classified, and then based on the divide-conquer idea, for each kind of security risk, some corresponding solutions are presented.

Nadiah M. Almutairy,Khalil H. A. Al-Shqeerat

DOI: https://doi.org/10.2139/ssrn.3436071

2019-01-01

SSRN Electronic Journal

Abstract:Virtualization has become a widely and attractive employed technology in cloud computing environments. Sharing of a single physical machine between multiple isolated virtual machines leading to a more optimized hardware usage, as well as make the migration and management of a virtual system more efficiently than its physical counterpart. Virtualization is a fundamental technology in a cloud environment. However, the presence of an additional abstraction layer among software and hardware causes new security issues. Security issues related to virtualization technology have become a significant concern for organizations due to arising some new security challenges. This paper aims to identify the main challenges and risks of virtualization in cloud computing environments. Furthermore, it focuses on some common virtual-related threats and attacks affect the security of cloud computing. The survey was conducted to obtain the views of the cloud stakeholders on virtualization vulnerabilities, threats, and approaches that can be used to overcome them. Finally, we propose recommendations for improving security, and mitigating risks encounter virtualization that necessary to adopt secure cloud computing.

Ranabhat Saugatdeep,Alexey N. Nazarov,Tuleun Terhemen Daniel,,,

DOI: https://doi.org/10.36724/2664-066x-2022-8-6-2-9

2022-01-01

SYNCHROINFO JOURNAL

Abstract:Lately, the most efficient solution for an organization and individual of internet based distributed computing platforms is cloud computing. Processing, storage, and data management are just a few of the useful services that end users can get from cloud computing. However, it raises a lot of issues with privacy and security which needs to be resolved. Major component of cloud computing is virtualization technology, which helps to develop complex cloud services based on the externalization and composition of these resources. The primary concern with cloud computing security is virtualization security. The collective measures and methods that ensure the safety of a virtualization environment are referred to as virtualization security. It tackles the security risks that virtualized components encounter, as well as techniques for mitigating or preventing them. In recent days, attacks are mainly aimed either to the virtualization architecture or the infrastructure. We prefer to examine the security holes associated with virtualization in this paper and how concentrating on virtualization security might ultimately result in safeguarding cloud computing platform. Through this paper we tend to highlight the recent progress and an overview of the existing works performed on various dimensions of the cloud security. We conclude our paper by making several recommendations with respect to the attack vector for supporting cloud protection with a mathematical LP model.

Gregory Levitin,Liudong Xing,Yuanshun Dai

DOI: https://doi.org/10.1016/j.ejor.2017.11.064

IF: 6.4

2017-01-01

European Journal of Operational Research

Abstract:The virtualization technology, particularly virtual machines (VMs) used in cloud computing systems have raised unique security and survivability risks for cloud users. This paper focuses on one of such risks, co-residence attacks where a user's information in one VM can be accessed (stolen) or corrupted through side channels by a malicious attacker's VM co-residing on the same server. We model and optimize users' data protection policy in which sensitive data are partitioned into several blocks to enhance data security and multiple replicas are further created for each block to provide data survivability in a cloud environment subject to the co-residence attacks. Both users' and attackers' VMs are distributed among cloud servers at random. Probabilistic models are first suggested to derive the overall probabilities of an attacker's success in data theft and data corruption. Based on the suggested probabilistic evaluation models, optimization problems of obtaining the data partition/replication policy to balance data security, data survivability and a user's overheads are formulated and solved. The possible user's uncertainty about the number of attacker's VMs is taken into account. Numerical examples demonstrating influence of different constraints on the optimal policy are presented. (C) 2017 Elsevier B.V. All rights reserved.

Jun Tang,Yong Cui,Qi Li,Kui Ren,Jiangchuan Liu,Rajkumar Buyya

DOI: https://doi.org/10.1145/2906153

IF: 16.6

2016-01-01

ACM Computing Surveys

Abstract:With the rapid development of cloud computing, more and more enterprises/individuals are starting to outsource local data to the cloud servers. However, under open networks and not fully trusted cloud environments, they face enormous security and privacy risks (e.g., data leakage or disclosure, data corruption or loss, and user privacy breach) when outsourcing their data to a public cloud or using their outsourced data. Recently, several studies were conducted to address these risks, and a series of solutions were proposed to enable data and privacy protection in untrusted cloud environments. To fully understand the advances and discover the research trends of this area, this survey summarizes and analyzes the state-of-the-art protection technologies. We first present security threats and requirements of an outsourcing data service to a cloud, and follow that with a high-level overview of the corresponding security technologies. We then dwell on existing protection solutions to achieve secure, dependable, and privacy-assured cloud data services including data search, data computation, data sharing, data storage, and data access. Finally, we propose open challenges and potential research directions in each category of solutions.

Yu-Ding WANG,Jia-Hai YANG,Cong XU,Xiao LING,Yang YANG

DOI: https://doi.org/10.13328/j.cnki.jos.004820

2015-01-01

Abstract:With the intensive and large scale development of cloud computing, security becomes one of the most important problems. As an important part of security domain, access control technique is used to limit users' capability and scope to access data and ensure the information resources not to be used and accessed illegally. This paper focuses on the state-of-the-art research of access control technology in cloud computing environment. First, it briefly introduces access control theory, and discusses the access control framework in cloud computing environment. Then, it thoroughly surveys the access control problems in cloud computing environment from three aspects including cloud access control model, cloud access control based on ABE (attribute-based encryption) cryptosystem, and multi-tenant and virtualization access control in cloud. In addition, it probes the best current practices of access control technologies within the major cloud service providers and open source cloud platforms. Finally, it summarizes the problems in the current research and prospects the development of future research.

Gregory Levitin,Liudong Xing,Hong-Zhong Huang

DOI: https://doi.org/10.1111/risa.13219

2018-01-01

Risk Analysis

Abstract:Empowered by virtualization technology, service requests from cloud users can be honored through creating and running virtual machines. Virtual machines established for different users may be allocated to the same physical server, making the cloud vulnerable to co-residence attacks where a malicious attacker can steal a user's data through co-residing their virtual machines on the same server. For protecting data against the theft, the data partition technique is applied to divide the user's data into multiple blocks with each being handled by a separate virtual machine. Moreover, early warning agents (EWAs) are deployed to possibly detect and prevent co-residence attacks at a nascent stage. This article models and analyzes the attack success probability (complement of data security) in cloud systems subject to competing attack detection process (by EWAs) and data theft process (by co-residence attackers). Based on the suggested probabilistic model, the optimal data partition and protection policy is determined with the objective of minimizing the user's cost subject to providing a desired level of data security. Examples are presented to illustrate effects of different model parameters (attack rate, number of cloud servers, number of data blocks, attack detection time, and data theft time distribution parameters) on the attack success probability and optimization solutions.

Xiaoguang Wang,Yi Shi,Yuehua Dai,Yong Qi,Jianbao Ren,Yu Xuan

DOI: https://doi.org/10.4304/jcp.9.10.2303-2314

2014-01-01

Journal of Computers

Abstract:The Infrastructure as a Service (IaaS) cloud computing model is widely used in current IT industry, providing the cloud users virtual machines as the executing environment. However, current executing environment the cloud provided is not trustworthy. For a user's executing environment faces threats from malicious cloud users who aim at attacking the underlying virtualization software (virtual machine monitor, VMM, or hypervisor). In this paper, we first make an analysis of the potential threats to a commodity hypervisor, and then propose architecture to build a more trustworthy executing environment for IaaS cloud. The main ideas of our architecture are: removing interaction between hypervisor and the exposed executing environment, enhancing platform data secrecy as well as providing feature rich environment attestation. To prove the effectiveness of our architecture, we build a prototype system, named TrustOSV, which can host multiple trustworthy isolated computing environments on multi-core x86 hardware. The final evaluation shows that TrustOSV can provide enhanced security guarantees to the exposed VMs at modest cost.

Zhen Chen,Wenchao Qi,Pengfei He,Linlin Liu,Limin Shen

DOI: https://doi.org/10.11999/JEIT211185

2023-01-01

Abstract:n the cloud era, cloud Application Programming Interface (API) is the best carrier for servicedelivery, capability replication and data output. However, cloud API increases the exposure and attack surfaceof cloud application while opening up services and data. Through data hijacking, traffic analysis and othertechnologies, attackers can obtain the key resources of the target cloud API, so as to identify the identity andbehavior of users, or even directly cause the paralysis of the underlying system. Currently, there are many typesof attacks against cloud APIs, and their threats and protection methods are different. However, the existingresearches lack a systematic summary for cloud API attack and protection methods. In this paper, a detailsurvey on the threats and protection methods faced by cloud API is conducted. Firstly, the evolution and theclassification of cloud API are analyzed. The vulnerability of cloud API and the importance of cloud APIsecurity research are then discussed. Furthermore, a systematical cloud API security research framework isproposed, which covers six aspects: identity authentication, cloud API Distributed Denial of Service (DDoS)attack protection, replay attack protection, Man-In-The-Middle (MITM) attack protection, injection attackprotection and sensitive data protection. In addition, the necessity of Artificial Intelligence (AI) protection forcloud API is discussed. Finally, the future challenges and development trends of cloud API protection are presented

Wang Guo-Feng,Liu Chuan-Yi,Pan He-Zhong,Fang Bin-Xing

DOI: https://doi.org/10.11897/SP.J.1016.2017.00296

2017-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:The division of data ownership and data management is regarded as the key characteristics of cloud computing. Customers outsource their data to the cloud and need to use cloud computing platform for data management, as a result losing direct control over the data. The introduction of cloud computing model has brought some new security issues and challenges, such as malicious cloud administrator, security vulnerabilities and improper access interface. So insider threats become more crucial, especially with the cloud administrators gaining more control on customers' virtual machines and data in reality. How to defend against malicious insiders, especially who have priorities to access or steal customers' data and computation resources, has become a challenging problem as well as a common focus of attention in both academia and industry in recent years. For further study of the insider threats in cloud computing model, making systematic summary from ways and means to deal with, and promoting domestic research in this direction, this paper firstly summarizes the major types of internal threats in the cloud environment, and takes an experimental approach to demonstrate typical insider vulnerabilities and possible actionable attacks. This paper summarizes and proposes three approaches to deal with insider threats in the cloud, as: user & entity behavior analysis and evaluation, cloud administration priority division and run-time access control, and customer controlled data encryption. For each approach, this paper thoroughly analyzes its technical principles, key technologies, state of the art, as well as practical possibilities in the real world. At last, this paper points out the future research directions and key technologies against insider threats in the cloud. © 2017, Science Press. All right reserved.

Francesco Gadaleta,Raoul Strackx,Nick Nikiforakis,Frank Piessens,Wouter Joosen

DOI: https://doi.org/10.48550/arXiv.1405.6058

2014-05-22

Abstract:Protecting commodity operating systems and applications against malware and targeted attacks has proven to be difficult. In recent years, virtualization has received attention from security researchers who utilize it to harden existing systems and provide strong security guarantees. This has lead to interesting use cases such as cloud computing where possibly sensitive data is processed on remote, third party systems. The migration and processing of data in remote servers, poses new technical and legal questions, such as which security measures should be taken to protect this data or how can it be proven that execution of code wasn't tampered with. In this paper we focus on technological aspects. We discuss the various possibilities of security within the virtualization layer and we use as a case study \HelloRootkitty{}, a lightweight invariance-enforcing framework which allows an operating system to recover from kernel-level attacks. In addition to \HelloRootkitty{}, we also explore the use of special hardware chips as a way of further protecting and guaranteeing the integrity of a virtualized system.

Cryptography and Security

Ping Xia

DOI: https://doi.org/10.1007/978-3-030-43306-2_6

2020-01-01

Abstract:Cloud computing is another technological revolution of the Internet. It is the product of the development of the information age, which has changed the way people use data and applications. The core idea of cloud computing is to virtualize server entities into logical servers, forming a large cloud resource pool, and providing services such as common computing, parallel processing, and shared resources. However, with the continuous development of cloud computing technology, the large amount of user and application data processed on the virtual cloud server is vulnerable to various security threats. This paper mainly analyzes the data security risks of the virtual cloud server from three aspects of data transmission, data storage, and data application, and proposes corresponding data security precautions to ensure the data security of the virtual cloud server and build a good cloud service network security environment.

Qian Liu,Chuliang Weng,Minglu Li,Yuan Luo

DOI: https://doi.org/10.1109/MSP.2010.143

IF: 3.105

2010-01-01

IEEE Security & Privacy

Abstract:Cloud computing relies heavily on virtualization. Virtualization technology has developed rapidly because of the rapid decrease in hardware cost and concurrent increase in hardware computing power. A virtual machine monitor (VMM, also called a hγpervisor) between the hardware and the OS enables multiple virtual machines (VMs) to run on top of a single physical machine. The VMM manages scheduling and dispatching the physical resources to the individual VMs as needed, and the VMs appear to users as separate computers. Widely used virtualization technologies include VMWare, Xen, Denali, and the Kernel-Based Virtual Machine (KVM). In this framework, a module measures executables running in virtual machines (VMs) and transfers the values to a trusted VM. Comparing those values to a reference table containing the trusted measurement values of running executables verifies the executable/s status.

Liudong Xing,Gregory Levitin

DOI: https://doi.org/10.1016/j.ress.2017.06.006

IF: 7.247

2017-01-01

Reliability Engineering & System Safety

Abstract:This paper models cloud computing systems subject to co-resident attacks, where an attacker can get access to a user's sensitive data through co-residence of their virtual machines on the same physical server. Both attackers’ and users’ virtual machines are distributed among cloud servers at random. It is assumed that attacker's successes in getting unauthorized access to data in different servers are independent events that can occur with a given probability. To mitigate effects of the co-resident attacks, a data protection policy based on the partition technique is applied where sensitive data are divided and distributed among multiple virtual machines in the cloud. As the information is useful only in its integrity, the attacker should get access to all of the separated data blocks to steal the information. On the other hand, corrupting any block can destroy the information and make it useless. Hence, creating more blocks can make data more difficult to steal (lower data theft probability), but easier to corrupt (higher data corruption probability). This work makes original contributions by formulating and solving constrained optimization problems to balance the data theft and data corruption probabilities. Particularly probabilistic models are first presented, which derive probabilities that an attacker can succeed in the data theft and data corruption. Further an optimal number of different data blocks (corresponding to the number of user's virtual machines) is obtained, which minimizes the data theft probability subject to meeting a data corruption probability constraint. Both fixed and uncertain numbers of attacker's virtual machines are considered. Numerical examples are presented to demonstrate influence of cloud system parameters on the optimal user's data partition policy obtained.