Dongyang Zhan,Kai Tan,Lin Ye,Haining Yu,Hao Liu

DOI: https://doi.org/10.32604/cmc.2021.019432

2021-01-01

Abstract:: Cloud computing plays an important role in today’s Internet environment, which meets the requirements of scalability, security and reliability by using virtualization technologies. Container technology is one of the two mainstream virtualization solutions. Its lightweight, high deployment effi-ciency make container technology widely used in large-scale cloud computing. While container technology has created huge benefits for cloud service providers and tenants, it cannot meet the requirements of security monitoring and management from a tenant perspective. Currently, tenants can only run their security monitors in the target container, but it is not secure because the attacker is able to detect and compromise the security monitor. In this paper, a secure external monitoring approach is proposed to monitor target containers in another management container. The management container is transparent for target containers, but it can obtain the executing information of target containers, providing a secure monitoring environment. Security monitors running inside management containers are secure for the cloud host, since the management containers are not privileged. We implement the transparent external management containers by performing the one-way isolation of processes and files. For process one-way isolation, we leverage Linux namespace technology to let management container become the parent of target containers. By mounting the file system of target container to that of the management container, file system one-way isolation is achieved. Compared with the existing host-based monitoring approach, our approach is more secure and suitable in the cloud environment.

XIANG Guo-Fu,JIN Hai,ZOU De-Qing,CHEN Xue-Guang

DOI: https://doi.org/10.3724/sp.j.1001.2012.04219

2012-01-01

Journal of Software

Abstract:In recent years, virtualization technology is the novel trendy of computer architecture, and it provides a solution for security monitoring.Due to the highest privilege and the smaller trusted computing base of virtual machine monitor, security tools, deployed in an isolated virtual machine, can inspect the target virtual machine with the help of virtual machine monitor.This approach can enhance the effectiveness and anti-attack ability of security tools.From the aspect of the implementation technologies, existing research works can be classified into internal monitoring and external monitoring.According to the different targets, the related works about virtualization-based monitoring are introduced in this paper in detail, such as intrusion detection, honeypot, file integrity monitoring, malware detection and analysis, security monitoring architecture and the generality of monitoring.Finally, this paper summarizes the shortcomings of existing works, and presents the future research directions.It is significant for virtualization research and security monitoring research.

Huaizhe Zhou,Haihe Ba,Yongjun Wang,Zhiying Wang,Jun Ma,Yunshi Li,Huidong Qiao

DOI: https://doi.org/10.3390/sym11020252

2019-01-01

Abstract:The dramatic proliferation of cloud computing makes it an attractive target for malicious attacks. Increasing solutions resort to virtual machine introspection (VMI) to deal with security issues in the cloud environment. However, the existing works are not feasible to support tenants to customize individual security services based on their security requirements flexibly. Additionally, adoption of VMI-based security solutions makes tenants at the risk of exposing sensitive information to attackers. To alleviate the security and privacy anxieties of tenants, we present SECLOUD, a framework for monitoring VMs in the cloud for security analysis in this paper. By extending VMI techniques, SECLOUD provides remote tenants or their authorized security service providers with flexible interfaces for monitoring runtime information of guest virtual machines (VMs) in a non-intrusive manner. The proposed framework enhances effectiveness of monitoring by taking advantages of architectural symmetry of cloud environment. Moreover, we harden our framework with a privacy-preserving capacity for tenants. The flexibility and effectiveness of SECLOUD is demonstrated through a prototype implementation based on Xen hypervisor, which results in acceptable performance overhead.

Huaizhe Zhou,Haihe Ba,Jiangchun Ren,Yongjun Wang,Yunshi Li,Yong Chen,Zhiying Wang

DOI: https://doi.org/10.1109/ICISCE.2017.39

2017-01-01

Abstract:With the introduction of virtual machine introspection into IaaS cloud, indirect inspection of the state about guest VMs is supported with strong isolation. But it requires the privilege access to the virtual machine monitor and lacks manageability due to the need of installing various security vendors' agents in a privileged VM. In this paper, we propose an agentless and uniform introspection framework, called SE-Cloud, which supports expert security vendors to build robust and flexible protections for guest VMs of their customers. With the separation of introspection and security-business code, SE-Cloud can stealthily fetch the state of monitored VMs without installing any code of security vendors, which resists rootkit from compromising or evading "in-the-box" security services and is convenient to manage "out-of-the-box" security services. Our preliminary experimental results show that SE-Cloud can support robust and flexible introspection over guest VMs with acceptable overhead.

Huaizhe Zhou,Haihe Ba,Jiangchun Ren,Yongjun Wang,Zhiying Wang,Yunshi Li

DOI: https://doi.org/10.1007/978-3-319-72389-1_41

2017-01-01

Abstract:Security and privacy concern is still one of the major issues that prevent users from moving to public clouds. Introduction of security services based on virtual machine introspection into cloud does not relieve this situation, because these services are inflexible and untrusted by tenants. The root cause of the problem is that the cloud administrator has more privilege over the security services, which leaves no options for the tenants to protect their virtual machines. In this paper, we propose a technique to decouple security services from cloud platform via remote virtual machine introspection. It enables remote trusted managed security services to protect tenants’ virtual machines stealthily. We have implemented a proof-of-concept prototype with Xen hypervisor, called SE-Cloud. With the separation of introspection and security-business code, the security services can not be abused by administrators and have little impact on the management virtual machine. Our preliminary experimental results show that SE-Cloud can provide more robust and flexible protections for tenant virtual machines with acceptable overhead.

Yaqiang Mao,Xujian Chen,Yuan Luo

DOI: https://doi.org/10.1049/cp.2014.1285

2014-01-01

Abstract:As a basic cloud service model, the Infrastructure-as-aService (IaaS) provides fundamental computing resources for PaaS and SaaS with a guaranteed ability to reduce costs and improve resource efficiency. Virtualization plays a crucial role to support the IaaS. However, it is not safety because of exposing the hosted virtual machines (VMs) to uncontrollable environment. In addition, traditional in-guest security solutions, relying on operation system kernel trustworthiness, are no longer effective to virtual infrastructure. In this paper, we introduce HVSM (Hybrid Virtualization Security Monitor) to deal with above security problems, which is a new In-OutVM hybrid virtualization-aware architecture depending on lightweight, comprehensive and dynamic security monitoring. First, as to Hybrid, HVSM utilizes virtual machine introspection technique to inspect kernel running state of the guest VM (GVM) from outside. Inside the GVM, measure agent (MA) tests and delivers processes' integrity information to security VM (SVM). In succession, MA is in the guard of measure agent keeper (MAK) running in the SVM. Second, dynamically, HVSM combines kernel state information with processes' integrity so as to provide a security report on GVM. Third, a proof-of-concept prototype is implemented using libvmi based on Xen hypervisor. Finally, we evaluate efficiency and the performance overhead of HVSM, which is acceptably low to support real-time monitoring.

Yutian Yang,Wenbo Shen,Bonan Ruan,Wenmao Liu,Kui Ren

DOI: https://doi.org/10.1109/tpsisa52974.2021.00016

2021-01-01

Abstract:In recent years, containerization has become a major trend in the cloud due to its high resource utilization efficiency and convenient DevOps support. However, the complexity of container system also introduces attack surfaces. This paper aims to summarize security challenges in the container cloud. In particular, we first divide the whole container system into different layers according to their functionalities, including the kernel layer, the container layer, and the orchestration layer. We then summarize security-related technologies. After that, we discuss the security challenges for each layer. Finally, we present the current protection status for the container system and highlight future research directions. Our study shows that to improve the container cloud security, we need to design and implement more robust kernel isolation mechanisms, conduct systematic and thorough security analysis on existing container techniques, and develop comprehensive configuration checking tools.

Lijun Wang,Haodong Zou,Ling Wang,Xin Chen,Jinghang Yu

DOI: https://doi.org/10.1109/ICEACE60673.2023.10442536

2023-01-01

Abstract:In recent years, cloud computing technology has been widely applied, and virtualization technology is an important supporting technology. Different from virtual machine technology, container technology has been widely used due to its advantages of elasticity, scalability, lightweight, high availability, high resource utilization, agility, and support for rapid dynamic expansion. However, it has also brought new container security issues. This paper proposes a node security determination method to evaluate container security to achieve node security determination.

Baohua Zhao,Zhihao Wang,Ningyu An,Chunhui Ren

DOI: https://doi.org/10.1088/1742-6596/1871/1/012016

2021-01-01

Journal of Physics Conference Series

Abstract:Container technology has a series of advantages such as low physical resource consumption, fast startup speed, high concurrency, and can run in a variety of environments. It is widely used in scenarios such as big data and cloud computing. Container technology has certain advantages in performance, but there are some shortcomings in security. The container technology shares the kernel with the host, and its security mainly depends on the host. Once the attacker breaks through the host’s defense, he can easily access the files deployed in the container, steal or tamper with the file data, and cause losses to users and users. In response to the above problems, this paper proposes a container-oriented isolation control technology, which realizes further isolation of files inside the container by adding domain names to programs and files. If the program domain name matches the file part, the files in the current container cannot be accessed, and the security of the files in the container can be effectively ensured after the host is compromised.

Zhuping Zou,Yulai Xie,Kai Huang,Gongming Xu,Dan Feng,Darrell Long

DOI: https://doi.org/10.1109/tcc.2019.2935724

IF: 5.697

2022-01-01

IEEE Transactions on Cloud Computing

Abstract:Container-based virtualization has gradually become a main solution in today's cloud computing environments. Detecting and analyzing anomaly in containers present a major challenge for cloud vendors and users. This paper proposes an online container anomaly detection system by monitoring and analyzing multidimensional resource metrics of the containers based on the optimized isolation forest algorithm. To improve the detection accuracy, it assigns each resource metric a weight and changes the random feature selection in the isolation forest algorithm to the weighted feature selection according to the resource bias of the container. In addition, it can identify abnormal resource metrics and automatically adjust the monitoring period to reduce the monitoring delay and system overhead. Moreover, it can locate the cause of the anomalies via analyzing and exploring the container log. The experimental results demonstrate the performance and efficiency of the system on detecting the typical anomalies in containers in both simulated and real cloud environments.

Bin Shi,Lei Cui,Bo Li,Xudong Liu,Zhiyu Hao,Haiying Shen

DOI: https://doi.org/10.1007/978-3-030-00470-5_31

2018-01-01

Abstract:Virtual machine introspection (VMI) is one compelling technique to enhance system security in clouds. It is able to provide strong isolation between untrusted guests and security tools placed in guests, thereby enabling dependability of the security tools even if the guest has been compromised. Due to this benefit, VMI has been widely used for cloud security such as intrusion detection, security monitoring, and tampering forensics. However, existing VMI solutions suffer significant performance degradation mainly due to the high overhead upon frequent memory address translations and context-switches. This drawback limits its usage in many real-world scenarios, especially when fine-grained monitoring is desired. In this paper, we present ShadowMonitor, an effective VMI framework that enables efficient in-VM monitoring without imposing significant overhead. ShadowMonitor decomposes the whole monitoring system into two compartments and then assigns each compartment with isolated address space. By placing the monitored components in the protected compartment, ShadowMonitor guarantees the safety of both monitoring tools and guests. In addition, ShadowMonitor employs hardware-enforced instructions to design the gates across two compartments, thereby providing efficient switching between compartments. We have implemented ShadowMonitor on QEMU/KVM exploiting several hardware virtualization features. The experimental results show that ShadowMonitor could prevent several types of attacks and achieves 10\(\times \) speedup over the existing method in terms of both event monitoring and overall application performance.

Weiwen Tang,Zeyu Mi

DOI: https://doi.org/10.1109/sose.2018.00031

2018-01-01

Abstract:In JointCloud computing, the hypervisor used by each cloud plays a key role in providing services and protection for guest virtual machines (VMs). Unfortunately, the commodity hypervisor usually has a considerable attack surface and its memory is especially prone to be tampered with by an attacker who resides in one VM and then threatens the security of other co-located VMs. To mitigate such threat, previous solutions proposed an out-of-the-box design which leverages the nested virtualization to introduce a higher privileged software layer (a nested hypervisor) below the hypervisor. It also installs a security monitor into a trusted VM which is protected by the nested hypervisor and isolated from the untrusted hypervisor. The monitor is responsible for dynamically validating the behaviors of the untrusted hypervisor. Although monitoring from outside of the hypervisor can help ensure security, the large number of context switches caused by the nested virtualization incurs unacceptable overheads and makes this approach unsuitable for the cloud environment. In this paper, we introduce In-Hypervisor Memory Introspection (IHMI), an in-the-box way to monitor the hypervisor based on the nested virtualization. Our system puts the monitor into the untrusted hypervisor for efficiency while guaranteeing the same level of memory security as monitoring the hypervisor from a separated secure VM. By leveraging hardware virtualization features of current processors, IHMI isolates the monitor from the hypervisor via the nested page table and implements an efficient switch between them. Further, IHMI configures a uni-directional mapping for the monitor which allows the monitor to access the hypervisor's memory at native speed while forbidding the hypervisor from accessing the monitor's memory. Our IHMI system is currently still in an early stage and we report our design as well as preliminary evaluation results in this paper.

Delu Huang,Handong Cui,Shihao Wen,Cheng Huang

DOI: https://doi.org/10.1109/ICCC47050.2019.9064441

2019-01-01

Abstract:Docker container technology is an emerging virtualization technology which has a very high efficiency in the phases of development and deployment. Although Docker container technology shows better convenience than traditional virtualization technology-virtual machine, it suffers the poor security due to the unmatured auditing procedures of Docker image releasing. Thus, to protect the security of host computer or local Docker containers from the attacks of malicious Docker containers, it is necessary to detect the potential threats existing in Docker images and find the risks when Docker container instances run in the host computer. This paper gives a detailed analysis on Docker's existing security mechanisms and the main threats Docker users must face. Finally, the corresponding threats detection techniques for Docker images and Docker container instances are presented, and the experiment result proves the effectivity of the proposed detection framework.

LIU Yu-tao,CHEN Hai-bo

DOI: https://doi.org/10.11959/j.issn.2096-109x.2016.00091

2016-01-01

Abstract:The virtualization security has increasingly drawn widespread attention with the spread of cloud computing in recent years.Thanks to another level of indirection,virtualization can provide stronger isolation mechanisms,as well as bottom-up security services for upper-level software.On the other side,the extra indirection brings complexity and overhead as well,which poses huge challenges.A series of recent representative work done by the institute of parallel and distributed system shanghai jiaotong university,including providing security services of trusted execution environment,virtual machine monitoring,intra-domain isolation,as well as optimizing trusted computing base and cross-world calls in the virtualization environment.Finally the problems and directions in the space of virtualization security were summarized.

Qian Liu,Chuliang Weng,Minglu Li,Yuan Luo

DOI: https://doi.org/10.1109/MSP.2010.143

IF: 3.105

2010-01-01

IEEE Security & Privacy

Abstract:Cloud computing relies heavily on virtualization. Virtualization technology has developed rapidly because of the rapid decrease in hardware cost and concurrent increase in hardware computing power. A virtual machine monitor (VMM, also called a hγpervisor) between the hardware and the OS enables multiple virtual machines (VMs) to run on top of a single physical machine. The VMM manages scheduling and dispatching the physical resources to the individual VMs as needed, and the VMs appear to users as separate computers. Widely used virtualization technologies include VMWare, Xen, Denali, and the Kernel-Based Virtual Machine (KVM). In this framework, a module measures executables running in virtual machines (VMs) and transfers the values to a trusted VM. Comparing those values to a reference table containing the trusted measurement values of running executables verifies the executable/s status.

Jietao Xiao,Nanzi Yang,Wenbo Shen,Jinku Li,Xin Guo,Zhiqiang Dong,Fei Xie,Jianfeng Ma

2023-01-01

Abstract:People proposed to use virtualization techniques to reinforce the isolation between containers. In the design, each container runs inside a lightweight virtual machine (called microVM). MicroVM-based containers benefit from both the security of microVM and the high efficiency of the container, and thus are widely used on the public cloud. However, in this paper, we demonstrate a new attack surface that can be exploited to break the isolation of the microVM-based container, called operation forwarding attacks. Our key observation is that certain operations of the microVM-based container are forwarded to host system calls and host kernel functions. The attacker can leverage the operation forwarding to exploit the host kernel's vulnerabilities and exhaust host resources. To fully understand the security risk of operation forwarding attacks, we divide the components of the microVM-based container into three layers according to their functionalities and present corresponding attacking strategies to exploit the operation forwarding of each layer. Moreover, we design eight attacks against Kata Containers and Firecracker-based containers and conduct experiments on the local environment, AWS, and Alibaba Cloud. Our results show that the attacker can trigger potential privilege escalation, downgrade 93.4% IO performance and 75.0% CPU performance of the victim container, and even crash the host. We further give security suggestions for mitigating these attacks.

Wei Liu,Jun Yan,Xingshen Wei,Haiqing Wang,Shishun Zhu

DOI: https://doi.org/10.1109/cieec50170.2021.9510589

2021-05-28

Abstract:In recent years, due to the elastic container technical characteristics and active open source community support, container technology has become an important basic technology for the new digital infrastructure of power. Now, the container technology is very popular and widely used in power cloud platform, but the problem of power system security risk caused by container can’t be ignored. Aiming at the problem of container security, this paper proposes a lightweight container security enhancement framework. Based on the methods of lightweight hardware virtualization isolation, cloud trust, and transparent encryption and decryption of container data, we implemented the container framework in the power cloud platform. Experiments show that the mechanism has played a practical role and has little impact on the business in terms of performance.

Hai Jin,Guofu Xiang,Deqing Zou,Song Wu,Feng Zhao,Min Li,Weide Zheng

DOI: https://doi.org/10.1007/s11227-011-0608-2

IF: 3.3

2013-01-01

The Journal of Supercomputing

Abstract:With the development of information technology, cloud computing becomes a new direction of grid computing. Cloud computing is user-centric, and provides end users with leasing service. Guaranteeing the security of user data needs careful consideration before cloud computing is widely applied in business. Virtualization provides a new approach to solve the traditional security problems and can be taken as the underlying infrastructure of cloud computing. In this paper, we propose an intrusion prevention system, VMFence, in a virtualization-based cloud computing environment, which is used to monitor network flow and file integrity in real time, and provide a network defense and file integrity protection as well. Due to the dynamicity of the virtual machine, the detection process varies with the state of the virtual machine. The state transition of the virtual machine is described via Definite Finite Automata (DFA). We have implemented VMFence on an open-source virtual machine monitor platform—Xen. The experimental results show our proposed method is effective and it brings acceptable overhead.

Zhigao TONG,Lina ZHANG,Shuiguang DENG

DOI: https://doi.org/10.13196/j.cims.2017.05.023

2017-01-01

Abstract:To make up the deficiency of granularity and depth of existing containerized PaaS platform monitoring methods,an intelligent monitoring method was researched and implemented.In this method,the monitoring module dynamically adjusted the sampling period so that the sampling points were concentrated in the time period where the resource consumption occupancy of application system fluctuated greater;if the fluctuation amplitude exceeded the threshold,the system call data of application were collected and analyzed;the monitoring module integrated the statistical analysis results and the original monitoring data in time sequence and provides query interface,which could help the user located abnormalities or found performance bottlenecks.Compared with the existing monitoring scheme,the proposed method could reflect the change of application running state more finely.At the same time,dynamic data collection mechanism could effectively save the cost of computing and storage resources.

Jiahao Sun,Chengrong Wu,Jiawei Ye

DOI: https://doi.org/10.1109/smartcloud49737.2020.00010

2020-01-01

Abstract:Compared to the virtual machine, containers that share the host's operating system kernel is a more lightweight virtualization technology. The container technology makes it easier and faster to deploy and update applications and the container orchestration technology provide people with a powerful tools to manage containers which make the clouds based on containers become popular. But at the same time, the container technology also introduces many security challenges. Among them, the vulnerabilities and malware in container images, as well as some wrong settings that violate security compliance rules, have become main potential security threats. In addition, tampered malicious images are likely to become entry points for the attacks to the cloud platform infrastructure and other containers. In this paper, we proposes a container cloud security enhancement system, based on blockchain technology. On the one hand, this system combines multi-apsects security checks to prevent the upload of images that contain security threats to the cloud environment. on the other hand, Using blockchain technology to verify the integrity of the image and record the information about security to prevent the generation of malicious containers based on tampered images. In addition, the security of the container cloud environment is further improved by scanning the images in the image repositories periodically, patching the images and upgrading the running containers in the cloud.