
Cloud Security Is Not (Just) Virtualization Security

by Mihai Christodorescu, Reiner Sailer, Douglas Lee Schales, Daniele Sgandurra, Diego Zamboni
Copyright 2009 ACM 978-1-60558-784-4/09/11

Cloud computing can be enabled by virtualization, where customers provide their own VMs with an OS and the cloud provider runs them, often without knowledge of the guest OSes or their configurations. Most existing security solutions assume knowledge of the OS running in the guest VM. Our approach makes use of a secure-introspection technique to discover and verify the integrity of a guest kernel. It does not assume any a priori semantic knowledge of the guest or of the state of the guest VM. The technique uses a whitelist, generated offline once for every supported operating system, and a malware blacklist. The introspection has the following steps:

1. Read the IDT (Interrupt Descriptor Table) from the virtual CPU registers.
2. Analyze the content of the IDT and, using the hash values of in-memory code blocks and the whitelists of operating systems, determine the guest OS running in the VM.
3. Using the information about the running OS, use the appropriate algorithms to discover other operating system structures that are linked to from the IDT (e.g. system call tables, the list of processes and loaded kernel modules).
4. Continuously analyze all the discovered data structures using the whitelist appropriate for the guest OS to determine when they are modified and whether the modifications are authorized.

The secure-introspection algorithm identifies the guest OS and continuously validates each code fragment present in memory against a whitelist of known code. Every time the secure-introspection algorithm cannot validate a code fragment, it indicates that the kernel integrity might have been breached. Then, depending on the defined security policy, the monitor can raise alerts on all unknown code fragments.

The main advantage of secure-introspection is that securing the workload (guest OS in the VM) does not require of the workload. The algorithm also has good accuracy and a high detection rate for invalid code fragments, and the overhead is minimal. However, it assumes that the hypervisor, which is under the control of the cloud provider, is correct and cannot be breached. It also assumes that the virtual machines hosting the discovery and integrity solution, which are under the control of the cloud provider, cannot be breached. If any of these systems is compromised, the whole algorithm fails.
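
The following sketch illustrates steps 1, 2 and 4 of the introspection for IDT handlers only. It is an added example, not code from the paper. It assumes 32-bit x86 gate descriptors, a flat constructed memory buffer in which addresses are buffer offsets, a 32-byte hash block, and hypothetical OS names "os-a" and "os-b".

```python
import hashlib
import struct

BLOCK = 32  # bytes hashed per handler; an assumption, the page gives no block size
GATE = struct.Struct("<HHBBH")  # 32-bit x86 gate: off_lo, selector, zero, type, off_hi

def block_hash(mem, addr):
    return hashlib.sha256(bytes(mem[addr:addr + BLOCK])).hexdigest()

def read_idt(mem, idt_base, idt_limit):
    """Step 1: decode the present gates of the IDT found via (base, limit)."""
    handlers = {}
    for vec in range((idt_limit + 1) // GATE.size):
        off_lo, _sel, _zero, type_attr, off_hi = GATE.unpack_from(mem, idt_base + vec * GATE.size)
        if type_attr & 0x80:  # present bit set
            handlers[vec] = off_lo | (off_hi << 16)
    return handlers

def identify_os(mem, handlers, whitelists):
    """Step 2: choose the OS whose whitelist covers the most handler code blocks."""
    hashes = {block_hash(mem, a) for a in handlers.values()}
    scores = {name: len(hashes & wl) for name, wl in whitelists.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else None

def unknown_fragments(mem, handlers, whitelist):
    """Step 4: vectors whose handler code is not in the guest OS whitelist."""
    return sorted(v for v, a in handlers.items() if block_hash(mem, a) not in whitelist)

def build_guest():
    """Constructed sample: 4 KiB of 'guest memory' with a 3-entry IDT at 0x100."""
    mem = bytearray(4096)
    code = {0: (0x400, b"\x60" * BLOCK), 1: (0x440, b"\x61" * BLOCK), 2: (0x480, b"\x62" * BLOCK)}
    for vec, (addr, body) in code.items():
        mem[addr:addr + BLOCK] = body
        GATE.pack_into(mem, 0x100 + vec * 8, addr & 0xFFFF, 0x08, 0, 0x8E, addr >> 16)
    return mem, 0x100, 3 * 8 - 1

def demo():
    mem, base, limit = build_guest()
    handlers = read_idt(mem, base, limit)
    whitelists = {  # stands in for the offline whitelists; built from the clean image
        "os-a": {block_hash(mem, a) for a in handlers.values()},
        "os-b": {hashlib.sha256(b"other kernel").hexdigest()},
    }
    guest = identify_os(mem, handlers, whitelists)
    clean = unknown_fragments(mem, handlers, whitelists[guest])
    mem[0x440:0x444] = b"\xcc" * 4  # constructed change to handler 1 after identification
    return guest, clean, unknown_fragments(mem, handlers, whitelists[guest])
```

A real monitor would read guest memory and the IDT location through the hypervisor and would re-run the step 4 check periodically rather than once.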

Content Oriented Virtual Domains for Secure Information Sharing Across Organizations
by Takayuki Sasaki, Masayuki Nakae, Ryuichi Ogawa
NEC Corporation
Copyright 2010 ACM 978-1-4503-0089-6/10/10

The notion of virtual domains has been proposed to address the issue of secure information sharing across different organizations. A virtual domain is a workspace comprising virtual computer resources distributed across different organizations and dedicated to a particular collaborative activity such as software development or product design. It is subject to information sharing policies that restrict the scope of information sharing within the domain.

This paper proposes a method of constructing Content Oriented Virtual Domains (CoVD). The CoVD is defined as a collection of computer resources that are connected via common services. In this model, a workspace is constructed that comprises project members and the authorized resources used by the members, and existing common services such as e-mail, web and file servers can be leveraged without any modification. The CoVD described comprises the project members, the authorized resources, and the project policies, and has modules for the following:

(a) Member management, for specifying the project members.
(b) Resource management, for constructing and authenticating virtual resources used in the member environment.
(c) Policy management, for specifying and distributing the project information sharing policies to the member environments.

To make information sharing through the existing services secure, the policy is enforced not on the authorized resources but on the project documents shared in common services. With this content-based policy enforcement, the CoVD achieves secure information sharing through the existing common services.

The CoVD is an improvement over the earlier approach to virtual domains called TVD (Trusted Virtual Domain), which allows the member to use only the authorized resources. Under TVD, we have to construct additional resources that provide the common services. This is too expensive for most projects, because of the need to construct and manage the additional resources. CoVD does not incur such additional expenses because existing common services can be leveraged without any modification. However, it incurs a considerable overhead in downloading files, which remains a problem for future optimization.
