Secure Out-of-band Remote Management of Virtual Machines with Transparent Passthrough

Research article, ACSAC '18. DOI: 10.1145/3274694.3274749. Published: 03 December 2018

Abstract

Infrastructure-as-a-Service (IaaS) clouds provide out-of-band remote management for users to access their virtual machines (VMs). Out-of-band remote management is a method for indirectly accessing VMs via their virtual devices. Those virtual devices run inside the virtualized system and are managed by cloud operators, but not all cloud operators can be trusted. To prevent information leakage from virtual devices and tampering with their I/O data, several systems have been proposed that trust the hypervisor in the virtualized system; however, they have various issues in security and management. This paper proposes VSBypass, which enables secure out-of-band remote management outside the virtualized system using a technique called transparent passthrough. VSBypass runs the entire virtualized system in an outer VM using nested virtualization. It then intercepts the I/O requests of out-of-band remote management and processes them in shadow devices, which run outside the virtualized system. We have implemented VSBypass in Xen for the virtual serial console and GUI remote access. We confirmed that information leakage was prevented and that performance was comparable to that of traditional out-of-band remote management.
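The following Python model is an added illustration of the two I/O paths the abstract contrasts for the virtual serial console; it is not code from the paper or from Xen. The guest driver talks to the standard x86 COM1 port range (0x3F8, a real convention) with 16550 register offsets; the `VirtualizedSystem` and `OuterHypervisor` classes, the `observed` buffer that stands in for what a malicious operator could capture, and the sample console traffic are all constructed for the example. With passthrough off, the guest's console bytes pass through the operator-managed virtual device inside the virtualized system; with transparent passthrough on, the outer hypervisor routes the same unmodified guest I/O to a shadow device, and the virtualized system never sees it.

```python
"""Model of transparent passthrough for an out-of-band virtual serial console.

Illustrative simulation only: not VSBypass or Xen code. COM1 port numbers and
16550 register offsets are real x86 conventions; the classes, the 'observed'
buffer and the sample console traffic are constructed for this example.
"""

COM1_BASE = 0x3F8       # x86 COM1 base I/O port (assumed console device)
COM1_SIZE = 8           # a 16550 UART decodes 8 consecutive ports
UART_THR = 0            # transmit holding register (guest writes)
UART_RBR = 0            # receive buffer register (guest reads)
UART_LSR = 5            # line status register
LSR_DATA_READY = 0x01   # a byte is waiting in RBR
LSR_THR_EMPTY = 0x20    # THR can accept another byte


class SerialDevice:
    """Minimal 16550-style UART: guest writes go to the console session,
    bytes typed at the console become readable by the guest."""

    def __init__(self):
        self.to_console = bytearray()    # guest -> console
        self.from_console = bytearray()  # console -> guest

    def pio(self, offset, is_write, value=None):
        if is_write:
            if offset == UART_THR:
                self.to_console.append(value & 0xFF)
            return None
        if offset == UART_RBR:
            return self.from_console.pop(0) if self.from_console else 0
        if offset == UART_LSR:
            return LSR_THR_EMPTY | (LSR_DATA_READY if self.from_console else 0)
        return 0


class VirtualizedSystem:
    """Inner hypervisor plus management VM, operated by the cloud operators.
    It owns the ordinary virtual devices, so anything routed through them is
    visible to an operator; 'observed' stands in for that operator's view."""

    def __init__(self):
        self.serial = SerialDevice()
        self.observed = bytearray()

    def handle_pio(self, port, is_write, value=None):
        offset = port - COM1_BASE
        if is_write and offset == UART_THR:
            self.observed.append(value & 0xFF)   # the leakage the paper targets
        return self.serial.pio(offset, is_write, value)


class OuterHypervisor:
    """Trusted outer hypervisor. With passthrough on, I/O to the console
    device's port range is serviced by a shadow device outside the
    virtualized system; all other I/O is forwarded to the inner system."""

    def __init__(self, inner, passthrough):
        self.inner = inner
        self.passthrough = passthrough
        self.shadow = SerialDevice()

    def guest_pio(self, port, is_write, value=None):
        if self.passthrough and COM1_BASE <= port < COM1_BASE + COM1_SIZE:
            return self.shadow.pio(port - COM1_BASE, is_write, value)
        return self.inner.handle_pio(port, is_write, value)


# Guest-side driver code is identical on both paths; that is what makes the
# passthrough transparent to the guest.
def guest_console_write(hv, data):
    """Polled UART output: wait for THR empty, then write one byte."""
    for b in data:
        while not hv.guest_pio(COM1_BASE + UART_LSR, False) & LSR_THR_EMPTY:
            pass
        hv.guest_pio(COM1_BASE + UART_THR, True, b)


def guest_console_read(hv):
    """Drain RBR while LSR reports data ready."""
    out = bytearray()
    while hv.guest_pio(COM1_BASE + UART_LSR, False) & LSR_DATA_READY:
        out.append(hv.guest_pio(COM1_BASE + UART_RBR, False))
    return bytes(out)


def run(passthrough):
    """One console round-trip; report who saw what."""
    inner = VirtualizedSystem()
    hv = OuterHypervisor(inner, passthrough)
    console = hv.shadow if passthrough else inner.serial   # the user's endpoint

    secret = b"root password: hunter2\n"   # constructed sample guest output
    guest_console_write(hv, secret)
    console.from_console.extend(b"ls\n")    # constructed sample user input
    typed = guest_console_read(hv)

    return {
        "console_saw": bytes(console.to_console),
        "operator_saw": bytes(inner.observed),
        "guest_read": typed,
    }
```

`run(False)` models traditional out-of-band management: the operator-managed device sees every byte. `run(True)` models transparent passthrough: the console still receives the output and the guest still reads the typed input, but `operator_saw` stays empty. The model only covers port I/O for the serial console; the paper's GUI remote access path and the nested-virtualization mechanics by which the outer hypervisor takes over the trap are not represented.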


    Published In

    ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference
    December 2018, 766 pages
    ISBN: 9781450365697
    DOI: 10.1145/3274694
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

    In-Cooperation

    • ACSA: Applied Computing Security Assoc

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Information leakage
    2. Nested virtualization
    3. Remote management
    4. Virtual machines
    5. Virtualized systems

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ACSAC '18

    Acceptance Rates

    Overall Acceptance Rate 104 of 497 submissions, 21%

    Cited By

    • (2023) Detecting Malicious Migration on Edge to Prevent Running Data Leakage. ICASSP 2023 - 2023 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), pp. 1-5. DOI: 10.1109/ICASSP49357.2023.10095432. Online publication date: 4 June 2023.
    • (2023) VM Migration Support for Secure Out-of-Band VNC with Shadow Devices. 2023 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), pp. 298-305. DOI: 10.1109/DASC/PiCom/CBDCom/Cy59711.2023.10361346. Online publication date: 14 November 2023.
    • (2021) Hardening the Security of Multi-Access Edge Computing through Bio-Inspired VM Introspection. Big Data and Cognitive Computing 5(4):52. DOI: 10.3390/bdcc5040052. Online publication date: 8 October 2021.
    • (2020) Secure VM management with strong user binding in semi-trusted clouds. Journal of Cloud Computing 9(1). DOI: 10.1186/s13677-020-0152-9. Online publication date: 17 January 2020.
    • (2020) VM Migration for Secure Out-of-band Remote Management with Nested Virtualization. 2020 IEEE 13th International Conference on Cloud Computing (CLOUD), pp. 517-521. DOI: 10.1109/CLOUD49709.2020.00077. Online publication date: October 2020.
