Frontiers of Computer Science

ISSN 2095-2228

ISSN 2095-2236(Online)

CN 10-1014/TP

Postal Subscription Code 80-970

2018 Impact Factor: 1.129

Front. Comput. Sci.    2017, Vol. 11 Issue (5) : 821-835    https://doi.org/10.1007/s11704-016-5190-6
RESEARCH ARTICLE
A secure and rapid response architecture for virtual machine migration from an untrusted hypervisor to a trusted one
Tao WU1,2,3, Qiusong YANG1, Yeping HE1
1. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
2. State Key Laboratory of Computer Science, Chinese Academy of Sciences, Beijing 100190, China
3. University of Chinese Academy of Sciences, Beijing 100049, China
Abstract

Two key issues exist during virtual machine (VM) migration in cloud computing. One is when to start migration, and the other is how to determine a reliable target. In previous studies, both depend entirely on whether the source hypervisor is trusted. However, once the source hypervisor is no longer trusted, migration faces unprecedented challenges. To address these problems, we propose a secure architecture, SMIG (secure migration), which defines a new concept of Region Critical TCB and leverages an innovative adjacent integrity measurement (AIM) mechanism. AIM dynamically monitors the integrity of its adjacent hypervisor and passes the results to the Region Critical TCB, which then determines whether to start migration and where to migrate according to a table named the integrity validation table. We have implemented a prototype of SMIG based on the Xen hypervisor. Experimental evaluation results show that SMIG can detect a malicious hypervisor and rapidly start migration to a trusted one, incurring only a moderate overhead for computing-intensive and I/O-intensive tasks, and a small overhead for others.

Keywords: untrusted hypervisor; migration target; adjacent integrity measurement; Region Critical TCB
Corresponding Author(s): Tao WU   
Just Accepted Date: 05 May 2016   Online First Date: 22 September 2017    Issue Date: 26 September 2017
 Cite this article:   
Tao WU,Qiusong YANG,Yeping HE. A secure and rapid response architecture for virtual machine migration from an untrusted hypervisor to a trusted one[J]. Front. Comput. Sci., 2017, 11(5): 821-835.
 URL:  
https://academic.hep.com.cn/fcs/EN/10.1007/s11704-016-5190-6
https://academic.hep.com.cn/fcs/EN/Y2017/V11/I5/821