2011 International Conference on Cloud and Service Computing
Virtualization security for cloud computing service
Shengmei Luo，Zhaoji Lin，Xiaohua Chen
ZTE Corporation
Shenzhen, China
luo.shengmei@zte.com.cn
Abstract—Virtualization is a term that refers to the abstraction of
computer resources. The purpose of virtual computing
environment is to improve resource utilization by providing a
unified integrated operating platform for users and applications
based on aggregation of heterogeneous and autonomous
resources. More recently, virtualization at all levels (system
storage, and network) became important again as a way to
improve system security, reliability and availability, reduce costs
and provide greater flexibility. In this paper, we address the
requirements and solutions for the security of virtualization in
cloud computing environment. Moreover, a Virtualization
Security framework is presented which contains two parts:
virtual system security and virtualization security management.
Keywords-component; cloud computing; virtualization;
security; vulnerability;
I. INTRODUCTION
Faced with today’s innovative blow-up of cloud
technologies, we are forced to rebuild services in terms of
cloud. As commercial activities on the Internet, we already see
gigantic cloud such as Amazon EC2/S3 [1], Google Apps [2],
and Force.com [3] by the Internet application vendors.
Moreover, we see that software vendors such as Microsoft and
telecommunication carriers such as China Mobile, China
Telecom, China Unicom have launched cloud services.
Furthermore, governmental activities are fast catching up
commercial activities, including U.S. (Apps.gov [4]), U.K. (G-
Cloud), and Canada (Canadian Government Cloud).
Generally, a cloud is discussed in terms of services. The
menu of services is being enriched as SaaS (Software as a
Service), PaaS (Platform as a Service) and IaaS (Infrastructure
as a Service) have been invented as part of XaaS. Cloud
computing is a promising computing paradigm which recently
has drawn extensive attention from both academia and
industry. By combining a set of existing and emerging
techniques from research areas such as Service-Oriented
Architectures (SOA) and virtualization, cloud computing is
regarded as such a computing paradigm in which resources in
the computing infrastructure are provided as services over the
Internet. As promising as it is, cloud computing is also facing
many challenges that, if not well resolved, may impede its fast
growth. Data security, as it exists in many other applications, is
among these challenges that would raise great concerns from
users when they store sensitive information on cloud servers.
These concerns originate from the fact that cloud servers are
usually operated by commercial providers which are very
978-1-4577-1637-9/11/$26.00 ©2011 IEEE
Zhuolin Yang, Jianyong Chen
Dept. of Computer Science and Technology
Shenzhen University
Shenzhen, China
cjyok2000@hotmail.com
likely to be outside of the trusted domain of the users. Data
confidential against cloud servers is hence frequently desired
when users outsource data for storage in the cloud. In some
practical application systems, data confidentiality is not only a
security/privacy issue, but also of juristic concerns. Among
many security issues, a cloud is distinguished from other
environments in that users feel vague insecurity in participating
in a cloud. To be worse, it cannot be easily resolved. For
example, in a public cloud, the fact that users can delegate
system administration to cloud providers also means the quality
of administrations/operations is not controlled by users.
Furthermore, in a usual multi-tenant service, thanks to
virtualization technologies, there are additional problems such
as physical places of data (is our data physically separated from
our rivals?) and protection against adversaries on the same
virtual environment (is our data securely protected from other
parties using the same cloud service?). Points out that about
70% of potential cloud users think security as a major reason
against adoption of clouds.
Cloud computing already leverages virtualization for load
balancing via dynamic provisioning and migration of virtual
machines (VM or guest in the following) among physical
nodes. VMs on the Internet are exposed to many kinds of
interactions that virtualization technology can help filtering
while assuring a higher degree of security. In particular,
virtualization can also be used as a security component; for
instance, to provide monitoring of VMs, allowing easier
management of the security of complex cluster, server farms,
and cloud computing infrastructures to cite a few. However,
virtualization technologies also create new potential concerns
with respect to security.
Security of clouds has many facets. A number of
researchers discuss cloud security from their own viewpoints.
We can observe that many of them work under cloud security
alliance [5], and continue publishing guidelines on security.
In this article, we focused on virtualization security about
the present weaknesses and attacks. We propose a program to
solve the current problems effectively. This scheme is divided
into two blocks, the one is virtual system security which
proposes some solutions to address some security issues. The
other is virtualization security management mechanisms that
address the emergence of virtual machine management process,
vulnerabilities and threats. Through a combination of these two
mechanisms, the current virtual security risks can be effective,
flexible settled.
174
 II. OVERVIEW
For telecommunication operators, the first impact of cloud
computing on the network is in the service environment. The
XaaS modes emerged when telecommunication operators
tenant their hardware resources like computing resource,
storage resource and network resource, and service capacity
resource in legacy service environment like short message, to
third parties. These XaaS modes can improve the creative
capacity of telecommunication environment; reduce the
deployment cost of hardware and operating cost of service.
Sure, cloud-based telecommunication service environment
(CTSE) is a spry solution in the evolution of
telecommunication service environment.
Table 1 shows a view of the outline about operator
network. Especially, this figure emphasized an evolution of
telecommunication service environment from legacy service
environment to CTSE. We can find that CTSE is not just an
evolution in service methods, but also an evolution in
environment architecture. The later is more important for
security.
As shown in table 1, we can find that the security
requirements of CTSE are very different from security
requirements of legacy service environment. The Table 1
conclude the most two important aspects of this difference. In
column 3 of table 1, the technology dealing methods are the
suggestion solution for CTSE security in this contribution.
Leveled security mechanism is the specially mechanism for
CTSE. It can support the robust of the whole service operator
environment, and more agile.
TABLE I. THE DIFFERENT OF LEGACY SERVICE ENVIRONMENT
SECURITY AND CTSE SECURITY
Legacy security CTSE security Dealing technology
Single service oriented All services oriented On-demand and
differentiated security
methods
Affect a single service Affect all services Leveled security
while attack while attacked mechanism
III. SECURITY VULNERABILITIES IN VIRTUALIZATION
Most of security threats identified in a virtual machine
environment are very similar to the security threats associated
with any physical system. The following are some general
threats that are unique to the virtual environment [6].
A. Attack between VMs or between VMs and VMM
One of the primary benefits that virtualization brings is
isolation. This benefit, if not carefully deployed will become a
threat to the environment. Poor isolation or inappropriate
access control policy will cause the inter-attack between
VMs(virtual machine) or between VMs and VMM(virtual
machine monitor).
175
B. VM escape
Virtual machine escape（VM escape） is an exploit in
which the attacker runs code on a VM that allows an operating
system running within it to break out and interact directly with
the hypervisor. Such an exploit could give the attacker
accessing to the host operating system and all other virtual
machines (VMs) running on that host.
Virtual machines are allowed to share the resources of the
host machine but still can provide isolation between VMs and
between the VMs and the host. New software bugs were
already found to compromise isolation. One such example of
this kind of attack is VM escape.VM escape is one of the worst
case happens if the isolation between the host and between the
VMs is compromised. In the case of VM escape, the program
running in a virtual machine is able to completely bypass the
VMM layer, and get access to the host machine. Since the host
machine is the root of security of a virtual system, the program
which gain access to the host machine also gains the root
privileges basically escapes from the virtual machine
privileges.
If the attacker can compromise the virtual machines, they
will likely have control of all of the guests since the guests are
merely subsets of the program itself. Also, most virtual
machines run with very high privileges on the host because a
virtual machine needs comprehensive access to the host's
hardware so it can then map the real hardware into virtualized
hardware for the guests. Thus, compromising the virtual
machine means not only that the guests are goners, but the host
is also likely lost.
C. Virtual machine controlled by Host Machine
Host machine in the virtual environment is considered to be
the control point and there are implications that enable the host
to monitors and communicate with the VM applications up
running. Therefore it is more necessary to strictly protect the
host machines than protecting distinctive VMs. Different
virtualization technologies have different implications for the
host machine to influence the VMs up running in the system.
Following are the possible ways for the host to influence the
VMs:
• The host can start, shutdown, pause and restart the
VMs.
• The host is able to monitor and modify the resources
available for the virtual machines.
• The host if given enough rights can monitor the
applications running inside the VMs.
• The host can view, copy, and likely to modify the data
stored in the virtual disks assigned to the VMs.
Particularly, in general all the network traffic to/from the
VMs passes through the host. This enables the host to monitor
all the network traffic for all its VMs. In which case if a host is
compromised then the security of the VMs is under question.
Hence measurement should be taken when configuring the VM
environment so that enough isolation should be provided which
avoids the host being a gateway for attacking the virtual Virtualization security management protects the framework
machine. from attacks and threats.
The next two chapters will detail each part of the two-mode,
D. Denial of Service and give the description about the works done by two modules
A denial-of-service attack (DoS attack) or distributed in the framework.
denial-of-service attack (DDoS attack) is an attempt to make a
computer resource unavailable to its intended users. Although
the means to carry out, motives for, and targets of a DoS attack
may vary, it generally consists of the concerted efforts of
person or persons to prevent an Internet site or service from
functioning efficiently or at all, temporarily or indefinitely. Virtual system security
Perpetrators of DoS attacks typically target sites or services Virtualization
hosted on high-profile web servers such as banks, credit card VM VM VM Security
payment gateways, and even root nameservers. The term is Management
generally used with regards to computer networks, but is not
limited to this field; for example, it is also used in reference to VMM
CPU resource management.
One common method of attack involves saturating the Physical Resource
target machine with external communications requests, such
that it cannot respond to legitimate traffic, or responds so
slowly as to be rendered effectively unavailable. In general
terms, DoS attacks are implemented by either forcing the
targeted computer(s) to reset, or consuming its resources so Figure 1. A Virtualization Security framework
that it can no longer provide its intended service or obstructing
the communication media between the intended users and the V. VIRTUAL SYSTEM SECURITY
victim so that they can no longer communicate adequately.
In this section, virtual system security contains 4 parts: The
In virtual machine architecture the guest machines and the first part: VM system architecture security describes three VM
underlying host share the physical resources such as CPU, system structures. The second part: Access control puts
memory, hard disk, and network resource. So it is possible for forward an access control framework. The third part is virtual
a guest to impose a denial of service attack to other guests firewall. VIDS/vIPS is the last part that describe the benefits
residing in the same system. Denial of service attack in virtual would be achieved by deploying vIDS/vIPS.
environment can be described as an attack when a guest
machine takes all the possible resources of the system. This section is one of the most important chapters. There
are many problems about the virtualization security in cloud
E. VM sprawl computing at current state of art. The proposal of this section is
put forward for the risks of current virtualization security.
In a virtual system, inappropriate virtual machine Whether the problems caused by the virtualization or external
management policy will cause VM sprawling. VM sprawling is attacks, the program which this chapter poses can effectively
a case that the number of VMs is continuously growing, while address the problems.
most of them are idle or never back from sleep, which may
cause resource of host machine being largely wasted. A. VM system architecture security
A secure VM system should be protected by a robust,
IV. VIRTUALIZATION SECURITY FRAMEWORK efficient and flexible VM system architecture. Three VM
Virtualization security could be investigated from 2 system architectures are illustrated in figure 2-4 below.
aspects: virtual system security and virtualization security
management. A virtualization security framework was given as
figure 1.
Virtualization security framework is organized effectively
in two modules which are virtual system security and
virtualization security management. Two modules perform
their duties without disturbing each other, so that the entire
framework can be more efficient
The virtual system security consists of three layers: The fist
layer is Physical Resource layer. The second layer is VMM
which is the most important layer that should be heavily
facilitate with security mechanisms to protect VMs up running.
The top layer is VMs that provide virtualization services to
consumers.

176

Figure 2. VM system architecture where security mechanism is deplyed in
VMM layer
Figure 2 is the most popular VM architecture. In this model
VMM, as a security base is the most important layer that
should be heavily facilitate with security mechanisms to protect
VMs up running. Figure 3 spares some administration task of
VMM to special VM called admin VM, which will cooperate
with VMM to manage other VMs. In figure 4, VMs are able to
be protected through security control layer and admin VM. The
security control layer is a set of security functionalities
separated from VMM. By this way, VMM will become thinner
and could delegate all security tasks to security control layer
which will be bootstrapped even before VMM.
Each structure has its own characteristics: It is relatively
simple to achieve the first structure, but the efficiency and
flexibility of the first one is inferior than latter two. The second
structure can be said that it is a compromise structure. The
structure is more efficient and flexible than the prior one. And
building up this structure is relatively simpler than the last
structure. The last structure which has highest efficiency and
flexibility is the safest in the security system. But the third
structure is the more complex than the other architectures. In
the third architecture, Security control is separated from the
VMM layer so security control becomes an individual layer.
Then security control for the VMM layer is transparent. VMM
layer can focus on the demands of the VM management.

B. Access control
Access control in virtual environment refers to the practice
of restricting entrance to a resource to authorized VM. A well-
designed access control policy will make the physical
resources being used appropriately and communication
between VMs and between VM and VMM more trustworthy.
An access control framework for virtual system is shown as
figure 5:

Figure 3. VM system architecture where admin VM is deplyed in the VM Admin VM

layer.
VM
security ACE
policy VM1 VMn

ACA

VMM kernel
VMM

Hard disk CPU Memory NIC

Physical Resource

Figure 5. An access control framework

An access control framework is divided into three layers,

namely physical resource layer, Virtual machine monitor
system layer, Virtual machine system layer.
Figure 4. VM system architecture where security control is deplyed to
protect VMM.

177
 We can see from figure 5, the physical resource layer
contains the required hardware resources of the entire structure:
hard disk, CPU, Memory, NIC. Physical resource layer can be
said that it is the cornerstone of this framework. The above two
layers call the hardware resources through the physical
resource layer, so that the whole framework run well.
This access control framework mainly consists of Access
Control Agent (ACA) resided in VMM and Access Control
Enforcer (ACE) resided in Admin VM which is in charge of
managing the whole virtual system cooperating with VMM.
ACE is used to control Guest-VM access behaviors as per its
security policy profile. ACA is used to receive or the requests
from Guest-VM and then transfer them to ACE.
In the access control structure, Admin VM plays an
important role as an agent. By Admin VM controlling other
guest virtual machines, the security management of the Guest-
VM becomes easier in the VMM system. VMM system
delivery the work of security policy profile to the Admin VM,
and then VMM system controls the Guest-VM according to the
requires of the Admin VM. Adding an Admin VM in the
access control framework not only help the structure to be built
much simpler, but also increase more flexibility of the whole
structure.
C. Virtual firewall
A Virtual Firewall(VF) is a firewall deployed and running
entirely within a virtual environment and which provides the
packet filtering and monitoring. The VF can be realized in a
traditional software firewall on a guest virtual machine already
running, or it can be a purpose-built virtual security appliance
designed with virtual network security in mind, or it can be a
virtual switch with additional security capabilities, or it can be
a managed kernel process running within the host VMM.
Virtual Firewall protects our network and computers from
outside threats, including hackers and malicious attacks. A
Hosted Firewall gives organization all of the benefits of an on-
site firewall, with additional redundancy and safeguards
(including back-up power generation).
D. vIDS/vIPS
Nowadays, there are a variety of attacks in the network
everywhere. The system can effectively resist the network
attacks is a measure of the security of virtual system. Therefore,
a safe virtual system must be equipped with strong attacks
detection and prevention tools.
Virtual Intrusion Detection System (vIDS) / Virtual
Intrusion Prevention System (vIPS) protects virtual
environment through collecting and analyzing information
from network and Host to check if there are signs of attacking.
Benefits listed below (not exhaustive) may be achieved by
deploying vIDS/vIPS in virtual environment:
• Monitor and analyze virtual network behaviors.
• System configuration and weakness evaluation.
• Exception analysis and statistics.
178
• Ensure consistent security policies
• Security events alerting
• Protect vulnerable applications from virtual network
attack
• Detect spyware
VI. VIRTUALIZATION SECURITY MANAGEMENT
In this chapter, we divide the virtual machine management
into four parts: patch management, VM migration
management, VM image management, audit. Each section of
this chapter put forward the corresponding measure for the
problems which may be present in the event of the
virtualization security management.
A. Patch management
Patch management is an area of systems management that
involves acquiring, testing, and installing multiple patches
(code changes) to an administered computer system. Patch
management tasks include: maintaining current knowledge of
available patches, deciding what patches are appropriate for
particular systems, ensuring that patches are installed properly,
testing systems after installation, and documenting all
associated procedures, such as specific configurations required.
The idea behind patch management is built around the
proper methods of identifying and testing various types of code
changes, with an eye to making the programming code function
with a greater degree of efficiency. Patch management also
extends to the actual implementation of the code changes and
monitoring the function of the code to identify any unforeseen
circumstances that did not emerge during the testing phase.
Efficient VM patch management will greatly decrease the
possibilities of VM being attacked, especially, when VMs are
in dormant or just awake from dormant state. How to distribute
the patches to those VMs is a key issue should be considered in
virtual environment.
B. VM migration management
VM migration is a vulnerable process that is easily to be
attacked. When a VM is going to migrate to somewhere,
particular security mechanisms should be taken into account,
for example, remote attestation, communication channel
security and conformity checking and so on.
VM migration is clearly not always as easy as it sounds.
Even for enterprises with automated tools such as live
migration and resource scheduling -- and not all organizations
use these tools -- other factors creep in. The security and
compliance postures of physical servers must be analyzed to
ensure that sensitive workloads are not colocated in ways that
create security or compliance risks. For example, locating a
VM with customer credit card data on the same physical
machine as a publicly accessible Web server would violate
Payment Card Industry (PCI) regulations. Even running two
VMs on a single machine can violate PCI . VM migration may
also need to go through a rigorous IT Infrastructure Library
(ITIL) process requiring approval by a change-approval board
(CAB) and configuration recording in a configuration these records. Then, based on these records, we can develop
management database (CMDB) or configuration management appropriate strategies against these future harmful behaviors
system (CMS). In this case, instant and ungoverned live
migration would violate corporate policies. Unplanned VII. CONCLUSION
migration of virtual workloads can even cause resource issues
In this paper, we first point out some security vulnerabilities
outside the server environment, as colocation can introduce
in virtualization security and management and analyze the
database contention, overload a network device or transport, or
vulnerabilities. Then we propose a virtualization security
cause unexpected delays in storage I/O. Thus, a good migration
framework aim at the vulnerabilities. In this framework, VM
management system is necessary for the virtualization security
system architecture can solve the problem of virtualization
framework.
security effectively, and virtualization security management
C. VM image management settles the question that various VM managements bring.
VM Image (VMI) is a special type of file/data format which Through the combination of these two models, we can
is used to instantiate (create) a virtual machine within the effectively solve the risk caused by the current virtualization
virtual environment. So the confidentiality and integrity of security and management.
VMI is of great importance when VM is under bootstrapping or
migrating. VIII. ACKNOWLEDGEMENTS
The work was supported by Science and Technology Plan
D. Audit of Shenzhen City under the project number
In a virtual system, VM behaviors and sensitive data should JC201005250045A.
be monitored during its lifecycle. Auditing may provide a
REFERENCES
mechanism to log all the trace of the activities left by the
virtual system. [1] Amazon:AmazonWebServices,http://aws.amazon.com/
[2] Google,GoogleApps,http://www.google.com/apps/intl/en/business/index
We audit the VM behaviors and sensitive data in order to .html
monitor whether the operation of the virtual system is well or [3] Salesforce.com,Force.com,http://www.salesforce.com/platform/
the sensitive data is safe. When the destruction of the virtual [4] https://apps.gov/cloud/advantage/main/start page.do
system or the sensitive data happened, if we have regularly [5] CloudSecurityAlliance,http://www.cloudsecurityalliance.org/
logged the activities left by the virtual system, we can diagnose [6] G. J. Popek and R. P. Goldberg, “Formal requirements for virtualizable
the reasons of destructions of system and data quickly through third generation architectures,” Comm. ACM, vol. 17, no. 7, pp. 412–
421,1974

179