Analysis of Various Virtual Machine Attacks in Cloud Computing
IEEE Xplore Compliant - Part Number:CFP18J06-ART, ISBN:978-1-5386-0807-4; DVD Part Number:CFP18J06DVD, ISBN:978-1-5386-0806-7
Abstract— Cloud computing is an advanced technology for resource sharing over a network at lower cost compared to other technologies. Cloud infrastructure supports various models: IaaS, SaaS and PaaS. Today the most important technique used in cloud computing is the concept of virtualization. By using virtualization, more than one operating system is supported, with all resources, on a single piece of hardware. In addition, virtualization technology has limited security capabilities for securing a wide-area cloud environment. Sharing of one database among many tenants is known as multi-tenancy. Multi-tenancy is achieved by utilizing virtualization and allowing resource sharing, and multi-tenancy is seen differently by different service models. To secure cloud infrastructure, hypervisor-based virtualization is used. This paper describes the various virtual machine security attacks and analyses those attacks with respect to hypervisor security in a virtualization environment.

Keywords— Virtualisation components, VM attacks, Multi tenancy, Hypervisor

INTRODUCTION

Cloud computing supports multiple resources, including computing resources, to deliver an integrated service to the end user. In cloud computing, IT and business resources such as servers, storage, network, applications and processes can be dynamically provisioned according to user needs and workload. Cloud computing means storing and accessing data and programs over the internet from a remote location. When we store data on, or run a program from, the local computer's hard drive, this is called local storage and computing. The formal definition of cloud computing comes from NIST: "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction". This is composed of five essential characteristics, three service models, and four deployment models.

Cloud computing products, also called cloud service delivery models, are shown in Fig. 1 below. They are often roughly classified into a hierarchy of service tiers, presented here in order of increasing specialization:

Fig 1. Cloud Service Models (a stack, from top to bottom): Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS); Cloud physical Infrastructure.

Infrastructure-as-a-service (IaaS): cloud providers deliver computation resources, storage and network as internet-based services. This service model is based on virtualization technology. Amazon EC2 is the best-known IaaS provider.

Platform-as-a-service (PaaS): cloud providers deliver platforms, tools and other business services that enable customers to develop, deploy and manage their own applications without installing any of these platforms or support tools locally. PaaS can be hosted on top of the IaaS model or directly on top of the cloud infrastructure. Google Apps and Microsoft Windows Azure are the best known.

Software-as-a-service (SaaS): applications hosted on the cloud infrastructure are offered as internet-based services to end users, instead of installing applications on the customers' computers. SaaS can be hosted on top of PaaS, IaaS or directly on the cloud infrastructure. SalesForce CRM is an example of a SaaS provider.
Authorized licensed use limited to: VIT University. Downloaded on March 14,2022 at 16:09:48 UTC from IEEE Xplore. Restrictions apply.
Proceedings of the Second International Conference on Inventive Systems and Control (ICISC 2018)
C. Cache-Based Side Channel Attacks

[7] Resource sharing in cloud computing raises the threat of Cache-Based Side Channel Attacks (CSCA). A solution is proposed to detect CSCA and protect guest virtual machines from it. In this solution, cache miss patterns are analysed to detect a side channel attack. CSCA is divided into two types: time-driven cache attacks and trace-driven cache attacks. The solution is based on a cloud setting with two VMs installed on the same physical machine using a bare-metal hypervisor, sharing the highest-level cache.

IV. ANALYSIS OF EXISTING ALGORITHMS

Unlike most previous work, which studies the elimination of side channels, this research provides a different perspective by exploring multiple ways to improve VM allocation policies so that it becomes difficult and expensive for attackers to achieve co-location. Specifically, the main contributions are as follows. A set of appropriate security metrics is defined for assessing different VM allocation policies in terms of their ability to defend against the co-resident attack. Based on these metrics, an underlying fundamental principle is identified for designing more secure policies. A new policy named PSSF (Previously Selected Server First) is proposed that takes into consideration all three aspects of security, workload balance and power consumption: it mitigates the threat of co-resident attacks while also satisfying the constraints of workload balance and low power consumption. A defence mechanism is designed that further improves the effectiveness of the PSSF policy by including a machine learning approach based on clustering analysis and semi-supervised learning. The experimental results suggest that once the mechanism is deployed, the overall cost to the attacker is substantially increased.

A game-theoretic approach is applied to defend against co-resident attacks, for two purposes. First, it demonstrates that, in order to increase unpredictability for the attacker in the VM allocation process and hence the difficulty of launching attacks, it is better for cloud providers to have a policy pool in which each policy is chosen with a certain probability. Second, a security game model is used to help determine the parameters of the defence mechanism and to guide the defender (the cloud provider) in adapting their strategy over time.

A. DEFINITION OF SECURITY METRICS

In order to quantitatively analyse different VM allocation policies in terms of their ability to defend against the co-resident attack, the following three security metrics are defined (the definitions of all notation are given in Table 1):

• Efficiency
For attackers, it is clearly desirable to co-locate with as many targets as possible while starting the minimum number of VMs. Hence, Efficiency is defined as the gains divided by the costs. More precisely, it equals the number of servers on which malicious VMs are co-located with at least one of the T targets, divided by the total number of VMs launched by the attacker, i.e.,
Efficiency(|VM(A,t)|) = |Servers(SuccVM(A,t))| / |VM(A,t)|
Note that the focus is on preventing attackers from co-locating with their targets, and it is assumed that once co-residence is achieved, attackers are able to construct side channels. Although a second co-resident VM can make it easier for attackers to extract sensitive information from the victim, the focus is on preventing any co-residence.

• Coverage
Another criterion for measuring the success of an attack is the percentage of conquered targets, i.e., Coverage, which equals the number of target VMs co-located with malicious VMs started in the attack, divided by the number of targets T, i.e.,
Coverage(|VM(A,t)|) = |SuccTarget(A,t)| / T
where L is a legal user; the target of A, Target(A), is the set of VMs started by L, i.e., Target(A) = Σt VM(L,t), |Target(A)| = T; and SuccTarget(A,t) is the subset of Target(A) that co-locates with at least one VM from VM(A,t).

• VMmin
This is defined as the minimum number of VMs that the attacker needs to start so that at least one of them co-locates with at least one target. It is an estimate of the minimum effort an attacker has to expend in order to achieve co-residence.

Table 1: Definitions regarding the security metrics
Name                      Definition
K                         The total number of servers
A                         The attacker
L                         A legal user. The target of A is the set of VMs started by L
VM(L,t)                   The set of VMs started by L at time t
VM(A,t)                   The set of VMs started by A during one attack at time t
Target(A)                 The target set of VMs that A intends to co-locate with, Target(A) = Σt VM(L,t), |Target(A)| = T
SuccTarget(A,t)           A subset of Target(A) that co-locates with at least one VM from VM(A,t)
SuccVM(A,t)               A subset of VM(A,t) that co-locates with at least one of the T targets
Servers({a set of VMs})   The servers that host the set of VMs

V. HYPERVISOR SECURITY

In a virtualization environment, there are several virtual machines that may have independent security zones which are not accessible from other virtual machines that have their own zones.
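As an added example (not part of this paper nor of the PSSF work it surveys), the following Python computes the three metrics defined in Section IV.A, Efficiency, Coverage and VMmin, for a constructed placement of target and attacker VMs, and compares a spread-out placement with one that keeps an account on servers it already occupies. All VM names, server numbers and placements are constructed sample data, and the "sticky" placement is an illustrative stand-in for the previously-selected-server idea, not the PSSF algorithm itself.

```python
# Added example: Efficiency, Coverage and VMmin from Table 1, applied to constructed
# placements. A placement maps VM id -> server id (servers numbered 0..K-1).
def servers(vms, placement):
    """Servers({set of VMs}): the servers hosting those VMs."""
    return {placement[v] for v in vms}

def succ_target(target, attacker_vms, placement):
    """SuccTarget(A,t): targets co-located with at least one VM in VM(A,t)."""
    hostile_hosts = servers(attacker_vms, placement)
    return {v for v in target if placement[v] in hostile_hosts}

def succ_vm(target, attacker_vms, placement):
    """SuccVM(A,t): attacker VMs co-located with at least one of the T targets."""
    victim_hosts = servers(target, placement)
    return {v for v in attacker_vms if placement[v] in victim_hosts}

def efficiency(target, attacker_vms, placement):
    """|Servers(SuccVM(A,t))| / |VM(A,t)|: co-resident servers gained per VM launched."""
    if not attacker_vms:
        return 0.0
    gained = servers(succ_vm(target, attacker_vms, placement), placement)
    return len(gained) / len(attacker_vms)

def coverage(target, attacker_vms, placement):
    """|SuccTarget(A,t)| / T: fraction of the targets reached."""
    return len(succ_target(target, attacker_vms, placement)) / len(target)

def vm_min(target, launch_order, placement):
    """Fewest attacker VMs (in launch order) before the first co-residence; None if never."""
    for n in range(1, len(launch_order) + 1):
        if succ_vm(target, launch_order[:n], placement):
            return n
    return None

# Constructed scenario: K=4 servers, legal user L with T=3 targets, attacker A
# launching 5 VMs (listed in launch order). Two placements are compared.
TARGET = ["L1", "L2", "L3"]
ATTACKER = ["A1", "A2", "A3", "A4", "A5"]
# Spread placement: A's VMs land wherever capacity happens to be free.
SPREAD = {"L1": 0, "L2": 1, "L3": 1, "A1": 2, "A2": 1, "A3": 0, "A4": 3, "A5": 1}
# Sticky placement: A is kept on servers A already occupies (an illustrative
# stand-in for the previously-selected-server idea, not the PSSF algorithm).
STICKY = {"L1": 0, "L2": 1, "L3": 1, "A1": 2, "A2": 2, "A3": 3, "A4": 2, "A5": 3}

def score(placement):
    """Return (Efficiency, Coverage, VMmin) of the constructed attack under a placement."""
    return (efficiency(TARGET, ATTACKER, placement), coverage(TARGET, ATTACKER, placement),
            vm_min(TARGET, ATTACKER, placement))

if __name__ == "__main__":
    for name, placement in (("spread", SPREAD), ("sticky", STICKY)):
        print(name, score(placement))  # spread (0.4, 1.0, 2); sticky (0.0, 0.0, None)
```

Under the spread placement the attacker reaches every target with the second VM launched; under the sticky placement no attacker VM ever shares a server with a target, so all three metrics show the policy's defensive value.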
A hypervisor has its own security zone, and it is the controlling agent for everything within the virtualization host. The hypervisor can touch and affect all actions of the virtual machines running within the virtualization host. Multiple security zones exist within the same physical infrastructure. This can cause a security issue when an attacker takes control of the hypervisor. [2] Another major virtualization security concern is "escaping the virtual machine", i.e. the ability to reach the hypervisor from within the virtual machine level.

VI. CONCLUSION

This paper shows that security is the most significant user concern in cloud computing. In this paper, we focused on the various virtual machine security attacks and their analysis in a cloud environment. Attacks against the hypervisor are becoming more popular among attackers. This paper highlights multi-tenancy as a vulnerability and provides an in-depth understanding of the different dimensions and measures of security attacks in multi-tenancy. It also discusses hypervisor security within the virtual machine environment.

REFERENCES

[1] S. Subashini and V. Kavitha, "A survey on security issues in service delivery models of cloud computing," Journal of Network and Computer Applications, 2011.
[8] Omar Abdel Wahab, Jamal Bentahar, Hadi Otrok and Azzam Mourad, "Optimal Load Distribution of VM-based DDoS Attacks in the Cloud," IEEE Transactions on Services Computing, 2017.
[9] Manjinder Singh and Charanjit Singh, "Multi Tenancy Security in Cloud Computing," International Journal of Engineering Sciences & Research Technology, Vol. 6, Issue 3, 2017.
[10] Raghvendra Kumar and Arti Pandey, "A Survey on Security Issues in Cloud Computing," IJSRSET, Vol. 2, Issue 3, 2016. Journal of Grid Distribution Computing, Vol. 8, No. 2, 2015, pp. 177-190.