Preventing Information Leakage from Virtual Machines' Memory in IaaS Clouds

Tadokoro, Hidekazu; Kourai, Kenichi; Chiba, Shigeru

doi:10.2197/ipsjtrans.5.156

Cited by 15 publications

(11 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Permitted access can be configured by users. Secure Runtime Environment [2,23] and VMCrypt [24] prevent information leakage from the memory of VMs to cloud operators. These systems encrypt the memory of VMs only when cloud operators access it from the management VM, while the systems do not when the VMs themselves access its memory.…”

Section: Secure Vm Management On Trusted Hypervisorsmentioning

confidence: 99%

See 1 more Smart Citation

Secure VM management with strong user binding in semi-trusted clouds

Inokuchi

Kourai

2020

J Cloud Comp

Self Cite

View full text Add to dashboard Cite

In Infrastructure-as-a-Service (IaaS) clouds, remote users access provided virtual machines (VMs) via the management server. The management server is managed by cloud operators, but not all the cloud operators are trusted in semi-trusted clouds. They can execute arbitrary management commands to users' VMs and redirect users' commands to malicious VMs. We call the latter attack the VM redirection attack. The root cause is that the binding of remote users to their VMs is weak. In other words, it is difficult to enforce the execution of only users' management commands to their VMs. In this paper, we propose UVBond for strongly binding users to their VMs to address this issue. UVBond boots user's VM by decrypting its encrypted disk inside the trusted hypervisor. Then it issues a VM descriptor to securely identify that VM. To bridge the semantic gap between high-level management commands and low-level hypercalls, UVBond uses hypercall automata, which accept the sequences of hypercalls issued by commands. We have implemented UVBond in Xen and created hypercall automata for various management commands. Using UVBond, we confirmed that a VM descriptor and hypercall automata prevented insider attacks and that the overhead was not large in remote VM management.

show abstract

Section: Secure Vm Management On Trusted Hypervisorsmentioning

confidence: 99%

“…Cloud operators inside the virtualized system cannot access the memory using VMI. Like the above systems [2,23,24], CloudVisor securely encrypts the memory when users' VMs are migrated. However, the overhead of nested virtualization is not small.…”

Section: Secure Vm Management On Untrusted Hypervisorsmentioning

confidence: 99%

Secure VM management with strong user binding in semi-trusted clouds

Inokuchi

Kourai

2020

J Cloud Comp

Self Cite

View full text Add to dashboard Cite

show abstract

“…This out-of-band remote management relies on the management VM, but the management VM is not always trustworthy in clouds [1], [2], [3], [4], [5]. Since the user VMs can be migrated between data centers, it is not guaranteed that they are run in data centers where all the administrators are trusted.…”

Section: Out-of-band Remote Managementmentioning

confidence: 99%

“…We assume that IaaS providers themselves are trusted. This assumption is widely accepted [1], [2], [3], [4], [5]. To guarantee the trustworthiness, a small number of trusted administrators are responsible for the maintenance of the VMM and the hardware.…”

Section: Threat Model and Assumptionsmentioning

confidence: 99%

See 1 more Smart Citation

Security Enhancement of Out-of-band Remote Management in IaaS Clouds

Egawa

Nishimura

Kourai

2013

IPSJ Online Transactions

Self Cite

View full text Add to dashboard Cite

In Infrastructure-as-a-Service (IaaS) clouds, the users manage the systems in the provided virtual machines (VMs) called user VMs through remote management software such as Virtual Network Computing (VNC). For dependability, they often perform out-of-band remote management via the management VM. Even in the case of system failures inside their VMs, the users could directly access their systems. However, the management VM is not always trustworthy in IaaS. Once outside or inside attackers intrude into the management VM, they could easily eavesdrop on all the inputs and outputs in remote management. To solve this security issue, this paper proposes FBCrypt for preventing information leakage via the management VM in out-of-band remote management. FBCrypt encrypts the inputs and outputs between a VNC client and a user VM using the virtual machine monitor (VMM). Sensitive information is protected against the management VM between them. The VMM intercepts the reads of virtual devices by a user VM and decrypts the inputs, whereas it intercepts the updates of a framebuffer by a user VM and encrypts the pixel data. We have implemented FBCrypt for para-virtualized and fully-virtualized guest operating systems in Xen and TightVNC. Then we confirmed that any keystrokes or pixel data did not leak.

show abstract