A secure and rapid response architecture for virtual machine migration from an untrusted hypervisor to a trusted one

Tao WU, Qiusong YANG, Yeping HE

Front. Comput. Sci. ›› 2017, Vol. 11 ›› Issue (5): 821-835. DOI: 10.1007/s11704-016-5190-6
RESEARCH ARTICLE


Abstract

Two key issues exist during virtual machine (VM) migration in cloud computing. One is when to start migration, and the other is how to determine a reliable target; in previous studies, both depend entirely on whether the source hypervisor is trusted. However, once the source hypervisor is no longer trusted, migration faces unprecedented challenges. To address these problems, we propose a secure architecture, SMIG (secure migration), which defines a new concept of Region Critical TCB and leverages an innovative adjacent integrity measurement (AIM) mechanism. AIM dynamically monitors the integrity of its adjacent hypervisor and passes the results to the Region Critical TCB, which then determines whether to start migration and where to migrate according to a table named the integrity validation table. We have implemented a prototype of SMIG based on the Xen hypervisor. Experimental evaluation shows that SMIG can detect a malicious hypervisor and start migration to a trusted one rapidly, incurring only a moderate overhead for computing-intensive and I/O-intensive tasks and a small overhead for others.

Keywords

untrusted hypervisor / migration target / adjacent integrity measurement / Region Critical TCB

Cite this article

Tao WU, Qiusong YANG, Yeping HE. A secure and rapid response architecture for virtual machine migration from an untrusted hypervisor to a trusted one. Front. Comput. Sci., 2017, 11(5): 821-835. DOI: 10.1007/s11704-016-5190-6


RIGHTS & PERMISSIONS

Higher Education Press and Springer-Verlag Berlin Heidelberg
