A secure and rapid response architecture for virtual machine migration from an untrusted hypervisor to a trusted one
Tao WU, Qiusong YANG, Yeping HE
Two key issues arise during virtual machine (VM) migration in cloud computing: when to start migration, and how to choose a reliable target. In previous studies, both decisions depend entirely on whether the source hypervisor is trusted. Once the source hypervisor can no longer be trusted, however, migration faces unprecedented challenges. To address these problems, we propose a secure migration architecture, SMIG, which defines a new concept, the Region Critical TCB, and leverages a novel adjacent integrity measurement (AIM) mechanism. AIM dynamically monitors the integrity of its adjacent hypervisor and passes the results to the Region Critical TCB, which then determines whether to start migration and where to migrate according to a table named the integrity validation table. We have implemented a prototype of SMIG based on the Xen hypervisor. Experimental evaluation shows that SMIG can detect a malicious hypervisor and rapidly start migration to a trusted one, incurring only a moderate overhead for compute-intensive and I/O-intensive tasks and a small overhead for others.
Keywords: untrusted hypervisor / migration target / adjacent integrity measurement / Region Critical TCB
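The abstract describes the SMIG decision flow only at the level of components: an AIM agent measures the adjacent hypervisor, the Region Critical TCB compares the report against the integrity validation table, and on a mismatch it decides whether and where to migrate. The following Python model is an added illustration of that flow, not code from the paper or its Xen prototype. The table schema (host, expected digest, status, load), the use of SHA-256 over a byte image as the "measurement", the tie-breaking on load, and all sample hosts and images are assumptions made for the example.

```python
"""Toy model of the SMIG decision flow: an adjacent integrity measurement
(AIM) report is checked by a Region Critical TCB against an integrity
validation table (IVT); on mismatch, a trusted migration target is chosen.
Every field, hash choice and sample value below is an assumption."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class IVTEntry:
    """Assumed row layout of the integrity validation table."""
    host: str
    expected: str            # known-good digest of the measured hypervisor region
    status: str = "unknown"  # "trusted" | "untrusted" | "unknown"
    load: float = 0.0        # assumed: used only to break ties among trusted hosts


def measure(image: bytes) -> str:
    """Constructed AIM measurement: SHA-256 over the monitored region."""
    return hashlib.sha256(image).hexdigest()


class RegionCriticalTCB:
    """Holds the IVT and makes the start/target decision from AIM reports."""

    def __init__(self, table: Dict[str, IVTEntry]):
        self.table = table

    def report(self, host: str, digest: str) -> str:
        """Consume one AIM report and update the host's trust status."""
        entry = self.table[host]
        entry.status = "trusted" if digest == entry.expected else "untrusted"
        return entry.status

    def choose_target(self, source: str) -> Optional[str]:
        """Pick a trusted host other than the source; None if there is none."""
        candidates = [e for h, e in self.table.items()
                      if h != source and e.status == "trusted"]
        if not candidates:
            return None
        return min(candidates, key=lambda e: e.load).host

    def decide(self, source: str, digest: str) -> dict:
        """Whether to start migration from `source`, and to where."""
        if self.report(source, digest) == "trusted":
            return {"migrate": False, "target": None, "reason": "source integrity ok"}
        target = self.choose_target(source)
        if target is None:
            # Failure mode: source is compromised but no validated target exists.
            return {"migrate": False, "target": None, "reason": "no trusted target"}
        return {"migrate": True, "target": target, "reason": "source untrusted"}


# Constructed sample images standing in for the measured hypervisor region.
GOOD_IMAGE = b"hypervisor-text-and-rodata (constructed sample)"
TAMPERED_IMAGE = GOOD_IMAGE + b"\x90\x90"   # constructed: unexpected bytes appended


def build_demo_tcb() -> RegionCriticalTCB:
    """Three constructed hosts sharing one known-good measurement."""
    good = measure(GOOD_IMAGE)
    table = {
        "hostA": IVTEntry("hostA", good, "trusted", load=0.4),
        "hostB": IVTEntry("hostB", good, "trusted", load=0.2),
        "hostC": IVTEntry("hostC", good, "untrusted", load=0.1),  # already flagged
    }
    return RegionCriticalTCB(table)


def run_demo() -> tuple:
    """Return (decision for a clean report, decision for a tampered report)."""
    tcb = build_demo_tcb()
    ok = tcb.decide("hostA", measure(GOOD_IMAGE))
    bad = tcb.decide("hostA", measure(TAMPERED_IMAGE))
    return ok, bad


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

The point of the model is the ordering the abstract implies: the migration decision is driven by the measurement of the source, not by any claim the source hypervisor makes about itself, and the target is drawn only from hosts whose own measurement currently validates (hostC is skipped even though it has the lowest load).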