An Exhaustive Survey on Security Concerns and Solutions at Different Components of Virtualization

RAJENDRA PATIL and CHIRAG MODI, National Institute of Technology Goa, India

Virtualization is a key enabler of various modern computing technologies. However, it brings additional vulnerabilities that can be exploited to affect the availability, integrity, and confidentiality of the underlying resources and services. The dynamic and shared nature of the virtualization poses additional challenges to the traditional security solutions. This article explores the vulnerabilities, threats, and attacks relevant to virtualization. We analyze the existing security solutions and identify the research gaps that can help the research community to develop a secured virtualization platform for current and future computing technologies.

CCS Concepts: • Security and privacy → System security; Operating system security; Virtualization and security; Network security; Denial-of-service attacks;

Additional Key Words and Phrases: Virtualization, hypervisor, virtual machine, vulnerability, security

ACM Reference format:
Rajendra Patil and Chirag Modi. 2019. An Exhaustive Survey on Security Concerns and Solutions at Different Components of Virtualization. ACM Comput. Surv. 52, 1, Article 12 (February 2019), 38 pages. https://doi.org/10.1145/3287306

1 INTRODUCTION

Virtualization is an abstraction of hardware and software resources allowing heterogeneous architectures to run on the same hardware [9]. The major components of the virtualization are virtual machines (VMs), hypervisors, and virtual networks. VM is a software system similar to the physical system allowing us to run an operating system and other applications. Hypervisor offers an “abstraction of physical resources” like CPU, memory, network, and storage. It allows us to run multiple operating systems at a time on the same physical resources.
It can be installed directly on hardware (Type I) or as a part of the host OS (Type II). A virtual network enables communication among the VMs through a virtual switch (vSwitch).

In the past decade, virtualization-based applications have increased by a tremendous amount. However, the current implementations of virtualization introduce many vulnerabilities and security challenges. In the National Vulnerability Database (NVD), several vulnerabilities related to well-known hypervisors such as XEN, VMware, and Qemu have been recorded. The successful exploitation of these vulnerabilities leads to many attacks, which can affect the confidentiality, integrity, or availability (CIA) of the hypervisor or its underlying VMs. For instance, the critical VENOM vulnerability (CVE-2015-3456) in the open-source Qemu hypervisor allows an attacker to break out of a VM, execute code on a host machine, and access all the other VMs on the host. This leads to hundreds or thousands of virtualization products being vulnerable to VENOM. The Foreshadow vulnerability (CVE-2018-3646) in XenServer allows an attacker to create a speculative side channel and steal data in VM RAM from other non-trusted VMs on the same physical server. Kaspersky Lab has analyzed that the cost of recovering from a security incident doubles when the attack affects virtual infrastructure. Thus, the virtualization environment needs to be secured.

This work is a part of the project titled “Designing out-of-VM Monitoring based Virtual Machine Introspection Framework for Securing Virtual Environment of Cloud Computing (ECR/2017/001221)” with funding support from Science and Engineering Research Board, Department of Science and Technology, Government of India.
Authors’ address: R. Patil and C. Modi, National Institute of Technology Goa, Ponda, Goa 403401, India, emails: {rajendrapatil, cnmodi}@nitgoa.ac.in.
© 2019 Copyright held by the owner/author(s). Publication rights licensed to ACM. 0360-0300/2019/02-ART12 $15.00 https://doi.org/10.1145/3287306
ACM Computing Surveys, Vol. 52, No. 1, Article 12. Publication date: February 2019.

Table 1. Key Terms

| Term | Description |
|---|---|
| Control VM | A VM with higher privileges, e.g., Dom0 in Xen |
| Rogue VM | A VM with an abusive administrator |
| Co-hosted VM | A VM that shares resources with other VMs on the same physical server |
| Hypervisor Management Interface (HMI) | It manages the hypervisor and VM building functionalities |
| Launching channel | A communication channel from the origin of the VM image to the destination hypervisor where the image is to be deployed |
| Hypervisor Layer | This layer enables the VMs to run on a physical server |
| VM Management Layer | It manages the virtual machines |
| VM (OS) Kernel Layer | It builds the virtual machine |
| Virtual Machine Layer | It contains all VMs on a single physical server |
| VM Network Layer | It enables VMs to communicate with each other through the virtual switch |
| Trusted Computing Base (TCB) | A combination of hardware and software components that defines the trusted computing environment |
| Hardware VM (HVM) | It requires virtualization extensions from the host CPU and thus, using Qemu (Quick emulator), it emulates the physical hardware |
| Paravirtualized VM (PVM) | It can run efficiently without hardware emulation |
This article explores various vulnerabilities, security threats, and attacks related to virtualization and classifies them according to the core components of the virtualization infrastructure. We investigate the existing security approaches and techniques for each component and explore the research gaps. By considering these research gaps, we provide possible security research directives that will help the research community to address the needs of virtualization security and to design a secured and trusted virtualization platform for future computing technologies. Table 1 presents different key terms that we have used in this article.

In the following, Section 2 discusses the vulnerabilities, threats, and attacks to virtualization. Section 3 analyzes the existing security solutions and challenges to the virtualization. Section 4 discusses the research gaps in the existing solutions and provides future research directives for offering better security in virtualization. Finally, Section 5 concludes our findings.

2 SECURITY CONCERNS AT VIRTUALIZATION

As shown in Figure 1, the virtualization environment includes the physical servers and other related components such as the management server, the VM repository, and networks. A physical server is virtualized using the hypervisor, which provides the abstractions of the physical resources. It has five components: VM, hypervisor, virtual network, host OS (control VM in the case of a Type 1 hypervisor), and underlying hardware. A hypervisor runs multiple VMs on the same hardware. A VM or applications running on VMs can be accessed by an end user through the Internet. A management server is used to handle the management-related tasks of the virtualization. The VM repository stores the VM images, which are managed through the interaction with the management server. A VM owner can launch a VM image to a hypervisor through the interaction with the management server. The network component typically presents three different networks: virtual network, internal network, and external network. VMs are connected over vSwitch, which forms the virtual network. The internal network is responsible for connecting the physical servers, storage servers, and management server. The external network connects the virtual environment to the external users through the Internet.

Fig. 1. Components of virtualization and attack surface.

The security threats to the virtualization are due to the vulnerabilities existing in the different components and operations involved in the virtual environment. Figure 2 shows the taxonomy of virtualization-related attacks. An attack surface is mapped from Figure 1 to Figure 2 to discuss the possible attacks from a particular source to a victim.

2.1 Security Challenges to Hypervisor

Hypervisor enables the virtualization, and it has different components. For example, the Xen (Type 1) hypervisor contains a hypervisor core, management interface/privileged domain (Dom0), Qemu, and guest VMs. The KVM (Type 2) hypervisor interacts with the host OS, which is an additional component of KVM. The hypervisor core controls the execution of VMs by providing hardware abstraction. It performs CPU scheduling and memory partitioning for the VMs running on the hardware device. The hypervisor management interface carries all management actions of a VM. In a type 1 hypervisor, it is a control VM (Dom0), while in a type 2 hypervisor, it is a trusted process of the host OS. Dom0 is a privileged VM that has special rights to access I/O resources. Xen supports two types of VM: paravirtualized VM (PVM) and hardware VM (HVM). For guests running as HVMs, Xen uses