JAC : A JOURNAL OF COMPOSITION THEORY ISSN : 0731-6755

A Concept of Security and Vulnerability Attacks, Protection Process in Virtualization for Cloud Computing

J. Saravanan

M.Phil. Research Scholar D.B.Jain College (Autonomous), Thoraipakkam, Chennai, India. E-mail: [email protected]

Saravanan .P

Assistant Professor D.B.Jain College (Autonomous), Thoraipakkam, Chennai, India. E-mail: [email protected], [email protected]

Abstract: Security issues are the principal concerns of the virtualization era whenever data transfer and application access take place from one virtual machine to another, since these are a decisive threat to efficiency. Today's IT intention is to adopt the virtualization era, which allows the business world to run with fewer resources. Still, certain virtualization issues exist when ordinary applications and virtual applications are made available to run in a virtual environment. Security issues among virtual machines, virtual applications, and physical machines are important. The following issues are addressed in order to improve the performance of the virtual environment.

Keywords: Security Virtualization, Privacy, Virtual Machine, Threat, VMs, Vulnerabilities, Virtualization, Cloud Computing.

I. INTRODUCTION

Virtualization is generally defined as a technology that introduces a software abstraction layer between the hardware and the operating system and applications running on top of it. This abstraction layer is referred to as a virtual machine monitor (VMM) or hypervisor, and it essentially hides the physical resources of the computing system from the operating system (OS).

Since the hardware resources are directly managed by the VMM and not by the OS, it is possible to run multiple (possibly different) OSs in parallel on the same hardware. As a result, the hardware platform is partitioned into one or more logical units referred to as virtual machines (VMs). "Virtuality" differs from "reality" only in the formal world, while possessing a similar essence or effect. In the computing world, a virtual environment is perceived the same as a real environment by software applications and the rest of the world, although the underlying mechanisms are formally different.

The virtualization technology has many benefits: easy management of the virtual environment; the high speed of deployment of new servers; the efficiency of creating backup copies, testing updates, and testing new functionality on up-to-date copies of production systems. Unlike the physical environment, in which there are no restrictions on the use of security features on the host (network traffic can be filtered by standard network equipment, in addition to protection against intrusion and access control), it is not always feasible, and is sometimes even dangerous, to use the same security methods in a virtual environment; for instance, simultaneous anti-virus scanning of the hard drives of several virtual machines creates a large load on the system. Network traffic between virtual machines does not leave the server, and consequently it is not directly visible to network security devices. In addition, there is an extra software layer, which also needs to be protected.

Volume XIII, Issue V, MAY 2020 Page No: 153 JAC : A JOURNAL OF COMPOSITION THEORY ISSN : 0731-6755

Figure 1. Structure of Virtualization Security

II. VIRTUALIZATION LAYER COMPONENTS

2.1. Hypervisor

The hypervisor acts as the abstraction layer that provides the resource management capabilities that enable the sharing of hardware resources between the VMs. Hypervisors have two principal models: hosted (para-virtualization), such as Xen, and full virtualization, such as VMware. These two models trade off some level of isolation to increase the sharing of resources among VMs. Typically, this comes at the cost of performance[1].

2.2. Virtual Network

The virtual network contains the virtual switch (vSwitch) software that controls the multiplexing of traffic between the virtual NICs (VNICs) of the installed VMs and the physical NICs (PNICs) of the physical host. The vSwitch also controls the inter-VM traffic on a single host that never touches the PNICs of the host, and it manages the customers' trust zones.

The vSwitch acts like a physical switch in a non-virtualized environment and performs nearly the same duties, including the core layer 2 forwarding functions, VLAN tagging, layer 2 checksums, and segmentation. However, some features like Spanning Tree Protocol are not needed in the vSwitch, because there is no way to make redundant switch connections[1].

2.3. Virtual Machines (VMs)

VMs are the software entities that emulate an actual physical machine. VMs run under the control of the hypervisor, which virtualizes and multiplexes the hardware resources[1]. The rest of this paper is organized as follows. Section 2 explores the cloud virtual infrastructure security problems and the different threats that can affect the virtual infrastructure components. Section 3 reviews the previous work in the area of securing the virtual cloud infrastructure and virtualized servers. In section 4, we explore the key research challenges of implementing security solutions to protect the cloud virtual infrastructure.


III. CLOUD VIRTUALIZATION INFRASTRUCTURE SECURITY

The cloud computing model provides organizations with a more efficient, flexible, and cost-effective option to customize their computing resources. However, hackers and security researchers have shown that these capabilities of virtualization can be exploited to create new and more robust forms of malware that are difficult to detect and can evade current security technologies.

Figure 2. Infrastructure of Secured Virtual Environment

3.1. Threat Model

Security responsibility in the cloud is not a single-party responsibility. Security is shared between the cloud provider and the cloud user. Customers are not aware of how their VMs are being protected. On the other hand, the cloud providers running the VMs are not aware of the VM contents.

Thus, there is no complete trust relationship between cloud customers and providers. From a cloud provider perspective, customers' VMs cannot be trusted, and this is our research focus.

In our threat model, a hacker may be a cloud consumer that hosts a service or a non-cloud user, and in both cases the victim is the cloud provider that runs the service or the other hosted VMs[1].

In the first threat model, hackers have greater chances of success, because they have access to the Cloud Virtual Infrastructure (VCI) and can run different malware to gain greater access privileges.

3.2. Security Threats

Breaching the security of any component in the VCI significantly affects the security of the other components and consequently affects the overall system security. Different vulnerabilities and security threats exist in cloud computing; here we focus on VCI security threats[1]. Security threats for the cloud virtual infrastructure can be divided into three classes.


3.3. Hypervisor Attacks

Hackers consider the hypervisor a potential target because of the greater control afforded by lower layers in the system. Compromising the hypervisor allows gaining control over the installed VMs, the physical machine, and the hosted applications. HyperJacking, BLUEPILL, Vitriol, SubVirt, and DKSM are well-known attacks that target the virtual layer at run-time. These VM-based rootkits (VMBRs) are able to insert a malicious hypervisor on the fly or modify the installed hypervisor to gain control over the host workload. In some hypervisors like Xen, the hypervisor is not alone in administering the VMs. A special privileged VM serves as an administrative interface to Xen and controls the other VMs. This VM is also a potential target for hackers, who aim to exploit vulnerabilities in that VM to gain access to the hypervisor or the other installed VMs[1].

Figure 3. Hypervisor Attacks

3.4. vSwitch Attacks

The vSwitch is vulnerable to the same wide range of layer-2 attacks as a physical switch[1]. These attacks target vSwitch configurations, VLANs, trust zones, and ARP tables.
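As an added illustration (not code from the paper or from reference [1]), the following Python script takes the defender's side of the ARP-table concern above: it replays constructed ARP replies observed on a vSwitch port group and flags an IP whose MAC binding changes within a VLAN, a MAC that answers for several IPs, and a MAC that moves between virtual ports. The record layout, addresses and port names are constructed sample data.

```python
# Added example (not from the paper): detect ARP-table inconsistencies of the
# kind a layer-2 attack against a vSwitch produces. All data below is constructed.
from collections import defaultdict

# Constructed sample of ARP replies observed on one vSwitch port group:
# (timestamp, vlan, sender_ip, sender_mac, virtual_port)
SAMPLE_ARP_REPLIES = [
    (1, 10, "10.0.10.1", "00:50:56:aa:00:01", "vnic-gw"),
    (2, 10, "10.0.10.20", "00:50:56:aa:00:20", "vnic-vm20"),
    (3, 10, "10.0.10.21", "00:50:56:aa:00:21", "vnic-vm21"),
    (9, 10, "10.0.10.1", "00:50:56:aa:00:21", "vnic-vm21"),    # gateway IP now claimed by vm21
    (10, 20, "10.0.20.1", "00:50:56:aa:00:99", "vnic-vm99"),   # other VLAN, first sighting
    (11, 10, "10.0.10.20", "00:50:56:aa:00:20", "vnic-vm99"),  # vm20's MAC behind another port
]


def detect_arp_anomalies(replies, max_ips_per_mac=1):
    """Replay ARP replies in time order and return a list of alert dicts.

    State is kept per VLAN, since a vSwitch keeps separate forwarding state per VLAN:
      binding_change       an IP's MAC differs from the one learned earlier
      mac_claims_many_ips  one MAC answers for more than max_ips_per_mac addresses
      mac_port_change      a MAC is seen behind a different virtual port than before
    """
    ip_to_mac = {}                   # (vlan, ip)  -> (mac, port)
    ips_by_mac = defaultdict(set)    # (vlan, mac) -> {ip, ...}
    port_of_mac = {}                 # (vlan, mac) -> port
    alerts = []

    for ts, vlan, ip, mac, port in sorted(replies):
        key = (vlan, ip)
        if key in ip_to_mac and ip_to_mac[key][0] != mac:
            alerts.append({"time": ts, "type": "binding_change", "vlan": vlan, "ip": ip,
                           "old": ip_to_mac[key], "new": (mac, port)})
        ip_to_mac[key] = (mac, port)

        claimed = ips_by_mac[(vlan, mac)]
        if ip not in claimed:        # alert once per newly claimed address, not on every reply
            claimed.add(ip)
            if len(claimed) > max_ips_per_mac:
                alerts.append({"time": ts, "type": "mac_claims_many_ips", "vlan": vlan,
                               "mac": mac, "ips": sorted(claimed)})

        previous_port = port_of_mac.get((vlan, mac))
        if previous_port is not None and previous_port != port:
            alerts.append({"time": ts, "type": "mac_port_change", "vlan": vlan, "mac": mac,
                           "old_port": previous_port, "new_port": port})
        port_of_mac[(vlan, mac)] = port

    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(alert)
```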

3.5. Virtual Machine Attacks

Cloud servers contain VMs; those VMs can be active or offline, and in each state they are vulnerable to various attacks. Active VMs are vulnerable to all conventional attacks that can affect physical servers. Once a VM is compromised, the VMs on the same physical server become able to attack each other, because the VMs share the same hardware and software resources, e.g. memory, device drivers, storage, and hypervisor software.

The colocation of multiple VMs in a single server sharing the same resources increases the attack surface and the chance of VM-to-VM or VM-to-hypervisor compromise. On the other hand, when a physical server is off, it is safe from attacks. With VMs, however, when a VM goes offline it is still available as VM image files that are vulnerable to malware infections and patching[1]. Additionally, provisioning tools and VM templates are exposed to specific attacks that aim at creating new unauthorized VMs or patching the VM templates to infect the other VMs that will be cloned from this template.

3.6. Multi-Tenancy

Different users within a cloud share the same applications and the same physical hardware to run their VMs. This sharing can allow information leakage exploitation and increases the attack surface and the chance of VM-to-VM or VM-to-hypervisor compromise[1].


3.7. Workload Complexity

Server aggregation duplicates the amount of workload and network traffic that runs within the cloud's physical servers, which increases the complexity of managing the cloud workload[1].

3.8. Loss of Control

Users are not aware of the location of their data and services, and the cloud providers run VMs whose contents they are not aware of[1].

3.9. Network Topology

The cloud structure is very dynamic, and the prevailing workload changes over time as VMs are created and removed[1]. In addition, the mobile nature of VMs, which allows VMs to migrate from one server to another, leads to a network topology that is not predefined.

3.10. No Physical Endpoints

Due to server and network virtualization, the number of physical endpoints (e.g. switches, servers, NICs) is reduced. These physical endpoints are traditionally used in defining, managing, and protecting IT assets[1].

3.11. Single Point of Access

Virtualized servers have a limited number of access points (NICs) available to all VMs. This represents a critical security vulnerability, in which compromising these access points opens the door to compromising the VCI, including the VMs, the hypervisor, or the vSwitch[1].

IV. VIRTUALIZATION SECURITY ISSUES

While virtualization brings isolation and abstraction with respect to protection within the cloud infrastructure, it also produces some important security concerns in addition to those of all conventional networked systems. Security is the most important hurdle for any enterprise during the migration and implementation of its system in the cloud infrastructure. Some of the fundamental security issues are:

4.1. Securing all Elements of Virtual Environment and Maintaining Security

The security of a virtualization solution is heavily dependent on the individual security of each component, from the hypervisor and host OS to the guest OSs, applications, and storage. Sound security practices must be established, including keeping software up to date with security patches, using secure configuration baselines, and using antivirus software or any other appropriate mechanism to detect or stop attacks[2].

4.2. Restricting and Protecting Administrator Access to the Virtualization Solution

The security of the entire virtual infrastructure relies on the security of the virtualization management system that controls the hypervisor and allows the operator to create new guest OSs and perform other administrative actions.

Some virtualization products provide multiple ways to manage hypervisors; every management interface must be secured, whether it is locally or remotely accessible. For remote administration, the confidentiality of communications must be protected[2].


4.3. Issues with the Hypervisor

The hypervisor is a piece of software that works as a virtual machine manager and lies between the VMs and the hardware. Since it has the authority to control all the VMs running on the physical system, compromising it may lead to severe damage to the entire cloud infrastructure. VM escape is one of the principal attacks on the hypervisor[3].

In this exploit, the attacker finds a way to run some piece of code that breaks the security layer of the OS and starts to interact directly with the hypervisor. In the cloud infrastructure, hypervisors are on several occasions modified at runtime to avoid downtime.

During this modification, malicious code may be inserted into the hypervisor, and later it can be used to control the entire system. White-box attacks are extremely rare on cloud platforms, but they raise serious security concerns because rogue system administrators and employees could take advantage of their privileges to insert malicious code underneath.

4.4. Issues with the Networks

Network virtualization works well in the cloud; however, it brings several attack surfaces to the cloud infrastructure. Since virtual networks are software-based, they have the numerous attack surfaces that are found on every software system (e.g. buffer overflows, integer overflows, and so on)[3].

Software-based networks do not offer the protection that physical networks offer, so it is relatively easy to compromise and reroute the network traffic, which may cause severe loss. Although there are numerous virtual security appliances (VSAs) (e.g. firewalls, IDSs), there are still conventional security problems with these as well, because software-based systems have weaknesses.

As stated earlier, networks can be compromised during the migration of a VM, which may cause information leakage and raises concern about the sanity of the VM image that is being migrated. There are numerous virtual networks (e.g. the physical management network, the migration network, the storage network, and many others) that can be compromised and cause severe trouble to the entire cloud infrastructure.

V. COUNTERMEASURES FOR VIRTUALIZATION SECURITY PROCESS

We have discussed several kinds of vulnerabilities and attacks in the previous sections. In this section, we briefly discuss some countermeasures to avoid those problems. However, the primary goal of this paper is to point out the security issues in the cloud infrastructure related to virtualization. Therefore, the countermeasures in this section are not discussed in complete detail.

5.1. Ensuring the Hypervisor is Properly Secured

Securing a hypervisor involves actions that are general for any kind of software, such as installing updates as they become available. Other recommended actions include disabling unused virtual hardware and file sharing, and considering using the capabilities of the hypervisor to monitor the security of every guest OS running within it, as well as the security activities occurring between the guest operating systems. The hypervisor also needs to be carefully monitored for signs of compromise.
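The recommendation above to disable unused virtual hardware and file sharing can be checked mechanically. The following Python audit is added here (it is not from the paper or from any hypervisor vendor): it parses a libvirt/KVM domain definition and reports removable drives, USB controllers and redirection, host directory sharing, sound devices, and a VNC console exposed on all interfaces. The two domain definitions are constructed samples; the element and attribute names are those of libvirt's domain XML, and the check only covers the `listen` attribute form, not the `<listen>` child element.

```python
# Added example (not from the paper): audit a libvirt/KVM domain definition for
# virtual hardware a hardened server guest should not carry. Both definitions
# below are constructed samples; element/attribute names follow libvirt's domain XML.
import xml.etree.ElementTree as ET

SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>web01</name>
  <devices>
    <disk type='file' device='disk'><source file='/var/lib/libvirt/images/web01.qcow2'/><target dev='vda' bus='virtio'/></disk>
    <disk type='file' device='cdrom'><target dev='hdc' bus='ide'/></disk>
    <disk type='file' device='floppy'><target dev='fda' bus='fdc'/></disk>
    <controller type='usb' model='ich9-ehci1'/>
    <filesystem type='mount' accessmode='passthrough'><source dir='/srv/share'/><target dir='share'/></filesystem>
    <redirdev bus='usb' type='spicevmc'/>
    <sound model='ich6'/>
    <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'/>
  </devices>
</domain>"""

HARDENED_DOMAIN_XML = """<domain type='kvm'>
  <name>web01</name>
  <devices>
    <disk type='file' device='disk'><source file='/var/lib/libvirt/images/web01.qcow2'/><target dev='vda' bus='virtio'/></disk>
    <controller type='usb' model='none'/>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1' passwd='CONSTRUCTED-PLACEHOLDER'/>
  </devices>
</domain>"""


def audit_domain_xml(xml_text):
    """Return one finding dict per unnecessary or exposed virtual device."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="?")
    findings = []

    def add(code, detail):
        findings.append({"domain": name, "code": code, "detail": detail})

    devices = root.find("devices")
    if devices is None:   # childless Elements are falsy, so compare with None explicitly
        return findings
    for disk in devices.findall("disk"):
        if disk.get("device") in ("cdrom", "floppy"):
            target = disk.find("target")
            dev = target.get("dev") if target is not None else "?"
            add("removable_media", f"{disk.get('device')} drive {dev}; detach if not needed")
    for ctrl in devices.findall("controller"):
        if ctrl.get("type") == "usb" and ctrl.get("model") != "none":
            add("usb_controller", f"USB controller model={ctrl.get('model')}; use model='none' if unused")
    for fs in devices.findall("filesystem"):
        src = fs.find("source")
        src_dir = src.get("dir") if src is not None else "?"
        add("host_file_sharing", f"host directory {src_dir} is shared into the guest")
    for _ in devices.findall("redirdev"):
        add("usb_redirection", "USB redirection lets a console client attach its USB devices")
    for _ in devices.findall("sound"):
        add("sound_device", "sound device present on a server guest")
    for gfx in devices.findall("graphics"):
        if gfx.get("listen", "") in ("0.0.0.0", "::") or gfx.get("passwd") is None:
            add("graphics_exposed", f"{gfx.get('type')} console listen={gfx.get('listen')} "
                                    f"passwd={'set' if gfx.get('passwd') else 'missing'}")
    return findings


if __name__ == "__main__":
    for finding in audit_domain_xml(SAMPLE_DOMAIN_XML):
        print(f"[{finding['domain']}] {finding['code']}: {finding['detail']}")
```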

Virtual applications accessed on demand by a customer within the virtual environment must have privacy, such that a customer accessing the virtual application is kept private from any other customer within the virtual environment. If not, data migrates from one customer to another within the same virtual environment, which results in data insecurity.


Figure 4. Structure of Virtual OS Simultaneously

The data is insecure in such cases if there is no privacy between the virtual applications and the customer. This is not a problem in the case of a physical environment, in which every application and the customers are isolated from each other. When virtual applications access data from the database server, the data on the server becomes inconsistent because of the numerous operations executed by the clients.

When the operating system is provided as a service, several problems arise that differ from those seen when applications are accessed on demand. For instance, when there are multiple OS requests by the clients concurrently, the server slows down[2].

5.2. Virtual Machine Security

Administrators must set up software or an application that stops VMs from using extra resources until authorized. Moreover, a lightweight process should run on a virtual machine that collects logs from the VMs and monitors them in real time to fix any tampering of VMs. The guest OS and the applications running on it must be hardened by using best security practices.

These practices include installing security software such as anti-virus and anti-malware software, a firewall, a Host Intrusion Prevention System (HIPS), web application security, and log monitoring in the guest OS[6].

To identify faults in the guest OS, Dan P. et al. proposed a tool called "Vigilant". It uses virtualization and machine learning techniques to monitor VMs through the hypervisor without placing any monitoring agent in the VMs (out-of-band detection). Flavio L. et al. proposed the Advanced Cloud Protection System (ACPS), which monitors and protects the integrity of the OS in guest VMs.

Periodic monitoring of executable system files is performed to check the behaviour of cloud components. It uses virtual introspection techniques to deploy guest monitoring machines in the system without being noticed by attackers on the guest VM. Hence any suspicious activity on the guest OS can be blocked.


Figure 5. Virtual Machine Security

5.3. Secure Programming

CSPs and providers should follow secure programming methodologies and perform rigorous testing to avoid bugs and vulnerabilities, as these could cause severe damage[3].

5.4. Secure IAM

Identity and Access Management enables the right individuals to access the right resources at the right times and for the right reasons. Instead of single-administrator access to the entire system, there should be role-based access to the resources. Secure IAM is essential, as illegitimate access to resources may cause several types of threats[3].

5.5. Securing the Network

A secure network is essential to avoid information leakage, execution of arbitrary code, rerouting of network traffic, and loss of the sanity of VMs[3]. Networks should be secured through the use of secure communication channels such as SSL and IPsec.

5.6. Miscellaneous

Restricting physical access also helps in avoiding white-box attacks. Logging and monitoring help in auditing and forensics to find out the cause of an attack and avoid it in the future[3]. Securing dormant VMs is also essential, as they may contain sensitive data while missing out on security patches, so proper management of dormant VM images is essential. VMs should also be separated according to the level of protection needed.
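Section 3.5 and the dormant-VM point above both note that offline VM images and templates can be patched without the VM ever running. The following Python script is an added example, not the paper's or any vendor's code: it builds a SHA-256 manifest of an image store and later verifies the store against it, reporting modified, added and missing image files. The directory, file names and contents are constructed for the demonstration.

```python
# Added example (not from the paper): SHA-256 manifest for a store of dormant VM
# images and templates, so offline modification is detected before an image is
# cloned or powered on. Paths, file names and contents are constructed.
import hashlib
import json
import os
import tempfile

IMAGE_EXTENSIONS = (".qcow2", ".vmdk", ".vhd", ".vhdx", ".img", ".ova")


def sha256_file(path, chunk_size=1 << 20):
    """Stream a (potentially multi-GB) image through SHA-256 in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(image_dir):
    """Map each image file (path relative to the store) to its hash and size."""
    manifest = {}
    for root, _, files in os.walk(image_dir):
        for name in files:
            if name.lower().endswith(IMAGE_EXTENSIONS):
                path = os.path.join(root, name)
                rel = os.path.relpath(path, image_dir).replace(os.sep, "/")
                manifest[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return manifest


def verify_manifest(image_dir, manifest):
    """Compare the store with a manifest. Keep the manifest outside the store
    (or sign it); otherwise whoever patches an image can also re-baseline it."""
    current = build_manifest(image_dir)
    report = {"modified": [], "missing": [], "added": [], "unchanged": []}
    for rel, expected in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != expected["sha256"]:
            report["modified"].append(rel)
        else:
            report["unchanged"].append(rel)
    report["added"] = sorted(rel for rel in current if rel not in manifest)
    return report


def demo():
    """Constructed scenario: baseline a store, then simulate an offline template
    patch, an unauthorized new image and a deleted image, and verify."""
    with tempfile.TemporaryDirectory() as store:
        files = {"templates/web-template.qcow2": b"CONSTRUCTED-WEB-TEMPLATE",
                 "templates/db-template.qcow2": b"CONSTRUCTED-DB-TEMPLATE",
                 "base.img": b"CONSTRUCTED-BASE-IMAGE"}
        for rel, data in files.items():
            path = os.path.join(store, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = json.loads(json.dumps(build_manifest(store)))  # round-trip as stored on disk
        with open(os.path.join(store, "templates/web-template.qcow2"), "ab") as f:
            f.write(b"INJECTED")                                  # template patched while dormant
        with open(os.path.join(store, "rogue.vmdk"), "wb") as f:
            f.write(b"CONSTRUCTED-ROGUE-IMAGE")                   # unauthorized image added
        os.remove(os.path.join(store, "templates/db-template.qcow2"))
        return verify_manifest(store, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```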

VI. CONCLUSION

In this paper, we point out the outcome of the security vulnerabilities and attack surfaces, together with a basic introduction to cloud computing and the virtualization era. Cloud computing is feasible only because of the virtualization era. Virtualization lies beneath the cloud, so for the security of the cloud it is mandatory that the security of the virtualization is at an ideal level. Further, we also discussed some of the possible countermeasures to the important security vulnerabilities and attacks.

In the future, an assessment criterion needs to be proposed by which we can analyze the effectiveness of the countermeasures.


REFERENCES

[1] Amani S. Ibrahim, James Hamlyn-Harris and John Grundy, “Emerging Security Challenges of Cloud Virtual Infrastructure,” In Proceedings of APSEC 2010 Cloud Workshop, Sydney, Australia, 30th Nov 2010. pp.1–5.

[2] R. Anand, S. Sarswathi and R. Regan, “Security Issues in Virtualization Environment,” 2012 International Conference on Radar, Communication and Computing (ICRCC), SKP Engineering College, Tiruvannamalai, TN., India. 21 - 22 December, 2012. pp.254-256.

[3] Vimlesh Kumar, Rajkumar Singh Rathore, "Security Issues with Virtualization in Cloud Computing." International Conference on Advances in Computing, Communication Control and Networking (ICACCCN2018), ISBN: 978-1-5386-4119-4, 2018. pp.487-490.

[4] Anatoliy P. Nyrkov, Yuri F. Katorin, Vagiz D. Gaskarov, Lena S. Brazhnikova, Nikolai Vikhrov, "Analysis of Platform Vulnerabilities for the Virtualization Process." ISBN: 978-1-5386-4340-2, 2018. pp.94-95.

[5] Omnia AbdElRahem, Ayman M. Bahaa-Eldin, "Virtualization Security: A Survey." ISBN: 978-1-5090-3267-9, 2016. pp.32-39.

[6] Muhammad Kazim, Rahat Masood, Muhammad Awais Shibli, and Abdul Ghafoor Abbasi, “Security Aspects of Virtualization in Cloud Computing.” https://www.researchgate.net/publication/273950406, Conference Paper, DOI: 10.1007/978-3-642-40925-7_22, September 2013. pp.1-10.

[7] J. Saravanan, Saravanan .P, "A Conceptual Study on Load Balancing, Storage, and Server Process in Virtualization – A Case Study of Comparative of Cloud Computing." Journal of Interdisciplinary Cycle Research, ISSN: 0022-1945, Volume XII, Issue IV, April 2020. pp.487-499.
