Evolution of Attacks, Threat Models, and Solutions for Virtualized Systems

Virtualization technology enables Cloud providers to efficiently use their computing services and resources. Even if the benefits in terms of performance, maintenance, and cost are evident, however, virtualization has also been exploited by attackers to devise new ways to compromise a system. To address these problems, research security solutions have evolved considerably over the years to cope with new attacks and threat models. In this work, we review the protection strategies proposed in the literature and show how some of the solutions have been invalidated by new attacks, or threat models, that were previously not considered. The goal is to show the evolution of the threats, and of the related security and trust assumptions, in virtualized systems that have given rise to complex threat models and the corresponding sophistication of protection strategies to deal with such attacks. We also categorize threat models, security and trust assumptions, and attacks against a virtualized system at the different layers—in particular, hardware, virtualization, OS, and application.

[1]  Peter Druschel,et al.  Guardat: A foundation for policy-protected data , 2014 .

[2]  Jonathan M. McCune,et al.  OASIS: on achieving a sanctuary for integrity and secrecy on untrusted platforms , 2013, CCS.

[3]  Trent Jaeger,et al.  PRIMA: policy-reduced integrity measurement architecture , 2006, SACMAT '06.

[4]  AvizienisAlgirdas,et al.  Basic Concepts and Taxonomy of Dependable and Secure Computing , 2004 .

[5]  Zhi Wang,et al.  HyperSentry: enabling stealthy in-context measurement of hypervisor integrity , 2010, CCS '10.

[6]  Jiang Wang,et al.  Autonomic Recovery: HyperCheck: A Hardware-Assisted Integrity Monitor , 2013 .

[7]  Bernhard Kauer OSLO: Improving the Security of Trusted Computing , 2007, USENIX Security Symposium.

[8]  Larry Rudolph,et al.  Thunderstrike: EFI firmware bootkits for Apple MacBooks , 2015, SYSTOR.

[9]  Xuxian Jiang,et al.  Towards a VMM-based usage control framework for OS kernel integrity protection , 2007, SACMAT '07.

[10]  Peter Ferrie Attacks on Virtual Machine Emulators , 2007 .

[11]  Vikram S. Adve,et al.  KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels , 2014, 2014 IEEE Symposium on Security and Privacy.

[12]  William A. Arbaugh,et al.  Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor , 2004, USENIX Security Symposium.

[13]  Matti A. Hiltunen,et al.  An exploration of L2 cache covert channels in virtualized environments , 2011, CCSW '11.

[14]  Peter Ferrie Attacks on More Virtual Machine Emulators , 2007 .

[15]  Carl E. Landwehr,et al.  Basic concepts and taxonomy of dependable and secure computing , 2004, IEEE Transactions on Dependable and Secure Computing.

[16]  Wenke Lee,et al.  Taming Virtualization , 2008, IEEE Security & Privacy.

[17]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[18]  Mark Ryan,et al.  Cloud computing security: The scientific challenge, and a survey of solutions , 2013, J. Syst. Softw..

[19]  Gorka Irazoqui Apecechea,et al.  S$A: A Shared Cache Attack That Works across Cores and Defies VM Sandboxing -- and Its Application to AES , 2015, 2015 IEEE Symposium on Security and Privacy.

[20]  Michael W. Hicks,et al.  Automated detection of persistent kernel control-flow attacks , 2007, CCS '07.

[21]  Peng Liu,et al.  MyCloud: supporting user-configured privacy protection in cloud computing , 2013, ACSAC.

[22]  Ralf Steinmetz,et al.  Threat as a Service?: Virtualization's Impact on Cloud Security , 2012, IT Professional.

[23]  Michael K. Reiter,et al.  HomeAlone: Co-residency Detection in the Cloud via Side-Channel Analysis , 2011, 2011 IEEE Symposium on Security and Privacy.

[24]  Gorka Irazoqui Apecechea,et al.  Wait a Minute! A fast, Cross-VM Attack on AES , 2014, RAID.

[25]  Tal Garfinkel,et al.  When Virtual Is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments , 2005, HotOS.

[26]  Krishna P. Gummadi,et al.  Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services , 2012, USENIX Security Symposium.

[27]  Engin Kirda,et al.  Hypervisor-based malware protection with AccessMiner , 2015, Comput. Secur..

[28]  Ed Skoudis,et al.  Hiding Virtualization from Attackers and Malware , 2007, IEEE Security & Privacy.

[29]  Yoshiyasu Takefuji,et al.  Towards a tamper-resistant kernel rootkit detector , 2007, SAC '07.

[30]  Zhi Wang,et al.  Isolating commodity hosted hypervisors with HyperLock , 2012, EuroSys '12.

[31]  Bernd Eggers Rootkits Subverting The Windows Kernel , 2016 .

[32]  Peng Ning,et al.  SICE: a hardware-level strongly isolated computing environment for x86 multi-core platforms , 2011, CCS '11.

[33]  James Greene Intel ® Trusted Execution Technology Hardware-based Technology for Enhancing Server Platform Security , 2013 .

[34]  Yeping He,et al.  HyperVerify: A VM-assisted Architecture for Monitoring Hypervisor Non-control Data , 2013, 2013 IEEE Seventh International Conference on Software Security and Reliability Companion.

[35]  William A. Arbaugh,et al.  A secure and reliable bootstrap architecture , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[36]  Xuxian Jiang,et al.  Countering kernel rootkits with lightweight hook protection , 2009, CCS.

[37]  Wenke Lee,et al.  Secure and Flexible Monitoring of Virtual Machines , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[38]  Benjamin Farley,et al.  Resource-freeing attacks: improve your cloud performance (at your neighbor's expense) , 2012, CCS.

[39]  Gene Tsudik,et al.  Secure Code Update for Embedded Devices via Proofs of Secure Erasure , 2010, ESORICS.

[40]  Tal Garfinkel,et al.  Compatibility Is Not Transparency: VMM Detection Myths and Realities , 2007, HotOS.

[41]  Ruby B. Lee,et al.  Architectural support for hypervisor-secure virtualization , 2012, ASPLOS XVII.

[42]  Zhi Wang,et al.  Taming Hosted Hypervisors with (Mostly) Deprivileged Execution , 2013, NDSS.

[43]  Gernot Heiser,et al.  Last-Level Cache Side-Channel Attacks are Practical , 2015, 2015 IEEE Symposium on Security and Privacy.

[44]  Zhi Wang,et al.  DKSM: Subverting Virtual Machine Introspection for Fun and Profit , 2010, 2010 29th IEEE Symposium on Reliable Distributed Systems.

[45]  P. Mell,et al.  SP 800-145. The NIST Definition of Cloud Computing , 2011 .

[46]  Yutao Liu,et al.  Architecture support for guest-transparent VM protection from untrusted hypervisor and physical attacks , 2013, 2013 IEEE 19th International Symposium on High Performance Computer Architecture (HPCA).

[47]  Subasish Mohapatra,et al.  Virtualization: A Survey on Concepts, Taxonomy and Associated Security Issues , 2010, 2010 Second International Conference on Computer and Network Technology.

[48]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[49]  Helen J. Wang,et al.  SubVirt: implementing malware with virtual machines , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[50]  Michael A. Rappa,et al.  The utility business model and the future of computing services , 2004, IBM Syst. J..

[51]  Jennifer Rexford,et al.  Eliminating the hypervisor attack surface for a more secure cloud , 2011, CCS '11.

[52]  Robert P. Goldberg,et al.  Survey of virtual machine research , 1974, Computer.

[53]  Mendel Rosenblum,et al.  The Reincarnation of Virtual Machines , 2004, ACM Queue.

[54]  Adrian Perrig,et al.  TrustVisor: Efficient TCB Reduction and Attestation , 2010, 2010 IEEE Symposium on Security and Privacy.

[55]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[56]  Cliff Changchun Zou,et al.  SMM rootkits: a new breed of OS independent malware , 2008, SecureComm.

[57]  Frank Piessens,et al.  Fides: selectively hardening software application components against kernel-level or process-level malware , 2012, CCS '12.

[58]  Gil Neiger,et al.  Intel virtualization technology , 2005, Computer.

[59]  Daniele Sgandurra,et al.  Measuring Semantic Integrity for Remote Attestation , 2009, TRUST.

[60]  Levente Buttyán,et al.  A survey of security issues in hardware virtualization , 2013, CSUR.

[61]  Andrea C. Arpaci-Dusseau,et al.  VMM-based hidden process detection and identification using Lycosid , 2008, VEE '08.

[62]  Haibo Chen,et al.  CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization , 2011, SOSP.

[63]  Shouhuai Xu,et al.  Multi-processor architectural support for protecting virtual machine privacy in untrusted cloud environment , 2013, CF '13.

[64]  Patrick Stewin,et al.  Understanding DMA Malware , 2012, DIMVA.

[65]  Robert J. Creasy,et al.  The Origin of the VM/370 Time-Sharing System , 1981, IBM J. Res. Dev..

[66]  Hovav Shacham,et al.  Return-Oriented Programming: Systems, Languages, and Applications , 2012, TSEC.

[67]  Michael K. Reiter,et al.  Cross-Tenant Side-Channel Attacks in PaaS Clouds , 2014, CCS.

[68]  Evan R. Sparks A Security Assessment of Trusted Platform Modules , 2007 .

[69]  G LevineJohn,et al.  Detecting and Categorizing Kernel-Level Rootkits to Aid Future Detection , 2006, S&P 2006.

[70]  Abhinav Srivastava,et al.  Trusted VM Snapshots in Untrusted Cloud Infrastructures , 2012, RAID.

[71]  Wenke Lee,et al.  Secure in-VM monitoring using hardware virtualization , 2009, CCS.

[72]  Gene Tsudik,et al.  SMART: Secure and Minimal Architecture for (Establishing Dynamic) Root of Trust , 2012, NDSS.

[73]  Henry L. Owen,et al.  Detecting and categorizing kernel-level rootkits to aid future detection , 2006, IEEE Security & Privacy Magazine.

[74]  Srinath T. V. Setty,et al.  A Hybrid Architecture for Interactive Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[75]  共立出版株式会社 コンピュータ・サイエンス : ACM computing surveys , 1978 .

[76]  Chris I. Dalton,et al.  Separating hypervisor trusted computing base supported by hardware , 2010, STC '10.

[77]  Peng Ning,et al.  HIMA: A Hypervisor-Based Integrity Measurement Agent , 2009, 2009 Annual Computer Security Applications Conference.

[78]  Brian D. Noble,et al.  When Virtual Is Better Than Real , 2001 .

[79]  Elaine Shi,et al.  Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems , 2005, SOSP '05.

[80]  Xinwen Zhang,et al.  CloudSeal: End-to-End Content Protection in Cloud-Based Storage and Delivery Services , 2011, SecureComm.

[81]  David Lie,et al.  Manitou: a layer-below approach to fighting malware , 2006, ASID '06.

[82]  Steven Hand,et al.  Improving Xen security through disaggregation , 2008, VEE '08.

[83]  Zhenyu Wu,et al.  Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud , 2012, USENIX Security Symposium.

[84]  Sherali Zeadally,et al.  Virtualization: Issues, security threats, and solutions , 2013, CSUR.

[85]  Adrian Perrig,et al.  Remote detection of virtual machine monitors with fuzzy benchmarking , 2008, OPSR.

[86]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[87]  Cheng Chen,et al.  Tamper-Resistant Execution in an Untrusted Operating System Using A Virtual Machine Monitor , 2007 .

[88]  P. Mell,et al.  The NIST Definition of Cloud Computing , 2011 .

[89]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[90]  Jonathon T. Giffin,et al.  2011 IEEE Symposium on Security and Privacy Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection , 2022 .

[91]  Xiaoxin Chen,et al.  Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems , 2008, ASPLOS.

[92]  Jennifer Rexford,et al.  NoHype: virtualized cloud infrastructure without the virtualization , 2010, ISCA.

[93]  Yeping He,et al.  Systemic threats to hypervisor non-control data , 2013, IET Inf. Secur..

[94]  Ruby B. Lee,et al.  A software-hardware architecture for self-protecting data , 2012, CCS.

[95]  Donghai Tian,et al.  Practical Protection of Kernel Integrity for Commodity OS from Untrusted Extensions , 2011, NDSS.

[96]  Zhiqiang Lin,et al.  HYBRID-BRIDGE: Efficiently Bridging the Semantic Gap in Virtual Memory Introspection via Decoupled Execution and Training Memoization , 2014, NDSS 2014.

[97]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[98]  Shouhuai Xu,et al.  TEE: a virtual DRTM based execution environment for secure cloud-end computing , 2010, CCS '10.

[99]  Michael S. Hsiao,et al.  Interlocking obfuscation for anti-tamper hardware , 2013, CSIIRW '13.

[100]  Xeno Kovah,et al.  BIOS chronomancy: fixing the core root of trust for measurement , 2013, CCS.

[101]  Christopher Krügel,et al.  Detecting System Emulators , 2007, ISC.

[102]  Alexander Shraer,et al.  Verifying cloud services: present and future , 2013, OPSR.

[103]  Galen C. Hunt,et al.  Shielding Applications from an Untrusted Cloud with Haven , 2014, OSDI.

[104]  James E. Smith,et al.  The architecture of virtual machines , 2005, Computer.

[105]  Mohammad Zulkernine,et al.  Preventing Cache-Based Side-Channel Attacks in a Cloud Environment , 2014, IEEE Transactions on Cloud Computing.

[106]  G. Edward Suh,et al.  AEGIS: architecture for tamper-evident and tamper-resistant processing , 2003, ICS.

[107]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[108]  Wenke Lee,et al.  Secure and Robust Monitoring of Virtual Machines through Guest-Assisted Introspection , 2012, RAID.

[109]  Taisook Han,et al.  CAFE: A Virtualization-Based Approach to Protecting Sensitive Cloud Application Logic Confidentiality , 2015, AsiaCCS.

[110]  Zahir Tari,et al.  Security and Privacy in Cloud Computing , 2014, IEEE Cloud Computing.

[111]  Kang G. Shin,et al.  Using hypervisor to provide data secrecy for user applications on a per-page basis , 2008, VEE '08.

[112]  David M. Eyers,et al.  CloudSafetyNet: Detecting Data Leakage between Cloud Tenants , 2014, CCSW.

[113]  Ruby B. Lee,et al.  Characterizing hypervisor vulnerabilities in cloud computing servers , 2013, Cloud Computing '13.

[114]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[115]  Mattia Monga,et al.  Replay attack in TCG specification and solution , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[116]  Sean W. Smith,et al.  Building the IBM 4758 Secure Coprocessor , 2001, Computer.

[117]  Srdjan Capkun,et al.  An architecture for concurrent execution of secure environments in clouds , 2013, CCSW.

[118]  Swarup Bhunia,et al.  RTL Hardware IP Protection Using Key-Based Control and Data Flow Obfuscation , 2010, 2010 23rd International Conference on VLSI Design.

[119]  Angelos Stavrou,et al.  HyperCheck: A Hardware-AssistedIntegrity Monitor , 2014, IEEE Trans. Dependable Secur. Comput..

[120]  Xuxian Jiang,et al.  Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction , 2007, CCS '07.

[121]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[122]  Yangchun Fu,et al.  Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection , 2012, 2012 IEEE Symposium on Security and Privacy.

[123]  Taesoo Kim,et al.  STEALTHMEM: System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud , 2012, USENIX Security Symposium.

[124]  Jiqiang Liu,et al.  OB‐IMA: out‐of‐the‐box integrity measurement approach for guest virtual machines , 2015, Concurr. Comput. Pract. Exp..

[125]  Michael K. Reiter,et al.  Cross-VM side channels and their use to extract private keys , 2012, CCS.

[126]  Trent Jaeger,et al.  Secure coprocessor-based intrusion detection , 2002, EW 10.

[127]  Roberto Di Pietro,et al.  KvmSec: a security extension for Linux kernel virtual machines , 2009, SAC '09.

[128]  Ittai Anati,et al.  Innovative Technology for CPU Based Attestation and Sealing , 2013 .

[129]  Swarup Bhunia,et al.  HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection , 2009, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[130]  Wolter Pieters,et al.  Defining the Cloud Battlefield - Supporting Security Assessments by Cloud Customers , 2013, 2013 IEEE International Conference on Cloud Engineering (IC2E).

[131]  Emmett Witchel,et al.  InkTag: secure applications on an untrusted operating system , 2013, ASPLOS '13.

[132]  Christos Gkantsidis,et al.  VC3: Trustworthy Data Analytics in the Cloud Using SGX , 2015, 2015 IEEE Symposium on Security and Privacy.

[133]  Brian Hay,et al.  Forensics examination of volatile system data using virtual introspection , 2008, OPSR.

[134]  Seung Ryoul Maeng,et al.  A Trusted IaaS Environment with Hardware Security Module , 2016, IEEE Transactions on Services Computing.

[135]  Udo Steinberg,et al.  NOVA: a microhypervisor-based secure virtualization architecture , 2010, EuroSys '10.

[136]  Hovav Shacham,et al.  Iago attacks: why the system call API is a bad untrusted RPC interface , 2013, ASPLOS '13.

[137]  Adrian Perrig,et al.  SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes , 2007, SOSP.

[138]  Rafal Wojtczuk,et al.  Following the White Rabbit : Software attacks against Intel ( R ) VT-d technology , 2011 .

[139]  Abhinav Srivastava,et al.  On the feasibility of software attacks on commodity virtual machine monitors via direct device assignment , 2014, AsiaCCS.

[140]  Evan R. Sparks A Security Assessment of Trusted Platform Modules Computer Science Technical Report TR2007-597 , 2007 .

[141]  Muli Ben-Yehuda,et al.  The Turtles Project: Design and Implementation of Nested Virtualization , 2010, OSDI.

[142]  Trent Jaeger,et al.  Design and Implementation of a TCG-based Integrity Measurement Architecture , 2004, USENIX Security Symposium.

[143]  Zhi Wang,et al.  Process out-grafting: an efficient "out-of-VM" approach for fine-grained process execution monitoring , 2011, CCS '11.

[144]  Ruby B. Lee,et al.  Scalable architectural support for trusted software , 2010, HPCA - 16 2010 The Sixteenth International Symposium on High-Performance Computer Architecture.

[145]  Abhinav Srivastava,et al.  Self-service cloud computing , 2012, CCS '12.

[146]  Wenke Lee,et al.  Ether: malware analysis via hardware virtualization extensions , 2008, CCS.

[147]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[148]  Daniele Sgandurra,et al.  Cloud security is not (just) virtualization security: a short paper , 2009, CCSW '09.

[149]  Ruby B. Lee,et al.  A Framework for Realizing Security on Demand in Cloud Computing , 2013, 2013 IEEE 5th International Conference on Cloud Computing Technology and Science.

[150]  Emmett Witchel,et al.  Ensuring operating system kernel integrity with OSck , 2011, ASPLOS XVI.

[151]  Adrian Perrig,et al.  Towards Sound Detection of Virtual Machines , 2008, Botnet Detection.