1 / 26

Secure Migration of VM in Cloud Federation using Enhanced Key Management

Secure Migration of VM in Cloud Federation using Enhanced Key Management. Naveed Ahmad 2012-NUST-MS-CCS5-31. Supervisor:. Dr. Awais Shibli. Dr. Abdul Ghafoor, Dr. Zahid Anwar, Miss Hirra Anwar. Committee Members:. Agenda. Introduction Cloud Computing Virtualization VM migration

cora
Download Presentation

Secure Migration of VM in Cloud Federation using Enhanced Key Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Migration of VM in Cloud Federation using Enhanced Key Management Naveed Ahmad 2012-NUST-MS-CCS5-31 Supervisor: Dr. Awais Shibli Dr. Abdul Ghafoor, Dr. Zahid Anwar, Miss Hirra Anwar Committee Members:

  2. Agenda • Introduction • Cloud Computing • Virtualization • VM migration • Key Management in Cloud • Literature Survey • Survey Findings • Industry Survey • Community Response • Problem Statement • Proposed Architecture Design • Technology and standards • Future Milestones • References

  3. Cloud Computing • Cloud Services Model • SaaS • PaaS • IaaS • Cloud Federation • Federation Benefits • Cloud Burst • Load Balancing

  4. Virtualization • Virtualization • Types of Virtualization • Virtual Machine (VM)

  5. VM Migration • VM Migration • Live Migration (only shared storage) • Suspend/Pause and Transfer • Benefits of Migration • Load balancing • Disaster recovery • Hardware maintenance

  6. Key Management in Cloud • Service Side Encryption (SSE) with KMS provides • Data protection • Hardware Encryption (AES-NI) • Reduce client maintenance effort • Amazon /Google’s provides transparent encryption. • VM images (object), Volume, Data encryption • Creating, Storing, Protecting, and Providing access to keys.

  7. Literature Survey • Problem • Insecure VM migration in Xen/VMware/KVM. • Solution • Categorized Attack on VM migration into: • Control plane (Unauthorized migration operation) • Data plane (insecure channel) • Migration Module (buffer overflow issues) • Developed Xensploit Tool for exploitation Reference: J. Oberheide, E. Cooke and F. Jahanian, “Empirical exploitation of live Virtual Machine migration”, Proc. of BlackHat DC convention.

  8. Literature Survey • Problem • Inter Cloud VM mobility for cloud bursting and load balancing • Solution • Inter Cloud Proxies • Secure Channel between Proxies using SSH • Analysis • Tunnel does not provide host to host secure channel during migration. • Port forwarding on firewalls between the clouds • No Authorization mechanism. Reference: K. Nagin, D. Hadas, Z. Dubitzky, A. Glikson, I. Loy, B. Rochwerger and L. Schour, “Inter-cloud mobility of virtual machines”, International Conference on Systems and Storage, May 30-June 01, 2011, Haifa, Israel.

  9. Literature Survey • Problem • Trusted channel and remote attestation in VM migration • Solution • vTPM based migration proposed provides • Authentication, confidentiality, Integrity, • Reply Resistance, source non-repudiation • Two phases • Trusted channel establishment • VM and vTPM migration • Analysis • Authorization is not supported. • Dependency on TPM hardware . • Suspension of vTPM instance • Complex Key hierarchy from TPM to vTPM. • ` Reference: X. Wan, X. Zhang, L. Chen and J. Zhu, “An improved vTPM migration protocol based trusted channel”, International Conference on Systems and Informatics, 2012, pp. 871-875

  10. Literature Survey • Problem • VM migration is insecure process • Solution. • Load calculation on physical host • RSA with SSL protocol for authentication and encryption • Pre-copy or Post-copy migration techniques • Analysis. • Authorization is not supported • Neglected the affects of migration in cloud environment. Reference: V. P. Patil and G.A. Patil, “Migrating process and virtual machine in the cloud: load balancing and security perspectives,” International Journal of Advanced Computer Science and Information Technology 2012, vol. 1, pp. 11-19.

  11. Literature Survey • Problem • Security and Reliability in VM migration • Solution. • Policy/Role based Migration approach • Consists of attestation service, seal storage, policy service, migration service and secure hypervisor components • Analysis. • Authentication is not supported • Dependency on TPM and Seal storage hardware. Reference: W. Wang, Y. Zhang, B. Lin, X. Wu and K. Miao, “Secured and reliable VM migration in personal cloud”, 2nd International Conference on Computer Engineering and Technology, 2010

  12. Literature Survey • Problem • Resource Optimization in Federated Cloud using VM migration. • Solution. • Monitor the current workload of the physical servers • Detect the overloaded servers efficiently • VM replacement considering the federated environment • Analysis. • No security feature is supported Reference: Y. Xu, Y. Sekiya , “Scheme of Resource Optimization using VM Migration for Federated Cloud Proceedings of the Asia-Pacific Advanced Network 2011 v. 32, p. 36-44

  13. Survey Findings Analysis of Existing Solutions and Approaches

  14. Survey FindingsIdentified Limitations • Security • Insufficient Access Control • Lack of Mutual Authentication • Lack of Confidentiality • Lack of Integrity • Implementation • Dependency on TPM/Seal Storage module • TPM is bottleneck • Leakage of information in vTPM. • Port forwarding on intermediate firewall

  15. Industrial Survey http://searchservervirtualization.techtarget.com/feature/Virtual-machine-migration-FAQ-Live-migration-P2V-and-more

  16. Cont.. http://www.net-security.org/secworld.php?id=11825

  17. Problem Statement This research work is intended to propose a secure migration of Encrypted Images of VM and their keys between CSP’s. Furthermore, we also propose enhanced key management which securely handle migrated keys.

  18. Cont.. A Dashboard/CLI B Load Monitoring Dashboard/CLI Load Monitoring Insecure channel 3 1 2 4 5 1 2 Encrypted Image Store, (Windows8, Ubuntu, Centos,Suse ) Xen/KVM Encrypted Images Store, (Windows8, Ubuntu, Centos,Suse) Xen/KVM Authentication/ Authorization Module Authentication/ Authorization Module Key Manager Key Manager Can not store migration keys

  19. Requirements for VM migrationProcess • Security: • Role based access control • Mutual Authentication (source non-repudiation and trust) • Confidentiality during migration process • Integrity of VM and Keys • Key Management: • Migrated Keys of Encrypted VM Images must be included in Key Manager of receiver CSP.

  20. Proposed Architecture Design 1. Cert Req 1. Cert Req 2. Auth/Autz 2. Auth/Autz A B Dashboard/CLI Dashboard/CLI Load Monitoring 4. Migration Request 8 b). Migrated VM. 1 2 3 3. Run VM Instance 3. Run VM instance 2 5. Mutual Authentication 2 4 5 1 2 Xen/KVM Encrypted Images Store, Windows8, Ubuntu, Centos,Suse Encrypted Image Store, Windows8, Ubuntu, Centos,Suse Xen/KVM 6. SSL Channel/ Key shared (K) Authentication/ Authorization Module Authentication/ Authorization Module 7. [VM + {Key} Pub_B ] K 9. ACK Key Manager Key Manager 8a). Decrypt & Update Key Manager

  21. Technologies and Standards • Libvirt • KVM/XEN • Python • OpenStack Cloud OS • Key Manager (OpenStack ) • PKI (DogTag) • M2Crypt/pyopenssl

  22. Community Response https://launchpad.net/~harlowja

  23. Future Milestones

  24. THANKS

  25. References [1] K. Hashizume, D. G. Rosado, E. Fernández-Medina, and E. B. Fernandez, “An analysis of security issues for cloud computing,” Journal of Internet Services and Applications 2013. [2] P. Mell, T. Grance, 'The NIST definition of cloud computing". NIST,Special Publication 800–145, Gaithersburg, MD. [3] J. Oberheide, E. Cooke and F. Jahanian, “Empirical exploitation of live Virtual Machine migration”, Proc. of BlackHat DC convention 2008. [4] V. Vaidya, "Virtualization vulnerabilities and threats: a solution white paper", RedCannon Security Inc, 2009. http://www.redcannon.com/vDefense/VM_security_wp.pdf. [5] Steve Orrin, Virtualization Security: Challenges and Solutions, 2010. http://365.rsaconference.com/servlet/JiveServlet/previewBody/2555-102-2-3214/STAR-303.pdf. [6] J. Shetty, Anala M. R, Shobha G, “A survey on techniques of secure live migration of virtual machine”, International Journal of Computer Applications (0975 – 8887), vol. 39, no.12, February 2012. [7] X. Wan, X. Zhang, L. Chen and J. Zhu, “An improved vTPM migration protocol based trusted channel”, International Conference on Systems and Informatics, 2012, pp. 871-875. [8] OpenStack Security Guide, 2013. http://docs.openstack.org/security-guide/security-guide.pdf. [9] W. Wang, Y. Zhang, B. Lin, X. Wu and K. Miao, “Secured and reliable VM migration in personal cloud”, 2nd International Conference on Computer Engineering and Technology, 2010.

  26. References [10] B. Danev, R. J. Masti, G. O. Karame and S. Capkun,“Enabling secure VM-vTPM migration in private clouds”, Proceedings of the 27th Annual Computer Security Applications Conference, December 05-09, 2011, Orlando, Florida. [11] K. Nagin, D. Hadas, Z. Dubitzky, A. Glikson, I. Loy, B. Rochwerger and L. Schour, “Inter-cloud mobility of virtual machines”, International Conference on Systems and Storage, May 30-June 01, 2011, Haifa, Israel. [12] Y. Chen, Q. Shen, P. Sun, Y. Li, Z. Chen and S. Qing, “Reliable migration module in trusted cloud based on security level - design and implementation”, International Parallel and Distributed Processing Symposium Workshops & PhD Forum 2012. [13]. V. P. Patil and G.A. Patil, “Migrating process and virtual machine in the cloud: load balancing and security perspectives,” International Journal of Advanced Computer Science and Information Technology 2012, vol. 1, pp. 11-19 [14]. M. Aslam, C. Gehrmann, M. Bjorkman “Security and trust preserving VM migrations in public clouds”, International Conference on Trust, Security and Privacy in Computing and Communications 2012. [15] P. Botero, Diego “A brief tutorial on live virtual machine migration from a security perspective”, University of Princeton, USA. [16]. A. Rehman, S. Alqahtani, A. Altameem and T. Saba, “Virtual machine security challenges: case studies”, International Journal of Machine Learning and Cybernetics: 1-14, April 2013. [17]. F. Zhang, Y. Huang, H. Wang, H. Chen, B. Zang, “PALM: security preserving VM live migration for systems with VMM-enforced protection”, Third Asia-Pacific Trusted Infrastructure Technologies Conference, 2008.

More Related