1 / 21

Dependable and Secure Remote Management in IaaS Clouds

Dependable and Secure Remote Management in IaaS Clouds. Tomohisa Egawa (Kyushu Institute of Technology) Naoki Nishimura (Kyushu Institute of Technology ) Kenichi Kourai (Kyushu Institute of Technology). Remote VM Management in IaaS. In-band remote management is usually used

kristen-mcgowan
Download Presentation

Dependable and Secure Remote Management in IaaS Clouds

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dependable and Secure Remote Managementin IaaS Clouds TomohisaEgawa(Kyushu Institute of Technology) NaokiNishimura(Kyushu Institute of Technology) KenichiKourai(Kyushu Institute of Technology)

  2. Remote VM Management in IaaS • In-band remote management is usually used • A server runs in a user VM • The user connects to the server with VNC or SSH • However, users cannot access their VMs • when they fail the configuration of the firewall or network • when the systemsin the VMs crash IaaS User User VM VNC Client VNC Server VM VM

  3. Out-of-band Remote Management • Users can access their VMs via a VNC server in the management VM • The VNC server directly accesses virtual devices of a user VM • e.g. virtual keyboard, virtual video card • More dependable method • Not rely on the network of the user VM • Users can check kernel messages when the system crashes IaaS Management VM User VNC Client VNC Server User VM virtual devices virtual drivers

  4. The Management VM is Not Always Trustworthy • Administrators in clouds may not be trusted • Users cannot know where their VMs are running • Lazy administrators cause vulnerable management VM to be penetrated by outside attackers • Malicious administrators can act as inside attackers Data Center 1 Data Center 2 VM VM Management VM VM Management VM VM VM VM Legitimate Administrator Malicious Administrator User VNC Client

  5. Information Leakage to the Management VM • Attackers in the management VM can steal sensitive information of user VMs • Keystrokes from VNC clients • e.g. Password, credit card number, etc. • Screen updates from user VMs • e.g. Displayed passwords, software keyboard, etc. Management VM Password & Screen Caputure User VM User VNC Server malware VNC Client virtual devices device drivers

  6. FBCrypt User • FBCrypt encrypts the inputs and outputs between a VNC client and a user VM • The VMM decrypts keyboard inputs • The VMM encrypts screen updates • The attackers in the management VM cannot steal sensitive information Management VM User VM VNC Server VNC Client virtual devices device drivers encrypt / decrypt intercept encrypt / decrypt VMM

  7. Protecting the VMM inside IaaS • Remote attestation of the VMM • To guarantee the integrity of the VMM at the boot time • Runtime memory protection of the VMM against the management VM • The management VM cannot access the code and data of the VMM Management VM Signed measurement VMM Verifier TPM Hash Hardware

  8. Protecting User VMs inside IaaS • The memory and CPU states of user VMs can be protected by the VMM • They are encrypted when the management VM accesses • Secure runtime environment [Li et al. '2010] • VMCrypt [Tadokoro et al. '2012] • The management VM cannot access decrypted inputs or unencrypted screen updates in user VMs User VM Management VM Keystroke & Screen memory VMM encrypt

  9. Encryption of Keyboard Inputs • The VMM decrypts a keyboard input encrypted by a VNC client • A virtual keyboard device passes it to the VMM • The VMM stores a decrypted one into the keyboard queue • In para-virtualized Linux of Xen, the queue is in a user VM • The VMM also converts a keysym (ASCII code) into a keycode User VNC Client Management VM User VM encrypt queue virtual keyboard VNC Server decrypt convert VMM

  10. Confidentiality and Integrity • FBCrypt uses AES-CTR as a stream cipher • Inputs are encrypted to a different stream every time • They cannot perform even replay attacks • The VMM checks the integrity of the inputs with the MAC • A VNC client sends the MAC with encrypted inputs • Attackers cannot insert arbitrary inputs User Management VM User VM virtual keyboard queue VNC Server VNC Client encrypt integrity check decrypt & convert VMM

  11. Replication of VRAM • The VMM replicates VRAM of a user VM • A virtual video card accesses the replicated VRAM • A user VM can use the original one without modification • The VMM encrypts the pixel data in the replicated VRAM • A VNC client decrypts updated pixel data User User VM Management VM VNC Client decrypt VNC Server video card video driver VRAM VRAM encrypt VMM

  12. Synchronization of VRAMs • The VMM synchronizes the original and replicated VRAMs • It monitors updates to the original VRAM • Update events are sent from a user VM to a virtual video card • It copies updated areas to the replicated VRAM with encryption User VM Management VM User VNC Server video card video driver VNC Client VRAM monitor VRAM decrypt VMM encrypt

  13. Key Management • A VNC client securely shares a session key with the VMM • A VNC client generates a session key on a VNC connection • The key is encrypted with the VMM's public key • Only the VMM can decrypt it with its private key • The management VM cannot decrypt it User Verifier VNC Client public key VNC Server User VM Management VM encrypt decrypt Attestation session key private key VMM

  14. Experiments • We conducted several experiments for FBCrypt • We attempted to eavesdrop on inputs and outputs of VNC • We examined the overhead and the response time in remote management Server Client

  15. Attempts at Eavesdropping • We embedded malware into the VNC server in the management VM • Key logger • Screen capture • Demo Management VM User VM VNC Server Key logger User Screen capture VNC Client virtual devices device drivers

  16. Overheads in a Keyboard Input • We measured overheads when a keyboard input is sent to a user VM • Client side: 802μs • Encryption, hash calculation • Most comes from sending extra data for the MAC • Server side: 15μs • Decryption, hash calculation Server side Client side 802 Management VM User VM queue VNC Server VNC Client 15 integrity check decrypt & convert encrypt [μs] VMM

  17. Response time of a Keyboard Input • We measured the time after typing a character until it is displayed in the VNC client • The increase of the response time: 7 ms (6%) • Decryption of a keyboard input • Encryption of pixel data for the displayed character [ms] 113 120 Management VM User VM queue VNC Server VNC Client ’A’ integrity check decrypt & convert encrypt Keystroke! VMM

  18. Overheads in a Full-screen Update • We measured overheads when the full screen of 800x600 was updated • Server side: 37 ms • Synchronization and encryption of VRAM • Client side: 47 ms • Decryption of pixel data Server side [ms] 47 Client side User VM 37 Management VM VNC Server VRAM VRAM VNC Client decrypt encrypt VMM

  19. Response Time of a Full-screen Update • We measured the time from a keyboard input to a full-screen update by terminating a screen saver • The increase of the response time: 46ms (31.5%) • The server-side overhead was hidden • because of the long timer interval used in the VNC server [ms] 192 146 User VM Management VM VNC Server VRAM VRAM VNC Client decrypt encrypt VMM

  20. Related Work • Xoar [Colp et al. '2010] • It runs a VNC server in an isolated VM • The security is not improved against insider attacks • vSphere Hypervisor [VMware Inc.] • It runs a VNC server in the VMM • No information leakage via the management VM • Attackers can steal sensitive information by compromising the VNC server • CloudVisor [Zhang et al. '2011] • The security monitor underneath the VMM encrypts the memory of the user VMs • It does not consider the security in remote management

  21. Conclusion • We proposed FBCrypt for dependable and secure remote management in IaaS clouds • FBCrypt prevents information leakage via the management VM in out-of-band remote management • It encrypts the input and outputs between a VNC client and a user VM using the VMM • Future work • To support fully-virtualized guest OSes such as Windows • To apply FBCrypt to other remote management software such as SSH

More Related