

Procedia Computer Science 78 (2016) 107-113

International Conference on Information Security & Privacy (ICISP2015), 11-12 December 2015, Nagpur, INDIA

Threat Modelling of Virtual Machine Migration Auction

Santosh Kumar Majhi (a, b, *), Sunil Kumar Dhal (b)

(a) Veer Surendra Sai University of Technology, Odisha-768018, India
(b) Sri Sri University, Odisha, India

Abstract

The auction process in Virtual Machine migration is a new concept to enhance the availability of cloud resources through the business federation of Cloud Service Providers. In this process, all communication is performed over the Internet, which is insecure. In addition, the VM auction is handled by the bidding module, which is a single application over the hypervisor. Though the hypervisor is carefully protected by available security techniques, we cannot ensure the security of the bidding module for this auction in VM migration. Before arguing the security of the VM migration auction system (VMMA), it is necessary to identify the various threats to the system. Careful investigation enables the system administrator and the developer to build organized security requirements and protection mechanisms. In this paper, we build a threat and security model for the VMMA system. The key components of the VMMA system are analyzed, and various possible threats are discussed.

© 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

Peer-review under responsibility of organizing committee of the ICISP2015

Keywords: Virtual Machine, Migration, Threats, Threat Modelling

1. Introduction

The cloud migration concept has been developing fast in recent times. VM migration plays an important role in the consumerization of IT: cloud technology in the user world is driving opportunity and growth in the business world. The use of VM migration establishes the portfolio of dynamic, scalable services provided by cloud services.

* Corresponding author. Tel.: +91-9438403651. E-mail address: santoshism9@gmail.com

1877-0509 © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license


doi:10.1016/j.procs.2016.02.018

Advances in virtualization technology and migration services enable the hypervisor to perform maintenance, patching and upgrades in a time-bound manner. In addition, VM migration is performed when the user demands more scalability of resources. Provisioning time-bound VM migration and Quality-of-Service (QoS) to consumers is therefore the goal of CSPs. The CSPs must also ensure high availability of resources for the consumer. Other factors such as unplanned downtime, lack of critical resources, underlying hardware failure, individual VM failure and server failure are further reasons for VM migration. Based on business requirements and agreements, a host can have multiple partners for migration. Majhi and Bera [12] have discussed the business federation among different CSPs to offer a VM migration auction, which enables interoperability among CSPs. A digital marketplace service has been established to increase competitiveness in VM migration across heterogeneous or different hosts. The security issues involved in receiver selection are crucial because the whole bidding process runs over an insecure channel, i.e., the Internet.

Security breaches are very common in communication networks and related applications. The loss of private data during the auction process raises the question of how the migration auction process is protected. As the concept of VM migration auction [12] was introduced only recently, no security mechanism exists to protect the whole migration auction process. The risks of VM migration increase because the auction process is followed by migration. New security threats are evolving because the migration auction process runs among the CSPs over the public network, i.e., the bidding applications of the CSPs execute across large networks.

Securing the migration process of a CSP does not necessarily imply the security of the auction process during migration. The VLAN-based approach isolates migration traffic from communication traffic and thereby establishes a secure communication channel for VM migration. The Network Security Engine-Hypervisor (NSE-H) provides security to the hypervisor by using a firewall, IDS and IDPS [27]. A role-based migration protection uses Intel vPro and TPM hardware, where an attestation service is used to establish trust between hosts and to check whether the destination meets the predefined security requirements (Wang, 2009). The virtual TPM (vTPM) based migration protocol uses the following steps: (i) a secure session is established between source and destination by the TLS handshake; (ii) the destination is remotely attested; (iii) the encrypted VM and vTPM are sent to the destination and the source receives an acknowledgment; (iv) once the source receives the ACK, it deletes the VM and vTPM from the source [4].

From this preliminary understanding, we suggest that the enhanced security models designed for network and application security can be adapted to the VMMA system. These areas depend entirely on the existing security requirements: authentication, authorization, availability, integrity and confidentiality. None of authentication, authorization, availability, integrity or confidentiality can satisfy the security requirements on its own. There may be trade-offs between security mechanisms; e.g., encrypting the auction data may ensure confidentiality between sender and receivers, but cannot guarantee authentication and authorization [22]. Furthermore, it may introduce a vulnerability that leads to a denial-of-service attack.

The VM migration auction involves multiple receivers for executing the bidding process. The CSPs control the migration auction through the distributed bidding application. This auction process may be exposed to integrity and confidentiality attacks. Additionally, the process is exposed to denial-of-service attacks, hijacking, etc. When designing a migration auction protection solution, the administrator or security engineer cannot use all the available security solutions; rather, environment-specific countermeasures need to be adopted. Hence, before designing the security system for the VM migration auction, it is necessary to have a clear understanding of the possible threats or attacks and the different weak points of the system. Once the threats are determined, constructive countermeasures can be devised. The system needs to incorporate proper countermeasures to avoid disaster in the VM migration auction system. In this paper, we follow threat modeling as a basis for the protection engineering approach [15]. The systems engineering approach has been adapted for threat modeling, risk management, security requirements and developing a secure vendor selection system. To the best of our knowledge, this work is the first to address the primary security issues in the VM migration auction process.

2. Related Work

Many novel migration processes have been proposed for virtual machine migration. VM provisioning by auction between cloud end users and service providers has also been discussed in the literature.

Live VM migration across subnets based on overlay approaches is discussed in [10, 30, 32, 33]. These approaches may require Mobile IP support. Even so, Mobile IP is not well suited to offline VM migration in a large network [13]. The overlay approach treats the large network as a homogeneous network; in practice, however, data centers are deployed with heterogeneous environments. Greenberg et al. [6] discussed the interconnection among data centers to allow seamless VM migration. Migration within a data center or across data centers is possible by use of the OpenFlow network controller. Mysore et al. [14] discussed the heterogeneity of data centers and a single CSP. Approaches in which VM migration changes the target system at the hypervisor or operating system level are known as host-based approaches. Many researchers have also proposed host-based VM migration [6, 23, 2, 17]. The transfer of disks over a WAN (Wide Area Network) was proposed by Bradford et al. [2], and Pu et al. [17] discussed VM migration by modification of the guest VM, which establishes a connection with the OpenFlow virtual switch (Open vSwitch). The source and target systems have similar (i.e., homogeneous) environments for VM migration. The VL2 system discusses the creation of an overlay network using the location address (LA). A centralized directory (CD) is maintained for mapping the LA to the application address. The OS traps the ARP requests originating from end users and forwards them to the CD for uninterrupted VM migration [6]. It does not address the problem of multiple data centers, where the CD may not have control over all data centers in the network. Similarly, a hybrid approach was discussed by Silvera et al. [23] and Kim et al. [11], where the target host changes its state and Mobile IP is required for VM migration. However, the approaches discussed above only use a homogeneous cloud environment, whereas in practice the platform is not uniform.

The network-based migration approaches propose layer 2 and layer 3 networks for VM migration. These approaches discuss (i) the replacement of an existing data center architecture with layer 3 routes to overcome the disadvantages of layer 2 routes [14] and (ii) the creation of layer 2 networks over various data centers by the extension of layer 2 technologies, e.g., layer 2 VPN (VPLS) and OTV [3]. The Mobile IP approaches [8, 23] discuss the requirement of new IP addresses after migration; the existing IP address is not required. Mann et al. [13], however, present a new approach that combines the advantages of layer 2 and layer 3 to address the triangular routing problem. The OpenFlow-based systems [3, 9] resolve issues related to live VM migration over data centers. In the work discussed above, researchers address the problem of VM migration across data centers from diverse aspects.

In the recent past, researchers have proposed different economic models for distributed systems, and combinatorial auction based allocation mechanisms have been adopted. A couple of researchers have proposed economic models for VM provisioning in cloud computing. Wang et al. [25] discuss a pricing scheme based on resource consumption. The users are decoupled from the CSPs, and the pricing scheme establishes the bridge between user resource consumption and CSP resource allocation. S. Zaman and D. Grosu [28] designed a combinatorial auction based mechanism for dynamically provisioning and allocating VM instances in the cloud. Prasad et al. [24] proposed a resource allocation mechanism for procuring a couple of resources from active cloud vendors in a bidding process. The case of a user procuring a couple of resources from various cloud vendors is considered. The user conveys the requirements to the auction broker, and the auction process runs over the broker agent, with cloud providers participating in the auction process. Economic pricing models and test-bed mechanisms have been used in cloud computing for the benefit of users as well as CSPs [1, 20, 26]. The economic model is deployed to maximize the user's profit during the selection of VM instances among CSPs. Zaman et al. [28] and Prasad et al. [24] propose a model for combinatorial auctions. The methods discussed focus on the auction process between cloud users and cloud service providers, to maximize user benefit. Majhi and Bera [12] have established a VM marketplace between mutually agreed CSPs to allocate VMs on demand from the user. They have discussed VM migration in a heterogeneous environment.

No significant work has been done to analyze the possible and evolving threats to the VM marketplace. In addition, no security framework is available for the VM migration system.

In this paper, we consider designing a secured auction mechanism between various cloud service providers to maximize the CSPs' benefit. Moreover, possible threat remediation has been considered in the proposed work. By securing the VM migration auction system, the CSPs can facilitate uninterrupted service by migrating VM instances between mutually agreed CSPs.

3. VM Migration Overview

The VM auction acts as the mediator among senders and receivers in the VM marketplace. It varies in terms of service offerings, VM migration agreements and bidding rules. The bidding system is considered to be hypervisor-mediated bidding. The migration module over the hypervisor does the mediator work between the hosts for VM migration bidding [12]. The VM migration auction scheme is defined by the participants, the relations among participants and the components of the bidding process.

3.1. Participants

The VMs offered by various heterogeneous Cloud Service Providers (CSPs) differ in key features such as virtual machine configuration, availability of hardware, services offered by the VMs, application software used in the VM, etc. The roles of the various players in the proposed VM migration auction process are defined as follows:

(i) CSPs act as sender as well as receiver, depending on the type of job they want to perform.
(ii) Business agreements act as business intermediaries between sender and receiver. The migration module, which can be implemented on top of the hypervisor, is involved (send/receive/participate) in the VM migration process.
(iii) The migration module on the receiver side receives the state of the VM (as VM files) from the sender and allocates it within the receiver.
(iv) Users are the final service seekers, based on the VM service offered by CSPs.

3.2. Relation Among Participants and Key Components

The business-to-business relation between CSPs is considered, together with the co-operation among participants through which the VM bidding process is addressed. This concept does not cover business-to-user interactions. The basis of the VM migration process is the availability of each resource and the minimum cost; the receiver is selected on this principle. Information about the virtual machine configuration, the OS running on the VM and the application software used are the key components of the VM migration process. When determining the receiver, the VM's web server, app server and database also play an important role. In addition, it is important to consider the licensing status (proprietary license or free) of the applications used in the VM before deciding on the receiver. These key components need to be shared among the receivers before the bidding process.

4. Security Consideration

The current state of the art shows that services are offered by virtualized infrastructures. Services are provided not only by a single independent host; federation among corporate vendors is also popular for providing uninterrupted service to the user. The service providers ensure cost optimization and optimum usage of network and system resources. SOA technology is therefore emphasized in the competitive business world [5]. The only way federated business vendors communicate with each other is via the Internet, so the Internet provides a new platform of computation for virtual resources. However, the service providers communicate over an unspecified network, which is also insecure. This increases the number of security issues. Security vulnerabilities pose a challenge to the cloud computing domain. The Kaminsky DNS vulnerability is an example of the security incidents reported in a cloud computing environment [18]. According to the Guardian newspaper survey in 2009, the security challenges in cloud computing need more attention [29]. The scope of the security requirements during the federated VM auction [12] calls for comprehensive security solutions. The focus should be on the security measures and the VM migration architecture.

We have considered both external and internal (within the enterprise) threats when analyzing the threats to the VM migration auction architecture. An architecture cannot be called secure without identifying and addressing the system security requirements, so threat modeling is the foundation for specifying them. Security engineering has been incorporated into the VM migration auction process from the initial phase of architecture specification. In this way, time-consuming and expensive security concerns can be avoided. The modeling should adhere to industry standards [31]. The general security requirements of the underlying systems should nevertheless be considered during secure VM migration auction. In this section we have discussed the VM migration auction scheme by defining the participants, the relations among participants and the components of the bidding process. The next section presents the detailed threat modeling.

5. Threat Modeling of VM Migration Auction Process

The threat modeling for the VM auction consists of three high-level processes: (i) System Characteristics, (ii) Asset Identification and Entry Points, and (iii) Threat Identification.

5.1. System Characteristics

The system model reveals important characteristics of the system, such as the different components, the interlinking of application modules, the usage scenarios and the assumptions and dependencies [15].

5.2. Asset Identification and Entry Points

An asset is a critical resource that should be protected from adversaries; assets are the adversaries' main target [15]. The attacker's main choice is the access points through which the system can be controlled and exploited. The entry points in the system include VM configuration files, CSP-to-CSP business agreement files, communication ports, sockets and interfaces, etc.

5.3. Threat Identification

Threats may be internal, external or the result of human error. The threats can be enumerated from the system characteristics, asset identification and entry points discussed above. Confidentiality, Integrity and Availability are the basis of threat identification. Threat modelling can be performed (i) from known vulnerabilities to typical threats and (ii) from threats to vulnerabilities. The former needs more understanding of the system. To identify the threats to the system, we need to list its key components. The target components can then be protected by applying the required security techniques. The well-known threats are (i) spoofing, (ii) tampering, (iii) repudiation, (iv) information disclosure, (v) denial of service and (vi) elevation of privilege [15]. Here we identify the threats to the different components of the VM migration auction system. We have considered both data flow and network threat modelling [3]. In a VM auction system [12], the data flows from the sender CSP to the receivers via the auction manager, and the receivers respond to the sender via the same auction manager. The main components of the VM auction system that the attacker might attack are: (i) Source, (ii) Auction Migration Manager (AMM), (iii) Receiver, (iv) Auction Log, (v) Back end module, (vi) Communication channel, (vii) file handles, etc.
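One way to enumerate candidate threats for the components listed above, as an added example that is not from the paper: it applies the six threat classes per data-flow-diagram element and ranks the flows that leave a CSP's trust zone first. The element kinds, trust-zone names and flow labels are assumptions of this example.

```python
from dataclasses import dataclass

# The six threat classes the paper lists (STRIDE).
STRIDE = {"S": "spoofing", "T": "tampering", "R": "repudiation",
          "I": "information disclosure", "D": "denial of service",
          "E": "elevation of privilege"}

# STRIDE-per-element: which classes apply to which kind of DFD element.
# A log is a data store that is additionally a repudiation target.
APPLICABLE = {"process": "STRIDE", "store": "TID", "log": "TRID", "flow": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "process", "store" or "log"
    zone: str   # trust zone; the zone names are assumptions of this example


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str


# Components named in the paper; kinds and zones are assumed for the example.
ELEMENTS = [
    Element("Source", "process", "sender-csp"),
    Element("Auction Migration Manager", "process", "auction"),
    Element("Receiver", "process", "receiver-csp"),
    Element("Auction Log", "log", "auction"),
    Element("Back end module", "store", "auction"),
]

# Sender -> AMM -> receivers, and the response back through the same AMM.
FLOWS = [
    Flow("Source", "Auction Migration Manager", "auction request"),
    Flow("Auction Migration Manager", "Receiver", "auction broadcast"),
    Flow("Receiver", "Auction Migration Manager", "bid response"),
    Flow("Auction Migration Manager", "Source", "bid response"),
    Flow("Auction Migration Manager", "Auction Log", "log record"),
    Flow("Auction Migration Manager", "Back end module", "agreement lookup"),
]


def enumerate_threats(elements=ELEMENTS, flows=FLOWS):
    """Return candidate threats, flows that cross a trust zone first."""
    zones = {e.name: e.zone for e in elements}
    unknown = {n for f in flows for n in (f.src, f.dst)} - set(zones)
    if unknown:
        raise ValueError(f"flow endpoint not modelled: {sorted(unknown)}")

    threats = []
    for e in elements:
        for code in APPLICABLE[e.kind]:
            threats.append({"target": e.name, "threat": STRIDE[code],
                            "crosses_boundary": False})
    for f in flows:
        exposed = zones[f.src] != zones[f.dst]
        for code in APPLICABLE["flow"]:
            threats.append({"target": f"{f.src} -> {f.dst} ({f.label})",
                            "threat": STRIDE[code],
                            "crosses_boundary": exposed})
    # Stable sort: boundary-crossing (Internet-facing) candidates come first.
    threats.sort(key=lambda t: not t["crosses_boundary"])
    return threats


if __name__ == "__main__":
    for t in enumerate_threats():
        mark = "!" if t["crosses_boundary"] else " "
        print(f"{mark} {t['threat']:<24} {t['target']}")
```

Each returned entry is a candidate to be confirmed or dismissed during review, not a finding.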

The following attacks may be possible against the system. We list a limited set of threats here; the list can be expanded as more threats are analyzed.

(1) An external system might construct the data flow graph of the system. This enables the attacker to build a jamming device.
(2) A DoS attack on the AMM reduces the ability to access the valid receivers. Insecure communication over the Internet: auction data may be illegally modified, or the attacker may supply its own auction data.
(3) Hijacking the functionality of the auction manager so that adversaries control the process will ruin the core functionality of the system.
(4) The front end accesses the back end or the dedicated storage of the cloud environment for the business agreements and the identification of the mutually agreed CSPs [12]. This allows adversaries to access critical data and files.

The other threats include unauthorized use of network services and unauthorized log-in to the auction process. These are very general vulnerabilities. We have considered the following security protections based on our risk analysis:

(1) Integrity and encryption checks for the communication of CSPs over the Internet.
(2) Verify that the auction request the receiver receives is supplied by a mutual vendor.
(3) Design a business policy framework to automate the mapping of auction requests into the functional data flow. When the sender broadcasts the auction, the receiver participates in the process in such a way that the system has enough knowledge to construct the data flow.
(4) The hypervisor security mechanism should be extended to secure the bidding application. Provide an isolation mechanism to separate agreed vendors from non-agreed vendors.

The possible threats have been analyzed along with the risk to the VM migration auction system. In the next section we will specify the security requirements for the system.

6. Security and Efficiency Requirements

The classical security properties have been specified to secure the VM migration auction process. To ensure that the system is fully protected, the classical attacks such as confidentiality, integrity, availability, authentication and physical attacks need to be addressed. Based on these attacks, the security requirements are listed as follows:

(i) Impersonality: No one can identify the VM Source from the data plane.
(ii) Non Repudiation: A vendor cannot deny a migration after receiving and allocating it.
(iii) Impersonation: No one can impersonate a VM Source.
(iv) Authenticity: No one can forge a VM migration file with a valid signature.
(v) Trustworthy: All vendors should be given equal importance during allocation.
(vi) Verifiability: Vendors can verify the migration information during migration.
(vii) Allocation: The same migration process cannot be allocated to more than one vendor.
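Protections (1) and (2) from the risk analysis and the Authenticity and Allocation requirements above, sketched as an added example that is not part of the paper or of any VMMA implementation. It assumes each pair of federated CSPs holds a shared key from its business agreement and that confidentiality is provided by the transport; the message fields, vendor ids and keys are constructed.

```python
import hashlib
import hmac
import json

MAX_AGE = 120  # seconds a request stays acceptable (assumed policy value)

class AuctionError(Exception):
    """Raised when an auction message or allocation must be rejected."""

def canonical(body):
    # Deterministic encoding so sender and receiver MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def seal(body, key):
    """Sender side: attach an HMAC-SHA256 tag to an auction request."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}

class Receiver:
    def __init__(self, agreements):
        self.agreements = agreements  # vendor id -> key from the agreement
        self.seen = set()             # (sender, auction_id, nonce) accepted

    def verify(self, msg, now):
        body = msg.get("body") if isinstance(msg, dict) else None
        if not isinstance(body, dict) or not isinstance(body.get("sender"), str):
            raise AuctionError("malformed request")
        key = self.agreements.get(body["sender"])
        if key is None:
            raise AuctionError("sender is not a mutually agreed vendor")
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        supplied = str(msg.get("mac")).encode()
        if not hmac.compare_digest(expected.encode(), supplied):
            raise AuctionError("request forged or modified in transit")
        issued = body.get("issued_at")
        if not isinstance(issued, (int, float)) or abs(now - issued) > MAX_AGE:
            raise AuctionError("stale request")
        ident = (body["sender"], str(body.get("auction_id")), str(body.get("nonce")))
        if ident in self.seen:
            raise AuctionError("replayed request")
        self.seen.add(ident)
        return body

class AllocationLedger:
    """Allows one winning vendor per auction (the Allocation requirement)."""

    def __init__(self):
        self.winner = {}

    def allocate(self, auction_id, vendor):
        holder = self.winner.setdefault(auction_id, vendor)
        if holder != vendor:
            raise AuctionError(f"already allocated to {holder}")
        return holder

def outcome(fn, *args):
    try:
        fn(*args)
        return "accepted"
    except AuctionError as exc:
        return str(exc)

def demo():
    """Run constructed requests through the checks and report each result."""
    key_a = b"constructed-demo-key-for-csp-a"
    rx = Receiver({"csp-a": key_a})
    body = {"sender": "csp-a", "auction_id": "auc-1", "nonce": "n-1",
            "issued_at": 1000, "vm": {"vcpu": 4, "ram_gb": 8, "os": "linux"}}
    good = seal(body, key_a)
    tampered = {"body": dict(body, vm={"vcpu": 64}), "mac": good["mac"]}
    outsider = seal(dict(body, sender="csp-x"), b"key-not-in-any-agreement")
    late = seal(dict(body, nonce="n-2"), key_a)
    ledger = AllocationLedger()
    return {
        "valid": outcome(rx.verify, good, 1010),
        "replayed": outcome(rx.verify, good, 1011),
        "tampered": outcome(rx.verify, tampered, 1012),
        "outsider": outcome(rx.verify, outsider, 1013),
        "late": outcome(rx.verify, late, 5000),
        "first_allocation": outcome(ledger.allocate, "auc-1", "csp-b"),
        "second_allocation": outcome(ledger.allocate, "auc-1", "csp-c"),
    }
```

A shared-key MAC lets either key holder produce a valid tag, so it does not meet the Non Repudiation requirement; that needs a digital signature made with a key only the sender holds.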

The security issues during vendor (destination) selection are addressed by the various security requirements. This paper discusses the security issue of the vendor selection problem and a solution that satisfies the security requirements. The performance of the proposed system has also been addressed in terms of the performance requirements of the VM migration auction system. The performance requirements are:

(i) Efficiency of Transfer: The communication and allocation costs in both the initiation of VM migration and the allocation to new infrastructure are practical and low.
(ii) One Time Registration: Any cloud provider can participate in many rounds of VM migration anonymously with a one-time registration.
(iii) Easy Cancellation: The system can easily cancel a cloud provider.

7. Conclusion

We have presented the Virtual Machine (VM) migration auction process with its core functionality. The main novelty of this work is the identification of security threats and the related security requirements for the VMMA system. It is expected that the proposed system will fit well with higher-scaling applications of designing secure VM migration by integrating with the existing cloud computing environment. This research is a main step towards securing the VM migration auction, which will enhance the business federation among cloud service providers for providing highly scalable service to the users.

8. References

1. Altmann, J. et al. (2008). GridEcon: A Market Place for Computing Resources. In Proc. Workshop Grid Economics and Business Models, pp. 185-196.

2. Bradford, R., Kotsovinos, E., Feldmann, A., & Schioberg, H. (2007). Live wide-area migration of virtual machines including local persistent state. In Proc. of ACM VEE.

3. Boughzala, B., Ben Ali, R., Lemay, M., Lemieux, Y., Cherkaoui, O. (2011). Openflow supporting inter-domain virtual machine migration. In Proc. of IEEE/IFIP WOCN.

4. Danev, B. et al. (2011). Enabling Secure VM-vTPM Migration in private clouds. In Proceedings of the ACSAC.

5. Dolev, D., & Yao, A.C. (1982). On the Security of Public Key Protocol. In Proceedings of the IEEE 22nd Annual Symposium on Foundation of Computer Science, pp. 350-357.

6. Greenberg, et al. (2009). VL2:A Scalable and Flexible Data Center Network. In Proc. of ACM SIGCOMM.

7. Hasan, R et al. (2005). Towards a Threat Model for Storage Systems. In Symposium on Requirements Engineering for Information Security.

8. Harney et al. (2007). The efficacy of live virtual machine migrations over the internet. In Proc. of ACM VTDC.

9. Hao, F., Lakshman, T. V., Mukherjee, S., & Song, H. (2010). Enhancing dynamic cloud-based services using network virtualization. In Proc. of ACM SIGCOMM CCR.

10. Jiang, X., & Xu, D. (2004). Violin: Virtual internetworking on overlay infrastructures. In Proc. of ISPA.

11. Kim et al. (2008). Floodless in seattle: a scalable ethernet architecture for large enterprises. In Proc. of ACM SIGCOMM.

12. Majhi, S. K., & Bera, P. (2014). VM Migration Auction: Business Oriented Federation of Cloud Providers for Scaling of Application Services. In Proceedings of IEEE PDGC, Shimla, India.

13. Mann, V., Vishnoi, A., Kannan, K., & Kalyanaraman, S. (2012). CrossRoad: Seamless VM Mobility Across Data Centres through Software Defined Networking. In Proc. of IEEE NOMS.

14. Mysore et al. (2009). PortLand: A Scalable Fault-Tolerant Layer 2 Data Center Network Fabric. In Proc. of ACM SIGCOMM.

15. Myagmar, S., Lee, A. J., & Yurcik, W. (2012). Threat Modeling as a basis for Security Requirements. In Proceedings of SREIS.

16. Open vSwitch - Open Virtual Switch. From http://www.openvswitch.org

17. Pu, Y. et al. (2011). Cloud rack: Enhanced virtual topology migration approach with open vswitch. In Proc. of IEEE ICOIN.

18. Olney, M., Mullen, K. M., & D. Kaminsky (2008). 2008 DNS Vulnerability. Sourcefire Vulnerability Research Team Report.

19. Paulo et al. (2002). Efficient Algorithms for Pairing-Based Cryptosystems. Lecture Notes in Computer Science, Vol. 2442, pp. 354-369.

20. Risch, M., Altmann, J., Guo, L., Fleming, A., & Courcoubetis, C. (2009). The GridEcon Platform: A Business Scenario Testbed for Commercial Cloud Services. In Proc. Workshop Grid Economics and Business Models, pp. 46-59.

21. Smart, N. P. (2002). Identity-based authenticated key agreement protocol based on Weil pairing. Electronic Letters, pp. 532-630.

22. Swiderski, F., & Snyder, W. (2004). Threat Modeling. Microsoft Press.

23. Silvera et al. (2009). IP mobility to support live migration of virtual machine across subnets. In Proc. of SYSTOR.

24. Vinu Prasad, G., Rao, S. & Prasad, A.S. (2012). A Combinatorial Auction Mechanism for Multiple Resource Procurements in Cloud Computing. In Proc. of 12th Int'l Conf. Intelligent Systems Design and Applications, pp. 337-344.

25. Wang et al. (2009). Secured VM Live Migration in Personal Cloud. In Proceedings of 16th ACM CCS, China.

26. Wang, H., Jing, Q., Chen, R., He, B., Qian, Z., & Zhou, L. (2010). Distributed Systems Meet Economics: Pricing in the Cloud. In Proc. Second USENIX Workshop Hot Topics in Cloud Computing.

27. Xianqin, C., Xiaopeng, G., Han, W., Sumei, W., & Xiang, L. (2011). Application-Transparent Live Migration for virtual machine on network security enhanced hypervisor. China Communications, pp. 32-42.

28. Zaman, S., & Grosu, D. (2013). A Combinatorial Auction Based Mechanism for Dynamic VM Provisioning and Allocation in Clouds. IEEE Transactions on Cloud Computing, Vol. 1, No. 2.

29. Bevan, B. (2008). What will frighten us next year?. The Guardian newspaper. From http://www.theguardian.com/technology/2008/dec/11/security-cloud-computing.

30. Cisco Nexus 1000V Series Switches. From http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/data sheet c78492971.html.

31. CCEB - Common Criteria Editorial Board (1998). Common criteria for Information Technology Security Evaluation Report.

32. VMware Vnetwork distributed switches. From https://www.vmware.com/products/vnetworkdistributedswitch/overview.html.

33. VMware VMotion for Live Migration of virtual machines. From http://www.vmware.com/products/vi/vc/vmotion.html