survey

An Exhaustive Survey on Security Concerns and Solutions at Different Components of Virtualization

Authors:

Rajendra Patil,

Chirag ModiAuthors Info & Claims

ACM Computing Surveys (CSUR), Volume 52, Issue 1

Article No.: 12, Pages 1 - 38

https://doi.org/10.1145/3287306

Published: 13 February 2019 Publication History

Abstract

Virtualization is a key enabler of various modern computing technologies. However, it brings additional vulnerabilities that can be exploited to affect the availability, integrity, and confidentiality of the underlying resources and services. The dynamic and shared nature of the virtualization poses additional challenges to the traditional security solutions. This article explores the vulnerabilities, threats, and attacks relevant to virtualization. We analyze the existing security solutions and identify the research gaps that can help the research community to develop a secured virtualization platform for current and future computing technologies.

References

[1]

Khalid Aissaoui, Hafsa Aitidar, Hicham Belhadaoui, and Mounir Rifi. 2017. Survey on data remanence in cloud computing environment. In Proceeedings of the IEEE International Conference on Wireless Technologies, Embedded and Intelligent Systems. 1--4.

[2]

Bushra Albelooshi, Khaled Salah, Thomas Martin, and Ernesto Damiani. 2015. Experimental proof: Data remanence in cloud VMs. In Proceeedings of the International Conference on Cloud Computing. 1017--1020.

Digital Library

[3]

Mudassar Aslam, Christian Gehrmann, and Mats Björkman. 2012. Security and trust preserving VM migrations in public clouds. In Proceeedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications. 869--876.

Digital Library

[4]

Mudassar Aslam, Christian Gehrmann, Lars Rasmusson, and Mats Björkman. 2012. Securely launching virtual machines on trustworthy platforms in a public cloud. In Proceeedings of the International Conference on Cloud Computing and Services Science. 1--10.

[5]

Zelalem Birhanu Aweke, Salessawi Ferede Yitbarek, Rui Qiao, Reetuparna Das, Matthew Hicks, Yossi Oren, and Todd Austin. 2016. ANVIL: Software-based protection against next-generation rowhammer attacks. ACM SIGPLAN Not. 51, 4 (2016), 743--755.

Digital Library

[6]

Ahmed M Azab, Peng Ning, Zhi Wang, Xuxian Jiang, Xiaolan Zhang, and Nathan C Skalsky. 2010. HyperSentry: Enabling stealthy in-context measurement of hypervisor integrity. In Proceeedings of the 17th ACM Conference on Computer and Communications Security. 38--49.

Digital Library

[7]

Ahmed M. Azab, Peng Ning, and Xiaolan Zhang. 2011. Sice: A hardware-level strongly isolated computing environment for x86 multi-core platforms. In Proceeedings of the 18th ACM Conference on Computer and Communications Security. 375--388.

Digital Library

[8]

Sina Bahram, Xuxian Jiang, Zhi Wang, Mike Grace, Jinku Li, Deepa Srinivasan, Junghwan Rhee, and Dongyan Xu. 2010. Dksm: Subverting virtual machine introspection for fun and profit. In Proceeedings of the 29th IEEE Symposium on Reliable Distributed Systems. 82--91.

Digital Library

[9]

Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. 2003. Xen and the art of virtualization. In Proceeedings of the ACM SIGOPS Operating Systems Review, Vol. 37. 164--177.

Digital Library

[10]

Andrew Baumann, Marcus Peinado, and Galen Hunt. 2015. Shielding applications from an untrusted cloud with haven. ACM Trans. Comput. Syst. 33, 3 (2015), 266--283.

Digital Library

[11]

Naomi Benger, Joop Van de Pol, Nigel P. Smart, and Yuval Yarom. 2014. Ooh aah just a little bit: A small amount of side channel can go a long way. In Proceeedings of the International Workshop on Cryptographic Hardware and Embedded Systems. 75--92.

Digital Library

[12]

Sarani Bhattacharya and Debdeep Mukhopadhyay. 2016. Curious case of rowhammer: Flipping secret exponent bits using timing analysis. In Proceeedings of the International Conference on Cryptographic Hardware and Embedded Systems. 602--624.

[13]

Ferdinand Brasser, Lucas Davi, David Gens, Christopher Liebchen, and Ahmad-Reza Sadeghi. 2017. Cannot touch this: Software-only mitigation against rowhammer attacks targeting kernel memory. In Proceedings of the 26th USENIX Security Symposium (Security). 116--130.

Digital Library

[14]

Franz Ferdinand Brasser, Lucas Davi, David Gens, Christopher Liebchen, and Ahmad-Reza Sadeghi. 2016. Can’t touch this: Practical and generic software-only defenses against rowhammer attacks. Computing Research Repository abs/1611.08396 (2016), 1--15.

[15]

Chaitanya Buragohain and Nabajyoti Medhi. 2016. FlowTrApp: An SDN based architecture for DDoS attack detection and mitigation in data centers. In Proceeedings of the 3rd International Conference on Signal Processing and Integrated Networks (SPIN’16). 519--524.

[16]

Jamie Butler. 2004. Dkom (direct kernel object manipulation). Black Hat Windows Security (2004).

[17]

Shakeel Butt, H. Andrés Lagar-Cavilla, Abhinav Srivastava, and Vinod Ganapathy. 2012. Self-service cloud computing. In Proceeedings of the 2012 ACM Conference on Computer and Communications Security. 253--264.

Digital Library

[18]

Antonio Celesti, Angelo Salici, Massimo Villari, and Antonio Puliafito. 2011. A remote attestation approach for a secure virtual machine migration in federated cloud environments. In Proceeedings of the 1st International Symposium on Network Cloud Computing and Applications. 99--106.

Digital Library

[19]

David Champagne. 2010. Scalable Security Architecture for Trusted Software. Princeton University.

[20]

Ramaswamy Chandramouli. 2014. Security recommendations for hypervisor deployment. Draft NIST Special Publication (2014), 1--37.

[21]

Suresh N. Chari and Ashish Kundu. 2016. Sanitization of Virtual Machine Images. US Patent App. 15/086,290.

[22]

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy. 2010. Return-oriented programming without returns. In Proceeedings of the 17th ACM Conference on Computer and Communications Security. 559--572.

Digital Library

[23]

Stephen Checkoway and Hovav Shacham. 2013. Iago attacks: Why the system call API is a bad untrusted RPC interface. SIGARCH Comput. Archit. News 41, 1 (2013), 253--264.

Digital Library

[24]

Haibo Chen, Fengzhe Zhang, Cheng Chen, Ziye Yang, Rong Chen, Binyu Zang, and Wenbo Mao. 2007. Tamper-resistant execution in an untrusted operating system using a virtual machine monitor. Technical Report FDUPPITR-2007-08001. Parallel Processing Institute, 1--16.

[25]

Xiaoxin Chen, Tal Garfinkel, E Christopher Lewis, Pratap Subrahmanyam, Carl A Waldspurger, Dan Boneh, Jeffrey Dwoskin, and Dan RK Ports. 2008. Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. ACM Spec. Interest Group Operat. Syst. Rev. 42, 2 (2008), 2--13.

Digital Library

[26]

Yueqiang Cheng, Xuhua Ding, and R Deng. 2013. Appshield: Protecting applications against untrusted operating system. Singaport Management University Technical Report, SMU-SIS-13 (2013).

[27]

Yueqiang Cheng, Zhi Zhang, and Surya Nepal. 2018. Still hammerable and exploitable: On the effectiveness of software-only physical kernel isolation. Computing Research Repository abs/1802.07060 (2018), 1--12.

[28]

Siddhartha Chhabra, Brian Rogers, Yan Solihin, and Milos Prvulovic. 2011. SecureME: A hardware-software approach to full system security. In Proceeedings of the International Conference on Supercomputing. 108--119.

Digital Library

[29]

Chun-Jen Chung, Pankaj Khatkar, Tianyi Xing, Jeongkeun Lee, and Dijiang Huang. 2013. NICE: Network intrusion detection and countermeasure selection in virtual network systems. IEEE Trans. Depend. Sec. Comput. 10, 4 (2013), 198--211.

Digital Library

[30]

Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, George Coker, Tim Deegan, Peter Loscocco, and Andrew Warfield. 2011. Breaking up is hard to do: Security and functionality in a commodity hypervisor. In Proceeedings of the 23rd ACM Symposium on Operating Systems Principles. 189--202.

Digital Library

[31]

John Criswell, Nathan Dautenhahn, and Vikram Adve. 2014. Virtual ghost: Protecting applications from hostile operating systems. ACM Spec. Interest Group Comput. Arch. News 42, 1 (2014), 81--96.

Digital Library

[32]

Anthony Desnos, Éric Filiol, and Ivan Lefou. 2011. Detecting (and creating&excl;) a HVM rootkit (aka BluePill-like). J. Comput. Virol. 7, 1 (2011), 23--49.

Digital Library

[33]

Baozeng Ding, Yeping He, Yanjun Wu, and Yuqi Lin. 2013. HyperVerify: A VM-assisted architecture for monitoring hypervisor non-control data. In Proceeedings of the IEEE 7th International Conference on Software Security and Reliability-Companion (SERE-C’13). 26--34.

Digital Library

[34]

Dmitry Evtyushkin, Jesse Elwell, Meltem Ozsoy, Dmitry Ponomarev, Nael Abu Ghazaleh, and Ryan Riley. 2014. Iso-x: A flexible architecture for hardware-managed isolated execution. In Proceedings of the 47th Annual IEEE/ACM International Symposium on Microarchitecture. 190--202.

Digital Library

[35]

Kang Fan, Dehui Mao, ZhiHui Lu, and Jie Wu. 2013. Ops: Offline patching scheme for the images management in a secure cloud environment. In Proceeedings of the IEEE International Conference on Services Computing. 587--594.

Digital Library

[36]

Eduardo B. Fernandez, Raul Monge, and Keiko Hashizume. 2013. Two patterns for cloud computing: Secure virtual machine image repository and cloud policy management point. In Proceeedings of the 20th Conference on Pattern Languages of Programs. 1--11.

Digital Library

[37]

Yangchun Fu and Zhiqiang Lin. 2013. Exterior: Using a dual-vm based external shell for guest-os introspection, configuration, and recovery. ACM Spec. Interest Group Program. Lang. Not. 48, 7 (2013), 97--110.

Digital Library

[38]

Michael Misiu Godfrey and Mohammad Zulkernine. 2014. Preventing cache-based side-channel attacks in a cloud environment. IEEE Trans. Cloud Comput. 2, 4 (2014), 395--408.

[39]

Irazoqui Gorka, Inci Mehmet Sinan, Eisenbarth Thomas, and Berk Sunar. 2014. Fine grain cross-VM attacks on xen and VMware. In Proceeedings of the International Conference on Big Data and Cloud Computing. 737--744.

Digital Library

[40]

Bernd Grobauer, Tobias Walloschek, and Elmar Stocker. 2011. Understanding cloud computing vulnerabilities. IEEE Sec. Priv. 9, 2 (2011), 50--57.

Digital Library

[41]

Daniel Gruss, Clémentine Maurice, Klaus Wagner, and Stefan Mangard. 2016. Flush+ Flush: A fast and stealthy cache attack. In Detection of Intrusions and Malware, and Vulnerability Assessment. 279--299.

Digital Library

[42]

Keiko Hashizume, Nobukazu Yoshioka, and Eduardo B. Fernandez. 2013. Three misuse patterns for cloud computing. Security Engineering for Cloud Computing: Approaches and Tools, D. G. Rosado, D. Mellado, E. Fernandez-Medina, and M. Piattini (Eds.). IGI Global, Pennsylvania, United States, 36--53.

[43]

Owen S. Hofmann, Sangman Kim, Alan M. Dunn, Michael Z. Lee, and Emmett Witchel. 2013. Inktag: Secure applications on an untrusted operating system. In Proceedings of the Eighteenth International Conference on Architectural Support for Programming Languages and Operating Systems. 265--278.

Digital Library

[44]

Zakaria Igarramen and Mustapha Hedabou. 2016. Protecting co-resident VMs from side-channel attack in cloud environment: SAFEPERIMETER system. In Proceeedings of the Mediterranean Conference on Information 8 Communication Technologies. 539--547.

[45]

Mehmet Sinan Inci, Berk Gulmezoglu, Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar. 2015. Seriously, get off my cloud&excl; cross-VM RSA key recovery in a public cloud. IACR Cryptology ePrint Archive. Report 2015/898. 1--15.

[46]

Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar. 2015. A shared cache attack that works across cores and defies VM sandboxing and its application to AES. In Proceeedings of the IEEE Symposium on Security and Privacy (SP’15). 591--604.

Digital Library

[47]

Gorka Irazoqui, Mehmet Sinan Inci, Thomas Eisenbarth, and Berk Sunar. 2014. Wait a minute&excl; a fast, cross-VM attack on AES. In Proceeedings of the International Workshop on Recent Advances in Intrusion Detection. 299--319.

[48]

Raj Jain and Subharthi Paul. 2013. Network virtualization and software defined networking for cloud computing: A survey. IEEE Commun. Mag. 51, 11 (2013), 24--31.

[49]

Amarnath Jasti, Payal Shah, Rajeev Nagaraj, and Ravi Pendse. 2010. Security in multi-tenancy cloud. In Proceeedings of the IEEE International Carnahan Conference on Security Technology. 35--41.

[50]

Deepak Jeswani, Akshat Verma, Praveen Jayachandran, and Kamal Bhattacharya. 2013. Imageelves: Rapid and reliable system updates in the cloud. In Proceeedings of the 33rd IEEE International Conference on Distributed Computing Systems. 390--399.

Digital Library

[51]

Seongwook Jin, Jeongseob Ahn, Jinho Seol, Sanghoon Cha, Jaehyuk Huh, and Seungryoul Maeng. 2015. H-SVM: Hardware-assisted secure virtual machines under a vulnerable hypervisor. IEEE Trans. Comput. 64, 10 (2015), 2833--2846.

Digital Library

[52]

Miltiadis Kandias, Nikos Virvilis, and Dimitris Gritzalis. 2011. The insider threat in cloud computing. In Proceeedings of the International Workshop on Critical Information Infrastructures Security. 93--103.

[53]

Muhammad Kazim, Rahat Masood, and Muhammad Awais Shibli. 2013. Securing the virtual machine images in cloud computing. In Proceeedings of the 6th International Conference on Security of Information and Networks. 425--428.

Digital Library

[54]

Taesoo Kim, Marcus Peinado, and Gloria Mainar-Ruiz. 2012. STEALTHMEM: System-level protection against cache-based side-channel attacks in the cloud. In Proceeedings of the USENIX Security Symposium. 189--204.

Digital Library

[55]

Samuel T. King and Peter M. Chen. 2006. SubVirt: Implementing malware with virtual machines. In Proceeedings of the IEEE Symposium on Security and Privacy. 1--14.

Digital Library

[56]

Chunxiao Li, Anand Raghunathan, and Niraj K. Jha. 2010. Secure virtual machine execution under an untrusted management OS. In Proceeedings of the 3rd IEEE International Conference on Cloud Computing. 172--179.

Digital Library

[57]

Yanlin Li, Jonathan M. McCune, James Newsome, Adrian Perrig, Brandon Baker, and Will Drewry. 2014. MiniBox: A two-way sandbox for x86 native code. In Proceeedings of the USENIX Annual Technical Conference. 409--420.

Digital Library

[58]

Li Lin, Shuang Li, Bo Li, Jing Zhan, and Yong Zhao. 2016. TVGuarder: A trace-enable virtualization protection framework against insider threats for IaaS environments. Int. J. Grid High Perf. Comput. 8, 4 (2016), 1--20.

Digital Library

[59]

Joshua Lind, Christian Priebe, Divya Muthukumaran, Dan OKeeffe, Pierre-Louis Aublin, Florian Kelbert, Tobias Reiher, David Goltzsche, David Eyers, Rüdiger Kapitza, et al. 2017. Glamdring: Automatic application partitioning for Intel SGX. In Proceeedings of the USENIX Annual Technical Conference. 284--298.

Digital Library

[60]

Anyi Liu, Jim Chen, and Li Yang. 2011. Real-time detection of covert channels in highly virtualized environments. In Proceeedings of the International Conference on Critical Infrastructure Protection. 151--164.

[61]

Fangfei Liu, Qian Ge, Yuval Yarom, Frank Mckeen, Carlos Rozas, Gernot Heiser, and Ruby B. Lee. 2016. Catalyst: Defeating last-level cache side channel attacks in cloud computing. In Proceeedings of the IEEE International Symposium on High Performance Computer Architecture (HPCA’16). 406--418.

[62]

Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B Lee. 2015. Last-level cache side-channel attacks are practical. In Proceeedings of the IEEE Symposium on Security and Privacy (SP’15). 605--622.

Digital Library

[63]

Ziyi Liu, JongHyuk Lee, Junyuan Zeng, Yuanfeng Wen, Zhiqiang Lin, and Weidong Shi. 2013. Cpu transparent protection of os kernel and hypervisor integrity with programmable dram. In Proceeedings of the 40th Annual International Symposium on Computer Architecture (ISCA’13). 392--403.

Digital Library

[64]

Clémentine Maurice, Christoph Neumann, Olivier Heen, and Aurélien Francillon. 2015. C5: Cross-cores cache covert channel. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. 46--64.

Digital Library

[65]

Jonathan M. McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam Datta, Virgil Gligor, and Adrian Perrig. 2010. TrustVisor: Efficient TCB reduction and attestation. In Proceeedings of the IEEE Symposium on Security and Privacy (SP’10). 143--158.

Digital Library

[66]

Soo-Jin Moon, Vyas Sekar, and Michael K. Reiter. 2015. Nomad: Mitigating arbitrary cloud side channels via provider-assisted migration. In Proceeedings of the ACM Conference on Computer and Communications Security. 1595--1606.

Digital Library

[67]

Heitor M. B. Moraes, Rogério V. Nunes, and Dorgival Guedes. 2014. DCPortalsNg: Efficient isolation of tenant networks in virtualized datacenters. In Proceeedings of the 13th International Conference on Networks. 230--235.

[68]

Derek Gordon Murray, Grzegorz Milos, and Steven Hand. 2008. Improving Xen security through disaggregation. In Proceeedings of the 4th ACM International Conference on Virtual Execution Environments. 151--160.

Digital Library

[69]

Kara Nance, Matt Bishop, and Brian Hay. 2008. Virtual machine introspection: Observation or interference? IEEE Secur. Priv. 6, 5 (2008), 32--37.

Digital Library

[70]

Anh Nguyen, Himanshu Raj, Shravan Rayanchu, Stefan Saroiu, and Alec Wolman. 2012. Delusional boot: Securing hypervisors without massive re-engineering. In Proceeedings of the 7th ACM European Conference on Computer Systems. 141--154.

Digital Library

[71]

Keisuke Okamura and Yoshihiro Oyama. 2010. Load-based covert channels between Xen virtual machines. In Proceeedings of the ACM Symposium on Applied Computing. 173--180.

Digital Library

[72]

Nicolae Paladi, Christian Gehrmann, Mudassar Aslam, and Fredric Morenius. 2012. Trusted launch of virtual machine instances in public iaas environments. In Proceeedings of the International Conference on Information Security and Cryptology. 309--323.

Digital Library

[73]

Wuqiong Pan, Yulong Zhang, Meng Yu, and Jiwu Jing. 2012. Improving virtualization security by splitting hypervisor into smaller components. In Proceeedings of the Annual Conference on Data and Applications Security and Privacy. 298--313.

Digital Library

[74]

Anjali Pandey and Shashank Srivastava. 2014. An approach for virtual machine image security. In Proceeedings of the International Conference on Signal Propagation and Computer Technology. 616--623.

[75]

Peter Pessl, Daniel Gruss, Clémentine Maurice, Michael Schwarz, and Stefan Mangard. 2016. DRAMA: Exploiting DRAM addressing for cross-CPU attacks. In Proceeedings of the USENIX Security Symposium. 565--581.

Digital Library

[76]

Jonas Pfoh, Christian Schneider, and Claudia Eckert. 2011. Nitro: Hardware-based system call tracing for virtual machines. In Proceeedings of the International Workshop on Security. 96--112.

Digital Library

[77]

Himanshu Raj, Ripal Nathuji, Abhishek Singh, and Paul England. 2009. Resource management for isolation enhanced cloud services. In Proceeedings of the ACM Workshop on Cloud Computing Security. 77--84.

Digital Library

[78]

Himanshu Raj, David Robinson, Talha Bin Tariq, Paul England, Stefan Saroiu, and Alec Wolman. 2011. Credo: Trusted computing for guest VMs with a commodity hypervisor. Technical Report MSR-TR2011-130. Microsoft Research (2011), 1--12.

[79]

Kaveh Razavi, Ben Gras, Erik Bosman, Bart Preneel, Cristiano Giuffrida, and Herbert Bos. 2016. Flip feng shui: Hammering a needle in the software stack. In Proceeedings of the USENIX Security Symposium. 1--18.

Digital Library

[80]

Darrell Reimer, Arun Thomas, Glenn Ammons, Todd Mummert, Bowen Alpern, and Vasanth Bala. 2008. Opening black boxes: Using semantic information to combat virtual machine image sprawl. In Proceeedings of the 4th ACM International Conference on Virtual Execution Environments. 111--120.

Digital Library

[81]

Jiangchun Ren, Ling Liu, Da Zhang, Qi Zhang, and Haihe Ba. 2016. Tenants attested trusted cloud service. In Proceeedings of the IEEE 9th International Conference on Cloud Computing (CLOUD’16). 600--607.

[82]

Jianbao Ren, Yong Qi, Yuehua Dai, Xiaoguang Wang, and Yi Shi. 2015. Appsec: A safe execution environment for security sensitive applications. In Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments. 187--199.

Digital Library

[83]

Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. 2009. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In Proceeedings of the 16th ACM Conference on Computer and Communications Security. 199--212.

Digital Library

[84]

Francisco Rocha and Miguel Correia. 2011. Lucy in the sky without diamonds: Stealing confidential data in the cloud. In Proceeedings of the IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops (DSN-W’11). 129--134.

Digital Library

[85]

Francisco Rocha, Thomas Gross, and Aad van Moorsel. 2013. Defense-in-depth against malicious insiders in the cloud. In Proceeedings of the IEEE International Conference on Cloud Engineering (IC2E’13). 88--97.

Digital Library

[86]

Joanna Rutkowska and Rafał Wojtczuk. 2008. Preventing and detecting Xen hypervisor subversions. Blackhat Briefings USA (2008).

[87]

Alireza Saberi, Yangchun Fu, and Zhiqiang Lin. 2014. HYBRID-BRIDGE: Efficiently bridging the semantic gap in virtual machine introspection via decoupled execution and training memoization. In Proceeedings of the 21st Annual Network and Distributed System Security Symposium. 1--15.

[88]

Rishikesh Sahay, Gregory Blanc, Zonghua Zhang, and Hervé Debar. 2015. Towards autonomic DDoS mitigation using software defined networking. In Proceeedings of the NDSS Workshop on Security of Emerging Networking Technologies (SENT’15). 1--7.

[89]

Reiner Sailer, Enriquillo Valdez, Trent Jaeger, Ronald Perez, Leendert Van Doorn, John Linwood Griffin, and Stefan Berger. 2005. sHype: Secure hypervisor approach to trusted virtualized systems. IBM Research Report RC23511.

[90]

Brendan Saltaformaggio, Dongyan Xu, and Xiangyu Zhang. 2013. Busmonitor: A hypervisor-based solution for memory bus covert channels. In Proceeedings of the 6th European Workshop on Systems Security. 1--6.

[91]

Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues. 2009. Towards trusted cloud computing. In Proceedings of the 2009 Conference on Hot Topics in Cloud Computing. 1--5.

Digital Library

[92]

Joshua Schiffman, Thomas Moyer, Hayawardh Vijayakumar, Trent Jaeger, and Patrick McDaniel. 2010. Seeding clouds with trust anchors. In Proceeedings of the ACM Workshop on Cloud Computing Security. 43--46.

Digital Library

[93]

Roland Schwarzkopf, Matthias Schmidt, Christian Strack, Simon Martin, and Bernd Freisleben. 2012. Increasing virtual machine security in cloud environments. J. Cloud Comput. Adv. Syst. Appl. 1, 1 (2012), 1--12.

[94]

Mark Seaborn and Thomas Dullien. 2015. Exploiting the DRAM rowhammer bug to gain kernel privileges. Black Hat (2015). https://www.blackhat.com/docs/us-15/materials/us-15-Seaborn-Exploiting-The-DRAM-Rowhammer-Bug-To-Gain-Kernel-Privileges.pdf.

[95]

Saeed Shafieian, Mohammad Zulkernine, and Anwar Haque. 2014. Attacks in public clouds: Can they hinder the rise of the cloud? In Cloud Computing. 3--22.

[96]

Jicheng Shi, Xiang Song, Haibo Chen, and Binyu Zang. 2011. Limiting cache-based side-channel in multi-tenant cloud using dynamic page coloring. In Proceeedings of the IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops. 194--199.

Digital Library

[97]

Lei Shi, Yuming Wu, Yubin Xia, Nathan Dautenhahn, Haibo Chen, Binyu Zang, Haibing Guan, and Jinming Li. 2017. Deconstructing xen. In Proceeedings of the Network and Distributed System Security Symposium. 1--15.

[98]

Seungwon Shin and Guofei Gu. 2012. CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide security monitoring as a service in clouds?). In Proceeedings of the 20th IEEE International Conference on Network Protocols (ICNP’12). 1--6.

Digital Library

[99]

Seungwon Shin, Haopei Wang, and Guofei Gu. 2015. A first step toward network security virtualization: From concept to prototype. IEEE Trans. Inf. Forens. Secur. 10, 10 (2015), 2236--2249.

Digital Library

[100]

Baljit Singh, Dmitry Evtyushkin, Jesse Elwell, Ryan Riley, and Iliano Cervesato. 2017. On the detection of kernel-level rootkits using hardware performance counters. In Proceeedings of the ACM on Asia Conference on Computer and Communications Security. 483--493.

Digital Library

[101]

Read Sprabery, Konstantin Evchenko, Abhilash Raj, Rakesh B. Bobba, Sibin Mohan, and Roy H. Campbell. 2018. A novel scheduling framework leveraging hardware cache partitioning for cache-side-channel elimination in clouds. Computing Research Repository abs/1708.09538 (2018), 1--12.

[102]

Abhinav Srivastava and Jonathon Giffin. 2012. Efficient protection of kernel data structures via object partitioning. In Proceeedings of the 28th Annual Computer Security Applications Conference. 429--438.

Digital Library

[103]

Udo Steinberg and Bernhard Kauer. 2010. NOVA: A microhypervisor-based secure virtualization architecture. In Proceeedings of the 5th European Conference on Computer Systems. 209--222.

Digital Library

[104]

Jakub Szefer, Eric Keller, Ruby B Lee, and Jennifer Rexford. 2011. Eliminating the hypervisor attack surface for a more secure cloud. In Proceeedings of the ACM Conference on Computer and Communications Security. 401--412.

Digital Library

[105]

Jakub Szefer and Ruby B. Lee. 2011. A case for hardware protection of guest vms from compromised hypervisors in cloud computing. In Proceeedings of the 31st International Conference on Distributed Computing Systems Workshops (ICDCSW’11). 248--252.

Digital Library

[106]

Jakub Szefer and Ruby B Lee. 2012. Architectural support for hypervisor-secure virtualization. ACM Spec. Interest Group Program. Lang. Not. 47, 4 (2012), 437--450.

Digital Library

[107]

Cheng Tan, Yubin Xia, Haibo Chen, and Binyu Zang. 2012. Tinychecker: Transparent protection of vms against hypervisor failures with nested virtualization. In Proceeedings of the IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops (DSN-W’12). 1--6.

[108]

Venkatanathan Varadarajan, Thomas Ristenpart, and Michael Swift. 2014. Scheduler-based defenses against cross-VM side-channels. In Proceeedings of the 23rd USENIX Security Symposium. 687--702.

Digital Library

[109]

Xin Wan, XinFang Zhang, Liang Chen, and JianXin Zhu. 2012. An improved vTPM migration protocol based trusted channel. In Proceeedings of the International Conference on Systems and Informatics. 870--875.

[110]

Bing Wang, Yao Zheng, Wenjing Lou, and Y Thomas Hou. 2015. DDoS attack protection in the era of cloud computing and software-defined networking. Comput. Netw. 81 (2015), 308--319.

Digital Library

[111]

Jiang Wang, Angelos Stavrou, and Anup Ghosh. 2010. Hypercheck: A hardware-assisted integrity monitor. In Recent Advances in Intrusion Detection. 158--177.

Digital Library

[112]

Wei Wang, Ya Zhang, Ben Lin, Xiaoxin Wu, and Kai Miao. 2010. Secured and reliable VM migration in personal cloud. In Proceeedings of the International Conference on Computer Engineering and Technology. 705--709.

[113]

Xiaoguang Wang, Yue-hua Dai, and Jianbao Ren. 2014. TrustOSV: Building trustworthy executing environment with commodity hardware for a safe cloud. Int. J. Grid High Perf. Comput. (IJGHPC’14) 9, 10 (2014), 2303--2314.

[114]

X. Wang and R. Karri. 2013. NumChecker: Detecting kernel control-flow modifying rootkits by using hardware performance counters. In Proceeedings of the 50th ACM/EDAC/IEEE Design Automation Conference. 1--7.

Digital Library

[115]

Ye Wang, Yueping Zhang, Vishal Singh, Cristian Lumezanu, and Guofei Jiang. 2013. NetFuse: Short-circuiting traffic surges in the cloud. In Proceeedings of the IEEE International Conference on Communications. 3514--3518.

[116]

Zhi Wang and Xuxian Jiang. 2010. Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In Proceeedings of the IEEE Symposium on Security and Privacy. 380--395.

Digital Library

[117]

Zhi Wang, Xuxian Jiang, Weidong Cui, and Peng Ning. 2009. Countering kernel rootkits with lightweight hook protection. In Proceeedings of the 16th ACM Conference on Computer and Communications Security. 545--554.

Digital Library

[118]

Zhi Wang, Chiachih Wu, Michael Grace, and Xuxian Jiang. 2012. Isolating commodity hosted hypervisors with hyperlock. In Proceeedings of the 7th ACM European Conference on Computer Systems. 127--140.

Digital Library

[119]

Ziqi Wang, Rui Yang, Xiao Fu, Xiaojiang Du, and Bin Luo. 2016. A shared memory based cross-VM side channel attacks in IaaS cloud. In Proceeedings of the IEEE Conference on Computer Communications Workshops. 181--186.

[120]

Jinpeng Wei, Xiaolan Zhang, Glenn Ammons, Vasanth Bala, and Peng Ning. 2009. Managing security of virtual machine images in a cloud environment. In Proceeedings of the ACM Workshop on Cloud Computing Security. 91--96.

Digital Library

[121]

Michael Weiß, Benedikt Heinz, and Frederic Stumpf. 2012. A cache timing attack on AES in virtualization environments. In Proceedings of the International Conference on Financial Cryptography and Data Security. 314--328.

[122]

Winai Wongthai, Francisco Rocha, and Aad Van Moorsel. 2013. Logging solutions to mitigate risks associated with threats in infrastructure as a service cloud. In Proceeedings of the International Conference on Cloud Computing and Big Data (CloudCom-Asia’13). 163--170.

Digital Library

[123]

Chiachih Wu, Zhi Wang, and Xuxian Jiang. 2013. Taming hosted hypervisors with (mostly) deprivileged execution. In Proceeedings of the 20th Network 8 Distributed System Security Symposium. 1--15.

[124]

JingZheng Wu, Liping Ding, Yongji Wang, and Wei Han. 2011. Identification and evaluation of sharing memory covert timing channel in Xen virtual machines. In Proceeedings of the IEEE International Conference on Cloud Computing (CLOUD’11). 283--291.

Digital Library

[125]

Jingzheng Wu, Liping Ding, Yanjun Wu, Nasro Min-Allah, Samee U Khan, and Yongji Wang. 2014. C2detector: A covert channel detection framework in cloud computing. Secur. Commun. Netw. 7, 3 (2014), 544--557.

Digital Library

[126]

Rui Wu, Ping Chen, Peng Liu, and Bing Mao. 2014. System call redirection: A practical approach to meeting real-world virtual machine introspection needs. In Proceeedings of the 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. 574--585.

Digital Library

[127]

Zhenyu Wu, Zhang Xu, and Haining Wang. 2012. Whispers in the hyper-space: High-speed covert channel attacks in the cloud. In Proceeedings of the USENIX Security Symposium. 159--173.

Digital Library

[128]

Yubin Xia, Yutao Liu, and Haibo Chen. 2013. Architecture support for guest-transparent VM protection from untrusted hypervisor and physical attacks. In Proceeedings of the 19th IEEE International Symposium on High Performance Computer Architecture. 246--257.

Digital Library

[129]

Yubin Xia, Yutao Liu, Haibo Chen, and Binyu Zang. 2012. Defending against vm rollback attack. In Proceeedings of the 42nd IEEE International Conference on Dependable Systems and Networks Workshops. 1--5.

[130]

Jidong Xiao, Zhang Xu, Hai Huang, and Haining Wang. 2012. A covert channel construction in a virtualized environment. In Proceeedings of the ACM Conference on Computer and Communications Security. 1040--1042.

Digital Library

[131]

Yuan Xiao, Xiaokuan Zhang, Yinqian Zhang, and Radu Teodorescu. 2016. One bit flips, one cloud flops: Cross-VM row hammer attacks and privilege escalation. In Proceeedings of the USENIX Security Symposium. 19--35.

Digital Library

[132]

Xi Xiong, Donghai Tian, and Peng Liu. 2011. Practical protection of kernel integrity for commodity OS from untrusted extensions. In Proceeedings of the Annual Network and Distributed System Security Symposium. 1--17.

[133]

Yunjing Xu, Michael Bailey, Farnam Jahanian, Kaustubh Joshi, Matti Hiltunen, and Richard Schlichting. 2011. An exploration of L2 cache covert channels in virtualized environments. In Proceeedings of the 3rd ACM Workshop on Cloud Computing Security Workshop. 29--40.

Digital Library

[134]

Yuval Yarom and Katrina Falkner. 2014. FLUSH+ RELOAD: A high resolution, low noise, L3 cache side-channel attack. In Proceeedings of the USENIX Security Symposium. 719--732.

Digital Library

[135]

Younis A. Younis, Kashif Kifayat, Qi Shi, and Bob Askwith. 2015. A new prime and probe cache side-channel attack for cloud computing. In Proceeedings of the IEEE International Conference on Computer and Information Technology (CIT’15). 1718--1724.

[136]

Cong Yu, Li Xin Li, Kui Wang, and Wen Tao Yu. 2013. Protecting the security and privacy of the virtual machine through privilege separation. In Applied Mechanics and Materials, Vol. 347. 2488--2494.

[137]

Zili Zha, Min Li, Wanyu Zang, Meng Yu, and Songqing Chen. 2015. AppGuard: A hardware virtualization based approach on protecting user applications from untrusted commodity operating system. In Proceeedings of the International Conference on Computing, Networking and Communications (ICNC’15). 685--689.

[138]

Fengzhe Zhang, Jin Chen, Haibo Chen, and Binyu Zang. 2011. CloudVisor: Retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization. In Proceeedings of the 23rd ACM Symposium on Operating Systems Principles. 203--216.

Digital Library

[139]

Yinqian Zhang, Ari Juels, Alina Oprea, and Michael K Reiter. 2011. Homealone: Co-residency detection in the cloud via side-channel analysis. In Proceeedings of the IEEE Symposium on Security and Privacy (SP’11). 313--328.

Digital Library

[140]

Yinqian Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. 2012. Cross-VM side channels and their use to extract private keys. In Proceeedings of the ACM Conference on Computer and Communications Security. 305--316.

Digital Library

[141]

Yulong Zhang, Wuqiong Pan, Qingpei Wang, Kun Bai, and Meng Yu. 2013. Hypebios: Enforcing vm isolation with minimized and decomposed cloud tcb. Technical Report, Virginia Commonwealth University (2013).

[142]

Wu Zhou, Peng Ning, Xiaolan Zhang, Glenn Ammons, Ruowen Wang, and Vasanth Bala. 2010. Always up-to-date: Scalable offline patching of vm images in a compute cloud. In Proceeedings of the 26th Annual Computer Security Applications Conference. 377--386.

Digital Library

[143]

Ziqiao Zhou, Michael K. Reiter, and Yinqian Zhang. 2016. A software approach to defeating side channels in last-level caches. In Proceeedings of the ACM Conference on Computer and Communications Security. 871--882.

Digital Library

[144]

Min Zhu, Bibo Tu, Wei Wei, and Dan Meng. 2017. HA-VMSI: A lightweight virtual machine isolation approach with commodity hardware for ARM. In Proceeedings of the 13th ACM International Conference on Virtual Execution Environments. 242--256.

Digital Library

[145]

Vincent J. Zimmer and Yasser Rasheed. 2011. Hypervisor runtime integrity support. US Patent 7,962,738.

Cited By

Chaudhari AGohil BRao U(2023)A review on cloud security issues and solutionsJournal of Computer Security10.3233/JCS-21014031:4(365-391)Online publication date: 1-Jan-2023
https://dl.acm.org/doi/10.3233/JCS-210140
Bringhenti DMarchetto GSisto RValenza F(2023)Automation for Network Security Configuration: State of the Art and Research TrendsACM Computing Surveys10.1145/361640156:3(1-37)Online publication date: 5-Oct-2023
https://dl.acm.org/doi/10.1145/3616401
Nhlabatsi AKhan KHong JKim DFernandez RFetais N(2023)Quantifying Satisfaction of Security Requirements of Cloud Software SystemsIEEE Transactions on Cloud Computing10.1109/TCC.2021.309777011:1(426-444)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TCC.2021.3097770
Show More Cited By

Index Terms

An Exhaustive Survey on Security Concerns and Solutions at Different Components of Virtualization

Recommendations

Virtualization Sparks Security Concerns

Virtualization is becoming increasingly popular because it helps organizations optimize their hardware utilization. However, the technology has raised numerous security concerns.
Architectural support for hypervisor-secure virtualization
ASPLOS '12

Virtualization has become a standard part of many computer systems. A key part of virtualization is the all-powerful hypervisor which manages the physical platform and can access all of its resources, including memory assigned to the guest virtual ...
Security Challenges of Virtualization in Cloud Computing
ICTCS '16: Proceedings of the Second International Conference on Information and Communication Technology for Competitive Strategies

Recent years have been advanced in cloud computing technology. Virtualization supports cloud computing to virtualize the resources to provide software-as-a-service, infrastructure-as-a-service and platform-as-a-service mainly. Many Virtual Machines are ...

Comments

Information & Contributors

Information

Published In

cover image ACM Computing Surveys

ACM Computing Surveys Volume 52, Issue 1

January 2020

758 pages

ISSN:0360-0300

EISSN:1557-7341

DOI:10.1145/3309872

Editor:
Sartaj Sahni
Department of Computer and Information Science and Engineering

Issue’s Table of Contents

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 February 2019

Accepted: 01 October 2018

Revised: 01 September 2018

Received: 01 July 2017

Published in CSUR Volume 52, Issue 1

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Survey
Research
Refereed

Funding Sources

Science and Engineering Research Board

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

21
Total Citations
View Citations
1,393
Total Downloads

Downloads (Last 12 months)90
Downloads (Last 6 weeks)4

Reflects downloads up to 26 Jul 2024

Other Metrics

View Author Metrics

Citations

Cited By

Chaudhari AGohil BRao U(2023)A review on cloud security issues and solutionsJournal of Computer Security10.3233/JCS-21014031:4(365-391)Online publication date: 1-Jan-2023
https://dl.acm.org/doi/10.3233/JCS-210140
Bringhenti DMarchetto GSisto RValenza F(2023)Automation for Network Security Configuration: State of the Art and Research TrendsACM Computing Surveys10.1145/361640156:3(1-37)Online publication date: 5-Oct-2023
https://dl.acm.org/doi/10.1145/3616401
Nhlabatsi AKhan KHong JKim DFernandez RFetais N(2023)Quantifying Satisfaction of Security Requirements of Cloud Software SystemsIEEE Transactions on Cloud Computing10.1109/TCC.2021.309777011:1(426-444)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TCC.2021.3097770
Gonçalves CAntunes NVieira M(2023)Intrusion Injection for Virtualized Systems: Concepts and Approach2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58367.2023.00047(417-430)Online publication date: Jul-2023
https://doi.org/10.1109/DSN58367.2023.00047
Velloso PMorales DNguyen TPujolle G(2023)BASICS: A Multi-Blockchain Approach for Securing VM Migration in Joint-Cloud Systems2023 IEEE 20th Consumer Communications & Networking Conference (CCNC)10.1109/CCNC51644.2023.10060260(523-528)Online publication date: 8-Jan-2023
https://doi.org/10.1109/CCNC51644.2023.10060260
Gonçalves CMenasché DAvritzer AAntunes NVieira M(2023)Detecting Anomalies Through Sequential Performance Analysis in Virtualized EnvironmentsIEEE Access10.1109/ACCESS.2023.329364311(70716-70740)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3293643
Gu JMa YZheng BWeng C(2022)Outlier: Enabling Effective Measurement of Hypervisor Code Integrity With Group DetectionIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2021.310490019:6(3686-3698)Online publication date: 1-Nov-2022
https://doi.org/10.1109/TDSC.2021.3104900
An SLeung AHong JEom TPark J(2022)Toward Automated Security Analysis and Enforcement for Cloud Computing Using Graphical Models for SecurityIEEE Access10.1109/ACCESS.2022.319054510(75117-75134)Online publication date: 2022
https://doi.org/10.1109/ACCESS.2022.3190545
Akello PBeebe NChoo K(2022)A literature survey of security issues in Cloud, Fog, and Edge IT infrastructureElectronic Commerce Research10.1007/s10660-022-09615-yOnline publication date: 18-Oct-2022
https://doi.org/10.1007/s10660-022-09615-y
Al Zoubi RMahfood BAbbas S(2022)Security Issues and Defenses in VirtualizationProceedings of International Conference on Information Technology and Applications10.1007/978-981-16-7618-5_52(605-617)Online publication date: 21-Apr-2022
https://doi.org/10.1007/978-981-16-7618-5_52
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Issue’s Table of Contents