SlideShare une entreprise Scribd logo
1  sur  6
Télécharger pour lire hors ligne
International Journal of Engineering Research and Development
eISSN : 2278-067X, pISSN : 2278-800X, www.ijerd.com
Volume 2, Issue 3 (July 2012), PP. 40-45

   Cutting-Edge Perspective of Security Analysis for Xen Virtual
                            Machines
                       Omkar Kulkarni, Niu Xinli, Pamu Kumar Swamy


Abstract––Virtualization and cloud computing is rapidly changing the enterprise landscape with enterprises and even
individual users opting for cloud based solutions. With the large number of benefits that it provides it also increases
security risk and needs immediate attention owing to its wide adoptability. We present in this paper an analysis of two
attacks on virtual machines which run on xen hypervisor concentrating on insider as well as outsider intruder. In xen,
pygrub is the commonly used bootloader for domU, but posses most of the security breaches. We present a DoS attack
that occurs due to the inherent behavior of pygrub. We also present another attack where it is possible to compromise
passwords of guest domain either through the control domains root user or through an external user that gains these root
privileges. We present some of the architectural pitfalls in xen that leads to these security breaches and suggest the
importance of utilizing stub-domains that separates the functionality of control domain (dom0) to make xen a more
secure hypervisor.

                                           I.          INTRODUCTION
          Enterprises today are increasingly inclined towards utilizing a dynamic IT infrastructure as enabled by Cloud
computing and Virtualization technology. Cloud computing enables enterprises to deploy and manage their services such as
enterprise applications, e-commerce, content delivering and web hosting at a minimal expense of actual resources utilized.
Thus, the enterprises data and services will be managed by some “trusted” corporation‟s data center.

           Virtualization is a key technology adopted for enabling cloud computing at data centers, where the applications or
services run inside virtual machines mapped onto physical servers. Multiple virtual machines can run on one physical server
depending on the need and resource utilizations of the applications. A software layer, virtual machine monitor (VMM)
provides a virtual hardware abstraction that reflects the underlying physical machine. In some architectures such as Xen[1]
there is an additional management domain that manages other virtual machines. Virtualization provides several advantages
such as performance isolation, security, and easy management of resources.

          Given the constant increase in the tendency of enterprises and individual users, offloading their data and
computing services to the data center for number of usage scenarios, security of user‟s sensitive data has emerged as a major
concern. The data present in data centers is beyond direct control of individual users and enterprises, is constantly under
attack from internal and external attacks. Either intended data access or accidentally employees of cloud providers can
malice user‟s sensitive data. External attacks such as Denial of services can cause service breakdowns for the enterprises
cloud hosting services. This fact of security threats have been well studied by researchers [6,7,4] and brings out the
significance of the need for improved security at these data centers.

           Taking a closer look at the virtual machines based architecture that enables these data center, a major question
arises around the trustworthiness of the VMM or the hypervisor together with the management domains if present. We can
identify two major security loopholes, first one being the dependence on the additional privileged domain for drivers for
physical devices and administrative tools which manages access controls along with the hypervisor but fails to manage
implicit information flows [4]. The second one which emerges as a subsidiary of this is the higher privileges that the user of
this domain enjoys leading to a potential internal threat. Also compromising this domain leads to the compromise of all the
VMs running on that physical system. This enforces the need for a better and secure architecture for the virtualized
architectural environments.

          In this paper, we first discuss xen‟s architecture and the role of management domain. We then showcase a typical
attack scenario that presents a potential for Denial of Service attack. We then discuss another approach to circumvent this
attack and in the following section we present need for stub domain based architecture.

                                         II.           RELATED WORK
           Virtualization technology and virtual machines provides numerous technical and cost advantages. But these
advantages doesn't come for free, it also brings some risks with it too. The work by Keisuke Okamura[4] shows a technique
to create load based covert channels between xen virtual machines. Here they use cpu load as covert channels. They have
developed CCCV, a system that creates a covert channel and communicates data secretly using CPU loads.The work by
Rafal Woitczuk[7] outlines the recent work by the author to design and develop a backdoor for machines running the Xen
hypervisor. An attacker can gain backdoor control over the host by overwriting xen code and datastructures. The work by
Ristenpart et al. [8] shows an attack that identifies whether a particular virtual machine is likely to reside on the same
physical server of a cloud infrastructure. It also demonstrates a side-channel attack that causes information leakage across

                                                             40
Cutting-Edge Perspective of Security Analysis for Xen Virtual Machines

virtual machines. These different attacks demonstrated in the above mentioned research work alleviate the security concerns.
In our work we present analysis of a denial of service (DoS) attack and other attack scenarios to demonstrate the need for
better security architecture for Xen.

          The work by Fengzhe Zhang et al[9] shows the design and working of cloudvisor, a retrofitting protection of
virtual machines in multi-tanent cloud with nested virtualization. This approach protects the privacy and integrity of
customers virtual machines on virtualized infrastructures. sHype [10] is a MAC-based security extension to Xen. sHype
enables administrators to apply various security policies to virtual machines running on an sHype-extended hypervisor. The
work by Jon Oberheide et al [11] describes the Empirical Exploitation of Live Virtual Machine Migration. They defined and
investigated three classes of threats to virtual machine migration: control plane, data plane, and migration module threats.
Then showed how a malicious party using these attack strategies can exploit the latest versions of the popular Xen and
VMware virtual machine monitors and presented a tool to automate the manipulation of a guest operating system‟s memory
during a live virtual machine migration. Patrick Colp et al [12] presented Xoar, a modified version of Xen that retrofit the
modularity and isolation principles used in xen. Xoar breaks the control domain into single purpose components and showed
numerous advantages of this componentization. With the study of these security architectures, in this paper we present our
thoughts for making xen less vulnerable.

                                        III.          XEN AT A GLANCE
           Xen, a virtual machine monitor(VMM) known as hypervisor too, is the basic abstraction layer of software which
directly sits on the hardware (i.e. bare-metal or type1 hypervisor) that lies below any operating system and allows execution
of multiple virtual guest operating systems simultaneously on a single physical machine.

          The architecture diagram is shown in figure1. Xen is responsible for CPU scheduling and memory partitioning of
various virtual machines running on hardware device. It also controls the execution of virtual machines as they share the
common processing environment.

3.1.Domain0(Dom0): Xen runs guests in environments known as domains, which encapsulate a complete running virtual
environment. When Xen boots, it does load a Domain0 (dom0) guest kernel. Domain 0 is the first guest to run, and has
elevated privileges. All Xen virtualization environments require Domain 0 to be running before any other virtual machines
can be started. Xen does not include any device drivers by itself, nor a user interface. These are all provided by the operating
system and userspace tools running in the dom0 guest. Domain 0 has special rights to access physical I/O resources as well
as it interact with the other virtual machines (Domain U: PV and HVM Guests) running on the system.




                                                  Figure 1: Xen architecture

3.2.DomainU(DomU): An unprivileged domain (domU) guest is more restricted. DomainU guests have no direct access to
physical hardware on the machine. Unlike dom0 guests, you can have an arbitrary number of domU guests on a single
machine, and they may be able to be migrated. Xen supports Para and full virtualization. All paravirtualized virtual machines
running on a Xen hypervisor are referred to as Domain U PV Guests and are modified Linux operating systems, Solaris,
FreeBSD, and other UNIX operating systems. All fully virtualized machines running on a Xen hypervisor are referred to as
Domain U HVM Guests and run standard Windows or any other unchanged operating system. The Domain U PV Guest
virtual machine is aware that it does not have direct access to the hardware and recognizes that other virtual machines are
running on the same machine. The Domain U HVM Guest virtual machine is not aware that it is sharing processing time on
the hardware and that other virtual machines are present. For each HVM a special daemon is started in domain0, Qemu-dm.
Qemu-dm supports the DomainU HVM Guest for networking and disk access requests.

                                                IV.           PYGRUB
          The bootloader most commonly used to boot domU is PyGrub or python grub. PyGrub is a part of xen-utils
package. DomU's boot configurations are specified in config file using kernel, ramdisk and some extra lines. PyGrub is the
alternate method which specifies a 'bootloader' line in config file and uses that to load a kernel from domU's filesystem.

                                                              41
Cutting-Edge Perspective of Security Analysis for Xen Virtual Machines

PyGrub enable us to start linux domUs with a kernel inside domU‟s filesystem instead of a kernel that lies in the filesystem
of dom0. This means easier management i.e. domU manages its own kernel and initrd. This enables easier kernel update
from domU or migration of HVMed linuxes.

          When we try to load/start a domU(PV Guest), a request is sent to domain loader from xen to load the required
domain. Domain loader runs pyGrub Utility. PyGrub itself runs in dom0 root privileges. It opens PV guest disk image and
reads grub menu.lst from disk. PyGrub copies the required kernel image and ramdisk image in /tmp i.e. dom0 filesystem and
closes the disk. The domain loader reads /tmp and loads particular kernel and domU get started. The architecture diagram is
shown as below in figure2.




                                                      Figure2: PyGrub


Problems with pygrub:
    1. PyGrub runs in root privileges of dom0. It reads the data directly provided by domU user. Such a dom0 root
        process that parses user-provided data is a potential security breach.
    2. pyGrub bootloader used to boot Xen para-virtualized guests did not have support for password command as
        supported by normal grub. If this option was used in grub.conf, it did not restrict users with access to para-
        virtualized guest's console from booting guest or changing kernel boot parameters without providing configured
        password. This could allow user with access to VMs console to get root privileges on the guest's operating
        system.[16]

     3.   pyGrub does not check the size of bzip2-compressed kernel. This can be a security breach and can be used as a
          DoS to guest PV domains
     4.   PyGrub (the version we use anyway) is unfortunately not a complete re-implementation of GRUB, so functionality
          such as the menu does not readily exist. It serves mainly to allow specification of the kernel, initial ramdisk and
          boot-time parameters.
     5.   It does not provide network boot functionality.


                            V.           DENIAL OF SERVICE ATTACK(DoS)
           A denial of service attack (DoS) is an incident in which a user is deprived of the service of resource they would
normally expect to have. Here we present a scenario that shows a DoS type attack on guest virtual machines hosted by an
hypervisor. Let a hypervisor is hosting n-domUs, say domain-A, domain-B and so on. Each domain is provided with its own
separate disk space. All domains are given equal weightage. Required resources are provided and VCPUs are mapped to core
CPU in fair scheduling policy. Let user of domain-A is an attacker/intruder. The pygrub i.e. pv bootloader [python
bootloader] doesn't check the size of a bzip2 or lzma compressed kernel image. Denial of service can be caused by padding a
large file at the end of the kernel image, which can be used by a malicious domU root i.e. by domain-A user. Attacker takes
advantage of this breach. What an attacker actually does is, he compiles a bzip2 compressed kernel, attaches a large file of
size approximately 10GB to kernel image and boots through the newly compiled kernel. To start this heavy kernel, most of
the resources are occupied by domain A denying rest of the domains from those resources for particular time till that domain
get booted. These resources are occupied by domain a till it gets started, then the resources are released. The attacker will
reboots the domain a in tolerant time interval so that resources are occupied by this domain a most of the time, denying other
domains to use those resources.




                                                             42
Cutting-Edge Perspective of Security Analysis for Xen Virtual Machines

                                     VI.            EVALUATION OF DoS
          The test environment platform was a single desktop machine with an Intel core2 duo processor and 4GB main
memory(RAM). The cloud infrastructure was emulated by xen 4.1-amd64 hypervisor. The management VM was dom0
running ubuntu server 11.10 with inbuilt xen enabled kernel 3.0.0-12-generic. We ran ubuntu 10.10 with kernel 2.6.35-22-
generic as domU.

           First to compress a kernel in bzip2 and to compile the bzip2 compressed kernel we downloaded a kernel which has
domU support. For our experiments we used Linux-3.1. We compiled this bzip2-compressed kernel in domU. Then we
padded a file of large size approximately of size 2GB(generated by dd from /dev/zero) to this compiled kernel image. After
trying for booting the system through this heavy kernel we got actual results. When we allocated 2GB memory to dom0 with
4.3GB swap space, the domU can't be started because of lack of memory. The system was busy in swapping but eventually
ran out of memory and swap space. See figures 3 and 4 for references.




                                              Figure3: system out of memory




                     Figure4: xen related processes occupy the cpus, and kswapd is busying swapping

         The most of the resources were occupied by this booting process to boot domU. It took nearly 10 minutes and
pygrub got crashed due to lack of memory, shown in figure5.




                                                  Figure5: PyGrub crashed

Then we allocated 4GB memory to dom0, now domU can be started but with a great cost, as shown in figure6.




                                       Figure6: domU boots successfully at great cost

          At the same time when the booting was going on we tried to use some resources from other domUs running but got
denied. If the domU with heavy kernel is rebooted in some xen tolerant interval, the most of the resources are occupied by
malicious domU all the time.

             VII.            CLERATEXT PASSWORDS IN MEMORY SNAPSHOTS
          In this section we are going to discuss a problem of a malicious insider in a cloud which is based on Infrastructure
as a service(IaaS) model. The service availing user mostly trusts the service provider for the storage and safety of his data.
The attack demonstrated below shows that how a malicious insider can steal confidential data of a cloud user. Thus,
concluding that how unwise it is to trust a cloud service provider mostly for safety of stored data.

           [15]What an intruder does is, he just simply issues a dump-core command, which is a part of xen management(xm)
user interface. By issuing this command on a target VM, malicious insider takes a snapshot/dump of a target VM. The dump-
core command performs a dump of the memory region reserved to the targeted VM. The attacker only needs to identify the
VM in the command. In our case, to confirm the presence of passwords in the dump file, we used the cat command to send
the dump into the standard output that was redirected to the strings and grep commands in order to locate the known
password. See the figures, 7,8 and 9 for more details.




                                                             43
Cutting-Edge Perspective of Security Analysis for Xen Virtual Machines




                                                      Figure7: xm list


                                              Figure8: dump-core command




                                  Figure9: Analyzing the dump for presence of password

 VIII.        THE ANALYSIS AND SOLUTION PHILOSOPHY FOR DoS AND PASSWORD
                                STEALING ATTACK
          An in depth analysis for finding the root cause of the DoS attack and the determining of passwords in memory
dump and other similar attacks demonstrated is the inappropriate architecture of the control domain i.e. the dom0 in security
point of view. This control VM enjoys highly elevated priveldges and is responsible for all major tasks including the booting
of VM, enabling the transfer of network data, disk access, migration of VM etc. This poses us with an important question, is
this domain worth of these highly elevated privileges? From the functional working of Xen architecture point of view, this
domain actually requires such high privileges. If this is required then how do we solve the root cause for the security
breaches presented? Let us first analyze a possible solution for the DoS attack.

Pv-Grub:
PV-GRUB is a real GRUB source code recompiled against Mini-OS, and works more like a usual, full fledged bootloader so
overcoming the drawbacks of pygrub, which is not a usual bootloader. In PV domU it is just required to provide a path to
PV-GRUB kernel in configuration file. PV-GRUB replaces PyGrub to boot domU image safely. It runs regular grub inside
created domain itself and uses regular domU facilities to read the disk, so it reduces the overload of tasks of dom0. It can
fetch from network too i.e. provide network boot facility. It reads domU disk and network interface of domain and access
menu.lst of PV guest. Then uses the regular PV console to show grub menu and loads the required kernel image. The actual
architecture and working of PV-GRUB is shown in figure10 below.




                                                   Figure10: PV-Grub
pv-grub lies in philosophy with breaking the control VM into parts[12]. The functionality of dom0 is broken into different
stub-domains those run as normal domains on xen hypervisor. This breaking is useful in management as well as security
point of view.

          Looking at the password attack, there is no necessity of allowing dom0 a full control of guest domain. Activities
such as guest OS dump must not be allowed at all from dom0. If at all required for all such tasks like taking memory dumps
etc. must be delegated to a new VM that is executed only on active involvement of Enterprises or user whose data lies on the
cloud.



                                                            44
Cutting-Edge Perspective of Security Analysis for Xen Virtual Machines

          Thus breaking up the functionality of control VM can reduce the security risks. To break a management
domain(dom0), we need to define the classes of interaction where dom0 is required for domU and this can be used as a basis
for breaking.

                                              IX.             CONCLUSION
          The Cloud computing and virtualization is a most promising paradigm with acceptance worldwide. The paper
focused on the malicious insider as well as outsider threat. We also discussed the detailed analysis of these threats and a
philosophical solution for these attacks. The Py-grub is responsible for DoS based attack. The dom0 is provided with all
privileges and is responsible for all important tasks. To avoid internal threats, the stub-domains concept must be
implemented and dom0 should not have the privileges alone like taking a dump of guest domU.

                                                        REFERENCES
  [1].    Paul Rarham, Boris Dragovic, Keir Fraser, „Xen and the Art of Virtualization‟, ACM2003
  [2].    Reiner Sailer, Enriquillo Valdez, Trent Jaeger, „sHype: Secure Hypervisor Approach to Trusted Virtualized Systems‟, IBM
          Research Report, February 2, 2005
  [3].    Flavio Lombardi, Roberto Di Pietro, „KvmSec: A Security Extension for Linux Kernel Virtual Machines‟, ACM 2009
  [4].    Keisuke Okamaura, Yoshihiro Oyama, „Load based Covert Channels between Xen Virtual Machines‟, ACM 2010
  [5].    David Chisnall, „The Definitive Guide to the Xen Hypervisor‟, Prentice Hall Publications, 2008
  [6].    Understanding Cloud Computing Vulnerabilities, Article in 2011 IEEE journal
  [7].    Rafal Wojtczuk, „Subverting the Xen hypervisor‟, Black Hat USA 2008
  [8].    T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-
          Party Compute Clouds. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS 2009),
          2009.
  [9].    Fengzhe Zhang, Jin Chen, Haibo Chen and Binyu Zang, „Cloudvisor: Retrofitting Protection of Virtual Machines in Multi-tanent
          cloud with nested Virtualization‟
  [10].   R. Sailer, T. Jaeger, E. Valdez, R. C´aceres, R. Perez,S. Berger, J. L. Griffin, and L. van Doorn. Building a MAC-based Security
          Architecture for the Xen Opensource Hypervisor. In Proceedings of the 21st Annual Computer Security Applications Conference,
          pages 276–285, 2005.
  [11].   Jon Oberheide, Evan Cooke, Farnam Jahanian, „Empirical Exploitation of Live Virtual Machine Migration‟, ACM
  [12].   Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, „Breaking Up is Hard to Do: Security and Functionality in a Commodity
          Hypervisor‟, SOSP ’11, October 23-26, 2011, Cascais, Portugal. ACM 2011
  [13].   Xen 4.1, http://bits.xensource.com/oss-xen/release/4.1.0/xen-4.1.0.tar.gz
  [14].   VMware Workstation. http://www.vmware.com/products/ws/
  [15].   Francisco Rocha, Miguel Correia, 'Lucy In The Sky without diamonds: Stealing confidential data in the cloud'
  [16].   www.google.co.in
  [17].   https://bugzilla.redhat.com/show_bug.cgi?id=525740




                                                                  45

Contenu connexe

Tendances

ConsoleWorks ITFM for VMware
ConsoleWorks ITFM for VMwareConsoleWorks ITFM for VMware
ConsoleWorks ITFM for VMwareTvkearns
 
MS Cloud day - Understanding and implementation on Windows Azure platform sec...
MS Cloud day - Understanding and implementation on Windows Azure platform sec...MS Cloud day - Understanding and implementation on Windows Azure platform sec...
MS Cloud day - Understanding and implementation on Windows Azure platform sec...Spiffy
 
CS8791 Cloud Computing - Question Bank
CS8791 Cloud Computing - Question BankCS8791 Cloud Computing - Question Bank
CS8791 Cloud Computing - Question Bankpkaviya
 
Tolly report: Trend Micro Deep Security 7.5 vs. McAfee and Symantec
Tolly report: Trend Micro Deep Security 7.5 vs. McAfee and SymantecTolly report: Trend Micro Deep Security 7.5 vs. McAfee and Symantec
Tolly report: Trend Micro Deep Security 7.5 vs. McAfee and SymantecUNIT4 IT Solutions
 
IRJET-Virtualization Technique for Effective Resource Utilization and Dedicat...
IRJET-Virtualization Technique for Effective Resource Utilization and Dedicat...IRJET-Virtualization Technique for Effective Resource Utilization and Dedicat...
IRJET-Virtualization Technique for Effective Resource Utilization and Dedicat...IRJET Journal
 
The Design of Convoluted Kernel Architectural Framework for Trusted Systems –...
The Design of Convoluted Kernel Architectural Framework for Trusted Systems –...The Design of Convoluted Kernel Architectural Framework for Trusted Systems –...
The Design of Convoluted Kernel Architectural Framework for Trusted Systems –...rahulmonikasharma
 
Remote Access Outgoing VDI Gateway
Remote Access Outgoing VDI GatewayRemote Access Outgoing VDI Gateway
Remote Access Outgoing VDI GatewayObserveIT
 
SECURITY APPREHENSIONS IN DIFFERENT REGIONS OF CLOUD CAPTIOUS GROUNDS
SECURITY APPREHENSIONS IN DIFFERENT REGIONS OF CLOUD CAPTIOUS GROUNDSSECURITY APPREHENSIONS IN DIFFERENT REGIONS OF CLOUD CAPTIOUS GROUNDS
SECURITY APPREHENSIONS IN DIFFERENT REGIONS OF CLOUD CAPTIOUS GROUNDSIJNSA Journal
 
Imp (distributed vmm)
Imp (distributed vmm)Imp (distributed vmm)
Imp (distributed vmm)Punit Gupta
 
Security and Privacy of Sensitive Data in Cloud Computing : A Survey of Recen...
Security and Privacy of Sensitive Data in Cloud Computing : A Survey of Recen...Security and Privacy of Sensitive Data in Cloud Computing : A Survey of Recen...
Security and Privacy of Sensitive Data in Cloud Computing : A Survey of Recen...csandit
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
Ece seminar 20070927
Ece seminar 20070927Ece seminar 20070927
Ece seminar 20070927Todd Deshane
 

Tendances (16)

ConsoleWorks ITFM for VMware
ConsoleWorks ITFM for VMwareConsoleWorks ITFM for VMware
ConsoleWorks ITFM for VMware
 
MS Cloud day - Understanding and implementation on Windows Azure platform sec...
MS Cloud day - Understanding and implementation on Windows Azure platform sec...MS Cloud day - Understanding and implementation on Windows Azure platform sec...
MS Cloud day - Understanding and implementation on Windows Azure platform sec...
 
Dz25764770
Dz25764770Dz25764770
Dz25764770
 
CS8791 Cloud Computing - Question Bank
CS8791 Cloud Computing - Question BankCS8791 Cloud Computing - Question Bank
CS8791 Cloud Computing - Question Bank
 
Tolly report: Trend Micro Deep Security 7.5 vs. McAfee and Symantec
Tolly report: Trend Micro Deep Security 7.5 vs. McAfee and SymantecTolly report: Trend Micro Deep Security 7.5 vs. McAfee and Symantec
Tolly report: Trend Micro Deep Security 7.5 vs. McAfee and Symantec
 
IRJET-Virtualization Technique for Effective Resource Utilization and Dedicat...
IRJET-Virtualization Technique for Effective Resource Utilization and Dedicat...IRJET-Virtualization Technique for Effective Resource Utilization and Dedicat...
IRJET-Virtualization Technique for Effective Resource Utilization and Dedicat...
 
Sattt
SatttSattt
Sattt
 
The Design of Convoluted Kernel Architectural Framework for Trusted Systems –...
The Design of Convoluted Kernel Architectural Framework for Trusted Systems –...The Design of Convoluted Kernel Architectural Framework for Trusted Systems –...
The Design of Convoluted Kernel Architectural Framework for Trusted Systems –...
 
Remote Access Outgoing VDI Gateway
Remote Access Outgoing VDI GatewayRemote Access Outgoing VDI Gateway
Remote Access Outgoing VDI Gateway
 
SECURITY APPREHENSIONS IN DIFFERENT REGIONS OF CLOUD CAPTIOUS GROUNDS
SECURITY APPREHENSIONS IN DIFFERENT REGIONS OF CLOUD CAPTIOUS GROUNDSSECURITY APPREHENSIONS IN DIFFERENT REGIONS OF CLOUD CAPTIOUS GROUNDS
SECURITY APPREHENSIONS IN DIFFERENT REGIONS OF CLOUD CAPTIOUS GROUNDS
 
666 670
666 670666 670
666 670
 
Imp (distributed vmm)
Imp (distributed vmm)Imp (distributed vmm)
Imp (distributed vmm)
 
Security and Privacy of Sensitive Data in Cloud Computing : A Survey of Recen...
Security and Privacy of Sensitive Data in Cloud Computing : A Survey of Recen...Security and Privacy of Sensitive Data in Cloud Computing : A Survey of Recen...
Security and Privacy of Sensitive Data in Cloud Computing : A Survey of Recen...
 
SP1_Battlecard
SP1_BattlecardSP1_Battlecard
SP1_Battlecard
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
Ece seminar 20070927
Ece seminar 20070927Ece seminar 20070927
Ece seminar 20070927
 

En vedette

IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD Editor
 
MEMS MICROPHONE INTERFACE
MEMS MICROPHONE INTERFACEMEMS MICROPHONE INTERFACE
MEMS MICROPHONE INTERFACEIJERD Editor
 
Reducing Corrosion Rate by Welding Design
Reducing Corrosion Rate by Welding DesignReducing Corrosion Rate by Welding Design
Reducing Corrosion Rate by Welding DesignIJERD Editor
 
Gold prospecting using Remote Sensing ‘A case study of Sudan’
Gold prospecting using Remote Sensing ‘A case study of Sudan’Gold prospecting using Remote Sensing ‘A case study of Sudan’
Gold prospecting using Remote Sensing ‘A case study of Sudan’IJERD Editor
 
Active Power Exchange in Distributed Power-Flow Controller (DPFC) At Third Ha...
Active Power Exchange in Distributed Power-Flow Controller (DPFC) At Third Ha...Active Power Exchange in Distributed Power-Flow Controller (DPFC) At Third Ha...
Active Power Exchange in Distributed Power-Flow Controller (DPFC) At Third Ha...IJERD Editor
 
Router 1X3 – RTL Design and Verification
Router 1X3 – RTL Design and VerificationRouter 1X3 – RTL Design and Verification
Router 1X3 – RTL Design and VerificationIJERD Editor
 
A Novel Method for Prevention of Bandwidth Distributed Denial of Service Attacks
A Novel Method for Prevention of Bandwidth Distributed Denial of Service AttacksA Novel Method for Prevention of Bandwidth Distributed Denial of Service Attacks
A Novel Method for Prevention of Bandwidth Distributed Denial of Service AttacksIJERD Editor
 
Influence of tensile behaviour of slab on the structural Behaviour of shear c...
Influence of tensile behaviour of slab on the structural Behaviour of shear c...Influence of tensile behaviour of slab on the structural Behaviour of shear c...
Influence of tensile behaviour of slab on the structural Behaviour of shear c...IJERD Editor
 

En vedette (9)

www.ijerd.com
www.ijerd.comwww.ijerd.com
www.ijerd.com
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
 
MEMS MICROPHONE INTERFACE
MEMS MICROPHONE INTERFACEMEMS MICROPHONE INTERFACE
MEMS MICROPHONE INTERFACE
 
Reducing Corrosion Rate by Welding Design
Reducing Corrosion Rate by Welding DesignReducing Corrosion Rate by Welding Design
Reducing Corrosion Rate by Welding Design
 
Gold prospecting using Remote Sensing ‘A case study of Sudan’
Gold prospecting using Remote Sensing ‘A case study of Sudan’Gold prospecting using Remote Sensing ‘A case study of Sudan’
Gold prospecting using Remote Sensing ‘A case study of Sudan’
 
Active Power Exchange in Distributed Power-Flow Controller (DPFC) At Third Ha...
Active Power Exchange in Distributed Power-Flow Controller (DPFC) At Third Ha...Active Power Exchange in Distributed Power-Flow Controller (DPFC) At Third Ha...
Active Power Exchange in Distributed Power-Flow Controller (DPFC) At Third Ha...
 
Router 1X3 – RTL Design and Verification
Router 1X3 – RTL Design and VerificationRouter 1X3 – RTL Design and Verification
Router 1X3 – RTL Design and Verification
 
A Novel Method for Prevention of Bandwidth Distributed Denial of Service Attacks
A Novel Method for Prevention of Bandwidth Distributed Denial of Service AttacksA Novel Method for Prevention of Bandwidth Distributed Denial of Service Attacks
A Novel Method for Prevention of Bandwidth Distributed Denial of Service Attacks
 
Influence of tensile behaviour of slab on the structural Behaviour of shear c...
Influence of tensile behaviour of slab on the structural Behaviour of shear c...Influence of tensile behaviour of slab on the structural Behaviour of shear c...
Influence of tensile behaviour of slab on the structural Behaviour of shear c...
 

Similaire à IJERD (www.ijerd.com) International Journal of Engineering Research and Development

Cloud Computing Hypervisors and Comparison Xen KVM
Cloud Computing Hypervisors and Comparison Xen KVM Cloud Computing Hypervisors and Comparison Xen KVM
Cloud Computing Hypervisors and Comparison Xen KVM cloudresearcher
 
Migration of Virtual Machine to improve the Security in Cloud Computing
Migration of Virtual Machine to improve the Security in Cloud Computing Migration of Virtual Machine to improve the Security in Cloud Computing
Migration of Virtual Machine to improve the Security in Cloud Computing IJECEIAES
 
Virtualization for Cloud Environment
Virtualization for Cloud EnvironmentVirtualization for Cloud Environment
Virtualization for Cloud EnvironmentDr. Sunil Kr. Pandey
 
Risk Analysis and Mitigation in Virtualized Environments
Risk Analysis and Mitigation in Virtualized EnvironmentsRisk Analysis and Mitigation in Virtualized Environments
Risk Analysis and Mitigation in Virtualized EnvironmentsSiddharth Coontoor
 
IRJET- A Survey on Virtualization and Attacks on Virtual Machine Monitor (VMM)
IRJET- A Survey on Virtualization and Attacks on Virtual Machine Monitor (VMM)IRJET- A Survey on Virtualization and Attacks on Virtual Machine Monitor (VMM)
IRJET- A Survey on Virtualization and Attacks on Virtual Machine Monitor (VMM)IRJET Journal
 
APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...
APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...
APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...Neha417639
 
Server Virtualization Architecture and Implementation
Server Virtualization Architecture and ImplementationServer Virtualization Architecture and Implementation
Server Virtualization Architecture and ImplementationLockheed Martin
 
An Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud ResourcesAn Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud ResourcesNiranjana Padmanabhan
 
VIRTUAL MACHINES AND NETWORKS – INSTALLATION, PERFORMANCE, STUDY, ADVANTAGES ...
VIRTUAL MACHINES AND NETWORKS – INSTALLATION, PERFORMANCE, STUDY, ADVANTAGES ...VIRTUAL MACHINES AND NETWORKS – INSTALLATION, PERFORMANCE, STUDY, ADVANTAGES ...
VIRTUAL MACHINES AND NETWORKS – INSTALLATION, PERFORMANCE, STUDY, ADVANTAGES ...IJNSA Journal
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
 
Cloud models and platforms
Cloud models and platformsCloud models and platforms
Cloud models and platformsPrabhat gangwar
 
Protecting Dynamic Datacenters From the Latest Threats
Protecting Dynamic Datacenters From the Latest ThreatsProtecting Dynamic Datacenters From the Latest Threats
Protecting Dynamic Datacenters From the Latest Threatswhite paper
 
SECURITY AND PRIVACY OF SENSITIVE DATA IN CLOUD COMPUTING: A SURVEY OF RECENT...
SECURITY AND PRIVACY OF SENSITIVE DATA IN CLOUD COMPUTING: A SURVEY OF RECENT...SECURITY AND PRIVACY OF SENSITIVE DATA IN CLOUD COMPUTING: A SURVEY OF RECENT...
SECURITY AND PRIVACY OF SENSITIVE DATA IN CLOUD COMPUTING: A SURVEY OF RECENT...cscpconf
 
Advantages And Disadvantages Of Software Virtualization (DHL)
Advantages And Disadvantages Of Software Virtualization (DHL)Advantages And Disadvantages Of Software Virtualization (DHL)
Advantages And Disadvantages Of Software Virtualization (DHL)Jenny Alexander
 

Similaire à IJERD (www.ijerd.com) International Journal of Engineering Research and Development (20)

Cloud Computing Hypervisors and Comparison Xen KVM
Cloud Computing Hypervisors and Comparison Xen KVM Cloud Computing Hypervisors and Comparison Xen KVM
Cloud Computing Hypervisors and Comparison Xen KVM
 
Migration of Virtual Machine to improve the Security in Cloud Computing
Migration of Virtual Machine to improve the Security in Cloud Computing Migration of Virtual Machine to improve the Security in Cloud Computing
Migration of Virtual Machine to improve the Security in Cloud Computing
 
Virtualization for Cloud Environment
Virtualization for Cloud EnvironmentVirtualization for Cloud Environment
Virtualization for Cloud Environment
 
Risk Analysis and Mitigation in Virtualized Environments
Risk Analysis and Mitigation in Virtualized EnvironmentsRisk Analysis and Mitigation in Virtualized Environments
Risk Analysis and Mitigation in Virtualized Environments
 
IRJET- A Survey on Virtualization and Attacks on Virtual Machine Monitor (VMM)
IRJET- A Survey on Virtualization and Attacks on Virtual Machine Monitor (VMM)IRJET- A Survey on Virtualization and Attacks on Virtual Machine Monitor (VMM)
IRJET- A Survey on Virtualization and Attacks on Virtual Machine Monitor (VMM)
 
APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...
APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...
APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...
 
Dz25764770
Dz25764770Dz25764770
Dz25764770
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Parth virt
Parth virtParth virt
Parth virt
 
Server Virtualization Architecture and Implementation
Server Virtualization Architecture and ImplementationServer Virtualization Architecture and Implementation
Server Virtualization Architecture and Implementation
 
An Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud ResourcesAn Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud Resources
 
Unit 2
Unit 2Unit 2
Unit 2
 
VIRTUAL MACHINES AND NETWORKS – INSTALLATION, PERFORMANCE, STUDY, ADVANTAGES ...
VIRTUAL MACHINES AND NETWORKS – INSTALLATION, PERFORMANCE, STUDY, ADVANTAGES ...VIRTUAL MACHINES AND NETWORKS – INSTALLATION, PERFORMANCE, STUDY, ADVANTAGES ...
VIRTUAL MACHINES AND NETWORKS – INSTALLATION, PERFORMANCE, STUDY, ADVANTAGES ...
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
 
Cloud models and platforms
Cloud models and platformsCloud models and platforms
Cloud models and platforms
 
Virtualization - cloud computing
Virtualization - cloud computingVirtualization - cloud computing
Virtualization - cloud computing
 
Protecting Dynamic Datacenters From the Latest Threats
Protecting Dynamic Datacenters From the Latest ThreatsProtecting Dynamic Datacenters From the Latest Threats
Protecting Dynamic Datacenters From the Latest Threats
 
SECURITY AND PRIVACY OF SENSITIVE DATA IN CLOUD COMPUTING: A SURVEY OF RECENT...
SECURITY AND PRIVACY OF SENSITIVE DATA IN CLOUD COMPUTING: A SURVEY OF RECENT...SECURITY AND PRIVACY OF SENSITIVE DATA IN CLOUD COMPUTING: A SURVEY OF RECENT...
SECURITY AND PRIVACY OF SENSITIVE DATA IN CLOUD COMPUTING: A SURVEY OF RECENT...
 
Virtual machine security
Virtual machine securityVirtual machine security
Virtual machine security
 
Advantages And Disadvantages Of Software Virtualization (DHL)
Advantages And Disadvantages Of Software Virtualization (DHL)Advantages And Disadvantages Of Software Virtualization (DHL)
Advantages And Disadvantages Of Software Virtualization (DHL)
 

Plus de IJERD Editor

Mitigation of Voltage Sag/Swell with Fuzzy Control Reduced Rating DVR
Mitigation of Voltage Sag/Swell with Fuzzy Control Reduced Rating DVRMitigation of Voltage Sag/Swell with Fuzzy Control Reduced Rating DVR
Mitigation of Voltage Sag/Swell with Fuzzy Control Reduced Rating DVRIJERD Editor
 
Study on the Fused Deposition Modelling In Additive Manufacturing
Study on the Fused Deposition Modelling In Additive ManufacturingStudy on the Fused Deposition Modelling In Additive Manufacturing
Study on the Fused Deposition Modelling In Additive ManufacturingIJERD Editor
 
Spyware triggering system by particular string value
Spyware triggering system by particular string valueSpyware triggering system by particular string value
Spyware triggering system by particular string valueIJERD Editor
 
A Blind Steganalysis on JPEG Gray Level Image Based on Statistical Features a...
A Blind Steganalysis on JPEG Gray Level Image Based on Statistical Features a...A Blind Steganalysis on JPEG Gray Level Image Based on Statistical Features a...
A Blind Steganalysis on JPEG Gray Level Image Based on Statistical Features a...IJERD Editor
 
Secure Image Transmission for Cloud Storage System Using Hybrid Scheme
Secure Image Transmission for Cloud Storage System Using Hybrid SchemeSecure Image Transmission for Cloud Storage System Using Hybrid Scheme
Secure Image Transmission for Cloud Storage System Using Hybrid SchemeIJERD Editor
 
Application of Buckley-Leverett Equation in Modeling the Radius of Invasion i...
Application of Buckley-Leverett Equation in Modeling the Radius of Invasion i...Application of Buckley-Leverett Equation in Modeling the Radius of Invasion i...
Application of Buckley-Leverett Equation in Modeling the Radius of Invasion i...IJERD Editor
 
Gesture Gaming on the World Wide Web Using an Ordinary Web Camera
Gesture Gaming on the World Wide Web Using an Ordinary Web CameraGesture Gaming on the World Wide Web Using an Ordinary Web Camera
Gesture Gaming on the World Wide Web Using an Ordinary Web CameraIJERD Editor
 
Hardware Analysis of Resonant Frequency Converter Using Isolated Circuits And...
Hardware Analysis of Resonant Frequency Converter Using Isolated Circuits And...Hardware Analysis of Resonant Frequency Converter Using Isolated Circuits And...
Hardware Analysis of Resonant Frequency Converter Using Isolated Circuits And...IJERD Editor
 
Simulated Analysis of Resonant Frequency Converter Using Different Tank Circu...
Simulated Analysis of Resonant Frequency Converter Using Different Tank Circu...Simulated Analysis of Resonant Frequency Converter Using Different Tank Circu...
Simulated Analysis of Resonant Frequency Converter Using Different Tank Circu...IJERD Editor
 
Moon-bounce: A Boon for VHF Dxing
Moon-bounce: A Boon for VHF DxingMoon-bounce: A Boon for VHF Dxing
Moon-bounce: A Boon for VHF DxingIJERD Editor
 
“MS-Extractor: An Innovative Approach to Extract Microsatellites on „Y‟ Chrom...
“MS-Extractor: An Innovative Approach to Extract Microsatellites on „Y‟ Chrom...“MS-Extractor: An Innovative Approach to Extract Microsatellites on „Y‟ Chrom...
“MS-Extractor: An Innovative Approach to Extract Microsatellites on „Y‟ Chrom...IJERD Editor
 
Importance of Measurements in Smart Grid
Importance of Measurements in Smart GridImportance of Measurements in Smart Grid
Importance of Measurements in Smart GridIJERD Editor
 
Study of Macro level Properties of SCC using GGBS and Lime stone powder
Study of Macro level Properties of SCC using GGBS and Lime stone powderStudy of Macro level Properties of SCC using GGBS and Lime stone powder
Study of Macro level Properties of SCC using GGBS and Lime stone powderIJERD Editor
 
Seismic Drift Consideration in soft storied RCC buildings: A Critical Review
Seismic Drift Consideration in soft storied RCC buildings: A Critical ReviewSeismic Drift Consideration in soft storied RCC buildings: A Critical Review
Seismic Drift Consideration in soft storied RCC buildings: A Critical ReviewIJERD Editor
 
Post processing of SLM Ti-6Al-4V Alloy in accordance with AMS 4928 standards
Post processing of SLM Ti-6Al-4V Alloy in accordance with AMS 4928 standardsPost processing of SLM Ti-6Al-4V Alloy in accordance with AMS 4928 standards
Post processing of SLM Ti-6Al-4V Alloy in accordance with AMS 4928 standardsIJERD Editor
 
Treatment of Waste Water from Organic Fraction Incineration of Municipal Soli...
Treatment of Waste Water from Organic Fraction Incineration of Municipal Soli...Treatment of Waste Water from Organic Fraction Incineration of Municipal Soli...
Treatment of Waste Water from Organic Fraction Incineration of Municipal Soli...IJERD Editor
 
Content Based Video Retrieval Using Integrated Feature Extraction and Persona...
Content Based Video Retrieval Using Integrated Feature Extraction and Persona...Content Based Video Retrieval Using Integrated Feature Extraction and Persona...
Content Based Video Retrieval Using Integrated Feature Extraction and Persona...IJERD Editor
 
Planar Internal Antenna Design for Cellular Applications & SAR Analysis
Planar Internal Antenna Design for Cellular Applications & SAR AnalysisPlanar Internal Antenna Design for Cellular Applications & SAR Analysis
Planar Internal Antenna Design for Cellular Applications & SAR AnalysisIJERD Editor
 
Intelligent learning management system starters
Intelligent learning management system startersIntelligent learning management system starters
Intelligent learning management system startersIJERD Editor
 
Joint State and Parameter Estimation by Extended Kalman Filter (EKF) technique
Joint State and Parameter Estimation by Extended Kalman Filter (EKF) techniqueJoint State and Parameter Estimation by Extended Kalman Filter (EKF) technique
Joint State and Parameter Estimation by Extended Kalman Filter (EKF) techniqueIJERD Editor
 

Plus de IJERD Editor (20)

Mitigation of Voltage Sag/Swell with Fuzzy Control Reduced Rating DVR
Mitigation of Voltage Sag/Swell with Fuzzy Control Reduced Rating DVRMitigation of Voltage Sag/Swell with Fuzzy Control Reduced Rating DVR
Mitigation of Voltage Sag/Swell with Fuzzy Control Reduced Rating DVR
 
Study on the Fused Deposition Modelling In Additive Manufacturing
Study on the Fused Deposition Modelling In Additive ManufacturingStudy on the Fused Deposition Modelling In Additive Manufacturing
Study on the Fused Deposition Modelling In Additive Manufacturing
 
Spyware triggering system by particular string value
Spyware triggering system by particular string valueSpyware triggering system by particular string value
Spyware triggering system by particular string value
 
A Blind Steganalysis on JPEG Gray Level Image Based on Statistical Features a...
A Blind Steganalysis on JPEG Gray Level Image Based on Statistical Features a...A Blind Steganalysis on JPEG Gray Level Image Based on Statistical Features a...
A Blind Steganalysis on JPEG Gray Level Image Based on Statistical Features a...
 
Secure Image Transmission for Cloud Storage System Using Hybrid Scheme
Secure Image Transmission for Cloud Storage System Using Hybrid SchemeSecure Image Transmission for Cloud Storage System Using Hybrid Scheme
Secure Image Transmission for Cloud Storage System Using Hybrid Scheme
 
Application of Buckley-Leverett Equation in Modeling the Radius of Invasion i...
Application of Buckley-Leverett Equation in Modeling the Radius of Invasion i...Application of Buckley-Leverett Equation in Modeling the Radius of Invasion i...
Application of Buckley-Leverett Equation in Modeling the Radius of Invasion i...
 
Gesture Gaming on the World Wide Web Using an Ordinary Web Camera
Gesture Gaming on the World Wide Web Using an Ordinary Web CameraGesture Gaming on the World Wide Web Using an Ordinary Web Camera
Gesture Gaming on the World Wide Web Using an Ordinary Web Camera
 
Hardware Analysis of Resonant Frequency Converter Using Isolated Circuits And...
Hardware Analysis of Resonant Frequency Converter Using Isolated Circuits And...Hardware Analysis of Resonant Frequency Converter Using Isolated Circuits And...
Hardware Analysis of Resonant Frequency Converter Using Isolated Circuits And...
 
Simulated Analysis of Resonant Frequency Converter Using Different Tank Circu...
Simulated Analysis of Resonant Frequency Converter Using Different Tank Circu...Simulated Analysis of Resonant Frequency Converter Using Different Tank Circu...
Simulated Analysis of Resonant Frequency Converter Using Different Tank Circu...
 
Moon-bounce: A Boon for VHF Dxing
Moon-bounce: A Boon for VHF DxingMoon-bounce: A Boon for VHF Dxing
Moon-bounce: A Boon for VHF Dxing
 
“MS-Extractor: An Innovative Approach to Extract Microsatellites on „Y‟ Chrom...
“MS-Extractor: An Innovative Approach to Extract Microsatellites on „Y‟ Chrom...“MS-Extractor: An Innovative Approach to Extract Microsatellites on „Y‟ Chrom...
“MS-Extractor: An Innovative Approach to Extract Microsatellites on „Y‟ Chrom...
 
Importance of Measurements in Smart Grid
Importance of Measurements in Smart GridImportance of Measurements in Smart Grid
Importance of Measurements in Smart Grid
 
Study of Macro level Properties of SCC using GGBS and Lime stone powder
Study of Macro level Properties of SCC using GGBS and Lime stone powderStudy of Macro level Properties of SCC using GGBS and Lime stone powder
Study of Macro level Properties of SCC using GGBS and Lime stone powder
 
Seismic Drift Consideration in soft storied RCC buildings: A Critical Review
Seismic Drift Consideration in soft storied RCC buildings: A Critical ReviewSeismic Drift Consideration in soft storied RCC buildings: A Critical Review
Seismic Drift Consideration in soft storied RCC buildings: A Critical Review
 
Post processing of SLM Ti-6Al-4V Alloy in accordance with AMS 4928 standards
Post processing of SLM Ti-6Al-4V Alloy in accordance with AMS 4928 standardsPost processing of SLM Ti-6Al-4V Alloy in accordance with AMS 4928 standards
Post processing of SLM Ti-6Al-4V Alloy in accordance with AMS 4928 standards
 
Treatment of Waste Water from Organic Fraction Incineration of Municipal Soli...
Treatment of Waste Water from Organic Fraction Incineration of Municipal Soli...Treatment of Waste Water from Organic Fraction Incineration of Municipal Soli...
Treatment of Waste Water from Organic Fraction Incineration of Municipal Soli...
 
Content Based Video Retrieval Using Integrated Feature Extraction and Persona...
Content Based Video Retrieval Using Integrated Feature Extraction and Persona...Content Based Video Retrieval Using Integrated Feature Extraction and Persona...
Content Based Video Retrieval Using Integrated Feature Extraction and Persona...
 
Planar Internal Antenna Design for Cellular Applications & SAR Analysis
Planar Internal Antenna Design for Cellular Applications & SAR AnalysisPlanar Internal Antenna Design for Cellular Applications & SAR Analysis
Planar Internal Antenna Design for Cellular Applications & SAR Analysis
 
Intelligent learning management system starters
Intelligent learning management system startersIntelligent learning management system starters
Intelligent learning management system starters
 
Joint State and Parameter Estimation by Extended Kalman Filter (EKF) technique
Joint State and Parameter Estimation by Extended Kalman Filter (EKF) techniqueJoint State and Parameter Estimation by Extended Kalman Filter (EKF) technique
Joint State and Parameter Estimation by Extended Kalman Filter (EKF) technique
 

Dernier

IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 

Dernier (20)

IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 

IJERD (www.ijerd.com) International Journal of Engineering Research and Development

  • 1. International Journal of Engineering Research and Development eISSN : 2278-067X, pISSN : 2278-800X, www.ijerd.com Volume 2, Issue 3 (July 2012), PP. 40-45 Cutting-Edge Perspective of Security Analysis for Xen Virtual Machines Omkar Kulkarni, Niu Xinli, Pamu Kumar Swamy Abstract––Virtualization and cloud computing is rapidly changing the enterprise landscape with enterprises and even individual users opting for cloud based solutions. With the large number of benefits that it provides it also increases security risk and needs immediate attention owing to its wide adoptability. We present in this paper an analysis of two attacks on virtual machines which run on xen hypervisor concentrating on insider as well as outsider intruder. In xen, pygrub is the commonly used bootloader for domU, but posses most of the security breaches. We present a DoS attack that occurs due to the inherent behavior of pygrub. We also present another attack where it is possible to compromise passwords of guest domain either through the control domains root user or through an external user that gains these root privileges. We present some of the architectural pitfalls in xen that leads to these security breaches and suggest the importance of utilizing stub-domains that separates the functionality of control domain (dom0) to make xen a more secure hypervisor. I. INTRODUCTION Enterprises today are increasingly inclined towards utilizing a dynamic IT infrastructure as enabled by Cloud computing and Virtualization technology. Cloud computing enables enterprises to deploy and manage their services such as enterprise applications, e-commerce, content delivering and web hosting at a minimal expense of actual resources utilized. Thus, the enterprises data and services will be managed by some “trusted” corporation‟s data center. Virtualization is a key technology adopted for enabling cloud computing at data centers, where the applications or services run inside virtual machines mapped onto physical servers. Multiple virtual machines can run on one physical server depending on the need and resource utilizations of the applications. A software layer, virtual machine monitor (VMM) provides a virtual hardware abstraction that reflects the underlying physical machine. In some architectures such as Xen[1] there is an additional management domain that manages other virtual machines. Virtualization provides several advantages such as performance isolation, security, and easy management of resources. Given the constant increase in the tendency of enterprises and individual users, offloading their data and computing services to the data center for number of usage scenarios, security of user‟s sensitive data has emerged as a major concern. The data present in data centers is beyond direct control of individual users and enterprises, is constantly under attack from internal and external attacks. Either intended data access or accidentally employees of cloud providers can malice user‟s sensitive data. External attacks such as Denial of services can cause service breakdowns for the enterprises cloud hosting services. This fact of security threats have been well studied by researchers [6,7,4] and brings out the significance of the need for improved security at these data centers. Taking a closer look at the virtual machines based architecture that enables these data center, a major question arises around the trustworthiness of the VMM or the hypervisor together with the management domains if present. We can identify two major security loopholes, first one being the dependence on the additional privileged domain for drivers for physical devices and administrative tools which manages access controls along with the hypervisor but fails to manage implicit information flows [4]. The second one which emerges as a subsidiary of this is the higher privileges that the user of this domain enjoys leading to a potential internal threat. Also compromising this domain leads to the compromise of all the VMs running on that physical system. This enforces the need for a better and secure architecture for the virtualized architectural environments. In this paper, we first discuss xen‟s architecture and the role of management domain. We then showcase a typical attack scenario that presents a potential for Denial of Service attack. We then discuss another approach to circumvent this attack and in the following section we present need for stub domain based architecture. II. RELATED WORK Virtualization technology and virtual machines provides numerous technical and cost advantages. But these advantages doesn't come for free, it also brings some risks with it too. The work by Keisuke Okamura[4] shows a technique to create load based covert channels between xen virtual machines. Here they use cpu load as covert channels. They have developed CCCV, a system that creates a covert channel and communicates data secretly using CPU loads.The work by Rafal Woitczuk[7] outlines the recent work by the author to design and develop a backdoor for machines running the Xen hypervisor. An attacker can gain backdoor control over the host by overwriting xen code and datastructures. The work by Ristenpart et al. [8] shows an attack that identifies whether a particular virtual machine is likely to reside on the same physical server of a cloud infrastructure. It also demonstrates a side-channel attack that causes information leakage across 40
  • 2. Cutting-Edge Perspective of Security Analysis for Xen Virtual Machines virtual machines. These different attacks demonstrated in the above mentioned research work alleviate the security concerns. In our work we present analysis of a denial of service (DoS) attack and other attack scenarios to demonstrate the need for better security architecture for Xen. The work by Fengzhe Zhang et al[9] shows the design and working of cloudvisor, a retrofitting protection of virtual machines in multi-tanent cloud with nested virtualization. This approach protects the privacy and integrity of customers virtual machines on virtualized infrastructures. sHype [10] is a MAC-based security extension to Xen. sHype enables administrators to apply various security policies to virtual machines running on an sHype-extended hypervisor. The work by Jon Oberheide et al [11] describes the Empirical Exploitation of Live Virtual Machine Migration. They defined and investigated three classes of threats to virtual machine migration: control plane, data plane, and migration module threats. Then showed how a malicious party using these attack strategies can exploit the latest versions of the popular Xen and VMware virtual machine monitors and presented a tool to automate the manipulation of a guest operating system‟s memory during a live virtual machine migration. Patrick Colp et al [12] presented Xoar, a modified version of Xen that retrofit the modularity and isolation principles used in xen. Xoar breaks the control domain into single purpose components and showed numerous advantages of this componentization. With the study of these security architectures, in this paper we present our thoughts for making xen less vulnerable. III. XEN AT A GLANCE Xen, a virtual machine monitor(VMM) known as hypervisor too, is the basic abstraction layer of software which directly sits on the hardware (i.e. bare-metal or type1 hypervisor) that lies below any operating system and allows execution of multiple virtual guest operating systems simultaneously on a single physical machine. The architecture diagram is shown in figure1. Xen is responsible for CPU scheduling and memory partitioning of various virtual machines running on hardware device. It also controls the execution of virtual machines as they share the common processing environment. 3.1.Domain0(Dom0): Xen runs guests in environments known as domains, which encapsulate a complete running virtual environment. When Xen boots, it does load a Domain0 (dom0) guest kernel. Domain 0 is the first guest to run, and has elevated privileges. All Xen virtualization environments require Domain 0 to be running before any other virtual machines can be started. Xen does not include any device drivers by itself, nor a user interface. These are all provided by the operating system and userspace tools running in the dom0 guest. Domain 0 has special rights to access physical I/O resources as well as it interact with the other virtual machines (Domain U: PV and HVM Guests) running on the system. Figure 1: Xen architecture 3.2.DomainU(DomU): An unprivileged domain (domU) guest is more restricted. DomainU guests have no direct access to physical hardware on the machine. Unlike dom0 guests, you can have an arbitrary number of domU guests on a single machine, and they may be able to be migrated. Xen supports Para and full virtualization. All paravirtualized virtual machines running on a Xen hypervisor are referred to as Domain U PV Guests and are modified Linux operating systems, Solaris, FreeBSD, and other UNIX operating systems. All fully virtualized machines running on a Xen hypervisor are referred to as Domain U HVM Guests and run standard Windows or any other unchanged operating system. The Domain U PV Guest virtual machine is aware that it does not have direct access to the hardware and recognizes that other virtual machines are running on the same machine. The Domain U HVM Guest virtual machine is not aware that it is sharing processing time on the hardware and that other virtual machines are present. For each HVM a special daemon is started in domain0, Qemu-dm. Qemu-dm supports the DomainU HVM Guest for networking and disk access requests. IV. PYGRUB The bootloader most commonly used to boot domU is PyGrub or python grub. PyGrub is a part of xen-utils package. DomU's boot configurations are specified in config file using kernel, ramdisk and some extra lines. PyGrub is the alternate method which specifies a 'bootloader' line in config file and uses that to load a kernel from domU's filesystem. 41
  • 3. Cutting-Edge Perspective of Security Analysis for Xen Virtual Machines PyGrub enable us to start linux domUs with a kernel inside domU‟s filesystem instead of a kernel that lies in the filesystem of dom0. This means easier management i.e. domU manages its own kernel and initrd. This enables easier kernel update from domU or migration of HVMed linuxes. When we try to load/start a domU(PV Guest), a request is sent to domain loader from xen to load the required domain. Domain loader runs pyGrub Utility. PyGrub itself runs in dom0 root privileges. It opens PV guest disk image and reads grub menu.lst from disk. PyGrub copies the required kernel image and ramdisk image in /tmp i.e. dom0 filesystem and closes the disk. The domain loader reads /tmp and loads particular kernel and domU get started. The architecture diagram is shown as below in figure2. Figure2: PyGrub Problems with pygrub: 1. PyGrub runs in root privileges of dom0. It reads the data directly provided by domU user. Such a dom0 root process that parses user-provided data is a potential security breach. 2. pyGrub bootloader used to boot Xen para-virtualized guests did not have support for password command as supported by normal grub. If this option was used in grub.conf, it did not restrict users with access to para- virtualized guest's console from booting guest or changing kernel boot parameters without providing configured password. This could allow user with access to VMs console to get root privileges on the guest's operating system.[16] 3. pyGrub does not check the size of bzip2-compressed kernel. This can be a security breach and can be used as a DoS to guest PV domains 4. PyGrub (the version we use anyway) is unfortunately not a complete re-implementation of GRUB, so functionality such as the menu does not readily exist. It serves mainly to allow specification of the kernel, initial ramdisk and boot-time parameters. 5. It does not provide network boot functionality. V. DENIAL OF SERVICE ATTACK(DoS) A denial of service attack (DoS) is an incident in which a user is deprived of the service of resource they would normally expect to have. Here we present a scenario that shows a DoS type attack on guest virtual machines hosted by an hypervisor. Let a hypervisor is hosting n-domUs, say domain-A, domain-B and so on. Each domain is provided with its own separate disk space. All domains are given equal weightage. Required resources are provided and VCPUs are mapped to core CPU in fair scheduling policy. Let user of domain-A is an attacker/intruder. The pygrub i.e. pv bootloader [python bootloader] doesn't check the size of a bzip2 or lzma compressed kernel image. Denial of service can be caused by padding a large file at the end of the kernel image, which can be used by a malicious domU root i.e. by domain-A user. Attacker takes advantage of this breach. What an attacker actually does is, he compiles a bzip2 compressed kernel, attaches a large file of size approximately 10GB to kernel image and boots through the newly compiled kernel. To start this heavy kernel, most of the resources are occupied by domain A denying rest of the domains from those resources for particular time till that domain get booted. These resources are occupied by domain a till it gets started, then the resources are released. The attacker will reboots the domain a in tolerant time interval so that resources are occupied by this domain a most of the time, denying other domains to use those resources. 42
  • 4. Cutting-Edge Perspective of Security Analysis for Xen Virtual Machines VI. EVALUATION OF DoS The test environment platform was a single desktop machine with an Intel core2 duo processor and 4GB main memory(RAM). The cloud infrastructure was emulated by xen 4.1-amd64 hypervisor. The management VM was dom0 running ubuntu server 11.10 with inbuilt xen enabled kernel 3.0.0-12-generic. We ran ubuntu 10.10 with kernel 2.6.35-22- generic as domU. First to compress a kernel in bzip2 and to compile the bzip2 compressed kernel we downloaded a kernel which has domU support. For our experiments we used Linux-3.1. We compiled this bzip2-compressed kernel in domU. Then we padded a file of large size approximately of size 2GB(generated by dd from /dev/zero) to this compiled kernel image. After trying for booting the system through this heavy kernel we got actual results. When we allocated 2GB memory to dom0 with 4.3GB swap space, the domU can't be started because of lack of memory. The system was busy in swapping but eventually ran out of memory and swap space. See figures 3 and 4 for references. Figure3: system out of memory Figure4: xen related processes occupy the cpus, and kswapd is busying swapping The most of the resources were occupied by this booting process to boot domU. It took nearly 10 minutes and pygrub got crashed due to lack of memory, shown in figure5. Figure5: PyGrub crashed Then we allocated 4GB memory to dom0, now domU can be started but with a great cost, as shown in figure6. Figure6: domU boots successfully at great cost At the same time when the booting was going on we tried to use some resources from other domUs running but got denied. If the domU with heavy kernel is rebooted in some xen tolerant interval, the most of the resources are occupied by malicious domU all the time. VII. CLERATEXT PASSWORDS IN MEMORY SNAPSHOTS In this section we are going to discuss a problem of a malicious insider in a cloud which is based on Infrastructure as a service(IaaS) model. The service availing user mostly trusts the service provider for the storage and safety of his data. The attack demonstrated below shows that how a malicious insider can steal confidential data of a cloud user. Thus, concluding that how unwise it is to trust a cloud service provider mostly for safety of stored data. [15]What an intruder does is, he just simply issues a dump-core command, which is a part of xen management(xm) user interface. By issuing this command on a target VM, malicious insider takes a snapshot/dump of a target VM. The dump- core command performs a dump of the memory region reserved to the targeted VM. The attacker only needs to identify the VM in the command. In our case, to confirm the presence of passwords in the dump file, we used the cat command to send the dump into the standard output that was redirected to the strings and grep commands in order to locate the known password. See the figures, 7,8 and 9 for more details. 43
  • 5. Cutting-Edge Perspective of Security Analysis for Xen Virtual Machines Figure7: xm list Figure8: dump-core command Figure9: Analyzing the dump for presence of password VIII. THE ANALYSIS AND SOLUTION PHILOSOPHY FOR DoS AND PASSWORD STEALING ATTACK An in depth analysis for finding the root cause of the DoS attack and the determining of passwords in memory dump and other similar attacks demonstrated is the inappropriate architecture of the control domain i.e. the dom0 in security point of view. This control VM enjoys highly elevated priveldges and is responsible for all major tasks including the booting of VM, enabling the transfer of network data, disk access, migration of VM etc. This poses us with an important question, is this domain worth of these highly elevated privileges? From the functional working of Xen architecture point of view, this domain actually requires such high privileges. If this is required then how do we solve the root cause for the security breaches presented? Let us first analyze a possible solution for the DoS attack. Pv-Grub: PV-GRUB is a real GRUB source code recompiled against Mini-OS, and works more like a usual, full fledged bootloader so overcoming the drawbacks of pygrub, which is not a usual bootloader. In PV domU it is just required to provide a path to PV-GRUB kernel in configuration file. PV-GRUB replaces PyGrub to boot domU image safely. It runs regular grub inside created domain itself and uses regular domU facilities to read the disk, so it reduces the overload of tasks of dom0. It can fetch from network too i.e. provide network boot facility. It reads domU disk and network interface of domain and access menu.lst of PV guest. Then uses the regular PV console to show grub menu and loads the required kernel image. The actual architecture and working of PV-GRUB is shown in figure10 below. Figure10: PV-Grub pv-grub lies in philosophy with breaking the control VM into parts[12]. The functionality of dom0 is broken into different stub-domains those run as normal domains on xen hypervisor. This breaking is useful in management as well as security point of view. Looking at the password attack, there is no necessity of allowing dom0 a full control of guest domain. Activities such as guest OS dump must not be allowed at all from dom0. If at all required for all such tasks like taking memory dumps etc. must be delegated to a new VM that is executed only on active involvement of Enterprises or user whose data lies on the cloud. 44
  • 6. Cutting-Edge Perspective of Security Analysis for Xen Virtual Machines Thus breaking up the functionality of control VM can reduce the security risks. To break a management domain(dom0), we need to define the classes of interaction where dom0 is required for domU and this can be used as a basis for breaking. IX. CONCLUSION The Cloud computing and virtualization is a most promising paradigm with acceptance worldwide. The paper focused on the malicious insider as well as outsider threat. We also discussed the detailed analysis of these threats and a philosophical solution for these attacks. The Py-grub is responsible for DoS based attack. The dom0 is provided with all privileges and is responsible for all important tasks. To avoid internal threats, the stub-domains concept must be implemented and dom0 should not have the privileges alone like taking a dump of guest domU. REFERENCES [1]. Paul Rarham, Boris Dragovic, Keir Fraser, „Xen and the Art of Virtualization‟, ACM2003 [2]. Reiner Sailer, Enriquillo Valdez, Trent Jaeger, „sHype: Secure Hypervisor Approach to Trusted Virtualized Systems‟, IBM Research Report, February 2, 2005 [3]. Flavio Lombardi, Roberto Di Pietro, „KvmSec: A Security Extension for Linux Kernel Virtual Machines‟, ACM 2009 [4]. Keisuke Okamaura, Yoshihiro Oyama, „Load based Covert Channels between Xen Virtual Machines‟, ACM 2010 [5]. David Chisnall, „The Definitive Guide to the Xen Hypervisor‟, Prentice Hall Publications, 2008 [6]. Understanding Cloud Computing Vulnerabilities, Article in 2011 IEEE journal [7]. Rafal Wojtczuk, „Subverting the Xen hypervisor‟, Black Hat USA 2008 [8]. T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third- Party Compute Clouds. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS 2009), 2009. [9]. Fengzhe Zhang, Jin Chen, Haibo Chen and Binyu Zang, „Cloudvisor: Retrofitting Protection of Virtual Machines in Multi-tanent cloud with nested Virtualization‟ [10]. R. Sailer, T. Jaeger, E. Valdez, R. C´aceres, R. Perez,S. Berger, J. L. Griffin, and L. van Doorn. Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. In Proceedings of the 21st Annual Computer Security Applications Conference, pages 276–285, 2005. [11]. Jon Oberheide, Evan Cooke, Farnam Jahanian, „Empirical Exploitation of Live Virtual Machine Migration‟, ACM [12]. Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, „Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor‟, SOSP ’11, October 23-26, 2011, Cascais, Portugal. ACM 2011 [13]. Xen 4.1, http://bits.xensource.com/oss-xen/release/4.1.0/xen-4.1.0.tar.gz [14]. VMware Workstation. http://www.vmware.com/products/ws/ [15]. Francisco Rocha, Miguel Correia, 'Lucy In The Sky without diamonds: Stealing confidential data in the cloud' [16]. www.google.co.in [17]. https://bugzilla.redhat.com/show_bug.cgi?id=525740 45