

Secure virtualization in cloud computing

Overview

Cloud computing aims at flexibly scalable infrastructures using virtualized resources. Although virtualization improves efficiency and flexibility, it also introduces new threats. We mitigate these threats by means of new security technologies for protecting virtual environments. Moreover, we design novel mechanisms that provide protection levels beyond those of today's non-virtualized systems.

Our projects follow two goals:

The first goal ensures that virtualized infrastructures provide a level of confidentiality, integrity, and availability which is similar to that of traditional infrastructures. One important requirement is the proper insulation of multiple customers. One example of a project in this space is the virtual systems security auditing project.

The second goal aims at using virtualization to provide stronger or more efficient security. For example, one goal we are pursuing in our virtualization project is the use of virtualized intrusion detection.


Security audits of heterogeneous virtual environments (SAVE)

This project performs configuration audits of heterogeneous virtual infrastructures. This includes storage, networks, and virtual machines on multiple types of hosts.

Our system discovers the actual detailed configuration of virtual systems and displays the logical layout, i.e., what network security zones exist and which virtual machine is connected to which networks and storage volumes.

We furthermore audit whether VM network monitoring tools (such as emerging tools from ISS) are correctly set up on each host. Our objective is to perform automatic validation of a virtual data center configuration against given security policies and best practices.
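A minimal sketch of the kind of policy check described above, added here as an illustration and not taken from the SAVE project: it models which VM is attached to which networks and storage volumes, then searches for any attachment chain that links two security zones a policy says must stay isolated. The inventory, zone names, and the `MUST_ISOLATE` policy are constructed sample data; a reported path is a potential channel to review, not proof that traffic flows.

```python
from collections import deque

# Constructed inventory (not real discovery output): VM -> attached resources.
ATTACHMENTS = {
    "web01": ["net:dmz", "vol:web-data"],
    "app01": ["net:internal", "vol:app-data"],
    "db01": ["net:internal", "vol:db-data"],
    "backup01": ["net:mgmt", "vol:web-data", "vol:db-data"],
    "tenantB-vm": ["net:tenant-b", "vol:tenant-b-data"],
}
# Assumed zone labelling of networks and an assumed isolation policy.
ZONES = {"net:dmz": "dmz", "net:internal": "internal",
         "net:mgmt": "mgmt", "net:tenant-b": "tenant-b"}
MUST_ISOLATE = [("dmz", "internal"), ("internal", "tenant-b")]

def build_graph(attachments):
    """Undirected graph: each VM is linked to every resource it attaches to."""
    graph = {}
    for vm, resources in attachments.items():
        for res in resources:
            graph.setdefault("vm:" + vm, set()).add(res)
            graph.setdefault(res, set()).add("vm:" + vm)
    return graph

def find_path(graph, sources, targets):
    """BFS; shortest chain from any source to any target, or None."""
    prev = {s: None for s in sources}
    queue = deque(sorted(sources))
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def audit(attachments, zones, must_isolate):
    """Return (zone_a, zone_b, evidence_path) for each violated isolation rule."""
    graph = build_graph(attachments)
    findings = []
    for a, b in must_isolate:
        src = {n for n, z in zones.items() if z == a}
        dst = {n for n, z in zones.items() if z == b}
        path = find_path(graph, src, dst)
        if path:
            findings.append((a, b, path))
    return findings
```

On the sample data the audit reports one finding: the backup VM mounts volumes from both the DMZ web server and the internal database, which chains the two zones together through shared storage even though no VM is dual-homed on both networks.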

The main benefits of this project are


Introspection-based security

Virtual-machine introspection (VMI) is the ability to inspect or modify the state of a virtual machine (VM) from the "outside", e.g. from the hypervisor or a service VM. This technique can be used to create a layered set of security services, where the trust model is rooted in an isolated secure VM, without the knowledge or indeed the cooperation of the inspected VM.

Introspection-based security covers a range of projects, both in research and development, to explore and exploit the capabilities of VMI in order to improve security in virtualized environments. These projects include the following.

The Phantom project is a collaboration between IBM Research and ISS for providing security in virtualized environments. Phantom uses VMI to provide intrusion detection, prevention and protection services for virtual infrastructures, focused initially on the VMware platform using the VMsafe introspection API.

Introspection-based context agent injection aims to design and implement a mechanism to inject and protect a context agent into a running VM using VMI without the cooperation of the monitored VM. This will allow us to address the problem of obtaining reliable high-level information about the internal operation of the VM while having confidence that the in-guest agent has not been compromised.

Hyperjacking is a technique that uses hardware support for virtualization in modern CPUs to move an operating system running directly on hardware to a VM, transparently to the user. This technique has been discussed extensively as a vehicle for malware, but we have been exploring its potential applications for security. These include on-the-fly protection of memory and other resources, live system migration, and VM-based "parallel universes", which provide extensive rollback and replay capabilities useful for software development and testing, system configuration, system forensics, etc.
