Securing the virtual machine images in Cloud computing
KTH Applied Information Security Lab
Muhammad Kazim, Rahat Masood, Muhammad Awais Shibli
Department of Computing, School of Electrical Engineering and Computer Sciences, NUST Islamabad

Outline
- Introduction
- Virtual Machine Images
- Encrypted Virtual Disk Images in Cloud (EVDIC)
  – EVDIC Components
  – Virtual Machine Image encryption in Cloud using EVDIC
  – Virtual Machine Image decryption in Cloud using EVDIC
- OpenStack
- OpenStack Swift
  – Swift Image Encryption using EVDIC
  – Swift Image Decryption using EVDIC
- Conclusion

1. Introduction
- Cloud computing is becoming popular among IT businesses because its services are offered at the Software, Platform and Infrastructure levels.
- The Infrastructure as a Service (IaaS) model offers services such as computing, network, storage and databases via the internet.
- Virtualization enables a single system to concurrently run multiple isolated virtual machines (VMs), operating systems, or multiple instances of a single operating system (OS).

2. Virtual Machine images
- A single file or directory representing the hard drive of a guest operating system.
- Encapsulates all components of a guest OS, including the applications and the virtual resources used by the guest OS.
- Provides the ability to quickly launch and deploy virtual machines across various hosts.

Virtual Machine images security in Cloud
- Disk images in storage can be compromised through attacks such as data leakage, malware installation on images, and snapshot access in storage.
- NIST, CSA and PCI DSS, in their security guidelines for virtualization, have emphasized the importance of virtualization and disk image security.

3. Encrypted Virtual Disk Images in Cloud (EVDIC)
- To secure virtual machine images from possible attacks in the Cloud, EVDIC is proposed.
- EVDIC protects virtual machine images in the Cloud by encrypting them before they are stored on the Cloud. The images are decrypted only when required by the virtual machine.
- EVDIC also covers the security of the key management and key exchange process.

EVDIC Components
- The Image Encryption Module (IEM) interacts with the Key Management Server to obtain an encryption key with which to encrypt the image. The encryption scheme used in the IEM is the Advanced Encryption Standard with a key size of 256 bits (AES-256).
- The Image Decryption Module (IDM) interacts with the Key Management Server to obtain the user's key for decryption. After getting the key from the KMS, the IDM locates the stored image on disk using the metadata stored with the image.

EVDIC Components
- The Key Management Server (KMS) is responsible for managing the keys used for encryption. Once the encryption keys are derived for users, they are stored in the KMS.
- The unique identification of each user is maintained by a field called KeyID.
- For security reasons, the KMS is placed at a separate location from the Cloud. All communication between the KMS and the EVDIC components takes place over Secure Socket Layer version 3.0 (SSLv3).
Virtual Machine Image encryption in Cloud using EVDIC
[Figure 1: Image Encryption through EVDIC]

Virtual Machine Image decryption in Cloud using EVDIC
[Figure 2: Image Decryption through EVDIC]

4. OpenStack
- Used in 178 different countries and by more than 850 organizations, including NASA and Rackspace.
- Collection of open source components.
- Modular design.
- IaaS Cloud services allow users to manage VMs, virtual networks and storage resources.

5. OpenStack Swift
- Swift is a highly available, distributed, eventually consistent object/blob store that can be used to store virtual machine images.
- It is maintained and developed by one of the largest open-source teams in the world, and is in the top 2% of all project teams on Ohloh.
- It has 53,605 lines of code and is written in Python.

Swift Image Encryption using EVDIC
[Figure 3: OpenStack image encryption using EVDIC. Components: Glance, Swift Proxy, Swift Object store, Image Encryption Module (IEM), Key Management Server. Steps: 1. PUT request from Glance; 2. upload image as object (request to store image), intercepted by EVDIC at the Swift Proxy; 3. IEM intercepts the image store request and sends a key request to the Key Management Server; 4. key exchange; 5. IEM encrypts the image with AES-256 and the encrypted image is stored in Swift Object storage.]

Swift Image Decryption using EVDIC
[Figure 4: OpenStack image decryption through EVDIC. Components: Glance, Swift Proxy, Swift Object store, Image Decryption Module (IDM), Key Management Server. Steps: 1. GET request from Glance; 2. download image as object (request to access image), intercepted by EVDIC at the Swift Proxy; 3. IDM intercepts the image access request and sends a key request to the Key Management Server; 4. key exchange; 5. IDM decrypts the image with AES-256; 6. download encrypted image from Swift Object storage.]

6. Conclusion
- The Image Encryption Module encrypts all virtual disk images before storage in the Cloud. They are decrypted when required by the virtual machine.
- Integrity and confidentiality of virtual machine images in storage are ensured.
- They are secure from all possible storage attacks such as data theft, malware installation and hypervisor issues.

References
- Edouard Bugnion, Scott Devine, Mendel Rosenblum, "Disco: running commodity operating systems on scalable multiprocessors", Proceedings of the sixteenth ACM symposium on Operating systems principles, pages 143-156, France, 1997.
- Guide to Security for Full Virtualization Technologies, NIST, http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf, [Last accessed: 17th Nov, 2012].
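The following Go program is an added example, not code from the deck or from the EVDIC or OpenStack projects. It puts the EVDIC Components slide and the Swift PUT/GET flows of Figures 3 and 4 into one runnable model: a KMS that hands out AES-256 keys by KeyID, an IEM path that encrypts an image on PUT and stores ciphertext plus metadata, and an IDM path that reads the metadata, fetches the key and decrypts on GET. The in-process KMS, the object store map, the KeyID format and the sample image bytes are all constructed for the example; AES-256-GCM is this example's choice of mode, since the deck names only AES-256, and it is what makes the "integrity" claim of the Conclusion slide checkable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyManagementServer stands in for the EVDIC KMS: AES-256 keys indexed by KeyID.
// The deck puts the KMS on a separate host behind an SSL channel; this example keeps
// it in-process so the flow runs offline (an assumption of the example, not the deck).
type KeyManagementServer struct {
	keys map[string][]byte
}

func NewKMS() *KeyManagementServer { return &KeyManagementServer{keys: map[string][]byte{}} }

// DeriveKey generates a fresh 256-bit key for a user, stores it, and returns its KeyID.
func (k *KeyManagementServer) DeriveKey(userID string) (string, error) {
	key := make([]byte, 32) // a 32-byte key selects AES-256 in crypto/aes
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	keyID := fmt.Sprintf("%s:%d", userID, len(k.keys)+1) // constructed KeyID format
	k.keys[keyID] = key
	return keyID, nil
}

// Lookup hands a key to the IEM/IDM (the "key request / key exchange" steps of Figures 3 and 4).
func (k *KeyManagementServer) Lookup(keyID string) ([]byte, error) {
	key, ok := k.keys[keyID]
	if !ok {
		return nil, fmt.Errorf("kms: unknown KeyID %q", keyID)
	}
	return key, nil
}

// EncryptedObject is what the IEM writes to Swift: ciphertext plus the metadata
// (KeyID and nonce) that the IDM later reads to locate the key and decrypt.
type EncryptedObject struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// ObjectStore models Swift object storage keyed by object name.
type ObjectStore map[string]EncryptedObject

// aeadFor builds AES-256-GCM; GCM is this example's mode choice so the stored
// image is integrity-protected as well as confidential (the deck only says AES-256).
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// PutImage is the IEM path: the PUT is intercepted, the key is fetched from the
// KMS, the image is encrypted, and ciphertext plus metadata is stored.
func PutImage(kms *KeyManagementServer, store ObjectStore, name, keyID string, image []byte) error {
	key, err := kms.Lookup(keyID)
	if err != nil {
		return err
	}
	aead, err := aeadFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The object name is bound in as associated data, so a ciphertext copied
	// under another object name fails authentication on GET.
	ct := aead.Seal(nil, nonce, image, []byte(name))
	store[name] = EncryptedObject{KeyID: keyID, Nonce: nonce, Ciphertext: ct}
	return nil
}

// GetImage is the IDM path: the GET is intercepted, the stored metadata names the
// KeyID, the matching key is fetched from the KMS, and the image is decrypted.
// A modified ciphertext or a wrong key makes Open return an error instead of data.
func GetImage(kms *KeyManagementServer, store ObjectStore, name string) ([]byte, error) {
	obj, ok := store[name]
	if !ok {
		return nil, fmt.Errorf("swift: no such object %q", name)
	}
	key, err := kms.Lookup(obj.KeyID)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, obj.Nonce, obj.Ciphertext, []byte(name))
}

func main() {
	kms, store := NewKMS(), ObjectStore{}
	keyID, _ := kms.DeriveKey("tenant-a")
	image := []byte("constructed stand-in for a qcow2 disk image") // constructed sample input
	if err := PutImage(kms, store, "images/web.qcow2", keyID, image); err != nil {
		panic(err)
	}
	back, err := GetImage(kms, store, "images/web.qcow2")
	fmt.Println("stored in clear:", bytes.Equal(store["images/web.qcow2"].Ciphertext, image))
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, image))
}
```

Run it with `go run`. The KMS-to-module link that the deck carries over SSLv3 is a direct call here; SSLv3 was formally deprecated by RFC 7568 in 2015, so a deployment of this design today would put that link over TLS 1.2 or later. The associated-data binding and the GCM tag are what turn a bit-flip in the stored object, or an object renamed inside the store, into a decryption error on GET rather than a silently corrupted image.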
- Security guidance for critical areas of focus in Cloud computing, CSA, https://cloudsecurityalliance.org/research/security-guidance/, [Last accessed: 24th August, 2012].
- PCI Data security standards, https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf, [Last accessed: 29th August, 2012].
- Virtual Machines security guidelines, http://www.lasr.cs.ucla.edu/classes/239_1.fall10/papers/CIS_VM_Benchmark_v1.0.pdf, [Last accessed: 26th September, 2012].
- A Guide to Virtualization Hardening Guides, A SANS Whitepaper, 2010, http://www.sans.org/reading_room/analysts_program/vmware-guide-may-2010.pdf, [Last accessed: 29th September, 2012].

References
- storagemadeeasy.com/OpenStack, [Last accessed: 24 Feb 2013].
- www.pistoncloud.com, [Last accessed: 24 Feb 2013].
- www.openstack.org, [Last accessed: 17 April 2013].
- Carl Gebhardt, Allan Tomlinson, "Secure virtual disk images for grid computing", Trusted Infrastructure Technologies Conference APTC'08, Third Asia-Pacific, pages 19-29, China, 2008.
- Mikhail I. Gofman, Ruiqi Luo, Ping Yang, Kartik Gopalan, "SPARC: A security and privacy aware Virtual Machine checkpointing mechanism", Proceedings of the 10th annual ACM workshop on Privacy in the electronic society, pages 115-124, 2011.
- Wu Zhou, Peng Ning, Xiaolan Zhang, "Always up-to-date: scalable offline patching of VM images in a compute cloud", Proceedings of the 26th Annual Computer Security Applications Conference, pages 377-386, 2010.
- Jinpeng Wei, Zhang Xiaolan, Ammons Glenn, Bala Vasanth, Ning Peng, "Managing security of virtual machine images in a cloud environment", Proceedings of the 2009 ACM workshop on Cloud computing security, pages 91-96, 2009.
- Sandra Rueda, Rogesh Sreenivasan, Trent Jaeger, "Flexible Security Configuration for Virtual Machines", Proceedings of the 2nd ACM workshop on Computer Security Architectures, pages 35-44, 2008.