Journal: Highly Available Systems, No. 3, 2013
Article in issue:
Hypervisor threat model in cloud systems
Authors:
D.P. Zegzhda - Dr.Sc. (Eng.), Professor, Department of IBKS, National Research University St. Petersburg State Polytechnical University. E-mail: zeg@ibks.ftk.spbstu.ru
A.V. Nikolskiy - Assistant, Department of IBKS, National Research University St. Petersburg State Polytechnical University. E-mail: alexei.nikolsky@ibks.ftk.spbstu.ru
Abstract:
Today, specialized packet-filtering solutions (including software implementations in operating systems) are used to provide network access control: firewalls, intrusion prevention systems, network antiviruses, and application-layer proxy servers (including WAFs, web application firewalls). Because of the enormous growth in Internet throughput, their efficiency is decreasing while their cost remains high. Firewalls are installed at one fixed point of the network topology, so the rule syntax must allow flows originating from different applications and clients to be distinguished accurately. For this reason the logic of firewalls becomes more complex: they must perform more operations on each packet header to decide which action to take. At the same time, it is known that source-based filtering performed closer to the source node, and destination-based filtering performed closer to the destination node or application, simplifies the policy rules and therefore makes the filtering logic cheaper. With mobile client devices, the network configuration changes rapidly, and information about network topology changes cannot be used directly for access control. This is why the problem of network access control based on information about the expected behavior (flows) of network applications is becoming more and more important. The new SDN concept makes it possible not only to eliminate the need for dedicated hardware firewalls, but also to maximize the overall L2 network throughput. We claim that any given firewall configuration that specifies an access control policy between applications in the network can be implemented as an SDN flow policy that preserves the reachability matrix on the network graph and maximizes the throughput of the L2 networking infrastructure. In this paper we formally show how to solve the problem of migrating from a traditional network with dedicated firewalls to SDN while preserving node reachability (the connection matrix).
The proposed approach was implemented as an application for the POX SDN controller. The application's input is the existing network topology and a rule set for each firewall in Extended Cisco ACL format; its output is an SDN access control policy consisting of rule sets for every OpenFlow switch in the SDN topology. An experimental evaluation was performed on a physical SDN testbed built from 5 NEC Programmable Flow series switches, and the quantitative results obtained confirm the assumed applicability of the proposed method. Directions for further research, based on optimizing the records in the flow tables of OpenFlow switches, are presented in the conclusion.
Pages: 70-78