Abstract
Two key issues arise during virtual machine (VM) migration in cloud computing: when to start migration, and how to determine a reliable target. In previous studies, both depend entirely on whether the source hypervisor is trusted. Once the source hypervisor is no longer trusted, migration faces unprecedented challenges. To address these problems, we propose a secure architecture, SMIG (secure migration), which defines a new concept, the Region Critical TCB, and leverages an innovative adjacent integrity measurement (AIM) mechanism. AIM dynamically monitors the integrity of its adjacent hypervisor and passes the results to the Region Critical TCB, which then determines whether to start migration and where to migrate according to a table named the integrity validation table. We have implemented a prototype of SMIG based on the Xen hypervisor. Experimental evaluation shows that SMIG can detect a malicious hypervisor and rapidly start migration to a trusted one, incurring only a moderate overhead for computing-intensive and I/O-intensive tasks and a small overhead for others.
Acknowledgements
The subject was sponsored by the National Science and Technology Major Project (2012ZX01039-004) and the National Natural Science Foundation of China (Grant No. 61305054).
Author information
Tao Wu received his MS degree in computer science from University of Science and Technology Beijing, China in 2010. He is currently a PhD candidate of University of Chinese Academy of Sciences, China. His research interests include system security and cloud security.
Qiusong Yang received his PhD degree in computer science from Graduate University of Chinese Academy of Sciences, China. He is currently a professor of University of Chinese Academy of Sciences. His research interests include system and software security.
Yeping He received his PhD degree from Nanjing University of Aeronautics and Astronautics, China. He is currently a professor of University of Chinese Academy of Sciences, China. His research interests include system security and trusted computing.
Cite this article
Wu, T., Yang, Q. & He, Y. A secure and rapid response architecture for virtual machine migration from an untrusted hypervisor to a trusted one. Front. Comput. Sci. 11, 821–835 (2017). https://doi.org/10.1007/s11704-016-5190-6
DOI: https://doi.org/10.1007/s11704-016-5190-6