The convergence of virtualization with Cloud computing has brought many benefits ... However, addressing the security concerns of disk images used by virtual ...
Securing the virtual machine images in Cloud computing Muhammad Kazim, Rahat Masood, Muhammad Awais Shibli National University of Sciences and Technology H-12 Sector, Islamabad, Pakistan
[muhammad.kazim,10msccsmmasood, awais.shibli]@seecs.edu.pk
ABSTRACT The convergence of virtualization with Cloud computing has brought many benefits to organizations including ease of deployment, reduced costs and high availability of resources over internet. Extensive research has been carried out to increase the security of Cloud virtualization environment. However, addressing the security concerns of disk images used by virtual machines is still an open challenge. Compromising the disk images can result in loss of data integrity and confidentiality. This paper proposes a novel security scheme ”Encrypted Virtual Disk Images in Cloud (EVDIC)” for the protection of stored disk images in Cloud by encryption. EVDIC also includes the security of key management and key exchange process. We integrate EVDIC with OpenStack, which is an open source Cloud platform largely used around the world.
Categories and Subject Descriptors E.3 [Data Encryption]: Standards; C.2.4 [Distributed Systems]
General Terms Design
Keywords Cloud computing, Cloud security, disk images, encryption
1.
INTRODUCTION
Cloud computing technology has evolved as a preferred choice for the IT industry in last decade. It offers benefits such as reduced costs, scalability, increased efficiency and better utilization of resources. Virtualization is the primary feature that makes Cloud computing special. It abstracts the underlying hardware to virtually provide interfaces similar to the hardware’s physical platform. Virtualization was reintroduced in 1997 by Bugnion E. et al. who used virtual
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first p age. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SIN’13, November 26-28, 2013, Aksaray, Turkey. Copyright 2013 ACM 978-1-4503-2498-4/00/10 ...$15.00. http://dx.doi.org/10.1145/2523514.2523576
425
machines to run multiple commodity operating systems on a single PC[7]. Virtual machines use disk images as their hard drives, which are virtual representation of a physical drive. Virtual disk image is a single file or directory representing the hard drive of a guest operating system (operating system running within a virtual machine). It encapsulates all components of a guest OS, including the applications and virtual resources used by guest OS. Disk images present many advantages in a Cloud virtualization environment such as the ability to quickly launch and deploy virtual machines across various hosts[9]. However, along with other virtualization components, disk images are vulnerable to many attacks from outsiders as well as from malicious users and administrators in Cloud. The disk images can be compromised during storage through different ways including unauthorized access to images and by installing malicious software on them. Even though security of disk images in Cloud is a major issue, only few solutions have been proposed in literature for their protection against attacks. This paper focuses on providing security to virtual disk images in Cloud environment by proposing a scheme called Encrypt Disk Images in Cloud (EVDIC). EVDIC keeps the disk images encrypted during their unused state. Encrypting the virtual disk images is a highly recommended solution[9, 6, 8]. However, currently no architecture or prototype has been proposed for the disk images encryption in Cloud except the commercial solutions[1, 2]. EVDIC provides security to disk images during storage through encryption and ensures that their integrity is maintained. EVDIC will also protect data on Cloud even if the Cloud platform is compromised since the encryption keys are stored at a different location from Cloud. Finally, we integrate EVDIC architecture with OpenStack[3] which is widely used for Cloud deployment.
2.
PROPOSED ARCHITECTURE
Encrypt Disk Images in Cloud (EVDIC) addresses the security issues of stored disk images in Cloud by encrypting them in unused state. EVDIC workflow is divided into two parts. One part is the image encryption through EVDIC, before an image is stored on the disk. Other is the image decryption through EVDIC, while retrieving a stored image from the disk to be used by a virtual machine. The major components involved during the image encryption and decryption are Image Encryption Module, Key Management Server and Image Decryption Module. They interact with the other components of Cloud. The major functionalities
of these components are described below:
2.1
Image Encryption Module (IEM)
When a running virtual machine is terminated by user, the virtual disk images have to be stored somewhere in the Cloud. The Image Encryption Module intercepts a request to store an image in the disk. It interacts with the Key Management Server to obtain an encryption key to encrypt the image. The encryption scheme used in IEM is Advanced Encryption Standard with key size of 256 bits (AES-256). To generate the encryption keys the user password is passed to Password-Based Key Derivation Function 2 (PBKDF2)[10]. PBKDF-2 applies pseudorandom function to the input phrase along with a salt value and generates a cryptographically secure key after many cycles. After encrypting the VM image, IEM sends the image to the disk for storage. The encrypted disk image is secure from malwares, trojans, and data leakage due to unauthorized access. Furthermore, the integrity of images is also ensured during storage. The design of EVDIC encryption scheme is shown in figure 1.
2.2
Image Decrypt Module (IDM)
Whenever a virtual machine is to be launched in Cloud, it requests for the virtual disk image. All the disk images will be stored in encrypted form in Cloud. The major function of Image Decryption Module is to decrypt the images. It intercepts a request to retrieve a stored disk image from the disk and interacts with the Key Management Server to obtain user key for decryption. After getting the key from KMS, IDM locates the stored image on disk using the metadata stored with image. Once the image is located, it is retrieved and decrypted by the IDM. IDM sends the decrypted image to the related component in Cloud so that it can be used by the virtual machine. Figure 2 describes the working of EVDIC decryption scheme.
2.3
Key Management Server (KMS)
KMS is responsible for management of keys used for encryption. Once the encryption keys are derived for users, they are stored in KMS. The unique identification of each user is maintained by a field called KeyID and it is used to retrieve and store encryption keys for each user when required. Due to security purposes, the KMS is placed at a separate location form the Cloud. All communication between KMS and EVDIC components takes place through Secure Socket Layer version 3.0 (SSLv3). SSL 3.0 provides the security during key exchange and ensures message confidentiality and integrity. Keeping the KMS outside the Cloud will keep KMS secure even if the complete Cloud infrastructure is compromised. On the other hand, if keys are stored in the Cloud and Cloud infrastructure is compromised, attacker can access the encryption keys in KMS. These encryption keys could then be used to decrypt the encrypted images and access critical data.
libvirt for QEMU or KVM, VMwareAPI for VMware). When a virtual machine is to be launched in OpenStack, novacompute interacts with the Image Service (Glance) to request a VM image through Image Application Programming Interface (Glance API). Glance deals with the retrieval, registering and storage of virtual machine images. Glance API stores the images in Object Storage, Swift (if specified by the user). Swift is a highly scalable object storage, that can store a large amount of data through a RESTful HTTP API. Each image stored in Swift has an image ID and a URL associated with it that is used to locate and upload image from storage. Furthermore, all objects in Swift have their own metadata. The seven major components of Swift are, i) Proxy Servers ii) Accounts iii) Containers iv) Objects v) Rings vi) Zones vii) Partitions. Proxy servers are responsible for handling all the incoming HTTP requests; accounts contain the lists of containers; containers have the list of objects and object is the actual data to be stored such as an image. The collection of all stored data is called a partition and rings are responsible for mapping the physical location on disks[5].
3.1
EVDIC Image Encryption in OpenStack
As the user terminates its virtual machine, Glance API stores the image. Glance interacts with Swift to store the image on it. Swift first determines the partition to store image using account, container and object names. EVDIC can be integrated with OpenStack such that after Swift Proxy server sends a request to the Object Server to upload image through RESTful HTTP API, control is transferred to the EVDIC Image Encryption Module (IEM). IEM performs the image encryption in Object server, as all the write requests pass through it. All the swift servers write data in chunks, therefore each chunk must pass through the IEM before storage. EVDIC uses the same procedure for encryption as mentioned above in EVDIC image encryption scheme. The encryption key for each user is generated through PBKDF-2 and retrieved from KMS using SSL 3.0. This encryption key is used to encrypt each chunk of image through AES-256. The encrypted chunks are written in a temporary file by Swift, before storing them in the partition on disk. Hash of the images is calculated using MD5 before their encryption and stored along with metadata. The Glance API stores the location of stored image in glance-registry including the image ID and URL of image. Disk image encryption through EVDIC in OpenStack is shown in figure 3.
3.2
EVDIC Image Decryption in OpenStack
When the virtual machine of a user is to be launched, novacompute passes request for accessing disk image to Glance using Image API. Glance sends a message to Swift to download the desired image. To locate the image the partition name is produced by Swift in a similar way to one generated during object upload. During the image download from Object server, image is passed through the image decryption module. IDM uses KeyID in metadata of stored image to 3. EVDIC IN OPENSTACK retrieve the encryption key from KMS using SSL 3.0. IDM OpenStack provides a large scale open source Cloud comdecrypts the image and hash of the decrypted image is taken puting platform[3]. The major components of OpenStack by MD5 to compare it with the hash stored in metadata. In are Compute, Image Service, Identity, Dashboard, Network, this way the integrity of image is ensured. IDM sends the Object Storage and Block Storage [4]. The Compute Worker decrypted image to Proxy server, and Proxy server returns (nova-compute) is the component that manages virtual maimage to Glance. Glance returns the image to nova-compute chines life cycle through hypervisor API’s (XenAPI for XenServer, using Glance API. The decrypted image can be used by the
426
6 Image6storage6at6 disk6
VM6termination6 CLOUD666666666666666666666666666666666666666666666666666666666666666666666666661v6Store6the6image 6
2v6Intercept6request6to6store6image
6
Image6Encryption6 66666666666666666666666666665v6Image6encryption6by6IEM66 6 6 6 6 666v6Store6encrypted66 66666666666 6 using6AESk2566 6 6 66 6 6 66666666666image6 6 Module60IEMV 66 3v6Key6request6using6KeyID6 66666666666666664v6Key6exchange6through6SSL63v0 6 6 6666666666666666666666666666666666666666
Key6Management6Server6 0Outside6CloudV6
Figure 1: Disk image encryption through EVDIC
b VMbBootb CLOUDbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb1kbRetrievebthebimage b
2kbInterceptbrequestbtobretrievebimage
Imagebstoragebatb diskb 7kbReturnbImage
b
ImagebDecryptionb bbbbbbbbbbbbbbbbbbbbbbbbbbb6kbImagebdecryptionbbybIDMb b b b b b bb5kbLocatebstoredbb bbbbbbbbbbb b b b b b b b b b bbbbbbbbbbbImageb Moduleb0IDMV bb bbbbbbbbbbbbbbbb4kbKeybexchangebthroughbSSLb3k0 b b 3kbKeybrequestbusingbKeyIDb bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
KeybManagementbServerb 0OutsidebCloudVb
Figure 2: Disk image decryption through EVDIC
(((2w(Upload(Image(as(Object((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((
vw PUT(Request( Glance( Swift(Proxy( 2w(EDIC(intercepts((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((( (
xRequest((to( store imageh( ((((((((((((((
(
(
(
Swift(Object(
(
((((((((
(
(((((((((((((((3w(Intercept(image(
(
6w(Store(encrypted(image(
store(request ((((((((((((((((((((((((((((((3w(Key(Request( Image(
Encryption( Module(xIEMh( (
4wKey(exchange(
Key(Management( Server(
5w(Encrypt(Image(by(AESG256(
Figure 3: Image encryption through EVDIC in OpenStack virtual machine. The OpenStack image decryption through EVDIC is shown in the figure 4.
427
4.
CONCLUSION
Security of disk images is an important issue in securing the virtualization environment. Disk images are vulnerable to
((2P(Download(Image(as(Object(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((
1P GET(Request( Glance( Swift(Proxy( 2P(EDIC(intercepts((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((( (
hRequest((to( access image6( ((((((((((((((
(
(
Swift(Object(
(
((((((((
(
(
(((((((((((((((3P(Intercept(image(
(
5P(Download(encrypted(image(
access(request ((((((((((((((((((((((((((((((3P(Key(Request( Image(
Decryption( Module(hIEM6( (
Key(Management( 4PKey(exchange( Server(
6P(Decrypt(Image(by(AESf256
Figure 4: Image decryption through EVDIC in OpenStack different attacks during storage such as data leakage, malware installation on images and snapshot access in storage. Using the architecture defined in this paper (EVDIC), integrity of disk images and confidentiality of data stored on them can be guaranteed during storage. We describe the integration of EVDIC with OpenStack which is an open source Cloud software currently being deployed by several large IT organizations. There will be a performance cost associated with the encryption and decryption of the disk images in a large computing environment such as Cloud where thousands of images are present; however, ”for high security or regulated environments, the performance cost is worth it” [6]. In future, we will deploy EVDIC on OpenStack and evaluate its performance. We will also focus on the performance optimization of EVDIC so that the performance cost associated with EVDIC usage in Cloud is as less as possible.
5.
REFERENCES
[1] Storage made easy: Openstack swift object storage. http://www.storagemadeeasy.com/OpenStack/. Last Accessed: 2013-02-24. [2] Piston cloud computing. http://www.pistoncloud.com. Last Accessed: 2013-02-24. [3] Openstack. http://www.openstack.org. Last Accessed: 2013-06-28.
428
[4] Openstack compute: Administration guide. http: //docs.openstack.org/trunk/openstack-compute/ admin/bk-compute-adminguide-trunk.pdf. Last Accessed: 2013-06-22. [5] Openstack swift architecture. http://swiftstack.com/openstack-swift/. Last Accessed: 2013-08-12. [6] G. Brunette, R. Mogull, et al. Security guidance for critical areas of focus in cloud computing v2.1. Cloud Security Alliance, pages 1–76, 2009. [7] E. Bugnion, S. Devine, K. Govil, and M. Rosenblum. Disco: Running commodity operating systems on scalable multiprocessors. ACM Transactions on Computer Systems (TOCS), 15(4):412–447, 1997. [8] V. S. I. G. P. S. S. Council. Pci dss virtualization guidelines v2.0. pages 1–39, 2011. [9] P. Hoffman, K. Scarfone, and M. Souppaya. Guide to security for full virtualization technologies. National Institute of Standards and Technology (NIST), pages 800–125, 2011. [10] M. Turan, E. Barker, W. Burr, and L. Chen. Special publication 800-132: Recommendation for password-based key derivation. Technical report, Tech. rep., NIST, Computer Security Division, Information Technology Laboratory, 2010.
