Module 4

CLOUD COMPUTING
Module 4: Cloud Security: Risks, Top concern for cloud users, privacy impact assessment, trust, OS security,
VM Security, Security Risks posed by shared images and management OS.

The rise of interconnected systems has significantly increased security risks, allowing malware to spread
globally and making national infrastructures vulnerable to cyberattacks. The concept of cyberwarfare has
emerged, where nation-states can target other nations' systems, as seen with incidents like the Stuxnet virus.

ud
Cloud computing, while offering new capabilities, also introduces new security and privacy challenges. Some
mistakenly believe that outsourcing to the cloud mitigates internal security risks, but it actually creates new
vulnerabilities.

Moreover, legal protections for cloud users are often insufficient, leaving organizations exposed to risks beyond
their control. With cloud providers' resources dispersed across countries, there is a pressing need for
international regulations to manage the complexities of cloud security and ensure data protection across
borders.
lo
9.1 Cloud security risks Some believe that it is very easy, possibly too easy, to start using cloud services without
a proper understanding of the security risks and without the commitment to follow the ethics rules for cloud
computing. A first question is: What are the security risks faced by cloud users? There is also the possibility
C
that a cloud could be used to launch large-scale attacks against other components of the cyber infrastructure.
The next question is: How can the nefarious use of cloud resources be prevented? There are multiple ways to
look at the security risks for cloud computing. A recent paper identifies three broad classes of risk [83]:
traditional security threats, threats related to system availability, and threats related to third-party data control.
tu

Traditional threats are those experienced for some time by any system connected to the Internet, but with some
cloud-specific twists. The impact of traditional threats is amplified due to the vast amount of cloud resources
and the large user population that can be affected. The fuzzy bounds of responsibility between the providers of
cloud services and users and the difficulties in accurately identifying the cause of a problem add to cloud users’
concerns. The traditional threats begin at the user site. The user must protect the infrastructure used to connect
V

to the cloud and to interact with the application running on the cloud. This task is more difficult because some
components of this infrastructure are outside the firewall protecting the user. The next threat is related to the
authentication and authorization process. The procedures in place for one individual do not extend to an
enterprise. In this case the cloud access of the members of an organization must be nuanced; individuals should

RNSIT,2024-25 1
 Module 4

be assigned distinct levels of privilege based on their roles in the organization. It is also nontrivial to merge or
adapt the internal policies and security metrics of an organization with the ones of the cloud. Moving from the
user to the cloud, we see that the traditional types of attack have already affected cloud service providers. The
favorite means of attack are distributed denial-of-service (DDoS) attacks, which prevent legitimate users
accessing cloud services; phishing;2 SQL injection;3 or cross-site scripting.

Cloud servers hosting multiple virtual machines (VMs) create vulnerabilities, especially with multitenancy and
virtual machine monitor (VMM) flaws, opening new attack paths for malicious users. Identifying these attacks

ud
is harder in cloud environments due to shared resources and the rapid overwriting of event traces. Additionally,
cloud availability is a major concern, as system failures, power outages, or data lock-ins can disrupt services
and prevent organizations from functioning. Users also face risks due to third-party control, subcontractors,
and cloud provider espionage. Many cloud service agreements, like Amazon Web Services, place the
responsibility for data security on users, leaving them vulnerable to data loss or unauthorized access.

The Cloud Security Alliance (CSA) report outlines top threats to cloud computing, including abuse of cloud

lo
resources, insecure APIs, malicious insiders, shared technology risks, account hijacking, and data loss or
leakage. The report highlights how different cloud models (IaaS, PaaS, and SaaS) are affected by various risks.
Malicious insiders, data loss, and insecure APIs are particularly concerning, as they can lead to significant
harm. The CSA report also discusses the challenges of maintaining data integrity and avoiding service
hijacking, emphasizing the need for users to be aware of and mitigate these risks.
C
The three actors involved in the model considered are the user, the service, and the cloud infrastructure, and
there are six types of attacks possible (see Figure 9.1).

The user can be attacked from two directions: from the service and from the cloud. SSL certificate spoofing,
tu

attacks on browser caches, or phishing attacks are examples of attacks that originate at the service. The user
can also be a victim of attacks that either originate at the cloud or spoofs that originate from the cloud
infrastructure. The service can be attacked from the user. Buffer overflow, SQL injection, and privilege
escalation are the common types of attacks from the service. The service can also be subject to attack by the
cloud infrastructure; this is probably the most serious line of attack. Limiting access to resources,
V

privilege related attacks, data distortion, and injecting additional operations are only a few of the many
possible lines of attack originated at the cloud. The cloud infrastructure can be attacked by a user who targets
the cloud control system. The types of attack are the same ones that a user directs toward any other cloud
service. The cloud infrastructure may also be targeted by a service requesting an excessive amount of resources
and causing the exhaustion of the resources.

RNSIT,2024-25 2
 Module 4

ud
FIGURE 9.1 Surfaces of attacks in a cloud computing environment

Security remains the foremost concern for cloud users, who are accustomed to controlling their own systems within
the safety of corporate firewalls. Transitioning to cloud services means placing trust in cloud service providers

lo
(CSPs), a shift that can be challenging due to risks such as unauthorized access, data theft, and insider threats. Data
in storage, which remains vulnerable for extended periods, requires particular attention. Users also face significant
concerns about data control, including uncertainty about whether deleted data is truly erased and the risks posed
by seamless backups that occur without their knowledge. The lack of standardization and auditing within cloud
computing further complicates compliance and transparency, leaving users with unresolved issues regarding data
C
handling and legal protection.

Multitenancy, a core aspect of cloud computing that enables cost savings, also introduces heightened security risks,
especially when sensitive user information is stored on shared servers. The threats vary depending on the cloud
tu

delivery model, but all users are vulnerable to breaches when systems are compromised. The legal implications of
cloud computing are another critical concern. With CSP data centers located in different countries, it becomes
difficult to determine which laws govern the storage and transfer of data, especially when CSPs subcontract
services to third parties. In some cases, CSPs may be legally required to share private data with law enforcement,
adding to the complexity of securing sensitive information.
V

To minimize security risks, cloud users must carefully evaluate CSPs' security policies and the mechanisms in
place to protect sensitive data. It's essential to scrutinize the contractual obligations, ensuring clarity around data
ownership, geographical storage limits, and CSP liability in cases of mishandling or data loss. Users may also
implement additional security measures like encryption to protect data, although encryption can limit functionality
in certain applications. Solutions like Google’s Secure Data Connector allow for controlled access to data behind

RNSIT,2024-25 3
 Module 4

firewalls, but for some workflows and sensitive data, stronger protections such as homomorphic encryption may
eventually offer a viable solution despite current inefficiencies.

9.3 Privacy and privacy impact assessment: Privacy refers to the right of individuals, groups, or organizations
to protect personal or proprietary information from disclosure. Many nations consider privacy a fundamental
human right, with the Universal Declaration of Human Rights explicitly addressing privacy protection. However,
privacy laws vary globally, and the digital age has introduced new privacy challenges, such as identity theft from
stolen or misused personal information. Some regions, like the European Union (EU), have enacted stringent laws

ud
to safeguard personal data, including the "right to be forgotten." This right seeks to address the lasting impact of
digital footprints, where personal information remains indefinitely accessible online. Privacy concerns are
particularly acute in cloud environments, where data often resides on servers owned by cloud service providers
(CSPs) and can include sensitive personal details, making it harder to ensure data protection.

In cloud computing, privacy concerns differ across the three cloud delivery models—SaaS, PaaS, and IaaS—and

lo
depend on the specific context. For instance, in Gmail, a popular SaaS platform, Google's privacy policy outlines
the collection of user data, such as names, contact information, and device details, which can be shared with
external entities under certain legal or security circumstances. This creates risks such as unauthorized access,
secondary usage for advertising, and data proliferation. Users lose control over their data once it is stored in the
cloud, including its exact location, access, and the length of retention. For example, Gmail users have no say in
C
where their data is stored or for how long old emails remain in backups.

Key privacy issues in cloud computing include the lack of user control, unauthorized secondary use of data, and
tu

dynamic provisioning, which refers to the risks posed by outsourcing data management to third-party
subcontractors. This introduces uncertainty regarding who has access to the data and what happens to it during
events such as mergers or bankruptcies. Without proper regulations and technological safeguards, users cannot
fully control or protect their data from being exploited or mishandled by CSPs or their subcontractors.

“Consumer-oriented commercial Web sites that collect personal identifying information from or about consumers
V

online would be required to comply with the four widely accepted fair information practices:

1. Notice. Web sites would be required to provide consumers clear and conspicuous notice of their information
practices, including what information they collect, how they collect it (e.g., directly or through nonobvious means
such as cookies), how they use it, how they provide Choice, Access, and Security to consumers, whether they

RNSIT,2024-25 4
 Module 4

disclose the information collected to other entities, and whether other entities are collecting information through
the site.

2. Choice. Web sites would be required to offer consumers choices as to how their personal identifying information
is used beyond the use for which the information was provided (e.g., to consummate a transaction). Such choice
would encompass both internal secondary uses (such as marketing back to consumers) and external secondary uses
(such as disclosing data to other entities).

3. Access. Web sites would be required to offer consumers reasonable access to the information a Web site has

ud
collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete
information.

4. Security.Web sites would be required to take reasonable steps to protect the security of the information they
collect from consumers. The Commission recognizes that the implementation of these practices may vary with the
nature of the information collected and the uses to which it is put, as well as with technological developments. For
this reason, the Commission recommends that any legislation be phrased in general terms and be technologically

lo
neutral. Thus, the definitions of fair information practices set forth in the statute should be broad enough to provide
flexibility to the implementing agency in promulgating its rules or regulations.”

4. Security.Web sites would be required to take reasonable steps to protect the security of the information they
C
collect from consumers. The Commission recognizes that the implementation of these practices may vary with the
nature of the information collected and the uses to which it is put, as well as with technological developments. For
this reason, the Commission recommends that any legislation be phrased in general terms and be technologically
neutral. Thus, the definitions of fair information practices set forth in the statute should be broad enough to provide
tu

flexibility to the implementing agency in promulgating its rules or regulations.”

9.4 Trust: Trust in cloud computing is closely tied to the broader issue of trust in online activities. Traditionally,
trust is defined as "assured reliance on the character, ability, strength, or truth of someone or something." Trust is
crucial for cooperation, reduces conflict, and fosters effective crisis responses. For trust to develop, two conditions
are necessary: risk, which introduces uncertainty, and interdependence, where one entity relies on another to
V

achieve its interests. Trust progresses through three phases: building, stability, and dissolution. Different forms of
trust exist, such as deterrence-based trust, which relies on penalties for breaches, and calculus-based trust, where
mutual self-interest fosters cooperation. Trust built through repeated interactions can lead to relational trust, but
trust is fragile and easily lost with a single violation.

RNSIT,2024-25 5
 Module 4

Online trust differs from traditional trust as it lacks the clear markers of identity and personal characteristics found
in face-to-face interactions. Anonymity on the internet reduces the cues needed for making trust judgments, as
identities are often obscured. This makes it challenging to verify whether entities are who they claim to be, and it
diminishes accountability. To compensate, security mechanisms such as access control, identity transparency, and
surveillance are used. Digital signatures, certificates, and biometric identification help ensure that virtual agents
represent real individuals. Additionally, surveillance methods like intrusion detection and auditing help monitor

ud
transactions and interactions to maintain trustworthiness in online environments.

In cloud computing, trust is further established through policies, reputation, and credentials. Policies define the
conditions for trust and verify credentials, such as digital signatures, which serve as indicators of reliability.
Reputation, based on a history of interactions, is another important factor in assessing trustworthiness.
Recommendations from other trusted entities also influence trust decisions. In the context of computer science,

lo
trust is defined as the measurable belief that one party will behave dependably within a given context. Assurance
in the operation of hardware or software components can lead to persistent trust in cloud systems, reinforcing the
belief in the security and reliability of cloud services.

9.5 Operating system security

C
An operating system (OS) plays a crucial role in managing hardware resources and ensuring the security of
applications from various malicious attacks. Key security mechanisms within an OS include mandatory
security policies that control access, authentication, and cryptography. These mechanisms ensure that users
and applications cannot bypass security measures. Trusted applications, which perform security-related tasks,
tu

are restricted to the minimal privileges necessary to reduce the risk of exploitation. Unlike discretionary
security mechanisms, which place responsibility on users, mandatory policies are enforced by system
administrators, providing a stronger and more reliable security framework. However, most commercial
operating systems offer limited support for multilayered security, leading to potential vulnerabilities.
V

One of the challenges in operating system security is ensuring trusted paths for user interactions with trusted
software. Without trusted paths, malicious software can impersonate legitimate applications, leading to
breaches in system integrity. The complexity of security mechanisms often leads to decomposing them into
smaller components, such as enforcers and deciders, to manage access control effectively. Additionally,

RNSIT,2024-25 6
 Module 4

cryptographic functions should be separated from invocation mechanisms to avoid tampering. While some
systems, like Java's Security Manager, attempt to secure mobile code through type-safety and sandboxing,
they still face vulnerabilities. The need for digitally signed applets from trusted sources presents another
challenge, as the all-or-nothing security model may not fully protect against sophisticated attacks.

In general, commodity operating systems provide low assurance due to their complexity and susceptibility to
various threats. Poor isolation between applications means that if one application is compromised, the entire

ud
system and all other applications are at risk. This makes the security of a platform dependent on the weakest
application running on it. Furthermore, these operating systems offer weak mechanisms for inter-application
authentication, leaving users and applications vulnerable to impersonation attacks. As a result, higher security
demands, especially in distributed environments like financial applications, may require solutions beyond the
OS level to protect against unauthorized access and malicious impersonations.

9.6 Virtual machine security

lo
C
tu

FIGURE 9.2 (a) Virtual security services provided by the VMM. (b) A dedicated security VM

The hybrid and the hosted VM models in Figures 5.3(c) and (d), respectively, expose the entire system to the
vulnerability of the host operating system; thus, we will not analyze these models. Our discussion of virtual
V

machine security is restricted to the traditional system VM model in Figure 5.3(b), where the VMM controls
access to the hardware. Virtual security services are typically provided by the VMM, as shown in Figure
9.2(a). Another alternative is to have a dedicated security services VM, as shown in Figure 9.2(b). A secure
trusted computing base (TCB) is a necessary condition for security in a virtual machine environment; if the
TCB is compromised, the security of the entire system is affected. The analysis of Xen and vBlades in

RNSIT,2024-25 7
 Module 4

Sections 5.8 and 5.10 shows that VM technology provides a stricter isolation of virtual machines from one
another than the isolation of processes in a traditional operating system. Indeed, a VMM controls the
execution of privileged operations and can thus enforce memory isolation as well as disk and network access.
The VMMs are considerably less complex and better structured than traditional operating systems; thus, they
are in a better position to respond to security attacks. A major challenge is that a VMM sees only raw data
regarding the state of a guest operating system, whereas security services typically operate at a higher logical
level, e.g., at the level of a file rather than a disk block. A guest OS runs on simulated hardware, and the
VMM has access to the state of all virtual machines operating on the same hardware. The state of a guest

ud
virtual machine can be saved, restored, cloned, and encrypted by the VMM. Not only can replication ensure
reliability, it can also support security, whereas cloning could be used to recognize a malicious application
by testing it on a cloned system and observing whether it behaves normally. We can also clone a running
system and examine the effect of potentially dangerous applications. Another interesting possibility is to have
the guest VM’s files moved to a dedicated VM and thus, protect it from attacks [389]; this is possible because
inter-VM communication is faster than communication between two physical machines. Sophisticated

lo
attackers are able to fingerprint virtual machines and avoid VM honeypots designed to study the methods of
attack. They can also attempt to access VM-logging files and thus recover sensitive data; such files have to
be very carefully protected to prevent unauthorized access to cryptographic keys and other sensitive data.
There is no free lunch; thus, we expect to pay some price for the better security provided by virtualiza tion.
C
This price includes: higher hardware costs, because a virtual system requires more resources, such as CPU
cycles, memory, disk, and network bandwidth; the cost of developing VMMs and modifying the host
operating systems in case of paravirtualization; and the overhead of virtualization because the VMM is
involved in privileged operations.
tu

The security group involved with the NIST project has identified the following VMM- and VM-based threats:
• VMM-based threats:

1. Starvation of resources and denial of service for some VMs. Probable causes:

(a) badly configured resource limits for some VMs;

V

(b) a rogue VM with the capability to bypass resource limits set in the VMM.

2. VM side-channel attacks. Malicious attacks on one or more VMs by a rogue VM under the same VMM.
Probable causes:

(a) lack of proper isolation of inter-VM traffic due to misconfiguration of the virtual network residing

RNSIT,2024-25 8
 Module 4

in the VMM;

(b) limitation of packet inspection devices to handle high-speed traffic, e.g., video traffic;

(c) presence of VM instances built from insecure VM images, e.g., a VM image having a guest OS
without the latest patches.

3. Buffer overflow attacks. •

VM-based threats:

ud
1. Deployment of rogue or insecure VM. Unauthorized users may create insecure instances from images or
may perform unauthorized administrative actions on existing VMs. Probable cause: improper configuration
of access controls on VM administrative tasks such as instance creation, launching, suspension, reactivation,
and so on.

2. Presence of insecure and tampered VM images in the VM image repository. Probable causes:

(a) lack of access control to the VM image repository;

lo
(b) lack of mechanisms to verify the integrity of the images, e.g., digitally signed image.

9.8 Security risks posed by shared images: Even when we assume that a cloud service provider is
trustworthy, many users either ignore or underestimate the danger posed by other sources of concern. One of
C
them, especially critical to the IaaS cloud delivery model, is image sharing. For example, a user of AWS has
the option to choose between Amazon Machine Images (AMIs), accessible through the Quick Start or the
Community AMI menus of the EC2 service. The option of using one of these AMIs is especially tempting
for a first-time or less sophisticated user. First, let’s review the process to create an AMI. We can start from
tu

a running system, from another AMI, or from the image of a VM and copy the contents of the file system to
the S3, the so-called bundling. The first of the three steps in bundling is to create an image, the second step
is to compress and encrypt the image, and the last step is to split the image into several segments and then
upload the segments to the S3. Two procedures for the creation of an image are available: ec2-bundle-image
and ec2- bundle-volume. The first is used for images prepared as loopback files10 when the data is transferred
V

to the image in blocks. To bundle a running system, the creator of the image can use the second procedure
when bundling works at the level of the file system and files are copied recursively to the image. To use an
image, a user has to specify the resources, provide the credentials for login, provide a firewall configuration,
and specify the region, as discussed in Section 3.1. Once instantiated, the user is informed about the public

RNSIT,2024-25 9
 Module 4

DNS and the virtual machine is made available. A Linux system can be accessed using ssh at port 22, whereas
the Remote Desktop at port 3389 is used for Windows.

Three types of security risks were analyzed: (1) backdoors and leftover credentials, (2) unsolicited
connections, and (3) malware. An astounding finding is that about 22% of the scanned Linux AMIs contained
credentials allowing an intruder to remotely log into the system. Some 100 passwords, 995 ssh keys, and 90
cases in which both passwords and keys could be retrieved were identified. To rent a Linux AMI, a user must
provide the public part of the ssh key, and this key is stored in the authorized_keys in the home directory.

ud
This opens a backdoor for a malicious creator of an AMI who does not remove his own public key from the
image and can remotely log into any instance of this AMI. Another backdoor is opened when the ssh server
allows password-based authentication and the malicious creator of an AMI does not remove his own
password. This backdoor is opened even wider as one can extract the password hashes and then crack the
passwords using a tool such as John the Ripper (see www.openwall.com/john). Another threat is posed by
the omission of the cloud-init script that should be invoked when the image is booted. This script, provided

lo
by Amazon, regenerates the host key an ssh server uses to identify itself; the public part of this key is used to
authenticate the server. When this key is shared among several systems, these systems become vulnerable to
man-in-the middle11 attacks. When this script does not run, an attacker can use the NMap tool12 to match
the ssh keys discovered in the AMI images with the keys obtained via NMap. The study reports that the
authors were able to identify more than 2,100 instances following this procedure. Unsolicited connections
C
pose a serious threat to a system. Outgoing connections allow an outside entity to receive privileged
information, e.g., the IP address of an instance and events recorded by a syslog daemon to files in the var/log
directory of a Linux system. Such information is available only to users with administrative privileges. The
audit detected two Linux instances with modified syslog daemons, which forwarded to an outside agent
tu

information about events such as login and incoming requests to a Web server. Some of the unsolicited
connections are legitimate – for example, connections to a software update site. It is next to impossible to
distinguish legitimate from malicious connections. Malware, including viruses, worms, spyware, and trojans,
were identified using ClamAV, a software tool with a database of some 850,000 malware signatures, available
from www.clamav.net. Two infected Windows AMIs were discovered, one with a Trojan-Spy (variant 50112)
V

and a second one with a Trojan-Agent (variant 173287). The first trojan carries out keylogging and allows
stealing data from the files system and monitoring processes; the AMI also included a tool called
Trojan.Firepass to decrypt and recover passwords stored by the Firefox browser. The creator of a shared AMI
assumes some privacy risks; his private keys, IP addresses, browser history, shell history, and deleted files

RNSIT,2024-25 10
 Module 4

can be recovered from the published images. A malicious agent can recover the AWS API keys that are not
password protected. Then the malicious agent can start AMIs and run cloud applications at no cost to herself,
since the computing charges are passed on to the owner of the API key. The search can target files with names
such as pk − [0 − 9A − Z] ∗.pem or cert − [0 − 9A − Z] ∗.pem used to store API keys. Another avenue for a
malicious agent is to recover ssh keys stored in files named id_dsa and id_rsa. Though ssh keys can be
protected by a passphrase, 13 the audit determined that the majority of ssh keys (54 out of 56) were not
password protected. Recovery of IP addresses of other systems owned by the same user requires access to the
lastlog or the lastb databases. The audit found 187 AMIs with a total of more than 66,000 entries in their lastb

ud
databases. Nine AMIs contained Firefox browser history and allowed the auditor to identify the domains
contacted by the user. In addition, 612 AMIs contained at least one shell history file. The audit analyzed 869
history files named ∼/.history, ∼/.bash_history, and ∼/.sh_history, containing some, 160,000 lines of
command history, and identified 74 identification credentials. Users should be aware that when HTTP is used
to transfer information from a user to a Web site, the GET requests are stored in the logs of the Web server.
Passwords and credit card numbers communicated via a GET request can be exploited by a malicious agent

lo
with access to such logs. When remote credentials such as the DNS management password are available, a
malicious agent can redirect traffic from its original destination to her own system.

Recovery of deleted files containing sensitive information poses another risk for the provider of an image.
When the sectors on the disk containing sensitive information are actually overwritten by another file,
C
recovery of sensitive information is much harder. To be safe, the creator of the image effort should use utilities
such as shred,scrub,zerofree, or wipe to make recovery of sensitive information next to impossible. If the
image is created with the block-level tool discussed at the beginning of this section, the image will contain
blocks of the file system marked as free; such blocks may contain information from deleted files. The audit
tu

process was able to recover files from 98% of the AMIs using the exundelete utility. The number of files
recovered from an AMI was as low as 6 and as high as 40,000.

9.9 Security risks posed by a management OS

V

RNSIT,2024-25 11
 Module 4

ud
FIGURE 9.3 The trusted computing base of a Xen-based environment includes the hardware, Xen, and the
management operating system running in Dom0. The management OS supports administrative tools, live
migration, device drivers, and device emulators. A guest operating system and applications running under it

lo reside in a DomU

A hypervisor supports stronger isolation between the VMs running under it than the isolation between
processes supported by a traditional operating system. Yet the hypervisor must rely on a management OS to
C
create VMs and to transfer data in and out from a guest VM to storage devices and network interfaces. A
small VMM can be carefully analyzed; thus, one could conclude that the security risks in a virtual
environment are diminished. We have to be cautious with such sweeping statements. Indeed, the trusted
computer base (TCB)15 of a cloud computing environment includes not only the hypervisor but also the
tu

management OS. The management OS supports administrative tools, live migration, device drivers, and
device emulators. For example, the TCB of an environment based on Xen includes not only the hardware and
the hypervisor but also the management operating system running in the so-called Dom0 (see Figure 9.3).
System vulnerabilities can be introduced by both software components, Xen, and the management operating
system. An analysis of Xen vulnerabilities reports that 21 of the 23 attacks were against service components
V

of the control VM [90]; 11 attacks were attributed to problems in the guest OS caused by buffer overflow16
and 8 were denial-of-service attacks.

Dom0 manages the building of all user domains (DomU), a process consisting of several steps:

1. Allocate memory in the Dom0 address space and load the kernel of the guest operating system from

RNSIT,2024-25 12
 Module 4

secondary storage.

2. Allocate memory for the new VM and use foreign mapping17 to load the kernel to the new VM.

3. Set up the initial page tables for the new VM.

4. Release the foreign mapping on the new VM memory, set up the virtual CPU registers, and launch the new
VM.

A malicious Dom0 can play several nasty tricks at the time when it creates a DomU [215]: • Refuse to carry
out the steps necessary to start the new VM, an action that can be considered a denial-of-service attack. •

ud
Modify the kernel of the guest operating system in ways that will allow a third party to monitor and control
the execution of applications running under the new VM. • Undermine the integrity of the new VM by setting
the wrong page tables and/or setting up incorrect virtual CPU registers. • Refuse to release the foreign
mapping and access the memory while the new VM is running. Let us now turn our attention to the run-time
interaction between Dom0 and a DomU. Recall that Dom0 exposes a set of abstract devices to the guest
operating systems using split drivers. The front end of such a driver is in the DomU and its back end in Dom0,

lo
and the two communicate via a ring in shared memory (see Section 5.8). In the original implementation of
Xen a service running in a DomU sends data to or receives data from a client located outside the cloud using
a network interface in Dom0; it transfers the data to I/O devices using a device driver in Dom0. 18 Therefore,
we have to ensure that run-time communication through Dom0 is encrypted. Yet, Transport Layer Security
C
(TLS) does not guarantee that Dom0 cannot extract cryptographic keys from the memory of the OS and
applications running in DomU. A significant security weakness of Dom0 is that the entire state of the system
is maintained by XenStore (see Section 5.8). A malicious VM can deny access to this critical element of the
system to other VMs; it can also gain access to the memory of a DomU. This brings us to additional
tu

requirements for confidentiality and integrity imposed on Dom0. Dom0 should be prohibited from using
foreign mapping for sharing memory with a DomU unless a DomU initiates the procedure in response to a
hypercall from Dom0. When this happens, Dom0 should be provided with an encrypted copy of the memory
pages and of the virtual CPU registers. The entire process should be closely monitored by the hypervisor,
which, after the access, should check the integrity of the affected DomU. A virtualization architecture that
V

guarantees confidentiality, integrity, and availability for the TCB of a Xen-based system is presented in [215].
A secure environment when Dom0 cannot be trusted can only be ensured if the guest application is able to
store, communicate, and process data safely. Thus, the guest software should have access to secure secondary
storage on a remote storage server for keeping sensitive data and network interfaces to communicate with the
user. We also need a secure run-time system. To implement a secure run-time system we have to intercept

RNSIT,2024-25 13
 Module 4

and control the hypercalls used for communication between a Dom0 that cannot be trusted and a DomU we
want to protect. Hypercalls issued by Dom0 that do not read or write to the memory of a DomU or to its
virtual registers should be allowed. Other hypercalls should be restricted either completely or during specific
time windows. For example, hypercalls used by Dom0 for debugging or for the control of the IOMMU19
should be prohibited. We cannot restrict some of the hypercalls issued by Dom0, even though they can be
harmful to the security of a DomU. For example, foreign mapping and access to the virtual registers are
needed to save and restore the state of a DomU. We should check the integrity of a DomU after the execution
of such security-critical hypercalls. New hypercalls are necessary to protect: • The privacy and integrity of

ud
the virtual CPU of a VM. When Dom0 wants to save the state of the VM, the hypercall should be intercepted
and the contents of the virtual CPU registers should be encrypted. When a DomU is restored, the virtual CPU
context should be decrypted and then an integrity check should be carried out. • The privacy and integrity of
the VM virtual memory. The page table update hypercall should be intercepted and the page should be
encrypted so that Dom0 handles only encrypted pages of the VM. To guarantee integrity, the hypervisor
should calculate a hash of all the memory pages before they are saved by Dom0. Because a restored DomU

lo
may be allocated a different memory region, an address translation is necessary (see [215]). • The freshness
of the virtual CPU and the memory of the VM. The solution is to add to the hash a version number.
C
tu
V

RNSIT,2024-25 14