Challenge and Research in migration

Upload: harvey-bryan

Post on 18-Jan-2018



Page 1: Challenge and Research in migration. Challenge in VM migration Resource management issues during migration inappropriate access control policies An inappropriate

Challenge and Research in migration


Challenge in VM migration

Resource management issues during migration

Inappropriate access control policies
An inappropriate access control policy allows an unauthorized user to initiate, migrate and terminate a virtual machine. The access control policy also decides access to the hypervisor (Domain 0), isolation between VMs on the same machine, resource sharing, etc.

Unprotected transmission channel
The insecure and unprotected transmission channel is a result of the migration protocol. The migration protocol does not encrypt the data as it travels over the network, so the data is susceptible to active and passive attacks.

Loopholes in migration module
Vulnerabilities in the migration module include stack overflow, heap overflow, integer overflow, etc. Such vulnerabilities can be exploited by an attacker to inject malicious code or even halt the process.


Challenge in VM migration

Resource management issues during migration

Example: CVE-2015-3241: Resize/delete combo allows to overload nova-compute

Description: OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote authenticated users to cause a denial of service (disk, network, and other resource consumption) by resizing and then deleting an instance.
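A detection sketch for the resize-then-delete pattern described above, as an added example that is not from the original slides or from OpenStack: it flags deletes that arrive while a resize of the same instance is still in flight and counts them per user. The event format, action names, user names and threshold are constructed assumptions, not nova's log or notification format.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not nova's real log or notification format):
# ISO timestamp, user, instance id, action.
SAMPLE_EVENTS = """\
2015-07-01T10:00:00 alice vm-01 resize_start
2015-07-01T10:04:10 alice vm-01 resize_end
2015-07-01T10:05:00 alice vm-01 delete
2015-07-01T11:00:00 mallory vm-10 resize_start
2015-07-01T11:00:05 mallory vm-10 delete
2015-07-01T11:00:20 mallory vm-11 resize_start
2015-07-01T11:00:24 mallory vm-11 delete
2015-07-01T11:00:40 mallory vm-12 resize_start
2015-07-01T11:00:43 mallory vm-12 delete
2015-07-01T12:00:00 bob vm-20 resize_start
2015-07-01T12:00:30 bob vm-20 delete
"""

def parse_events(text):
    """Return (timestamp, user, instance, action) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        ts, user, instance, action = line.split()
        rows.append((datetime.fromisoformat(ts), user, instance, action))
    return sorted(rows)

def find_delete_during_resize(events):
    """Return (user, instance, seconds_since_resize_start) for each delete
    that arrives while a resize of the same instance is still in flight."""
    in_flight = {}  # instance -> time its resize started
    hits = []
    for ts, user, instance, action in events:
        if action == "resize_start":
            in_flight[instance] = ts
        elif action == "resize_end":
            in_flight.pop(instance, None)
        elif action == "delete" and instance in in_flight:
            started = in_flight.pop(instance)
            hits.append((user, instance, int((ts - started).total_seconds())))
    return hits

def users_over_threshold(hits, threshold=3):
    """Users with at least `threshold` such deletes, for operator review."""
    counts = Counter(user for user, _instance, _age in hits)
    return {u: n for u, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    hits = find_delete_during_resize(parse_events(SAMPLE_EVENTS))
    print(hits, users_over_threshold(hits))
```

A single delete during a resize can be an ordinary user action, which is why the sketch reports per-user counts against a threshold rather than alerting on each hit.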


Research Progress in VM migration

1. CloudMonatt (ISCA '15, June 13-17, 2015)
Tianwei Zhang and Ruby B. Lee of Princeton University propose an architecture for security health monitoring and attestation of virtual machines in cloud computing, named CloudMonatt [1]. CloudMonatt is able to conduct property-based attestations at runtime and for VM migrations, not just at boot up and VM launch time.

[1] Zhang T, Lee R B. CloudMonatt: an architecture for security health monitoring and attestation of virtual machines in cloud computing[C]//Proceedings of the 42nd Annual International Symposium on Computer Architecture. ACM, 2015: 362-374.


2. MOSE (ACSAC '15, December 07-11, 2015)
Researchers from Florida International University and Air Force Research Lab/RIGA propose live migration based on-the-fly software emulation, named MOSE [1]. It combines the performance advantages of hardware virtualization with the fine-grained analysis capability (comprehensiveness) of whole-system software emulation. Namely, a system can run as normal on a hardware-virtualized platform at near native speed, but when needed, it can be live-migrated to an emulator, not necessarily running on the same physical system, for in-depth analysis and triage; when the analysis is complete, the virtual machine can be migrated back to benefit from full hardware virtualization again.

[1] Wei J, Yan L K, Hakim M A. MOSE: Live Migration Based On-the-Fly Software Emulation[C]//Proceedings of the 31st Annual Computer Security Applications Conference. ACM, 2015: 221-230.