Secure VM management with strong user binding in semi-trusted clouds

Abstract

AbstractIn Infrastructure-as-a-Service (IaaS) clouds, remote users access provided virtual machines (VMs) via the management server. The management server is managed by cloud operators, but not all the cloud operators are trusted in semi-trusted clouds. They can execute arbitrary management commands to users’ VMs and redirect users’ commands to malicious VMs. We call the latter attack the VM redirection attack. The root cause is that the binding of remote users to their VMs is weak. In other words, it is difficult to enforce the execution of only users’ management commands to their VMs. In this paper, we propose UVBond for strongly binding users to their VMs to address this issue. UVBond boots user’s VM by decrypting its encrypted disk inside the trusted hypervisor. Then it issues a VM descriptor to securely identify that VM. To bridge the semantic gap between high-level management commands and low-level hypercalls, UVBond uses hypercall automata, which accept the sequences of hypercalls issued by commands. We have implemented UVBond in Xen and created hypercall automata for various management commands. Using UVBond, we confirmed that a VM descriptor and hypercall automata prevented insider attacks and that the overhead was not large in remote VM management.