1Security improvements in virtualized environmentsIrina Mihai, Raluca Voinescu

Automatic Control and Computers FacultyPOLITEHNICA University of Bucharest

Email: oana.irina.mihai@gmail.com, raluca.voinescu@gmail.com

Abstract

In the last years the Cloud environment has become a major attraction not only for developers, but even for ordinary users.Not worrying about where to keep your data or where to run your applications most definitely describes an ideal context in thedigital world of today. If we add scalability, flexibility and low costs to that we could just say Evrika and enjoy using the Cloud.A thing that should not be forgotten is that such massive and popular services have always become main targets for cybercriminalswho plan attacks not necessarily for money or fame, but sometimes out of pure curiosity.

The Cloud is the largest virtualized environment known until now, used on such a great scale that is basically impossible todetermine the number of its users. Given these, security becomes a real problem and providing solutions for the still-evolvingCloud has become a hot topic. The scope of this paper is to describe the Cloud virtualized structure, to analyze and validate itsmain vulnerabilities, together with a number of attacks that exploit these vulnerabilities. For building our case and studying thisproblem, we have chosen OpenStack as a Cloud solution.

I. INTRODUCTIONThere is a very real phenomenon that people are not aware what the software they use is doing behind its nice interface.

Sometimes people dont know if and how a software is using the Internet, furthermore the Cloud [17]. Another phenomenonjust as real is that other people are very much aware that others have no idea that they are using the Cloud. With the continuousgrowth of this new type of environment, who could really keep track of everything?

The Cloud impresses not only with its novelty status, but mostly with what is wants and has to offer: flexibility, redundancy,fast data transfers, practically unlimited pool of resources, everything on demand and not at a high price. There hasnt been yetfound a complete definition for this new emerged paradigm, but until now it has been worldwide agreed that the Cloud comeswith three types of services - Infrastructure as a Service, Platform as a Service, Software as a Service - and four deploymentmodels - Private Cloud, Public Cloud, Hybrid Cloud, Community Cloud.

This popularity has its advantages and disadvantages. While the advantages have been mentioned earlier, one of the main issuesis that such a popular service draws the attention of attackers. The bigger and complex a system is, the higher the probabilityof finding a breach, exploiting it and getting away with it. This is why studying the security of virtualized environments isa must: to develop the tools for detecting malicious behavior and to try and suggest improvements for avoiding data loss ortampering and confidentiality violation.

This paper will focus on general security issues of the virtualized environments and several attacks that have happened alongthe time. As an example of virtualized environment, we will use OpenStack, not only for studying its vulnerabilities, but alsoto implement some of those attacks and try to propose security improvements. We have chosen OpenStack not only because itsan opensource software, but mainly because its a mature framework, extremely popular, and with a considerable communitycontributing to its progress. It also comes with a development solution, DevStack[2], which provides the OpenStack centralservices and creates an environment destined for development and testing. We have chosen two attack directions: one on nonOpenStack specific components - the virtualization solutions used (Zen/KVM) and one on specific OpenStack components(Keystone, Nova, Swift, Glance, Cinder).

II. SECURITY ISSUES IN VIRTUALIZED ENVIRONMENTSIn this section we will focus on specific problems for different kind of attacks in virtualized environments: Denial of Service

attack, Malware-Injection attack, Side Channel attack, and Man-In-The-Middle Cryptographic attacks.

A. Denial-of-Service attackIn a cloud infrastructure, services and resources such as RAM, CPU, network, disk storage are shared between users. If these

resources are extensively used, services performance will be low. Denial-of-service (DoS) attack is one of the most commonand damaging attacks on the cloud. The purpose of the DoS attack is to prevent users from using computing resources. Anattacker will attempt to overload the network with connection requests, in order to reduce users bandwidth, prevent access toservices and disrupt services. If a cloud service is overloaded, it will try to cope with the workload. Therefore, in order tomeet the requirements, the system will provide more computational power, thus actually helping the attacker in rendering aservice unavailable.

2B. Distributed Denial-of-Service attack

DDoS attacks are amongst the classical forms of attack hackers can inflict upon web servers. Unlike data breaches, DDoSattacks do not steal anything, but they do cause downtime for the network [16]. Sonys PlayStation Network and EntertainmentNetwork were victims in August 2014 in this type of attack, when they were rendered inaccessible and offline for almost 1whole day. Unfortunately for Sony, the last DDoS attack they experienced back in 2011 led to a major data breach whichexposed more than 100 million accounts of their customers. Typically, hackers can rent so-called botnets (networks of infectedcomputers controlled by cyber criminals) in order to initiate such acts. Ironically, it gets even worse nowadays, when they cansimply just rent greater computing power from cloud services to complete their malicious intent. Statistics from Verizon reportthat the bandwidth used by DDoS attacks nearly doubled since 2011, ranging from 4.7 Gbps to 10.1 Gbps in 2014[6].

C. Malware-Injection attack

Malware injection attack is one category of web-based attacks, in which hackers exploit web application for vulnerabilitiesand embed malicious codes into them, effectively changing the course of their normal expected execution. Similar to web-basedapplications, cloud systems are also prone to malware injection attacks. Hackers can either craft a malicious application, aprogram or a virtual machine and inject them into target cloud service models. Among the most used form of malware injectionattacks are SQL injection and XSS (cross site scripting) [19]. A well-known security blog reported that a type of SQL injectionattack had compromised Sony PlayStation. The attack had successfully planted unauthorized code to more than 200 web pagespromoting Sonys videogames [10]. Computer security experts interest should be triggered by XSS attacks as they representthe most dangerous and malicious form of malware injection attack. A group of researchers from Germany demonstrated aXSS attack against Amazon by hijacking a current cloud service session, further allowing them access to customer data suchas authentication data, tokens and even plain text passwords [20].

D. Side Channel attack

Side Channel attack involves two stages: Virtual Machine Co-Residence and Placement and Virtual Machine Extraction. Thefirst stage implies the attacker to place a malicious virtual machine on the same physical machine as a target instance. Aftersuccessfully completing the first stage, the malicious instance will use side channels to learn information about coresidentinstances.[22]

E. Data breaches

A data breach relates to the unauthorized release of sensitive data from targeted systems or networks which may result in dataloss, including financial, personal and health information. The authors from [25] managed to extract private cryptographic keysthrough side-channel timing information. Even if this required a great deal of work, a malicious hacker would not have to goto such extent have the same results. Should a multitenant cloud service system have even one flaw, all of the clients data mayget into the wrong hands. For example, hackers managed to gain access to the Targets cloud network through the monitoringstore climate systems. Furthermore, they uploaded a grabber program to mirror all payment data to an unused Target server.This went by unnoticed for two months and resulted in having the CIO and CEO lose their jobs, a $400 million worth ofholiday shoppers information and most important, the loss of their customers trust. Another example is LinkedIn, the largestprofessional networking website boasting 175 million users, which reported that their password database was compromiseddue to data breach. Approximately 200.000 hashed passwords were cracked from a total of 6.5 million, after being posted ona Russian web forum[9].

F. Data loss

Data loss, also known as data leakage, is another major issue cloud computing users could face. Deletion of records withouta backup of the original content is an obvious example of ways to compromise data. If data loss may occur when a disk drivedeteriorates, it certainly occurs when one owner of encrypted data loses the encryption key. The architectural and operationalcharacteristics of the cloud environment could threaten the integrity of stored data. Amazon Web Service customers sufferedan involuntary loss of data when their proprietary Elastic Compute Cloud experienced a re-mirroring storm in 2011 (largenumber of nodes trying to replicate themselves on an incorrectly upgraded primary network capacity) caused by human operatorerror[12]. On the other hand, Mat Honan, a writer for Wired magazine, lost all his personal pictures when his Gmail, Twitterand Apple accounts had been compromised by an intruder intentionally.

3G. Man-In-The-Middle Cryptographic attacks

This attack implies the adversary to place himself between two valid entities with the aim to intercept or modify communi-cations. An example of MITM attack is the Impersonating attack in which the adversary pretends being a valid user or serverand deceives a valid entity to disclose his credentials in order to use them to gain unauthorised access to the system.[14]

As technology evolves to meet the needs of users, security threats are constantly evolving and adapting as well. Cloud Computingoffers benefits such as mobility or flexibility, but it also provides malicious users new ways of breaching security. Perhapsthe most devastating threats for both organizations and individual users are data loss and data breaches. Companies fear thatimportant information not reach the hands of competitors, while individual users are afraid of abuses.

III. OPENSTACK SECURITY ISSUES

A. OpenStack overview

This Private Cloud model can also be considered internal cloud or enterprise cloud[13]. The infrastructure of the Cloudis specifically designed to provide services for a single organization which usually owns the location of the site. Multiplesolutions for setting up a private Cloud are used by organizations: VMWare, VirtualBox, OpenStack.

The OpenStack Project, initially developed by NASA[18] offers an IaaS model which not so long ago had only sevencomponents[5], but now has developed three more. The OpenStack architecture contains [3]:

Dashboard (Horizon) comes with a Web GUI for the others OpenStack services. Compute (Nova) offers the necessary software for working with virtual machines. It is similar to Amazon EC2, assuring

scalability and redundancy. Network (Neutron) ensures connectivity between machines running OpenStack software. Object Store (Swift) offers the software for managing the storage of data to the order of petabytes for long periods of

time. Block Storage (Cinder) offers, as the name suggests, block storages for guest only virtual machines. Image Service (Glance) provides services for virtual disk images. Identity (Keystone) manages the security for the OpenStack services. Telemetry (Ceilometer) is responsible for billing, metering, rating, autoscaling. Orchestration (Heat) conducts the interactions between different Cloud applications. Database Service (Trove) offers support for relational and non-relational databases.The interaction of the components presented above are illustrated in Figure 1.

Figure 1: OpenStack architecture [5].

If an user wants to use OpenStack he will do that either through the Dashboard service, either through the APIs everyservice provides. The Identity services ensures the authentication and after that, all the other services are accessible.

The project was developed in Python and runs with an Apache2 license. The provided GUI offers the user the liberty to

4create not only virtual machines with default values of CPU and RAM, but to set those numbers [21]. Given the fact that theOpenStack Project aims to be able to support a considerable large infrastructure, it uses more hypervisors for creating andrunning the virtual machines: Xen, KVM, HyperV, Qemu[15].

B. Security threats

Several security issues of OpenStack architecture are presented in [24]:

1) Identity access and user management: In OpenStack Object Storage (Swift), authentication and authorization are providedthrough two mechanisms: tempAuth and swAuth [4]. The two methods have different approaches in keeping the usersdata: tempAuth keeps users data in clear, using configuration files, while swAuth uses encoded JSON files. In both cases,authentication is made through username and password and once the user has been granted, the user receives a token thatidentifies him for 24 hours, after which it expires. A problem here is that OpenStack has no password requirements andno dictionary verification, meaning that any password, no matter how simple, is accepted as valid. Since tempAuth usesconfiguration files for keeping the data, including the usernames and passwords, even those of the super user, a normal usercould find the passwords of other users. To avoid this situation, special permissions should be set for that configuration fileduring the site bringup.

SwAuth for the other hand, uses clear permissions rights for the file containing the username and password, but in that file, thedata is kept in clear-text. Hashing the passwords or encrypting them should definitely be a thing to consider for OpenStack.

2) Data management: One of the main concerns in the virtualized environment is maintaining the isolation and keeping theusers data integrity and confidentiality. OpenStack isolates the data using path hashing, which is highly insecure, as seen in[24]. There have been several attacks studies on OpenStack isolation: preimage attack, collision attack and it has been shownthat in these cases, OpenStack is not flawed, offering mechanisms for preventing this kind of attacks.

Another problem in OpenStack is that backup and recovery are not supported in the case of a file with a name which alreadyexists. Although the server process, replicator, copies the data to other cluster sites, uploading a file which does not have aunique name overwrites the other files and makes them irretrievable.

IV. ARCHITECTURE

As presented in Section 2, there are so many threats against a systems, that studying its vulnerabilities becomes a majorpriority. The steps towards improving a system is to reproduce the issue, find its cause and only then to propose a solution. Inthis paper, we are trying to develop at least one of the attacks presented in the second section: man in the middle attack andthen to give solutions for preventing this type of attack in the virtualized environment. For doing these, we chose to use thefollowing elements:

DevStack - is a script that quickly builds an OpenStack development environment. Its primary purpose is to providethe necessary tools and services of OpenStack, approprite not only for development actions, but also for operational andsecurity testing. It also provides the needeed documentation for confuguring, running anf maintaining the OpenStackservices. Although DevStacks purpose was not to become a replacement for OpenStack, it has evolved into an interestingalternative that offers many options for configurating all the services on a large number of platforms.

Host machine - a machine on which DevStack will be installed. We have chosen an Oracle Linux Server release 6.5,Red Hat Enterprise Linux Server release 6.5 (Santiago) with the following configuration:

MemTotal : 4048544 kBMemFree : 3308024 kBB u f f e r s : 49116 kBCached : 438548 kBA c t i v e : 430504 kBI n a c t i v e : 180308 kBA c t i v e ( anon ) : 125044 kBI n a c t i v e ( anon ) : 3948 kBA c t i v e ( f i l e ) : 305460 kBI n a c t i v e ( f i l e ) : 176360 kBU n e v i c t a b l e : 1716 kBAnonPages : 124920 kBMapped : 42528 kBShmem : 4132 kB

Slab : 80396 kBS R e c l a i m a b l e : 35920 kBSUnrec la im : 44476 kBK e r n e l S t a c k : 1696 kBP a g e T a b l e s : 12780 kBCommitLimit : 2024272 kBCommitted AS : 427148 kBV m a l l o c T o t a l : 34359738367 kBVmallocUsed : 7580 kBVmallocChunk : 34359730671 kBHugepages i ze : 2048 kBDirectMap4k : 10232 kBDirectMap2M : 4184064 kB

5Figure 2: Man-In-The-Middle.

The idea of the project is to install DevStack on the host machine and, in the beginning, to create two users - tenants, Aliceand Mallroy 2. Each one of the users will create at least one virtual machine. The second step would be to explore how thedata associated to these users is kept, where, the encryption mechanisms and the way authentication and authorization aremade, what vulnerabilities could be exploited and if, indeed, the security issues presented in the Security threats subsectionare valid. The scenario is for Alice to perform basic actions - authentication, logout, virtual machine creation and for Mallroyto try and obtain vital information from the former user, such as the password or its token.

The first step in succeeding this is for Mallroy to perform a sniffing action and to act as a passive attacker who just collectsinformation about the system and about Alice. Based on that information, we can create a script that automatically obtains thenecessary data from the system, processes it and completes the MITM1 attack.

V. IMPLEMENTATION AND RESULTS

Since OpenStack - and in consequence, also DevStack - uses KVM 2 and Qemu 3, we will validate our attack first on twomachines[1] with the roles previously presented, but created not directly from the DevStack environmenet, but from Qemu.

A. Setting up the environment

The first step in doing this is to install the necessary tools.

Firstly, check if the processor of the host machine supports virtualisation:e g r e p c ( vmx | svm ) / p roc / c p u i n f o

If the result of the previous command is 0 (zero), than the CPU does not support hardware virtualisation. If the result is 1(one) or higher, than the CPU supports hardware virtualisation, but this has to be enabled from BIOS.

The following step is to install the necessary packages:sudo ap tg e t i n s t a l l qemukvm l i b v i r t b i n ubuntuvmb u i l d e r b r i d g eu t i l s

1Man-In-The-Middle2Kernel-based Virtual Machine - virtualization infrastructure for the Linux kernel that turns it into a hypervisor[8]3Open source machine emulator and virtualizer

6 libvirt-bin comes with the libvirtd daemon which uses libvirt to manage the qemu and kvm instances. qemu-kvm represents the backend of the whole virtualized architecture. bridge-utils manages a bridge from the virtual machine to the local network. virtual manager its a desktop user interface application whose purpose is to manage virtual machines through libvirt. It

primarily targets KVM VMs, but it can also manage Xen and LXC (linux containers). [11]In the Virtual Manager, Alices and Mallroys machines will be created. As seen in 3, Alice will have a machine hosting

an Ubuntu 14.04, while Mallroys will use Kali, a Linux distribution specialised for Penetration Testing, Ethical Hacking andnetwork security assessments[7].

Figure 3: Allices and Mallroys machines.

B. Designing the attack

While Alice is enjoying her Ubuntu experience, Mallroy will put his Kali to work.1) Attack tools: The first step in developing the MITM attack, is to have Arpspoof and SSLStrip installed. Since Kali is a

distribution specialised for these kind of actions, these tools should be already installed.2) IP Forwarding: IP forwarding needs to be installed so that traffic could flow through Mallroys machine.

echo 1 > / p roc / s y s / n e t / i pv4 / i p f o r w a r d

3) Redirect traffic to SSLStrip using IPTables: An IPTables rule which will take the traffic originated from the victim,destined for port 80 (HTTP), and redirect it to the port on which SSLStrip will be running (8080).i p t a b l e s t n a t A PREROUTING p t c p d e s t i n a t i o np o r t 80 j REDIRECT top o r t 8080

4) IP Addresses: For this to perfectly work, we need to find out the identity of the target 4 and the IP Address of theGateway 5. This information is necessary for constructing the ARP Spoofing and can be easily found out using nmap.

Figure 4: Get Target IP

7Figure 5: Get Gateway IP

5) ARP Spoofing: Since ARP maps the IP addresses to MAC addresses, the ARP spoofing attack sends erronated data toAlices machine telling it that the IP address of the gateway has changed to the address of Mallroys machine. Now, Alicethinks that the gateway is Mallroy and will send all its data there. The actual gateway also needs to be spoofed to think thatMallroys machine is actually Alices machine. This way, Mallroy has become the Man in the middle.

6) SSLStrip: What SSLStrip does 6 is to send to Alice an unencrypted HTTP page, even if she requieres an HTTPS one.Now, since Alice is sending unencrypted data, Mallroy can easily inspect it and get all her credentials if she logs into herFacebook, Gmail, Yahoo or any other account.

Figure 6: SSLStrip command

VI. CONCLUSION

As it could be seen, deploying a man in the middle attack on a virtualized environment is not so difficult, especially for aperson using the same physical machine. All you need is the right tools. In the Cloud the situation is even much more tragic,since there are many people sharing the same machine and thus, the consequences of such an attack would be way vast andthe chances for the attacker to get undepicted just as high.

For future development, the same attack, with the same scenario, will be developed in an OpenStack environment.

REFERENCES[1] attack. http://robospatula.blogspot.ro/2013/12/man-in-the-middle-attack-arpspoof-sslstrip.html.[2] DevStack. https://wiki.openstack.org/wiki/DevStack.[3] http://docs.openstack.org/admin-guide-cloud/content/ch getting-started-with-openstack.html. Technical report.[4] http://docs.openstack.org/developer/swift/overview auth.html. Technical report.[5] http://ken.pepple.info/. Technical report.[6] http://www.bloomberg.com/bw/articles/2014-08-26/ddos-attacks-are-soaring. Technical report.[7] Kali. https://www.kali.org/.[8] KVM. http://en.wikipedia.org/wiki/Kernel-based Virtual Machine.[9] Linkedin. http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/.

[10] Sopho. http://www.sophos.com/en-us/press-office/press-releases/2008/07/playstation.aspx.[11] Virtual Manager. https://virt-manager.org.[12] When Amazons cloud turned on itself. http://www.informationweek.com/cloud/infrastructure-as-a-service/post-mortem-when-amazons-cloud-turned-on-

itself/d/d-id/1097465 .[13] Networks Aerohive. Public or private cloud: The choice is yours.[14] M.Misbahuddin B.Sumitra, C.R. Pethuru. A survey of cloud authentication attacks and solution approaches.[15] Srivatsan Jagannathan. Comparison and evaluation of open-source cloud management software. 2012.[16] Bansidhar Joshi, A Santhana Vijayan, and Bineet Kumar Joshi. Securing cloud computing environment against ddos attacks. In Computer Communication

and Informatics (ICCCI), 2012 International Conference on, pages 15. IEEE, 2012.[17] Peter Mell and Tim Grance. The nist definition of cloud computing. 2011.[18] Ken Pepple. Deploying openstack. OReilly Media, Inc., 2011.[19] Niels Provos, Moheeb Abu Rajab, and Panayiotis Mavrommatis. Cybercrime 2.0: when the cloud turns dark. Communications of the ACM, 52(4):4247,

2009.[20] Thomas Roth. Breaking encryptions using gpu accelerated cloud instances. In BlackHat Conference, Conf, 2011.[21] Omar Sefraoui, Mohammed Aissaoui, and Mohsine Eleuldj. Openstack: toward an open-source solution for cloud computing. International Journal of

Computer Applications, 55(3):3842, 2012.[22] Bhrugu Sevak. Security against side channel attack in cloud computing. International Journal of Engineering and Advanced Technology (IJEAT),

2(2):183, 2013.[23] Ajey Singh and Maneesh Shrivastava. Overview of attacks on cloud computing. International Journal of Engineering and Innovative Technology (IJEIT),

1(4), 2012.[24] Rostyslav Slipetskyy. Security issues in openstack. Masters thesis, Norwegian University of Science and Technology, 2011.[25] Yinqian Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. Cross-vm side channels and their use to extract private keys. In Proceedings of

the 2012 ACM conference on Computer and communications security, pages 305316. ACM, 2012.[26] Kazi Zunnurhain and S Vrbsky. Security attacks and solutions in clouds. Citeseer.

IntroductionSecurity issues in virtualized environmentsDenial-of-Service attackDistributed Denial-of-Service attackMalware-Injection attackSide Channel attackData breachesData lossMan-In-The-Middle Cryptographic attacks

OpenStack security issuesOpenStack overviewSecurity threatsIdentity access and user managementData management

ArchitectureImplementation and ResultsSetting up the environmentDesigning the attackAttack toolsIP ForwardingRedirect traffic to SSLStrip using IPTablesIP AddressesARP SpoofingSSLStrip

ConclusionReferences