Scalable Cloud Security via Asynchronous Virtual Machine Introspection

Authors: 

Sundaresan Rajasekaran, Zhen Ni, Harpreet Singh Chawla, Neel Shah, and Timothy Wood, George Washington University; Emery Berger, University of Massachusetts Amherst

Abstract: 

Software will always be vulnerable to attacks. Although techniques exist that could prevent or limit the risk of exploits, performance overhead blocks their adoption. Services deployed into the cloud are typically customer facing, leaving them even more exposed to attacks from malicious users. However, the use of virtual machines, and the economy of scale found in cloud platforms, provides an opportunity to offer strong security guarantees to tenants at low cost to the cloud provider. We present ScaaS, a security Scanning as a Service framework for cloud platforms that uses frequent virtual machine checkpointing coupled with memory introspection techniques to detect bugs and malicious behavior in real time. By buffering VM outputs (i.e., outgoing network packets and disk writes) until a scan has been completed, ScaaS gives strong guarantees about the amount of damage an attack can do, while minimizing overheads.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {196342,
author = {Sundaresan Rajasekaran and Zhen Ni and Harpreet Singh Chawla and Neel Shah and Timothy Wood and Emery Berger},
title = {Scalable Cloud Security via Asynchronous Virtual Machine Introspection},
booktitle = {8th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 16)},
year = {2016},
address = {Denver, CO},
url = {https://www.usenix.org/conference/hotcloud16/workshop-program/presentation/rajasekaran},
publisher = {USENIX Association},
month = jun
}
Download
Rajasekaran PDF
View the slides