See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/331197914

A Taxonomy of Virtualization Security Issues in Cloud Computing Environments

Article in Indian Journal of Science and Technology · January 2019

DOI: 10.17485/ijst/2019/v12i3/139557

CITATIONS READS
0 246

3 authors, including:

Khalil Al-Shqeerat Husam Ahmad AlHamad

Qassim University Amman Arab University
12 PUBLICATIONS 11 CITATIONS 22 PUBLICATIONS 102 CITATIONS

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Security issues and chellenges of cloud computing View project

Arabic Center for Document Analysis and Recognition (ACDAR) - www.acdar.org View project

All content following this page was uploaded by Khalil Al-Shqeerat on 19 February 2019.

The user has requested enhancement of the downloaded file.

 ISSN (Print): 0974-6846
ISSN (Online): 0974-5645
Indian Journal of Science and Technology, Vol 12(3), DOI: 10.17485/ijst/2019/v12i3/139557, January 2019

A Taxonomy of Virtualization Security Issues in Cloud

Computing Environments
Nadiah M. Almutairy1, Khalil H. A. Al-Shqeerat1 and Husam Ahmed Al Hamad2
Department of Computer Science, Qassim University, Saudi Arabia;
1

[email protected], [email protected]
2
Department of Computer Science, Amman Arab University, Jordan; [email protected]

Abstract
Objectives: To identify the main challenges and security issues of virtualization in cloud computing environments.
It reviews the alleviation techniques for improving the security of cloud virtualization systems. Methods/
Statistical Analysis: Virtualization is a fundamental technology for cloud computing, and for this reason, any cloud
vulnerabilities and threats affect virtualization. In this study, the systematic literature review is performed to find out
the vulnerabilities and risks of virtualization in cloud computing and to identify threats, and attacks result from those
vulnerabilities. Furthermore, we discover and analyze the effective mitigation techniques that are used to protect, secure,
and manage virtualization environments. Findings: Thirty vulnerabilities are identified, explained, and classified into
six proposed classes. Furthermore, fifteen main virtualization threats and attacks are defined according to exploited
vulnerabilities in a cloud environment. Application/Improvements: A set of common mitigation solutions are recognized
and discovered to alleviate the virtualization security risks. These reviewed techniques are analyzed and evaluated
according to five specified security criteria.

Keywords: Challenges, Cloud Computing, Security, Taxonomy, Virtualization

1. Introduction Virtualization is an innovative technology, which is

significantly expanding in the Information Technology
Cloud computing has been developed to enable the industry. It provides multiple logical resources on a single
Information Technology world for utilizing computer server. Various benefits that can be provided by the vir-
resources efficiently and more proficiently1. The cloud tualization are hardware utilization, resources protection,
users have an advantage of unlimited computing power remote access, and other resources5. This technique gives
available on demand, in which they can access and pay organizations and people an opportunity to improve the
for services when need it. Users will be able to accomplish use of hardware by increasing the number of tasks that
computing services without the need for any significant one machine can handle.
investment in information technology infrastructure2. Two significant benefits that can be provided by a
Cloud computing is an efficient way to increase the virtual machine are resources sharing and isolation6.
capacity dynamic scalability or add capabilities using Traditionally, the physical machine dedicates available
virtualization resources, platform, infrastructure and resources permanently to all applications that are run-
software as service that can be accessed over the inter- ning on the computer, and this may cause waste in some
net3. To improve the utilization of cloud resources we use resources such as memory and storage space. Whereas,
Virtual Machines (VMs). The virtual machine is a virtual in the virtual environment, resources are shared among
computer similar to a physical computer in which appli- numerous VMs and entirely used on demand. Isolation
cation or operating system can be installed and run4. means failure in any VM will not affect the performance
 A Taxonomy of Virtualization Security Issues in Cloud Computing Environments

or efficiency of other VMs running on the same host. tual machines by operating system directly8. Therefore, it
The virtual environment enables VM to isolate data from turns out to be more straightforward for an attacker to
other VMs, i.e., a program runs in one VM cannot see inject malicious attacks or DoS attacks to the kernel of the
programs that are running on other VMs. operating system. The entire virtualization infrastructure
Virtualization is used to match the customers’ require- can be influenced, and the attacker can have control over
ments for security, control, economy, scaling, speed, and all virtual machines and might able to damage the virtual
so forth. It may affect the choice of cloud service provider. machines later. In the second architecture, the hypervisor
Furthermore, it empowers the cloud users to start up and runs directly on the host hardware. Like hosted archi-
shut down their resources rapidly, which can be in some tecture, VMs and higher layer applications are installed
applications has its advantage7. above the hypervisor.
The cloud-computing environment can be virtual-
1.1 Virtualization Architecture ized on every layer of cloud computing services, such as
IaaS resources including virtualized storage, networking,
Virtualization architecture is a model, which determines
and servers, or virtualized datasets, and development
the interrelationships among particular virtual compo-
environments in PaaS, and any software application
nents, such as an operating system, network resources,
instances. The rapid expanding of cloud computing and
servers, and storage spaces. In general, the virtualization
virtualization technology make cloud infrastructure
is based on a hypervisor. The hypervisor isolates operat-
more complicated and have brought a series of security
ing systems and applications from system hardware,
threats. This study aims to identify the main challenges
whereas the host can run multiple Virtual Machines
and security issues of virtualization in cloud computing
(VM) as guests that sharing the physical resources of the
environments. Furthermore, it reviews the alleviation
system, such as processors, memory, network bandwidth,
techniques for improving the security of cloud virtualiza-
and so forth. Virtualization architecture might be divided
tion systems. The rest of the paper is organized as follows.
into two types, hosted and bare-metal architectures as
The method used in this study is presented in the next
shown in Figure 1.
section. The third section presents an overview of the secu-
rity challenges and vulnerabilities. Then, we review the
security threats and attacks on the virtual environment.
Finally, some solutions and techniques proposed in the
literature review to alleviate potential threats and attacks
are discussed.

2. Methodology
A Systematic Literature Review (SLR) is performed to pro-
vide comprehensive summary of existing literature relevant
Figure 1. Hosted vs. bare-metal architecture. to a research since it helps in collecting research evidence
from current relevant studies. In SLR, we try to have as
In hosted architecture, first, an essential Operating many researches as possible that answer our research ques-
System (OS) is installed on the host system, and then a tions and help us achieve objectives of the study.
hypervisor or VM monitor software is installed on the
top of OS. This OS-based architecture entirely enables the 2.1 Terminology
user to control multiple guests OSs, or VMs installed on In this section, the main terms are defined and adopted
the hardware. Hosted virtualization architecture is sub- as follows:
stantially less complex to implement, and it is more useful Challenge: something new, difficult, or complex, which
for software development, running legacy applications, requires great effort by user to determine and solve it.
and supporting different operating systems. However, it Vulnerability: an occurrence of weakness in opera-
has some severe disadvantages due to controlling the vir- tion, in software, and in the infrastructure that can be

2 Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology
 Nadiah M. Almutairy, Khalil H. A. Al-Shqeerat and Husam Ahmed Al Hamad

exploited by a party to perform malicious actions. The Table 1. Results before and after removal
vulnerability can also be in the existence of an error in The number of
design or implementation that can cause unexpected, Sources After removal
result
undesirable actions. ACM Digital
Risk: the potential that the vulnerability is exploited 6052 5224
Library
to cause a threat as well as the effect resulting from this EBSCO 2500 1489
serious event on the organization. Google Scholar 2000 1271
Threat: any circumstance or action that exploit one or
IEEE Xplore 20100 18248
more vulnerabilities to harm the assets.
ISI Web of Science 541 99
Attack: an assault on the security of the system from
a deep threat; which is an attempt to alter, expose, steal, ProQuest 1171 700
destroy, disable or get unauthorized access to assets. ScienceDirect 5738 1865
Scopus 3051 1158
2.2 Research Questions Springer Link 8771 3428

The research questions are the major core of a systematic Wiley Online 3400 1793
literature review. In order to get existing studies, the fol- Total 53324 35275
lowing research questions have been formulated:
Q1. What are the main vulnerabilities and risks of vir- The important step in the process of selection a study
tualization in cloud computing environments? is to identify exclusion and inclusion criteria. Studies that
Q2. What are the potential threats or attacks that were excluded:
exploit virtualization vulnerabilities? • None English research.
Q3. What are the major security techniques and • That indicates to very specific and limited domain.
approaches used to alleviate the security risks? • That do not relate to virtualization security issues in
cloud computing.
3. Results and Discussion • That do not relate to mitigate the security issues of
virtualization
In this step, we search for relevant work that satisfies the • That is discussing cloud without relating it to virtual-
certain criteria. When we started to research, we made a ization security issues.
great effort due to the wide scope of our research ques- • That is discussing cloud without point to mitigation of
tions. After several trials, the search strategy was agreed security issues of virtualization.
upon. The keywords that are used during the research: • That is editorial papers prepared for special issues.
challenge, vulnerability, risk, threat, attack, approach, • We included all the studies that:
solution, and framework. To be more precise, we used the • Discuss virtualization vulnerabilities, risks, threats, or
virtualization term with keywords. attacks in cloud computing environment.
As we sometimes used AND or OR to be more • Propose the appropriate security techniques to miti-
accurate results, we used the keywords in the differ- gate the virtualization security issues.
ent databases such as ACM Digital Library, EBSCO,
Google Scholar, IEEE Xplore, ISI Web of Science, The steps of the selection process are described below:
ProQuest, ScienceDirect, Scopus, Springer Link, and 1. By using a SQL query, 21389 of results were dis-
Wiley Online. We did not restrict the results of the carded based on some keywords, such as storage
search based on publication year because we want to security, management, VLAN, trust, industry, digital,
be as inclusive as possible. Therefore, for each database, E-Commerce, E-learning, mobile, and VM backup.
we used the default settings for the start year of pub- 2. By reading the title, the abstract, and sometimes the
lication. Table 1 shows the number of results for each conclusion of the remaining 13886 papers, we dis-
sources. We got 53324 of results after the search opera- carded 13486 papers.
tion. After we remove based on title we had 35275 of 3. By reading 400 of results completely, we left with 148
results. of results.

Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology 3
 A Taxonomy of Virtualization Security Issues in Cloud Computing Environments

Figure 2. Security vulnerabilities and risks categories.

4. Taxonomy of Virtualization Incorrect VM Isolation (VC1): The hypervisor is

responsible for ensuring isolation between the different
Challenges VMs9. The isolation between virtual machines prevents
Many vulnerabilities and risks are existing in current the VM from direct access to others’ virtual disks, appli-
virtualization technologies that an attacker can exploit cations, or memory on the same host10. Isolation of virtual
to penetrate the security and privacy systems in cloud machine limits the scope of the attack. Furthermore, iso-
computing environments. In this study, we have classi- lation of virtual machine makes more difficult for the
fied vulnerabilities into several categories regarding their attacker accessing resources and access unauthorized
characteristics and relevance to virtualization technology. data on the physical machine11. Each VM is isolated from
Figure 2 shows these defined categories and its vulner- each other virtualized machines and its host physical
abilities and risks. system12, so if one VM is break-down, it does not affect
any of the other VMs on the same host. A violation of the
4.1 Virtualization Characteristic-Related isolation principal happens when the attacker uses a com-
promised VM for communicating with other VMs on the
Issues
same host (Unauthorized communication). Moreover,
The essential characteristics that make virtualization violation of the isolation principal occurs when one VM
technology suitable for cloud computing are mobil- affects other VMs located on the same host13. Therefore,
ity, transience, state recording, isolation, and scalability. a shared environment requires an accurate configuration
Although all these characteristics constitute a successful for maintaining strong isolation.
virtualization environment, the characteristic of virtual- Unsecured VM Migration/Mobility (VC2):
ization technology causes some risks to cloud systems. Migration technique is one of many advantages of
This section demonstrates common vulnerabilities and Virtualization. It enables the application to be transpar-
risks that may arise due to a characteristic of virtualiza- ently transmission from one host machine to another
tion technology.

4 Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology
 Nadiah M. Almutairy, Khalil H. A. Al-Shqeerat and Husam Ahmed Al Hamad

without halting the virtual machine14. After migration, If the computer is online most of the time, then it is
the application continues in execution without any loss of more vulnerable to be attacked, since the offline server
progress. VM migration is done by transmitting the appli- cannot be accessed. By enabling users to start and stop
cation along with its VM’s entire system state, including virtual machines remotely, attackers have no enough time
memory, the state of CPU, and sometimes disk too, to in preparation for attacking the VM. Although VM tran-
the destination host. VM migration offers many valuable sience limits the chance in which attackers can exploit for
advantages such as load balancing, and conserves energy. compromising the system, it makes security audits and
Moreover, the migration of virtual machines is useful maintenance more challenging because machines must
in case of hardware failure. It migrates the VM to another be online when scanned or patched. Compromised VMs
execution host and performs maintenance or repair can infect other vulnerable machines and can go offline
operations on the source execution host15. Although before detection.
migration technology introduced many advantages, it Non-updated Snapshot & Restore VM (VC6): The
raises some security issues. Live migration is relatively a ability of a virtual machine to recover from an error to
new term where its security issue is yet to be discussed. a previously defined state is often considered a security
It is potential that the attacker may passively steal and benefit for restoring a guest VM to a pre-attack state.
snoop or actively modify confidential information during Most VMs pick a snapshot of the virtual disk content on
migration. Therefore, the transmission channel has to be a time interval or when changes are made20. Although the
protected and secured against different passive and active system can be restored smoothly and quickly, some secu-
attacks. rity issues appear through a rollback system. If the VM
VM Diversity (VC3): Many IT enterprises over- restored to a compromised or unpatched state, this leads to
come the problem of security by enforcing homogeneity, exploit old vulnerabilities until updating state in the next
as all devices must have the latest patching software. cycle. Furthermore, the rollback can re-enable the secu-
Virtualization can facilitate more efficient usage models rity credentials that were previously disabled. The most
that get the benefit of implementing older or unpatched severe risk through Rollback could reveal stream ciphers
versions of the software. This solution causes a set of chal- that were used for encryption and an attacker could easily
lenges such as the need to maintain patches or provide acquire the original plaintext. So critical information is
other protection for different operating systems in addi- compromised, and if it is not detected, every encrypted
tion to addressing the risk posed by the presence of many data from this point on will not be safe21.
unpatched or old devices on the network16.
Uncontrolled Scaling (VC4): Virtualization technol- 4.2 Infrastructure Issues
ogy allows the creation of new virtual machines easily and
The Infrastructure of virtualization includes any hard-
quickly on demand. Scalability provides a very cost-effec-
ware and software components required to support
tive way to handle business expansion and any additional
virtualization purposes. Much vulnerability may arise
resources of the server requirements. Users can have sev-
from virtualization infrastructure.
eral particular purpose virtual machines, for example,
Insecure Hypervisor (I1): Utilizing the hypervisor
for testing or viewing purposes. The growth in the num-
or virtual machine manager (VMM) to support many
ber of VMs depends on the available space on the host.
VMs on a single physical machine has become popular
Generally, the scalability of cloud facilities gives greater
recently. It increases hardware usage and provides flex-
availability17. The number of VMs can overgrow, and this
ibility in system management. The hypervisor provides
makes management tasks more exacerbated, where all
an abstraction layer to separate VMs from the physical
machines must be scanned, and patched for vulnerabili-
hardware and isolates them from each other. It controls
ties18.
all aspects of the underlying VMs, including communi-
VM Transience (VC5): In the physical computing
cating with each other. This communication never goes
environment, users have one or more devices that run
to the real network22. On the other hand, the hypervisor
online most of the time and are in a stable state. In con-
must support a strong security base for VMs. If it is not
trast, VMs in a virtualized environment can come and
secure, the attacker can gain control over the hypervisor
go from the network intermittently19 (i.e., it is never in a
and compromise any VMs running on it. Furthermore,
stable state).

Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology 5
 A Taxonomy of Virtualization Security Issues in Cloud Computing Environments

if an attacker exploits the vulnerable hypervisor, he can resources reduces the security of connected VMs because
control the hypervisor, and get access to or redirect sensi- an infected VM can access other VMs through resources
tive data23. they share. Organizations with permission to access the
VMs Image Sharing (I2): A VM image is a pre-pack- infrastructure can control the infrastructure or view other
aged software template that contains the configuration data29, For example, the cloud services provider has differ-
files that are used to create VMs. The VM images provide ent instances for each user but uses the same application
an easy way for deploying and restoring virtual systems code. Moreover, data of different customers will be loaded
efficiently and quickly across numerous of physical on the same database server, which leads to data leakage
servers24. Sharing VM images is commonly used in some among these tenants30, giving the attackers opportunity
environments of cloud computing as a quick method to for hijacking user credentials, controlling and eavesdrop-
get started. Users of cloud computing can create their VM ping information of other users31.
image from scratch or can make utilization of existing Poor VMM Resource Allocation (I6): The physical
images in the shared repository. For example, Amazon layer interacts with the virtual layer through the hyper-
introduces a public image repository where legitimate visor or VMM, which allocates required resources to
customers can upload or download a VM image25. each VM on demand. The VM must be restricted to spe-
Although of these benefits or advantages, VM image cific isolation. The VMM is responsible for preventing
introduces some risks that in turn effect on the security VMs from requesting more resources whereas the VM
of the cloud computing. Therefore, the integrity of these is missing its reserved resources32. Poor VMM resource
images is an essential security requirement for services allocation allows a VM to use resources that are not
provided by cloud computing. within its allocated resources, thus preventing the other
Unprotected Shared Clipboard (I3): A shared clip- VMs from using their resources, in some cases, this leads
board is a feature that allows data to be transferred among to denial of service.
VMs on one side and between VMs and host on the other. Insecure APIs (I7): A cloud-computing provider pro-
The host can monitor the traffic between the underlying vides infrastructure, software, and platform services to
VMs because the network packets that come from or go the users and enables them to access and manage services
to a virtual machine pass over the host. However, it may by the published Application Programming Interfaces
cause the hacked host to compromise all VMs operat- (APIs) via Internet33. APIs may impose a variety of secu-
ing on it. It can serve as a gateway to attack the system. rity issues such as improper authorizations, clear-text
Moreover, unprotected shared clipboard allows exchang- authentication, or data discovery during transmission,
ing data between the cooperating malicious programs in which affect the availability and security of the cloud
VMs26. services34. An attacker could use APIs to undermine the
Co-location of Multiple VMs (I4): Co-location of confidentiality and integrity of customers’ data. He uses
multiple VMs is a presence of multiple VMs on the same the token that used by customers to get access to the ser-
host that share resources in order to ensure improved effi- vice through API for manipulating their data.
ciency, flexibility, and thus reduced the operational cost27.
Co-location of multiple VMs on a single server increases 4.3 Access and Communication Security
the surface of potential attack and the risk of VM-to- Issues
hypervisor or VM-to-VM.
The user interaction with the cloud begins when he
Resource Sharing (I5): Cloud service providers need
attempts to access cloud services. The user must first
Virtualization technology to deliver their services in a
authenticate his identity before accessing cloud services.
scalable manner when sharing infrastructure, platforms,
The communication process arises when the user and the
and applications. Although the ability to share hard-
cloud exchange data or services.
ware resources of one physical device among multiple
Furthermore, there are communications between
isolated VMs to optimize hardware used and save cost,
VMs within the cloud that introduce vulnerabilities that
it may cause security vulnerabilities to the virtual environ-
may affect the host machine and all VMs running on it.
ment. Sharing resources such as CPU, memory, storage
An illegal user can exploit access and communication vul-
space among VMs, may result in unauthorized com-
nerabilities related to access and communication security.
munication between guests VMs28. In general, sharing

6 Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology
 Nadiah M. Almutairy, Khalil H. A. Al-Shqeerat and Husam Ahmed Al Hamad

Hidden Identity (AC1): In physical computing envi- 4.4 Data Security Issues
ronments, there is usually a custom identity correlated to
The significant challenge in data security is how to share
a physical device such as MAC addresses, or device ID.
sensitive data in a virtual insecure environment-Data
It is used to differentiate between devices and determine
Security concerns about data protection from intentional
who the owner of a machine is. This static method is not
modification by an unauthorized person.
effective in virtual environments due to creating VMs
Improper Data Sanitization (D1): Elasticity and
dynamically or mobility of VMs that make it very diffi-
resource pooling features allow a set of resources to be
cult to identify or track the owner of a VM running on a
allocated to different users later. When the user accesses
particular physical host35.
a memory service or storage space, he can recover data
Insecure Channel (AC2): The cloud service provid-
from another user who previously used the same stor-
ers use the Internet as a communication infrastructure
age space40,41. Sanitization is a method to clean or destroy
to provide services to customers or transfer their data.
data from a storage resource when it is available for other
An efficient and secure transmission channel is a critical
users42. In the public cloud, sometimes the data must be
component in a cloud environment and forms the basis
deleted entirely at the request of the client, including the
for managing information and any related processes36.
log files and backup replicas prepared for recovery43,44.
When transmitting the data from users to the cloud envi-
The data destruction might be complicated because
ronment, the data must be sent using an encrypted secure
many replicas of data can be distributed in many loca-
transmission channel such as SSL/TLS. It protects net-
tions. Thus, it is difficult to guarantee a service provider
work traffic against a potential interception attack.
can remove all copies of the backup45. Data sanitization
VMs-VMs or VMs-Host Communications (AC3):
is a significant task to discard appropriately physical
In a cloud-computing environment, communication
resources and data that are sent to the trash. Improper data
mechanisms in virtual networks are similar to those used
sanitization may expose the data to the risk, for example,
in real networks. In the same way that physical devices are
may lead to data loss or data disclosure since hard disk
connected, virtual machines are connected and built on a
may be disposed of without being wiped entirely or may
network infrastructure of the host to connect to the public
not be destroyed due to continued use of other tenants46.
network37. VMs need to communicate and share data. If
Improper Management of Credentials (D2):
the connection does not meet critical security standards,
Organizations need user credentials to control and allow
they become a target for attacks. The virtual network
the user to access his sensitive data. The deployment of
uses virtual switches or bridges that connect the virtual
the credential management system is an essential way
network interface cards to the physical network interface
to manage user credentials. Improper management of
card of the host machine to exchange data38. However, the
credentials indicates to weaknesses in the way used to
virtual network traffics are visible for all VMs that share
manage the credentials such as lack of enforcement or
the same physical data-link, which potentially leads to
verification of password strength47. This vulnerability
security risk.
is exacerbated in Virtualized environments that share
Weak Authentication and Session Management
unprotected transport channels, which may increase the
(AC4): Authentication is a mechanism used to deter-
number of actors who can sniff credentials during trans-
mine whether something or someone is what or who
mission.
it is declared to be. Authentication techniques protect
Insufficient Verification of Data Authenticity (D3):
the system against bad actors that masquerade as legiti-
If the system fails to verify the validity or origin of the
mate users, developers, or operator to read, delete, and
data, it may accept invalid data. Lack of data authentic-
modify data. In a virtual environment, the authentica-
ity might arise in different situations. It includes the poor
tion mechanism applies to end users and to components
design and implementation, such as the improper chosen
of the system. Most of the widely utilized authentica-
of data-authenticity mechanisms, improperly verifying
tion methods are poor and may affect access and control
the signatures, cross-site request forgery, and improper or
policy. Sometimes, it is easy to break some authentication
missing verification of integrity47.
mechanisms that have weakness in their design, such as
Security Misconfiguration (D4): Virtual systems
one-factor authentication mechanisms, to get access to
often rely on many interoperating software components
the system39.

Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology 7
 A Taxonomy of Virtualization Security Issues in Cloud Computing Environments

that must be dynamically configured to support on the same host. Therefore, physical network security
virtualization in many applications. The security con- mechanisms, like network-based intrusion detection
figuration is vital for providing security to customers. and prevention systems, cannot monitor the inter-VM
Misconfiguration can compromise the security of users, traffic24, because the traffic over a virtualized environ-
applications, and the entire system. It arises when security ment never goes through the physical network. This issue
settings are defined and maintained as a default setting39. becomes a significant challenge as malicious activities
The impact of virtualization vulnerabilities increases of the VMs bypass the security monitoring tools. Some
when a security configuration fails, mainly if the behavior hypervisors enable network monitoring their capabili-
of the virtual component depends on another component. ties not as strong as those in tools utilized to monitor the
Permissions and Privileges Management (D5): environment of the physical networks17.
Authentication mechanisms are used to verify the user Monitoring VMs from the host (C2): The most sig-
identity and to enable the authorization policy. Thus, nificant issue is to secure the host rather than monitoring
authorization policies are implemented using security each VM individually, as long as the control point in the
measures to grant or deny access to resources. Improper virtual environment is the host device. Inter-VMs traffic
permissions and privileges management refers to fail- passes through the host, which manages these VMs. A
ure in privileges management, permissions, and other breach of the host may lead to compromise all VMs run-
security features used for enforcing access control. In ning on it48.
particular, it incorporates issues caused by implementing
without the required privileges or assigning an incorrect 4.6 Security Policies and Rules
privilege, dropping or reducing errors and preserved or
Security policies refer to the plans, practices, and rules
insecure inherited permissions44. In virtualized envi-
that must be well defined, comprehensive, and clear for
ronments, the complex nature of the privileges and the
regulating access to the system or for addressing con-
multiplicity of the layers of administrative required for a
straints on functions of the system and flow between
virtualized environment lead to emphasize this weakness,
them. Any vulnerability in these policies leads to differ-
mainly when thinking about its dynamics, and scenarios
ent threats.
where federations and migrations are in place.
Lack of Security Policies (P1): It is needed to develop
Improper Input Validation (D6): It means the sys-
virtualization security policies, where virtual machine
tem does not check user input or fails to validate input.
deployment, management, migration, and shutdown
Therefore, the system may be exposed to and accept
requirements are established securely. The lack of secu-
malicious input, which may cause the system to execute
rity policies may cause some vulnerability that lead to an
arbitrary code, or modify control flow47.
unsafe environment for the host device, virtual machines,
and virtual administration tools.
4.5 Control and Monitoring User Awareness (P2): Cloud service users are the
In a traditional network environment, the physical weakest point in any information security because cloud
machines use the specific port on the monitored switch service providers do not check the surrounding of their
for connecting to the network. In a virtual environment, customers. Suspicious user accounts can give attackers
the deployment of the vast VMs can be appended to the an opportunity to do any malicious work without being
same physical port on the network. identified. Furthermore, there are attack vectors for vari-
The communication between these virtual ous social engineering that an attacker might use to trick a
machines never goes through the physical port, i.e., victim into entering a malicious site, and then gain access
they can communicate with each other, as they are part to the user’s computer. From this point, it can monitor
of one single virtual switch. The nature of the virtualiza- user actions and view the same data as the user sees and
tion environment introduces some vulnerability that can can steal user credentials to authenticate the cloud ser-
be exploited by the attackers such as lack of visibility and vice itself. Security awareness is a security concern that
monitoring VMs from the host. is often overlooked49. The misuse of open cloud services
Lack of Visibility (C1): The hypervisor is responsible by users often allows an attacker to access the system, so
for establishing communication between VMs located users should learn about different potential attacks and

8 Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology
 Nadiah M. Almutairy, Khalil H. A. Al-Shqeerat and Husam Ahmed Al Hamad

how to avoid them to ensure that users understand and VM Hoping/Guest jumping: An attacker is mali-
assume their responsibilities. ciously getting access to different virtual machines
Static Policies (P3): VMs can be moved between belonging to other customers54. He can monitor the target
physical environments as needed to get additional VM’s resource utilization, and affect VM’s integrity, avail-
resources. Accordingly, baseline security policies of VMs ability, and confidentiality55.
must be transferred as they move from one environment Malicious Insider: A malicious insider intentionally
to another. If the security policy of the VM does not con- misuses the authorized access in a manner that negatively
form to the new environment, VM becomes vulnerable50. affects information systems56,57.
Furthermore, when the VM moves, it loses its perfor- Malicious VM image: A user may use a VM image
mance history and must re-evaluate its baselines. that contains malicious code to create own VM. This
Loss of Governance (P4): The cloud provider is image makes the entire system vulnerable to attack58.
responsible for data security while handling and storing VM escape: An attacker gets access to the hypervi-
it. Rules or policies must be clear between the cloud pro- sor and escapes from its control59. An infected VM can
vider and individuals or enterprises. In many cases, the completely bypass the isolation between the VMs and
client essentially gives up control to the cloud service the host60. Consequently, can get privileges to access the
provider on many security-related issues, but sometimes resources shared, with other VMs61.
the service providers themselves may not be trusted51. Hyper-jacking/VM-based Rootkit: Hyper-jacking
Furthermore, they unaware of any security or control attack inserts VM-based root kits to control the entire
mechanisms specified by the cloud provider52. The loss virtual environment62.
of control and governance can have a significant impact Virtual memory Leak: A system failure may occur
on the organization’s strategy and consequently affect between the allocation and deallocation of the shared
the ability to fulfill its mission and objectives. The loss memory area in the hypervisor, which may lead to virtual
of governance and control can also lead to a lack of data memory leaks63.
availability, integrity, and confidentiality8. Reducing pro- Theft-of-Service: Use cloud services or resources for
cessing and data storage costs is an essential requirement a long time without being registered in a billing cycle or at
for any company, whereas data analysis always is a man- the expense of another user64,65.
datory task for decision-making. Therefore, companies VM sprawl/VM Spawl: Increase the number of VMs
will not transfer their data to the cloud environment until continuously, while some of them are in idle state, this
they trust the security procedures by service providers. may lead to waste the resources in the host machine66.
Lack of Reliability and Availability of Service (P5): VM poaching: It occurs when malicious VM exhausts
Reliability issues in virtualization can affect cloud perfor- resources and completely consumes the hypervisor
mance. Collecting many VMs may cause performance against other VMs running in the same host67.
problems3. Some challenges like limited CPU or I/O bot- Accounting, Service, and Traffic Hijacking: It
tlenecks lead to performance problems. These problems occurs when the attacker gets access to users credential
occur more in virtualization environment more than in and becomes able to spy on their transactions, manipu-
the traditional environment due to connecting the physi- late data, return falsified information and redirect them
cal server to many VMs that compete to access critical to illegal sites68,69.
resources. IT organizations should be able to monitor the Cross-VM: It occurs when a malicious VM bypasses
usage of VMs and physical servers in real time. This capa- virtual isolation between VMs to attack other VMs in
bility avoids overuse of server resources and reallocates the same host70. It could exploit vulnerabilities in the OS
resources according to given business requirements53. guest or hypervisor to obtain confidential leakage data
from other VMs through the side-channel attack71,72.
Co-location/Co-resident: Unlike cross-VM attack,
5. Security Threats and Attacks the attacker has a clear target VM and aims to co-locate
This section identifies common threats and potential own VM with victim VM on the same physical host. With
attacks of virtualization security by performing a system- co-residence, the attacker constructs covert side channels
atic literature survey. to obtain sensitive information from the victim73.

Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology 9
 A Taxonomy of Virtualization Security Issues in Cloud Computing Environments

Foot-printing: It occurs when an attacker intelli- 6. Virtualization Security Solutions

gently collects information indicate to vulnerabilities of
a victim platform operates in a virtualized environment. Many types of research offer solutions in virtualization
This information might be used to carry outmalicious security. These solutions may be useful for centers and
activities on the system74. organizations interested in developing cloud security
VM rollback attack: The attacker exploits the sus- solutions and standards. In this section, we focus on some
pend/resume feature in a virtualized environment to solutions covered in the literature survey. HyperSafe61 is
attack VMs75. When the hypervisor suspends a victim an approach proposed to provide control-flow integrity
VM at any points and makes a snapshot of its state, the for the Type-I bare-metal hypervisors. This approach
attacker triggers a pre-defined infected snapshot to the relies on two techniques. The first one protects code
VM at resume time. As a result of missing some secu- integrity of hypervisor by preventing memory pages from
rity updates, an attacker could bypass certain security being manipulated at execution time. Authors have used
checks in the VM to achieve the attack target76. Write Protect bit (WP bit) to check how the supervisor
Data leakage/Data loss: Data leakage occurs when code acts with write-protection bits in page tables. The
sensitive information falls into the wrong hands when it write-protection is skipped if the WP is off, otherwise, it
is audited, stored, processed, or even transmitted77. While is decided if the supervisor can write or not to the mem-
Data loss occurs when data is lost due to loss of encryp- ory page. In order to allow the good updates to proceed,
tion key, accidental deletion, or natural disaster78. Table 2 the WP bit is temporarily cleared right before each update
shows security threats and correlates them with their and then re-enabled immediately after the update.
exploited vulnerabilities in cloud computing environ- The other techniques protect control data by con-
ments. verting them into restricted pointer indexes. It extends
the protection provided by the first technique from code
Table 2. Mapping between threats and vulnerabilities integrity to control-flow integrity to prevent attacker form
controlling the flow of the system. HyperSafe aggregates
Threat Vul.
control data into target tables and then replaces them
VM Hoping/Guest jumping I1, I3, I4, I5, VC1, VC2
with a restricted pointer index.
Malicious Insider P1, P4
A VM security monitoring model based on memory
Malicious VM image I2 introspection has been proposed79. Security of host or VM
VM escape VC1, VC2, I1, I4, I6, C1, C2, can be recognized by using a hardware-based approach to
D4, D6 obtain real-time physical memory of the host. Moreover,
Hyper-jacking/VM-based a VM Control Structure (VMCS) based approach is pro-
I1, I2, I3, AC3, VC2
rootkit
posed for VM memory forensics. Based on the results of
Virtual memory leak D1, I6 memory forensics of host/VM malicious behavior can be
Theft-of-service attack P4, D4, I1 detected. These techniques were used to develop a proto-
VM sprawl/VM Spawl VC2, VC3, VC4, I2, P4 type of a VM defense system that is called VEDefender,
VM poaching I6 which incorporates a PCI device and a terminal program.
Accounting, service and The VEDefender prototype was implemented on top of
D2, P4, P1, AC4, I7
traffic hijacking kernel-based VM (KVM).
Cross-VM attack VC1, VC2, I1, I4, I5, I7, D1, VEDefender is transparent to the guest machines, and
D4 it is hard to be accessed even from a compromised VM.
Co-location/Co-resident It can gather and analyze data for discovering any mali-
I4, VC1
attacks cious activity whether being on the host or guest machine.
Foot-printing attack AC2 Experiments results show that the proposed system can
VM rollback attack VC2, VC6, P1 deal with virtual machines from different OS versions
Data leakage/Data loss D1, P4, D5, AC4, P5, P1, I6, and has an acceptable execution time.Authors80 leveraged
I1, I5, I7, AC3 the nested virtualization to propose an in-the-box way
for monitoring the hypervisor - In-Hypervisor Memory

10 Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology
 Nadiah M. Almutairy, Khalil H. A. Al-Shqeerat and Husam Ahmed Al Hamad

Introspection (IHMI). In the proposed architecture, letting the VMM allocate and manage resources for VMs.
Hypervisor Address Space and the Monitor Address Space CloudVisor interposes interactions in-between the guest
are separated from each other, and Virtualization Exception VMs and VMM through a clearly defined entry and exit
(VE) handler operates between them. In order to protect points. Differently, from traditional virtualization systems
and isolate the monitor from the untrusted hypervisor, a that have a composite TCB including VMM and manage-
protected address space is used. The hypervisor and the ment tools that are more prone to attacks, CloudVisor
monitor are isolated from one another through Extended excludes them from TCB. With CloudVisor all accesses
Page Table (EPT). The memory content of the hypervisor that are not from VM itself only can view encrypted VM’s
is protected by setting it non-writable to the hypervisor, data. CloudVisor architecture is organized in such a way
and any attempt to modify it will generate an EPT viola- that VMM is still responsible for resource management,
tion or VE, which means that the hypervisor’s execution is VM construction and destruction, and scheduling, but
suspended. The hypervisor and monitor memory isolation it is monitored transparently by CloudVisor to ensure
is achieved using a unidirectional mapping, which allows the protection and isolation. In the nested virtualization
the monitor to have access to the hypervisor’s memory scheme, host mode runs CloudVisor, while in guest mode
while forbidding the reverse. By using VMFUNC instruc- runs VMM and guest VMs. To secure control transition,
tion, the switch between the hypervisor and the monitor CloudVisor keeps a VM control structure for each VM,
can be performed without involving the nested hypervisor, by which it controls what kind of instruction or events
which leads to improved performance. For secure context lead to a VM exit. To protect memory, it uses a two-step
switching between the hypervisor and the monitor, the address translation, using page table and EPT. Among
VE handler is non-writable for the hypervisor. To disable others, CloudVisor provides memory isolation, tracking
the untrusted hypervisor’s influence, the checker disables memory ownership, legal memory accesses, handling
interrupts and uses a new stack, and checks the VE infor- data exchange with I/O storage, disk I/O privacy and
mation area. integrity.
HyperSentry81 is a framework allows stealthy and in- Secure MMU83 and HyperWall84 also separate the
context integrity measurement of the running hypervisor memory resources management from the security pro-
or other highest privileged software. Taking advantage of tection, but with no need of a nested hypervisor. Secure
the Intelligent Platform Management Interface (IPMI) an MMU is a hardware-based mechanism aims to isolate
out-of-band communication channel is used to trigger and protect the guest VMs memory from other VMs
the System Management Interrupt (SMI), which trig- that share the same physical system and even from an
gers the HyperSentry for integrity measurement. When untrusted hypervisor. Secure MMU makes a separation
an SMI occurs, the current CPU state is saved, and the so that the hypervisor still performs resource manage-
context is switched to the System Management Mode ment but with limitations. A hardware controller is used
(SMM). HyperSentry constitutes of two components: the to update the page mapping and set a pointer to the nested
SMI handler and the Measurement Agent. Trust on the page table. TCB of the proposed approach contains only
SMI handler is obtained during the boot when its code is the hardware system, excluding the hypervisor.
copied to the SMRAM, and then the SMRAM is locked to Hardware-assisted secure virtual machine85 (H-SVM)
prevent from access or modification. When a request for is an extension of Secure MMU. It is hardware-based
integrity measurement is received, HyperSentry requires virtual machine isolation and protection that intends
the access to the hypervisor’s code, data and CPU state to minimize the architectural changes that support vir-
needed for measurement. tualization. Direct updates of page tables by hypervisor
Unlike many works that try to protect the Virtual are blocked by H-SVM to ensure memory isolation. All
Machine Monitor (VMM) from malicious VMs attacks, changes that a hypervisor needs to make in nested tables
an approach proposed to protect VMs from a compro- are made by requesting to H-SVM. H-SVM protects the
mised VMM. CloudVisor82 is a transparent prototype integrity and confidentiality of guest VMs, excluding the
system that resides below a commodity VMM leveraging availability.
the hardware-assisted (nested) virtualization. HyperWall is a hardware-based architecture developed
It protects the privacy and integrity of VMs owned to support hypervisor-secure virtualization. Even though
resources (such as CPU, memory and I/O device), by still the hypervisor is not trusted, HyperWall still allows it to

Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology 11
 A Taxonomy of Virtualization Security Issues in Cloud Computing Environments

manage the platform resources freely. According to cus- the HyperCoffer, so it requires memory encryption and
tomer requirements/specifications, the guest VM’s are integrity checking. Due to low overhead, HyperCoffer
protected by Confidentiality and Integrity Protection (CIP) uses address-independent seed encryption87 (AISE) for
tables from hypervisor or DMA access. Furthermore, this encrypting memory, and Bonsai Merkle Tree (BMT) for
architecture allows the server to verify the provided hard- checking integrity, in addition to VM-Table for multiplex-
ware protections to the cloud customer and cleans the ing. VM-Table contains the VMID, which is the unique
VM’s memory and state in case of termination. index of a VM. It is stored in a portion of the physical
CIP tables protect VM memory, which includes map- memory of CPU that is accessible only to the processor.
ping of access rights for the hypervisor and DMA to the Logging and auditing are used by HyperCoffer to secure
memory pages. Even if a page is not protected, thus, it against VM rollback attack. Since every time the pro-
allows access to the hypervisor and DMA; it is assigned to cessor installs or resumes a VM, the hash of a vector
a VM so that the compromised hypervisor cannot assign containing some necessary information for AISE and
it to another VM. Whenever a new VM is created, termi- BMT is added to a chain in a nonvolatile register, which
nated or there is a change in the memory assigned to a can be audited from the user. In the meantime, the mem-
VM, the CIP tables are updated. CIP tables are stored in a ory snapshot image is encrypted and protected by BTM,
portion of DRAM not accessible to any software. Physical which is encrypted further by an encryption key assigned
memory used by VM during runtime, physical to machine to a VM during runtime.
memory mapping tables and the protection specified by The proposed framework14 called secure live virtual
users (pre-CIP data) also are protected. Encryption keys machine migration (SLVM). This framework aims to
are used for customer verification, to protect the proces- protect against network intrusions, viruses, attacks and
sor state of a VM when it is terminated, and for external preserves the integrity and the confidentiality of migra-
communication. The HyperWall prevents VM rollback tion data. SLVM has two modules: Common Security
attack by disabling some functionalities of the hypervisor modules that apply to both the host VM and the Guest
such as suspend/resume function. VMs underlying this host and Individual/Per VM security
As compared to HyperWall, a solution to protect from module that is specified separately the security require-
VM rollback attack has been proposed75, while keeping the ments for each virtual machine running over the host.
virtualization functions such as VM suspend/resume and To protect the virtual machine migration process
VM migration. This goal is achieved by logging all VM from data tampering by a Man-in-the-Middle (MitM)
rollback activities, and then the user can audit the log and and time-of-check-to-time-of-use (TOCTTOU) prob-
examine suspicious rollbacks. This solution requires min- lem, a two-level security framework88 has been proposed.
imal user interaction, and it is based on the CloudVisor. A After selecting a VM for migration to reduce power con-
NoHype86 architecture has been introduced for removing sumption in a cloud environment, a destination host
the virtualization layer. It prepares a more secure virtu- needs to be selected for that VM. The second task is more
alization layer by minimizing its size or securing it with complicated because it can create a situation that the des-
additional hardware. In the NoHype architecture, each tination host cannot fulfill the VMs requested resources.
processor core is allocated to run just one VM. It means To secure the system from TOCTTOU, Authors have
guest VMs cannot share processor cores, which eliminate proposed to use a token system. Before the request for
the need for the hypervisor. The number of VMs is lim- available resources in the network is made, the node first
ited to the number of processor cores, while the memory asks for the token. If the token is not already in use, then
is partitioned between the VMs. Thus, each guest OS it can broadcast its request.
can access a dedicated physical memory on a host. Every The components of CoM framework38 are virtual
guest OS can access its assigned physical device directly machine migration agent (VMMA), security context
at a given time. migration agent (SCMA), and live migration control-
Unlike HyperWall, H-SVM, NoHype, HyperCoffer76 ler (LMC). Five steps are used to perform the migration.
can protect against physical attacks. Hardware and First, The VMMA allocates resources at the hypervisor
Software frameworks aim to provide integrity and pri- where VM is going to migrate. In step 2, The VMMA
vacy for VMs by trusting only the processor chip. copies VM’s pages in an incremental way whereas SC set
External memory or devices are considered untrusted by of migrated VM is transferred by the SCMA.

12 Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology
 Nadiah M. Almutairy, Khalil H. A. Al-Shqeerat and Husam Ahmed Al Hamad

In the third step, VM stop working on the source them. sHype implements a secure reference monitor
hypervisor. Then the VMMA copies remanding memory interface to enforce constraints on the information flow
pages and the CPU state to destination hypervisor. The between VMs. In the sHype access control architecture,
destination SEs will receive the changed SC set at the the reference monitor is implemented by enforcement
source. Finally, the migrated VM continues in execu- hooks, which get access decisions from the access control
tion on the destination host. Trusted cloud computing module (ACM). ACM defines and applies access rules
platform89 (TCCP) provides a closed box execution envi- based on the formal security policy.
ronment. It ensures a confidential execution for guest Another work to provide strong isolation between
VMs. TCCP guaranties that the privileged administrator numerous of VMs is a Second level VMM92 (SeVMM).
of the cloud provider cannot investigate or tamper with SeVMM aims to control the sharing resources and provides
the customer’s VM. Furthermore, it provides an attesta- isolation between VMs. Moreover, it manages and controls
tion feature to the user, so that the users before launching the virtual resources such as virtual processor by intercept-
their VM they can know if the IaaS service is secure or ing the entire security-related calls among guest and host
not. To achieve this, the TCCP should enforce a security operating system. SeVMM supports a different of security
perimeter and restrict the VM execution inside it. If the policies such as the CW, BLP, TE, to guarantee the integrity
admin remotely logs to a VM, he cannot have access to of the inter-domain data flow and the system. Flask frame-
VMs memory. work is used to configure security strategy in SeVMM. It is
The TCCP extends the concepts of the trusted plat- composed of three modules to achieve objectives. The first
form to a whole IaaS backend service. The TCCP trusted module is the Security Policy Management module, which
computing base is composed of two parts: a trusted VMM manages the whole security policies and protects the modi-
(TVMM), and a trusted coordinator (TC). Each node in fication and update of security policy in the third module.
the cluster runs a TVMM to host customer’s VMs. The When the resource is initialized, the security attribute is
TC manages the set of trusted nodes that are placed allocated according to the security policy in this module.
inside the security perimeter and run the TVMM.VNSS90 The second module is a Safety Hook module responsible
is a framework that aims to ensure distinct security level for controlling access to the shared virtual resources by
requirement for VMs as well as full lifecycle protection gaining some information about VMs such as types of
for VMs. The framework is composed of security sand- operations and attributes of virtual resources and then
box controller (SSC), security policies create an agent transfer this information into the third module.
(SPCA), virtual machine creates agent (VMCA), virtual The third one is a Security Policy Enforcement mod-
machine migration agent (VMMA), security context ule, which takes a decision based on the security policy
migration agent (SCMA) and security policies migration and information given by hook.Researchers54 proposed a
agent (SPMA). SSC maintains the schedule of all these scheme for securing the inter-VM communication traffic
agents. During VM creation, the SCC calls the VMCA by limiting the access to the critical resources. The control-
which will create an instance of the virtual machine, and ling and analyzing inter-VM traffic are done via an addition
then the SPMA that will generate security policies for the frame tag through an agent to the payload of the packet. It
VM. Initially, SSC triggers VMMA, SCMA, and SPMA aims to recognize sending the application in a communica-
upon VM migration. VMMA is responsible for moving tion within the same tenant. Virtual Firewall architecture
the VM instance, while SCMA synchronizes the security (V-firewall)8 aims to protect and inspect the inter-commu-
context of VM, and then SPMA resumes security policies nication of VMs to protect against potential attacks in the
of VM on the destination host. internal and external networks. In addition to protection
sHype91 is a secure hypervisor architecture which against flooding and spoofing attacks. In this architecture,
controls information flow between different operating V-firewall is installed on the hypervisor whereas Agent is
systems that share the same hardware platform. It pro- on guest OS. The gent is used to monitor outbound and
vides mechanisms that control resource sharing since inbound traffic to VM and send logs to V-firewall to decide
resource sharing is inevitable in distributed services. The grant or deny traffic according to security policies.
mandatory security controls implemented by the hypervi- Hypervisor-based virtualization technology3 aims to
sor are the isolation of VMs and resource sharing among secure the cloud environment. It adds some reliability/

Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology 13
 A Taxonomy of Virtualization Security Issues in Cloud Computing Environments

security monitoring units: VM security monitor (VSEM), by introspecting the processes executing on the guest VM
VM reliability monitor (VREM) which are in the VM level. and assessing the legitimacy of such processes. First, it
Two monitoring units also are added in the hypervisor attempts to identify the sending/receiving VM depending
level, hypervisor security monitor (HSEM) and hypervisor on the packet’s source/destination IP, and then finds the
reliability monitor (HREM). There are VSEM and VREM process bounded to the source/destination port.
units within each running VM. VSEM monitors the VM If the user agent does not find a process (in its
behavior and sends a report to HSEM. VREM monitors whitelist) bounded to the port, it will block the connection.
some parameters that are related to the reliability such as Otherwise, it will allow the connection. To overcome the
the workload. It sends useful information to the HREM theft-of-service attack against cloud services, an external
and gives a resource to VM according to its state. HREM API66 has been proposed for calculating the power con-
detects the attacks overflow depending on the requests sumptions of VM at different times while the user is using
and then notifies HSEM about it. A Virtual Machine the VM. This API will detect and prevent theft-of-service
Introspection93 (VMI) Based Architecture takes advantage attack depending on the statistics of power consumptions
of virtual machine monitor (VMM) technology for estab- of a VM. The API is stored on an external cloud so that
lishing intrusion detection systems. It allows good visibility the API’s integrity can be maintained in case the cloud
of the monitored host’s state, while still maintaining strong that hosts VMs is compromised during the attack. The
isolation between the monitored host and the IDS because API computes the power consumption of VM’s processes
it resides “outside” of the host it monitors. by adding the measured power consumption at different
Virtual Machine Monitor provides isolation of IDS from intervals of time. Later, API can compare the calculated
the monitored host in the VMI IDS architecture. VMM pro- VM’s power consumption from this API with the calcu-
vides a communication interface between itself and VMI lated power consumption from the internal cloud. In case
IDS, which allows the later one to send inspection, monitor, that there is a difference, the API can notify the adminis-
and administrative commands. VMwall94 is presented for trator about this, or the user can be charged depending on
inspecting the Internet traffic. VMwall is a tamper-resistant the external calculated power consumption.
application-oriented firewall that takes advantage of appli-
cation-level firewalls and isolation provided by the virtual
machine. Isolation of application-level firewall is achieved
6.1 Comparison of Mitigation Techniques
by placing it in a trusted VM, which depends on the The reviewed mitigation techniques and solutions, in the
hypervisor to restrict the attack between trusted VM and previous section, are compared in this study based on the
malicious VM. VMwall uses VM introspection to detect following five criteria:
another VMs process connected to a suspected network. It 1. Data Confidentiality: any solutions encrypt the data
depends on the requirement to find the head of linked data in transit, disk, or memory satisfy the data encryption
structures, correct order in addition to the length of data criterion.
structure fields, so the attacker cannot alter them. 2. Data Integrity: any solutions protect VM data from
VMwall provides a tamper-resistant, independent and being altered satisfy the integrity criterion. In addi-
lightweight verification architecture using VM isolation tion, any solutions compute the hash of data in transit
and VMI. The design VMwall has two major components: satisfy this criterion. Solutions that maintain the
a kernel module and a user agent. The kernel component integrity of the hypervisor code satisfy this criterion.
intercepts all incoming or outgoing guest VMs network 3. Securing the Hypervisor: any solutions protect the
packets and applies per-packet policy provided from the code of hypervisor or detect the malicious activity in
user agent to decide whether to allow or drop every packet. hypervisor satisfy the securing hypervisor criterion.
On interception process, if a firewall rule for the packet 4. Securing the VM: any solutions present mechanisms
exists on its rule table, it acts depending on that rule to to secure VM satisfy securing VM criterion.
allow or drop the packet. Otherwise, it calls the user agent 5. Control access: solutions that imposed policies to
to create a rule for it. Until the user agent provides the rule, access the resources.
the kernel module queues the incoming packets. Then, Table 3 summarizes the comparison between the
the rest of the packets from that connection are handled reviewed solutions mitigation techniques and the
depending on that rule. The user agent obtains the policy specified security criteria.

14 Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology
 Nadiah M. Almutairy, Khalil H. A. Al-Shqeerat and Husam Ahmed Al Hamad

Table 3. Comparison of the mitigation techniques

Security Criteria
Solutions Data Securing the
Data Integrity Securing the VM Control access
Confidentiality hypervisor
HyperSafe √ √
VEDefender √ √
IHMI √ √
HyperSentry √ √
NoHype √ √
CloudVisor √ √ √
Secure MMU √ √ √
H-SVM √ √ √
HyperWall √ √ √
HyperCoffer √ √ √
SLVM √ √ √
A two-level
√
framework
CoM framework √
TCCP √ √ √
VNSS √
sHype √
SeVMM √
Securing inter-VM
√
traffic
V-firewall √
VMI √
VMwall √

7. Conclusion data confidentiality, data integrity, securing the hypervi-

sor, securing the VM, and access control.
The rapid expanding of cloud computing and virtu-
alization technology make cloud infrastructure more
complicated and have brought a series of security chal- 8. References
lenges. This research has identified critical security issues 1. Subashini S, Kavitha V. A survey on security issues in
of virtualization technology in cloud computing environ- service delivery models of cloud computing. Journal of
ments. The collective security vulnerabilities and risks Network and Computer Applications. 2011; 34(1):1–11.
have been classified into several categories according to https://doi.org/10.1016/j.jnca.2010.07.006.
their effect on virtual environments. Furthermore, secu- 2. Al-Shqeerat K, Al-Shrouf F, Hassan M, Fajraoui H. Cloud
rity threats and virtual-based attacks have been presented computing security challenges in higher educational insti-
according to virtualization uses of the vulnerabilities and tutions- A survey. International Journal of Computer
security risks. In this study, we have reviewed some solu- Applications. 2017; 161(6):22–9. https://doi.org/10.5120/
ijca2017913217.
tions and alleviation techniques suggested in the literature
3. Sabahi F. Secure virtualization for cloud environment
review for improving the security of cloud virtualization
using hypervisor-based technology. International Journal
systems. Finally, these reviewed mitigation techniques of Machine Learning and Computing. 2012; 2(1):39–45.
are compared according to five specified security criteria; https://doi.org/10.7763/IJMLC.2012.V2.87.

Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology 15
 A Taxonomy of Virtualization Security Issues in Cloud Computing Environments

4. A taxonomy and survey of cloud computing sys- 21. Security threats to evolving data centers; 2015. Available
tems. Available from: https://ieeexplore.ieee.org/ from: http://www.trendmicro.es/media/wp/security-
document/5331755. threats-to-evolving-data-centers-en.pdf.
5. Chatzikyriakidis I. Trends and risks in Virtualization. 22. Nagar N, Suman U. Analyzing virtualization vulner-
Kingston University London. 2011. p. 1–97. abilities and design a secure cloud environment to
6. Virtual machine security guidelines; 2017. Available from: prevent from XSS attack. International Journal of Cloud
https://www.cisecurity.org/wpcontent/uploads/2017/04/ Applications and Computing (IJCAC). 2016; 6(1):1–14.
CIS_VM_Benchmark_v1.0.pdf. https://doi.org/10.4018/IJCAC.2016010101.
7. Demystifying the cloud: Important opportunities, crucial 23. Vaughan-Nichols S. Virtualization sparks security con-
choices. Global Netoptex Incorporated; 2009. p. 4–14. cerns. Computer. 2008; 41(8):13–5. https://doi.org/10.1109/
8. Haeberlen T, Dupré L. Cloud computing: benefits, risks MC.2008.276.
and recommendations for information security. European 24. Cloud security alliance. Best Practices for Mitigating Risks
Network and Information Security Agency; 2016. p. 1–50. in Virtualized Environments. 2015. p. 1–35.
9. Bulusu S, Sudia K. A study on cloud computing security 25. Wei J, Zhang X, Ammons G, Bala V, Ning P. Managing
challenges. Blekinge Institute of Technology. 2012. p. security of virtual machine images in a cloud environ-
1–137. ment. Proceedings of the 2009 ACM workshop on
10. Infrastructure as a Service Security: Challenges and Cloud Computing Security; 2009. p. 91–6. https://doi.
Solutions. Available from: org/10.1145/1655008.1655021.
11. A survey on the security of virtual machines. Available 26. Modi CN, AchaK. Virtualization layer security chal-
from: http://www.cs.wustl.edu/~jain/cse571-09/ftp/vmsec/ lenges and intrusion detection/prevention systems in
12. Birje M. Security issues and countermeasures in cloud cloud computing: A comprehensive review. The Journal
computing. International Journal of Applied Engineering of Supercomputing. 2017; 73(3):1192–234. https://doi.
Research. 2015; 10(86):71–5. org/10.1007/s11227-016-1805-9.
13. Wu H, Ding Y, Winer C, Yao L. Network security for virtual 27. Reuben JS. A survey on virtual machine security. Seminar
machine in cloud computing. 5th International Conference on Network Security. 2007. p. 1–5.
on Computer Sciences and Convergence Information 28. Ranjith P, Priya C, Shalini K. On covert channels between
Technology; 2010. p. 1–4. virtual machines. Journal in Computer Virology. 2012;
14. Anala M, Shetty J, Shobha G. A framework for secure live 8(3):85–97. https://doi.org/10.1007/s11416-012-0168-x.
migration of virtual machines. International Conference 29. Cloud Computing: Security Risk, SLA and Trust. Jönköping
on Advances in Computing, Communications and University. Available from: http://hj.diva-portal.org/smash/
Informatics; 2013. p. 243–8. https://doi.org/10.1109/ record.jsf?pid=diva2%3A323596&dswid=-3340.
ICACCI.2013.6637178. 30. Batra S, Applications C, Group C. Preliminary analysis of
15. Schwarzkopf R. Virtual machine lifecycle management in cloud computing vulnerabilities. International Journal of
grid and cloud computing. University of Marburg; 2015. p. Innovation Science and Research. 2013; 2(5):49–51.
1–349. 31. Khorshed T, Ali A, Wasimi S. A survey on gaps, threat
16. Garfinkel T, Rosenblum M. When virtual is harder than remediation challenges and some thoughts for proactive
real: Security challenges in virtual machine based comput- attack detection in cloud computing. Future Generation
ing environments. Proceedings of the 10th Conference on Computer Systems. 2012; 28(6):833–51. https://doi.
Hot Topics in Operating Systems; 2005. p. 20–5. org/10.1016/j.future.2012.01.006.
17. Guidelines on security and privacy in public cloud com- 32. Singh S. Virtualization and information security: A virtual-
puting. Available from: https://www.nist.gov/publications/ ized DMZ design consideration using VMware ESXi 4.1.
guidelines-security-and-privacy-public-cloud-computing Unitec Institute of Technology; 2012. p. 1–130.
18. Winkler V. Security concerns, risk issues, and 33. Modi C, Patel D, Borisaniya B, Patel A, Rajarajan
legal aspects. Securing the Cloud. 2011. p. 55–81. M. A survey on security issues and solutions at different layers
https://doi.org/10.1016/B978-1-59749-592-9.00003-8. of Cloud computing. The Journal of Supercomputing. 2013;
19. Studnia I. Survey of security problems in cloud comput- 63(2):561–92. https://doi.org/10.1007/s11227-012-0831-5.
ing virtual machines. Computer and Electronics Security 34. Bamiah M, Brohi S. Seven deadly threats and vulnerabili-
Applications Rendez-vous (C&ESAR); 2012. p. 61–74. ties in cloud computing. International Journal of Advanced
20. Hashizume K, Rosado D, Fernández-medina E, Fernandez Engineering Sciences and Technologies. 2011; 9(1):87–90.
E. An analysis of security issues for cloud computing. Journal 35. Douglas H, Gehrmann C. Secure virtualization and mul-
of Internet Services and Applications. 2013; 4(5):1–13. ticore platforms. Swedish Institute of Computer Science;
https://doi.org/10.1186/1869-0238-4-5. 2009. p. 1–71.

16 Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology
 Nadiah M. Almutairy, Khalil H. A. Al-Shqeerat and Husam Ahmed Al Hamad

36. Security issues in cloud computing. Available from: https:// and Trusted Computing; 2010. p. 364–8. https://doi.
ieeexplore.ieee.org/document/6513028. org/10.1109/IPTC.2010.11.
37. Threats to virtual environments. Security Response. 52. Behl A. Emerging security challenges in cloud comput-
Available from: https://www.symantec.com/content/dam/ ing. World Congress on Information and Communication
symantec/docs/security-center/white-papers/threats-to- Technologies; 2011. p. 217–22.
virtual-environments-14-en.pdf. 53. Parashar A, Borde A. Management cloud computing :
38. Xianqin C, Han W, Sumei W, Xiang L. Seamless virtual Security issues and its detection methods. International
machine live migration on network security enhanced Journal of Engineering Sciences and Management. 2015;
hypervisor. IEEE International Conference on Broadband 5(2):136–40.
Network and Multimedia Technology; 2009. p. 847–53. 54. Toward inter-VM visibility in a Cloud environment using
https://doi.org/10.1109/ICBNMT.2009.5347800. packet inspection. Available from: https://ieeexplore.ieee.
39. OWASP the ten most critical web application security org/document/6632122.
risks. Available from: https://www.owasp.org/images/7/72/ 55. Althobaiti AFS. Analyzing security threats to virtual
OWASP_Top_10-2017_%28en%29.pdf. machines monitor in cloud computing environment.
40. Afshan N. Analysis and assessment of the vulnerabilities Journal of Information Security. 2017; 8(1):1–7. https://doi.
in cloud computing. International Journal of Advanced org/10.4236/jis.2017.81001.
Research in Computer Science. 2017; 8(2):1–4. 56. Ahuja SP, Komathukattil D. A survey of the state of cloud
41. Grobauer B, Walloschek T, Stocker E. Understanding cloud security. Network and Communication Technologies. 2012;
computing vulnerabilities. IEEE Security and Privacy. 2011; 1(2):66–75. https://doi.org/10.5539/nct.v1n2p12.
9(2):50–7. https://doi.org/10.1109/MSP.2010.115. 57. Shahzad A, Litchfield A. Virtualization technology:
42. Fernandes DAB, Soares LFB, Gomes JV, Freire MM, Cross-VM cache side channel attacks make it vulnerable.
Inácio PRM. Security issues in cloud environments: A sur- Australasian Conference on Information Systems; 2015. p.
vey. International Journal of Information Security. 2014; 1–14. PMid:25616160.
13(2):113–70. https://doi.org/10.1007/s10207-013-0208-7. 58. Tsai H, Chiao N, Steinmetz R, Darmstadt TU. Threat as
43. Gonzalez N. A quantitative analysis of current security con- a service: Virtualization’s impact on cloud security. IT
cerns and solutions for cloud computing. 3rd International Professional. 2012; 14(1):32–7. https://doi.org/10.1109/
Conference on Cloud Computing Technology and Science; MITP.2011.117.
2011. p. 231–8. https://doi.org/10.1109/CloudCom.2011.39. 59. Kedia P. A survey on virtualization service providers, secu-
44. Islam T, Manivannan D. A classification and characteriza- rity issues, tools and future trends. International Journal of
tion of security threats in cloud computing. International Computer Applications. 2013; 69(24):36–42. https://doi.
Journal Next-Generation Computing. 2016; 7(1):1–17. org/10.5120/12123-8491.
45. Tang Y, Lee PPC, Lui JCS, Perlman R. FADE: Secure overlay 60. Pearce M, Zeadally S, Hunt R. Virtualization: Issues, secu-
cloud storage with file assured deletion. Lecture Notes of rity threats, and solutions. ACM Computing Surveys. 2013;
the Institute for Computer Sciences, Social Informatics and 45(2):1–17. https://doi.org/10.1145/2431211.2431216.
Telecommunications Engineering; 2010. p. 1–18. 61. Wang Z. HyperSafe : A lightweight approach to provide life-
46. Sobey CH, Orto L, Sakaguchi G. Drive-independent data time hypervisor control-flow integrity. IEEE Symposium
recovery: The current state-of-the-art. IEEE Transactions on Security and Privacy; 2010. p. 380–95. https://doi.
on Magnetics. 2006; 42(2):188–93. https://doi.org/10.1109/ org/10.1109/SP.2010.30.
TMAG.2005.861757. 62. Rakotondravony N. Classifying malware attacks in IaaS
47. Security aspects of virtualization. Available from: cloud environments. Journal of Cloud Computing:
WP2016%201-3%203%20Study%20on%20security%20 Advances, Systems and Applications. 2017; 6(26):1–12.
aspects%20of%20virtualization%20(1).pdf. 63. Wang X, Wang Z, Liu Y, Luo Y, Li X. Detecting memory
48. Luo S, Lin Z, Chen X, Yang Z, Chen J. Virtualization secu- leak using virtualization technology. Information. 2013;
rity for cloud computing service. International Conference 16(3):1693–707.
on Cloud and Service Computing; 2011. p. 174–9. https:// 64. Khalil I, Khreishah A, Azeem M. Cloud comput-
doi.org/10.1109/CSC.2011.6138516.. ing security: a survey. Computers. 2014; 3(1):1–35.
49. The notorious nine cloud computing top threats in 2013. https://doi.org/10.3390/computers3010001.
Cloud Security Alliance; 2013. p. 1–21. 65. Zhou F, Goel M, Desnoyers P, Sundaram R. Scheduler vul-
50. Owens K. Securing virtual compute infrastructure in the nerabilities and Coordinated attacks in cloud computing.
cloud. Savvis; 2009. p. 1–13. PMCid:PMC4781541. Proceedings of the 2011 IEEE 10th International Symposium
51. Kong J. Protecting the confidentiality of virtual machines on Network Computing and Applications. 2011. p. 123–30.
against untrusted host. Intelligence Information Processing https://doi.org/10.1109/NCA.2011.24.

Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology 17
 A Taxonomy of Virtualization Security Issues in Cloud Computing Environments

66. An identification and prevention of theft-of-service attack Security and Communication Networks. 2018. p. 1–16.
on cloud computing. Available from: https://ieeexplore. https://doi.org/10.1155/2018/3780407.
ieee.org/document/7496632. 80. Tang W, Mi Z. Secure and efficient in-hypervisor memory
67. Sabahi F. Cloud computing Reliability, Availability and introspection using nested virtualization. IEEE Symposium
Serviceability (RAS): Issues and challenges. International on Service-Oriented System Engineering; 2018. p. 186–91.
Journal on Advances in ICT for Emerging Regions. 2011; https://doi.org/10.1109/SOSE.2018.00031.
4(2):12–23. 81. Azab AM, Skalsky NC. Hyper sentry : Enabling stealthy
68. Kalpana G, Kumar PV, Krishnaiah RV. A brief sur- in-context measurement of hypervisor integrity. ACM
vey on security issues in cloud and its service models. Conference on Computer and Communications Security;
International Journal of Advanced Research in Computer 2010. p. 38–49.
and Communication Engineering. 2015; 4(6):457–63. 82. Zhang F, Chen J, Chen H, Zang B, Cloud visor: Retrofitting
69. Cloud computing security considerations. Available from: protection of virtual machines in multi-tenant cloud with
https://etherealmind.com/wpcontent/uploads/2011/04/ nested virtualization. 23rd ACM Symposium on Operating
Cloud_Computing_Security_Considerations-1.pdf. Systems Principles; 2011. p. 203–16.
70. Azar Y, Kamara S, Menache I, Raykova M, Shepherd B. 83. Jin S, Huh J. Secure MMU: Architectural support for
Co-location-resistant clouds. Proceedings of the 6th Edition memory isolation among virtual machines. International
of the ACM Workshop on Cloud Computing Security; Conference on Dependable Systems and Networks
2014. p. 9–20. https://doi.org/10.1145/2664168.2664179. Workshops; 2011. p. 217–22. https://doi.org/10.1109/
71. Varadarajan V. Isolation in public clouds: Threats, chal- DSNW.2011.5958816.
lenges and defenses. University of Wisconsin-Madison; 84. Szefer J, Lee RB. Architectural support for hypervi-
2015. p. 1–227. sor-secure virtualization. International Conference on
72. Cloud computing: Issues and challenges. Available from: Architectural Support for Programming Languages
https://ieeexplore.ieee.org/document/5474674. and Operating Systems; 2012. p. 1–13. https://doi.
73. Lombardi F, Pietro R, Soriente C. CReW: Cloud resilience org/10.1145/2150976.2151022.
for windows guests through monitored virtualization. IEEE 85. Jin S, Ahn J, Cha S, Huh J. Architectural support for secure
Symposium on Reliable Distributed Systems; 2010. p. 338–42. virtualization under a vulnerable hypervisor. Annual IEEE/
https://doi.org/10.1109/SRDS.2010.48. ACM International Symposium on Microarchitecture;
74. Brooks T, Caicedo C, Park J. Security challenges and 2011. p. 1–12. https://doi.org/10.1145/2155620.2155652.
countermeasures for trusted virtualized computing envi- 86. Keller E, Szefer J, Lee RB. NoHype : Virtualized cloud infra-
ronments. World Congress on Internet Security; 2012. p. structure without the virtualization. Annual International
117–22. Symposium on Computer Architecture; 2010. p. 350–61.
75. Xia Y, Liu Y, Chen H, Zang B. Defending against VM https://doi.org/10.1145/1815961.1816010.
rollback attack. IEEE/IFIP International Conference on 87. Rogers B, Chhabra S, Solihin Y, Prvulovic M. Using
Dependable Systems and Networks Workshops; 2012. p. address independent seed encryption and bonsai merkle
1–5. trees to make secure processors OS-and performance-
76. Xia Y, Liu Y, Chen H. Architecture support for guest- friendly. Annual IEEE/ACM International Symposium
transparent VM protection from untrusted hypervisor on Microarchitecture; 2007. p. 183–94. https://doi.
and physical attacks. International Symposium on High org/10.1109/MICRO.2007.16.
Performance Computer Architecture; 2013. p. 23–7. 88. Yashveer Y, Krishna CR. Two-level security framework for
77. Durairaj M, Manimaran A. A study on security issues in virtual machine migration in cloud computing. i-Manag-
cloud based e-learning a study on security issues in cloud er’s Journal on Information Technology. 2018; 7(1):34–44.
based e-learning. Indian Journal of Science and Technology. https://doi.org/10.26634/jit.7.1.14095.
2015; 8(8):757–65. https://doi.org/10.17485/ijst/2015/ 89. Santos N, Gummadi K, Rodrigues R. Towards trusted
v8i8/69307. cloud computing. 2009 Conference on Hot Topics in Cloud
78. Cheng G, Jin H, Zou D, Ohoussou AK, Zhao F. A prioritized Computing; 2009. p. 1–5. PMCid:PMC2831950.
Chinese wall model for managing the covert information 90. Xiaopeng G, Sumei W, Xianqin C. VNSS: A network
flows in virtual machine systems. International Conference security sandbox for virtual computing environment.
for Young Computer Scientists; 2008. p. 1481–7. https://doi. IEEE Youth Conference on Information, Computing
org/10.1109/ICYCS.2008.534. and Telecommunications; 2010. p. 395–8. https://doi.
79. Zhang S, Meng X, Wang L, Xu L, Han X. Secure virtualization org/10.1109/YCICT.2010.5713128.
environment based on advanced memory introspection.

18 Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology
 Nadiah M. Almutairy, Khalil H. A. Al-Shqeerat and Husam Ahmed Al Hamad

91. Sailer R. sHype : Secure hypervisor approach to trusted vir- Distributed Systems Security Symposium; 2003. p. 1–16.
tualized systems. IBM Research Report; 2005. p. 1–13. PMid:12522106.
92. Chen WZ, Zhu HW, Huang W. SeVMM: VMM-based 94. Srivastava A, Giffin J. Tamper-resistant, application-aware
security control model. International Conference on blocking of malicious network connections. International
Cyberworlds; 2008. p. 820–3. Workshop on Recent Advances in Intrusion Detection;
93. Garfinkel T, Rosenblum M. A virtual machine introspection 2008. p. 39–58. https://doi.org/10.1007/978-3-540-87403-
based architecture for intrusion detection. Network and 4_3.

Vol 12 (3) | January 2019 | www.indjst.org Indian Journal of Science and Technology 19

View publication stats