DocumentCode :
606364
Title :
Defense-in-Depth Against Malicious Insiders in the Cloud
Author :
Rocha, F. ; Gross, T. ; Van Moorsel, Aad
Author_Institution :
Sch. of Comput. Sci., Newcastle Univ., Newcastle upon Tyne, UK
fYear :
2013
fDate :
25-27 March 2013
Firstpage :
88
Lastpage :
97
Abstract :
A critical challenge in cloud computing is assuring confidentiality and integrity for the execution of arbitrary software in a consumer's virtual machine. The problem arises from having multiple virtual machines sharing hardware resources in the same physical host. A security-critical resource is random access memory, which in the current version of the Xen hypervisor is vulnerable to attacks. As previous work demonstrated, this vulnerability originates from Xen adopting a very permissive memory access model for its management virtual machine (Dom0). The model assumes it is safe to grant Dom0 full access to the memory space allocated to consumers' virtual machines. In this paper, we first present a sophisticated attack which makes it possible to compromise security-sensitive information resident in the memory area of a particular process executing in a virtual machine. The attack demonstration consists in subverting the new inter-virtual machine communication mechanism, libvchan, which is under development for the Xen hypervisor. This attack allows us to propose and implement a proof of concept for a lightweight mandatory memory access control mechanism for Xen, which achieves a better overall memory access model for Dom0. We then propose an architecture which takes advantage of our memory protection mechanism and previous work to achieve defense in depth in cloud computing.
Keywords :
authorisation; cloud computing; virtual machines; Dom0; Xen hypervisor; arbitrary software; cloud computing; consumer virtual machine; hardware resources; intervirtual machine communication mechanism; libvchan; lightweight mandatory memory access control mechanism; malicious insiders; management virtual machine; permissive memory access model; security-sensitive information; Cryptography; Data structures; Hardware; Servers; Virtual machine monitors; Virtual machining; cloud security; malicious insider; mandatory access control; virtualization;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Cloud Engineering (IC2E), 2013 IEEE International Conference on
Conference_Location :
Redwood City, CA
Print_ISBN :
978-1-4673-6473-7
Type :
conf
DOI :
10.1109/IC2E.2013.20
Filename :
6529272