DocumentCode :
2027654
Title :
CloudSec: A security monitoring appliance for Virtual Machines in the IaaS cloud model
Author :
Ibrahim, Amani S. ; Hamlyn-Harris, James ; Grundy, John ; Almorsy, Mohamed
Author_Institution :
Centre for Comput. & Eng. Software Syst., Swinburne Univ. of Technol., Hawthorn, VIC, Australia
fYear :
2011
fDate :
6-8 Sept. 2011
Firstpage :
113
Lastpage :
120
Abstract :
The Infrastructure-as-a-Service (IaaS) cloud computing model has become a compelling computing solution with a proven ability to reduce costs and improve resource efficiency. Virtualization has a key role in supporting the IaaS model. However, virtualization also makes the IaaS model a target for potent rootkits because of the loss-of-control problem over the hosted Virtual Machines (VMs). This makes traditional in-guest security solutions, which rely on operating system kernel trustworthiness, no longer an effective way to secure the virtual infrastructure of the IaaS model. In this paper, we briefly explore the security problem of the IaaS cloud computing model, and present CloudSec, a new virtualization-aware monitoring appliance that provides active, transparent and real-time security monitoring for hosted VMs in the IaaS model. CloudSec utilizes virtual machine introspection techniques to provide fine-grained inspection of a VM's physical memory without installing any monitoring code inside the VM. It actively reconstructs and monitors the dynamically changing kernel data structure instances, as a prerequisite for protecting kernel data structures. We have implemented a proof-of-concept prototype using VMsafe libraries on a VMware ESX platform. We have evaluated the system monitoring accuracy and the performance overhead of CloudSec.
Keywords :
cloud computing; data structures; operating system kernels; security of data; virtual machines; CloudSec; VM physical memory; VMsafe libraries; VMware ESX platform; fine grained inspection; in-guest security solutions; infrastructure-as-a-service cloud computing model; kernel data structures; operating system kernel trustworthiness; security monitoring appliance; virtual machine introspection techniques; virtualization; virtualization aware monitoring appliance; Data structures; Kernel; Memory management; Monitoring; Security; Semantics; Virtual machine monitors; Cloud Computing; IaaS Security; Semantic Gap; VMsafe APIs; VMware ESX; Virtual Appliance; Virtual Machine Introspection;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Network and System Security (NSS), 2011 5th International Conference on
Conference_Location :
Milan
Print_ISBN :
978-1-4577-0458-1
Type :
conf
DOI :
10.1109/ICNSS.2011.6059967
Filename :
6059967