Checking Running and Dormant Virtual Machines for the Necessity of Security Updates in Cloud Environments

A common approach in Infrastructure-as-a-Service Clouds or virtualized Grid computing is to provide virtual machines to customers to execute their software remotely. While giving full super user permissions eases the installation and use of a customer´s software, it may lead to security issues. Providers usually delegate the task of keeping virtual machines up to date to the customer, while the customer expects the provider to perform this task. Consequently, a large number of virtual machines (either running or dormant) are not patched against the latest software vulnerabilities. The approach presented in this paper deals with this problem by helping users as well as providers to keep virtual machines up to date. Prior to the update step, it is crucial to know which software is actually outdated. While this task seems trivial, developing a solution that takes care of multiple, different software repositories and identifies the correct packages is a challenging task. The Update Checker presented in this paper identifies outdated software packages in virtual machines, even if the virtual machines are installed with different repositories. The paper presents the design, the implementation and an experimental evaluation of the approach.