Increasing virtual machine security in cloud environments

A common approach in Infrastructure-as-a-Service Clouds or virtualized Grid computing is to provide virtual machines to customers to execute their software on remote resources. Giving full superuser permissions to customers eases the installation and use of user software, but it may lead to security issues. The providers usually delegate the task of keeping virtual machines up to date to the customers, while the customers expect the providers to perform this task. Consequently, a large number of virtual machines (either running or dormant) are not patched against the latest software vulnerabilities. The approach presented in this article deals with these problems by helping users as well as providers to keep virtual machines up to date. Prior to the update step, it is crucial to know which software is actually outdated or affected by remote security vulnerabilities. While these tasks seem to be straightforward, developing a solution that handles multiple software repositories from different vendors and identifies the correct packages is a challenging task. The Update Checker presented in this article identifies outdated software packages in virtual machines, regardless if the virtual machine is running or dormant on disk. The proposed Online Penetration Suite performs pre-rollout scans of virtual machines for security vulnerabilities using established techniques and prevents execution of flawed virtual machines. The article presents the design, the implementation and an experimental evaluation of the two components.