Finally fedora15
fedora15 Date: 2021-04-01
Schwarzkopf et al. Journal of Cloud Computing: Advances, Systems and Applications 2012, 1:12
http://www.journalofcloudcomputing.com/content/1/1/12

RESEARCH ARTICLE, Open Access

Increasing virtual machine security in cloud environments

Roland Schwarzkopf*, Matthias Schmidt, Christian Strack, Simon Martin and Bernd Freisleben

Abstract

A common approach in Infrastructure-as-a-Service Clouds or virtualized Grid computing is to provide virtual machines to customers to execute their software on remote resources. Giving full superuser permissions to customers eases the installation and use of user software, but it may lead to security issues. The providers usually delegate the task of keeping virtual machines up to date to the customers, while the customers expect the providers to perform this task. Consequently, a large number of virtual machines (either running or dormant) are not patched against the latest software vulnerabilities. The approach presented in this article deals with these problems by helping users as well as providers to keep virtual machines up to date. Prior to the update step, it is crucial to know which software is actually outdated or affected by remote security vulnerabilities. While these tasks seem to be straightforward, developing a solution that handles multiple software repositories from different vendors and identifies the correct packages is a challenging task. The Update Checker presented in this article identifies outdated software packages in virtual machines, regardless of whether the virtual machine is running or dormant on disk. The proposed Online Penetration Suite performs pre-rollout scans of virtual machines for security vulnerabilities using established techniques and prevents execution of flawed virtual machines. The article presents the design, the implementation and an experimental evaluation of the two components.
Introduction

Infrastructure-as-a-Service (IaaS) Clouds [1] and virtualized Grid computing are based on the idea that users build individual virtual machines as execution environments for their tasks, allowing them to provide the required software stack without having to deal with Cloud or (multiple) Grid site administrators [2].

While the use of virtual machines is beneficial for service and infrastructure providers (users and providers in the Cloud nomenclature), by lowering the costs for the former and improving utilization and management capabilities for the latter, there are also some drawbacks. Since virtual machines are cheap and easy to create, users tend to create distinct virtual machines for different tasks. Users can branch new virtual machines based on old ones, snapshot machines or even roll back machines to a previous state. While these features provide great flexibility for users, they pose an enormous security risk for providers. A machine rollback, for example, could reveal an already fixed security vulnerability [3]. What makes the task of keeping the software stack up-to-date even more time-consuming is the increasing number of virtual machines, a phenomenon called virtual machine sprawl [4]. More problems arise because some of the virtual machines are likely to be dormant (not running) at some point in time. These virtual machines cannot be easily kept up-to-date, because typically this would require the virtual machines to be started, updated and shut down again, which is not only time-consuming, but may also be a tedious process.

*Correspondence: rschwarzkopf@mathematik.uni-marburg.de. Department of Mathematics and Computer Science, University of Marburg, Hans-Meerwein-Str. 3, D-35032 Marburg, Germany

Different solutions [4-6] have been developed to solve the maintenance problem of (dormant) virtual machines. While these solutions can be used to update dormant machines, they suffer from a potential compatibility problem. They "forcibly" install updates, either by changing an underlying layer [5] or by replacing files [4,6], and there is no guarantee that the updates can be safely applied and that they are compatible with the software stack and the configuration of all affected virtual machines. Moreover, all of these solutions lack the ability to properly identify which applications are truly outdated. Since this information is a prerequisite for the actual update process, it is a crucial step in the process of keeping (dormant) virtual machines in a Cloud or a virtualized Grid computing environment up-to-date. While such a check is easy to perform for running virtual machines, because of the commonly used package management systems on Linux platforms and automatic update facilities on Windows platforms, it is again a problem with dormant virtual machines.

© 2012 Schwarzkopf et al.; licensee Springer. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Even if virtual machines are kept up to date, the installed software might still contain design flaws or software vulnerabilities not fixed with the latest update. Thus, only checking for updates alone is not sufficient. Furthermore, machines used in a public IaaS environment are subject to external attacks, i.e., they might be a selected or random target chosen by scripts. Therefore, it is indispensable to continuously analyze the used virtual machines and take proactive countermeasures such as patching the revealed flaws.
In this article a combined approach that checks for software updates and scans virtual machines for known security vulnerabilities is presented. The first component, called Update Checker, is proposed to check a potentially huge number of Linux-based virtual machines for the necessity of updates. Since the Update Checker copies the information about installed packages to a central database, the check can be executed on the central instance without booting the virtual machine beforehand and shutting it down afterwards, which is the most time-consuming part of checking for updates of a virtual machine. Thus, the check is independent of the status of the virtual machine (running or dormant). Both apt/dpkg and yum/rpm are supported and therefore all major Linux distributions. The solution allows easy checking of all registered virtual machines, returning either the number of available updates or details about each of the available updates.

The second component, called Online Penetration Suite (OPS), is proposed to perform periodic or pre-rollout online-scanning of virtual machines. While periodic scans can be done in idle times, pre-rollout scans are executed before machines go live, delaying the start of a machine but using the latest version of the scanners for up-to-date results. Virtual machines are scanned for software vulnerabilities, using a combination of well-known security products. Furthermore, the proposed solutions can inform the owners about relevant findings via e-mail. Using an API, other management tools can utilize the results. To leverage existing software, our proposal is based on the Xen Grid Engine (XGE) [2] and the Image Creation Station (ICS) [7] introduced in previous publications. The XGE is a software tool to create either virtualized Grid environments on-demand or to act as a Cloud IaaS middleware. The ICS offers an easy way for users to create, maintain and use virtual machines in the previously mentioned environments. An exemplary integration into the ICS, marking virtual machines that contain obsolete packages in virtual machine lists and providing details about available updates in detail views, and the XGE, preventing virtual machines containing obsolete packages from being started, is provided. The OPS scan process is triggered either by the ICS as a periodic maintenance operation or, if the additional overhead is acceptable, by the XGE as a pre-rollout check that might prevent a virtual machine from being started. As an alternative to preventing virtual machines from being started, those virtual machines can be started as usual and the owner is informed that his/her running machine is potentially unsafe. This can help administrators by giving them an overview of their dormant virtual machines, but also users without experience in the area of system maintenance (e.g. scientists that build custom virtual machines to execute their jobs), by making them aware of the problem.

The article is organized as follows. The next section presents the proposed design. Then, its implementation is discussed, followed by the presentation of experimental results. Afterwards, related work is discussed. The final section concludes the article and outlines areas for future research.
Design

The following sections present the design of the proposed approach. The first section outlines the Update Checker, a solution for checking for updates in virtual machines. The second section describes the Online Penetration Suite, an approach for online-scanning virtual machines for known software vulnerabilities.
Update checker

Since the primary goal of the Update Checker is detecting obsolete software in (dormant) virtual machines, the term virtual machine is used throughout this article. Nevertheless, the solution is applicable to physical machines as well.

The concept of the Update Checker is to build a central database that contains all the information required for the task of checking for updates. This includes the list of installed packages, including the exact version of the installed package, as well as the list of repositories that are used for each virtual machine. This information has to be imported into the central database when the virtual machine is first registered, and updated after each change of the virtual machine, i.e., after the installation of new software or the update of already installed software.

Since the Update Checker is not targeted at a single Linux distribution (compared to, e.g., Landscape for Ubuntu [8]), at least the two prevalent software management solutions are supported: apt/dpkg, used for example in Debian and Ubuntu, as well as yum/rpm, used for example in Red Hat and Fedora as well as SuSE. Both solutions use a specific package database format as well as a specific repository format. While apt/dpkg uses the same plain text file format both as package database and as repository database, yum/rpm uses a Berkeley database as package database and an XML file as repository database. Nevertheless, this has no influence on the structure of the database used to store the required information, since both systems have the concept of distinct package names and a consistent versioning scheme in common.
The design of the solution is shown in Figure 1. There are specific importers for the package databases and for the repository databases of the different software management solutions. This makes the Update Checker easily adaptable to other software management solutions. Information about the installed packages of a virtual machine is stored in the PackageDB. Metadata about the VM, i.e., the timestamp of the import, the repositories used, etc., is stored in the MetadataDB. Information about the available packages on the different repositories is stored in the Repository Cache. When invoked, the Update Checker takes the information from these databases and the Repository Cache and matches installed and available packages to detect obsolete software and stores the results in the Result Cache.

[Figure 1: Update Checker architecture. The architecture of the Update Checker; components shown: Remote Importer (Update Checker Client, Data Collector), Update Checker API, CLI, Machine Importer, Repository Importer, Scan Engine, PackageDB, Repository Cache, MetadataDB and Result Cache.]

When a query for the state of one or more virtual machines is issued, the Update Checker first checks to see if the result of that query is already available in the Result Cache and returns the cached result if it is not obsolete. Cached results are considered obsolete after a configurable amount of time, depending on factors such as the frequency of updates or the need for security. Otherwise, it checks if the package lists of all repositories assigned to the virtual machine are available in the Repository Cache and not obsolete, i.e., the configured validity period has not yet expired. If this is not the case, the package lists are downloaded from the software vendor's repository, parsed and stored in the Repository Cache for future use. When using the Repository Cache instead of the real repositories, there is the chance that the Update Checker fails to identify an outdated package. Nevertheless, the Repository Cache is very useful for checking many virtual machines, and by using a small validity period the risk can be minimized. Finally, the actual check of the virtual machine is started, comparing the version of each installed package with the version available at the repository. Information about outdated packages is then stored in the Result Cache, so that subsequent queries regarding the same virtual machine can be answered faster.
To help the user to judge whether the identified outdated software poses a risk to the virtual machine, the Update Checker infers information about the priority of an update. Unfortunately, there is no common way to do this for multiple distributions. As a first approach, the source repository of the updated packages is evaluated, since distributions like Debian or Ubuntu use special repositories for security updates. The source of an update can therefore be used as a hint of its significance.

The Update Checker allows querying for the number of available updates for a single or multiple virtual machines as well as for details about the outdated packages and available updates for a single virtual machine. The former query allows a good estimation of the state of the virtual machine, where zero means the virtual machine is up to date, while a number greater than zero means that there are updates available. If significance information is available, individual numbers for each level of significance as well as the sum of the numbers are returned. This can either be used in situations where an overview over a number of virtual machines is required, e.g., a list of virtual machines in a management tool like the ICS, or as a status check for a specific virtual machine, e.g., before it is started by the XGE. Since the availability of updates itself allows no judgment about the threat resulting from the outdated packages, even when significance information is available, the latter query allows a detailed examination of the status of a virtual machine, by giving a list of outdated packages. This allows the user of the virtual machine to do a threat analysis based on the outdated packages and decide whether immediate action is required or not. The described functionality is used as an example of the integration of the Update Checker with other components. The complete solution is shown in Figure 2.

Two different interfaces are provided by the Update Checker: a command line interface (CLI) and an API for use by other software. The former can be used when an administrator manually wants to execute an update check or register a virtual machine. The latter is provided for other tools like the ICS or XGE, allowing them to easily access the status information. This interface is provided using the language-independent protocol XML-RPC [9], to be available to tools written in any language. The Update Checker can also be configured to run the checks at regular intervals, e.g., daily or weekly. This speeds up queries by other tools, because the information is already available. Users can be informed about obsolete software in their virtual machines via email. Additionally, administrators can also be informed about all virtual machines using obsolete software, to get an overview of the security of all virtual machines running on their infrastructure.

To ease the registration of virtual machines, the remote importer is provided (see Figure 1). It uses software management solution specific Data Collectors to gather the information required for the Update Checker, sends it to the machine the Update Checker is running on and triggers the registration process. It might seem cumbersome to manually re-register virtual machines after every change, but with the remote importer it is merely a single command. Furthermore, it can be easily automated when software for management and maintenance of virtual machines is used.
Online penetration suite

This section presents the Online Penetration Suite (OPS) to scan an arbitrary number of virtual machines for security vulnerabilities utilizing multiple security scanners. The OPS combines and interprets the different results and generates a machine-readable and a human-readable report. Furthermore, the OPS is able to manage (start, stop, migrate, etc.) virtual machines if necessary. This allows automatic testing of virtual machines in a virtualized infrastructure to detect known security vulnerabilities. Once the vulnerabilities are known, the administrators and users can fix them to protect their systems with respect to unwanted attacks.

Architecture

The OPS is divided into two parts: the logic part, containing the flow control and the report generator, and the backend part, operating the registered vulnerability scanners and the virtual machines. The architecture of the OPS is shown in Figure 3, containing two adapters for OpenVAS [10] and Nessus [11]. The OPS Logic module controls the processes of the OPS. It configures the security scanners, boots the virtual machines to test (if required) and starts the actual scans. Since the vulnerability scanners are basically third-party products with individual characteristics and modes of operation, they are abstracted by Adapters that hide the differences and provide a unified interface to start and monitor the vulnerability scanners. They allow the OPS not only to start the actual scans, but also to watch the scanners during the execution to detect any failures and react accordingly.
[Figure 2: Usage scenario. The architecture of a complete system for virtualized Grid computing, consisting of the ICS, the XGE and the Update Checker. Elements shown: ICS (maintains the pool of VM images, provides images, registers and checks VMs), XGE (checks VMs, deploys to the resource nodes), Update Checker (reads the repositories, maintains its DB), two repositories. The figure shows the XGE deploying and starting a virtual machine, after the Update Checker has attested the virtual machine as being up-to-date.]

[Figure 3: Online Penetration Suite architecture. The architecture of the Online Penetration Suite: the Logic part (OPS Logic, Tool Invocation, Report Generator producing the Summary and the Combined Report, the OPS Report built from the OpenVAS Report and the Nessus Report) and the Backend part (Adapters for Nessus and OpenVAS, VM Controller on libvirt, OpenVAS CLI, Nessus API via XML-RPC).]
For a scan, the OPS needs two input parameters: the names of the target virtual machines and the name(s) of one or more vulnerability scanners. If no scanners are provided, the OPS chooses all scanners by default. A name uniquely identifies a virtual machine and allows the OPS to obtain further information like the IP and MAC address, path to the disk image(s), etc.

The Report Generator module collects the reports from the different scanners and generates the final result: a summary, containing the number of detected vulnerabilities categorized by a risk factor, and a combined report, containing the results from the security scanners in a unified format. To enable the Report Generator to analyze and understand the reports, the adapters have to convert the reports from the native format of the scanner to the unified OPS format.

The backend part of OPS consists of adapters to the required tools and libraries. It provides a module to control virtual machines using the libvirt [12] library as well as the vulnerability scanner adapters. Currently, the OPS supports two different scanners: OpenVAS [10] and Nessus [11], both well-known and established security products.
Running vulnerability scans

OpenVAS is built as a client-server architecture. The server is divided into three parts: administrator, manager and scanner. All clients communicate with either the manager or the administrator, which both call the scanner. The OPS uses omp, a tool from the OpenVAS command line client, for interaction. In order to guarantee a seamless scan, some of the countless options of OpenVAS are preset by the OpenVAS adapter module using a configuration file. This prevents the user from choosing wrong options that could possibly lead to false results. Nevertheless, by modifying the adapter configuration file it is possible for an administrator to enable/disable tests or set/unset options.

Nessus, being the ancestor of OpenVAS, is also built as a client-server architecture. To control it, an XML-RPC interface is used. Nessus needs a number of parameters to start the scan process: the IP address of the server, authentication data and a scan configuration. Similar to the OpenVAS adapter, the Nessus adapter module presets a number of options to guarantee a seamless scan process.
Structure of the reports

The combined report generated by the Report Generator is hierarchically divided into several parts. It starts with a summary of all reports and contains the results of each scanner structured by each tested virtual machine. Finally, the machine-specific report contains the vulnerabilities of this host. This includes a detailed description of the vulnerability, the severity level and, if applicable, port number and transport protocol.
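The report hierarchy described above (a summary counted by risk factor, then the findings of each scanner structured by tested host) as an added example in Ruby. This is not code from the paper or from the OPS, which is written in Java; the hash keys of the "unified format", the RISK_LEVELS list and all findings except the one mirroring the article's report excerpt are constructed for the example.

```ruby
# Constructed findings, as the adapters would deliver them after conversion
# into the unified OPS format (one hash per finding). The first mirrors the
# excerpt quoted in the article; the rest are invented for this example.
UNIFIED_FINDINGS = [
  { scanner: 'OpenVAS', host: 'vm-01',
    title: 'Microsoft Outlook SMB Attachment Remote Code Execution Vulnerability (978212)',
    port: 'general/tcp', severity: 'HIGH', cve: 'CVE-2010-0266', bid: '41446',
    description: 'This host has critical security update missing according to Microsoft Bulletin MS10-045.' },
  { scanner: 'OpenVAS', host: 'vm-01', title: 'Weak SSH algorithms (constructed)',
    port: '22/tcp', severity: 'MEDIUM' },
  { scanner: 'Nessus', host: 'vm-01', title: 'Outdated web server (constructed)',
    port: '80/tcp', severity: 'HIGH' },
  { scanner: 'Nessus', host: 'vm-02', title: 'Informational banner (constructed)',
    port: '25/tcp', severity: 'LOW' },
].freeze

# Risk factors used for the summary (assumed ordering, highest first).
RISK_LEVELS = %w[HIGH MEDIUM LOW].freeze

# Summary: number of findings per risk factor, listing every level even if zero.
def summarize(findings)
  summary = RISK_LEVELS.to_h { |level| [level, 0] }
  findings.each { |f| summary[f[:severity]] = summary.fetch(f[:severity], 0) + 1 }
  summary
end

# Combined report: scanner -> host -> findings, the hierarchy the text describes.
def combine(findings)
  findings.group_by { |f| f[:scanner] }.transform_values do |per_scanner|
    per_scanner.group_by { |f| f[:host] }
  end
end

# Human-readable rendering of the hierarchical report.
def render(findings)
  lines = ['Summary:']
  summarize(findings).each { |level, n| lines << "  #{level}: #{n}" }
  combine(findings).each do |scanner, hosts|
    lines << "Scanner: #{scanner}"
    hosts.each do |host, items|
      lines << "  Host: #{host}"
      items.each do |f|
        lines << "    #{f[:title]}"
        lines << "    #{f[:port]} #{f[:severity]}"
        lines << "    Overview: #{f[:description]}" if f[:description]
        lines << "    CVE: #{f[:cve]}" if f[:cve]
        lines << "    BID: #{f[:bid]}" if f[:bid]
      end
    end
  end
  lines.join("\n")
end

puts render(UNIFIED_FINDINGS) if __FILE__ == $PROGRAM_NAME
```

The machine-readable counterpart is simply the hash returned by `summarize` together with the nested hash from `combine`; both can be serialized as JSON for an API consumer.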
The following paragraph shows an excerpt of a report:

Microsoft Outlook SMB Attachment Remote Code Execution Vulnerability (978212)
general/tcp HIGH
Overview: This host has critical security update missing according to Microsoft Bulletin MS10-045.
[...]
CVE: CVE-2010-0266
BID: 41446

Implementation

In this section, the implementation of the Update Checker and the OPS is outlined.
Update checker

This section describes important parts of the implementation of the Update Checker, working from the top to the bottom of Figure 1. First, the machine and repository importers and their sources of information are described using the Debian Package Manager (dpkg) and the Advanced Packaging Tool (apt) of Debian and its derivatives as an example. Afterwards, the internal databases and caches, the Scan Engine and the different interfaces are described. This section is concluded with details about the remote importer and the integration with other components. Further implementation details can be found in a previously published paper [13] of the authors. The implementation of the Update Checker has been done using the Ruby programming language.
Machine importer

A machine importer is responsible for importing the list of installed packages and enabled repositories of a machine into the PackageDB and MetadataDB, respectively. This information is collected from the package database, which keeps track of installed packages, versions, files belonging to each package, etc., and from the configuration files of the software management solution.

The package database of dpkg is stored in /var/lib/dpkg and consists of several text files, of which the file status is of particular interest, because it contains the metadata for each package that has ever been installed on the system. For each package it contains about a dozen key-value pairs, of which three are required to extract the information: Package, which contains the package name, Status, which contains the state of the package (installed or not installed), and Version, which contains the exact version of the package. The following snippet shows the parsed parts of a dpkg package management database entry:

Package: openssh-server
Status: install ok installed
Version: 1:5.1p1-5

The repositories used by apt are stored in /etc/apt/sources.list. This file contains multiple definitions, one per line, in the following format:

deb ROOT ARCHIVE COMPONENT (COMPONENT...)

The meaning of these fields is explained in the next section. They are required to build the URL for the actual repository that is required to load the list of available packages.
Repository importers

A repository importer is responsible for importing the list of available packages in a repository into the Repository Cache. This information is gathered from the repository database of the software management solution. The repository database of an apt repository can be found using the following URL, which is built using information from the fields in the config file:

ROOT/dists/ARCHIVE/COMPONENT/binary-ARCHITECTURE/Packages.TYPE

The ROOT field contains the root URL of the repository or mirror. The next two fields partition the repository: Debian and Ubuntu use ARCHIVE to divide the repository by the release (e.g. stable or testing) and COMPONENT to divide by license type and level of support (e.g. main, contrib or non-free). The last two fields specify the system architecture and the compression format of the repository database. The repository database uses the same format as the package database of dpkg. Thus, parsing can be done using the same technique.
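An added example in Ruby, the language the Update Checker is written in, covering both the machine importer of the previous section and the repository importer described here; it is not the paper's own code. It parses constructed dpkg status entries into the name-version hash, parses constructed sources.list lines, and builds the Packages URLs from the ROOT, ARCHIVE and COMPONENT fields. The function names, the sample data and the default architecture (amd64) and compression type (gz) are assumptions.

```ruby
require 'json'

# Constructed sample of two stanzas from dpkg's /var/lib/dpkg/status file.
# The first mirrors the openssh-server entry quoted in the article; the
# second is a removed package whose stanza must be skipped.
SAMPLE_STATUS = <<~STATUS
  Package: openssh-server
  Status: install ok installed
  Priority: optional
  Section: net
  Version: 1:5.1p1-5

  Package: old-tool
  Status: deinstall ok config-files
  Version: 0.9-1
STATUS

# Constructed sample /etc/apt/sources.list (not taken from a real machine).
SAMPLE_SOURCES = <<~SOURCES
  # comment lines and deb-src lines carry no binary packages
  deb http://ftp.debian.org/debian squeeze main contrib non-free
  deb http://security.debian.org/ squeeze/updates main
  deb-src http://ftp.debian.org/debian squeeze main
SOURCES

# Parse a dpkg status file into a name => version hash. Stanzas are separated
# by blank lines and each line is "Key: value". An apt Packages file shares
# this format but has no Status field, so pass installed_only: false for it.
def parse_dpkg_entries(text, installed_only: true)
  packages = {}
  text.split(/\n\s*\n/).each do |stanza|
    fields = {}
    stanza.each_line do |line|
      key, value = line.chomp.split(': ', 2)
      fields[key] = value if key && value
    end
    next unless fields['Package'] && fields['Version']
    # Status is "want flag state"; only the state "installed" counts.
    next if installed_only && (fields['Status'] || '').split.last != 'installed'
    packages[fields['Package']] = fields['Version']
  end
  packages
end

# Parse "deb ROOT ARCHIVE COMPONENT (COMPONENT...)" lines from sources.list.
def parse_sources_list(text)
  text.each_line.map do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    type, root, archive, *components = line.split
    next unless type == 'deb' && root && archive && !components.empty?
    { root: root.chomp('/'), archive: archive, components: components }
  end.compact
end

# Build ROOT/dists/ARCHIVE/COMPONENT/binary-ARCHITECTURE/Packages.TYPE for
# every component of every repository; architecture and type are assumed.
def packages_urls(sources, architecture: 'amd64', type: 'gz')
  sources.flat_map do |src|
    src[:components].map do |component|
      "#{src[:root]}/dists/#{src[:archive]}/#{component}/binary-#{architecture}/Packages.#{type}"
    end
  end
end

# The importer's output: the JSON hash the article stores per machine.
def installed_as_json(text)
  JSON.generate(parse_dpkg_entries(text))
end

if __FILE__ == $PROGRAM_NAME
  puts installed_as_json(SAMPLE_STATUS)
  puts packages_urls(parse_sources_list(SAMPLE_SOURCES))
end
```

Because a Packages file is parsed by the same function, a repository importer only needs to fetch the URL, decompress it and call `parse_dpkg_entries(body, installed_only: false)`.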
Internal databases and caches

The PackageDB is used to store a name-version pair for each installed package on every machine. Its counterpart is the Repository Cache that stores a name-version pair for each available package on every repository. Initially, it was planned to store this information in a database. Unfortunately, importing a virtual machine or updating the list of available packages of a repository was very slow using this technique. As a faster alternative, a hash encoded in JSON [14] was chosen, written to an individual file per virtual machine or repository, respectively. This was faster by a factor of more than 23 when measured for the import of two Debian repositories (2.16 sec using the hash versus 50.02 sec using the database). The equivalent to the database snippets shown above in the internal format is the following:

..., "openssh-server": "1:5.1p1-5", ...

Information about outdated packages is stored in the Result Cache. It stores name-oldversion-newversion-priority quadruplets in a JSON encoded list, written to an individual file per virtual machine. The MetadataDB stores a list of all registered virtual machines and repositories as well as the mapping between them. Furthermore, it stores the names of all files that build the PackageDB, Repository Cache and Result Cache, together with an expiration date for each file of the two caches.
Scan engine

In this component, the actual identification of outdated packages takes place. Whenever a query for available updates of a virtual machine is submitted and there is no current result in the result cache, the Update Checker first determines the required repositories using the MetadataDB. If the repository cache does not contain current versions of the required repositories, a repository importer is used to update the cache. Afterwards, the list of installed packages is retrieved from the PackageDB and the version of each package is compared with the version of that package stored in the repository cache. Outdated packages are stored in the result cache with installed and available version, so that subsequent queries can be handled faster. Finally, the number of outdated packages or the list of outdated packages is returned to the issuer of the query.

One particular problem discovered during the implementation of the Update Checker is the format of the version numbers used by the different package management systems or distributions, respectively. While most of the distributions use versions composed of the fields epoch, version and release, there are subtle differences between the distributions, e.g., separators, format of the release field, etc. Even the versionomy gem, a Ruby library especially designed for version comparisons, failed to correctly compare Debian version numbers. One possibility is the use of the dpkg binary, which provides an option to compare versions. This is very slow, since each comparison requires forking a new process. A Ruby library named dpkg-ruby implements version comparison using a native library. An old version of this library contains a Ruby-only version of the version comparison. Although slower, this solution is preferred in order to be independent of native libraries. By using an additional string comparison beforehand, performance losses can be cut down. Except for some minor tweaks, this version comparison library worked with all version numbers that were encountered in Debian and Fedora.
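An added example in Ruby serving both the scan engine walk-through and the version number problem just described; it is neither the paper's code nor the dpkg-ruby library. It ports dpkg's Debian version comparison rules (epoch, upstream version and revision; a tilde sorts before anything, letters before other characters, digit runs numerically), applies the cheap string-equality check before parsing, and then matches installed packages against cached repositories, emitting the name/old version/new version/priority quadruplets with the priority inferred from a security repository as the design section suggests. The sample packages, repository names and function names are constructed assumptions.

```ruby
# --- Debian version comparison (port of dpkg's comparison rules) -----------
# A version is [epoch:]upstream[-revision]. Each part is compared by
# alternating non-digit and digit runs.

def digit?(ch)
  !ch.nil? && ch >= '0' && ch <= '9'
end

# Sort key for one character: end of string and digits are 0, letters sort
# by their code, "~" sorts before everything, other characters after letters.
def order(ch)
  return 0 if ch.nil? || digit?(ch)
  return ch.ord if ch =~ /[A-Za-z]/
  return -1 if ch == '~'
  ch.ord + 256
end

def verrevcmp(a, b)
  ai = bi = 0
  while ai < a.length || bi < b.length
    # Compare the non-digit run character by character.
    while (ai < a.length && !digit?(a[ai])) || (bi < b.length && !digit?(b[bi]))
      ac = order(a[ai])
      bc = order(b[bi])
      return ac <=> bc unless ac == bc
      ai += 1
      bi += 1
    end
    # Compare the digit run numerically (leading zeros ignored).
    ai += 1 while a[ai] == '0'
    bi += 1 while b[bi] == '0'
    first_diff = 0
    while digit?(a[ai]) && digit?(b[bi])
      first_diff = a[ai] <=> b[bi] if first_diff.zero?
      ai += 1
      bi += 1
    end
    return 1 if digit?(a[ai])   # a's number has more digits
    return -1 if digit?(b[bi])
    return first_diff unless first_diff.zero?
  end
  0
end

def split_version(v)
  epoch = 0
  if v.include?(':')
    e, v = v.split(':', 2)
    epoch = e.to_i
  end
  dash = v.rindex('-')
  return [epoch, v, ''] if dash.nil?
  [epoch, v[0...dash], v[(dash + 1)..-1]]
end

# Returns -1, 0 or 1. The plain string comparison up front is the cheap
# shortcut mentioned in the article: identical strings need no parsing.
def compare_versions(a, b)
  return 0 if a == b
  ea, ua, ra = split_version(a)
  eb, ub, rb = split_version(b)
  c = ea <=> eb
  return c unless c.zero?
  c = verrevcmp(ua, ub)
  return c unless c.zero?
  verrevcmp(ra, rb)
end

# --- Scan engine: installed versus available ------------------------------
# installed:    {name => version} as stored in the PackageDB
# repositories: [{name:, packages: {name => version}}] from the Repository Cache
# Returns [name, old version, new version, priority] quadruplets; a repository
# whose name mentions "security" marks its updates with higher priority.
def find_outdated(installed, repositories)
  installed.each_with_object([]) do |(name, inst_ver), outdated|
    best = nil
    repositories.each do |repo|
      avail = repo[:packages][name]
      next if avail.nil?
      best = { version: avail, repo: repo[:name] } if best.nil? || compare_versions(avail, best[:version]) > 0
    end
    next if best.nil? || compare_versions(best[:version], inst_ver) <= 0
    priority = best[:repo].include?('security') ? 'security' : 'normal'
    outdated << [name, inst_ver, best[:version], priority]
  end
end

# Per-significance counts plus the sum, as the number query returns them.
def count_by_priority(outdated)
  outdated.group_by { |q| q[3] }.transform_values(&:length).merge('total' => outdated.length)
end

# Constructed sample data (not real repository contents).
INSTALLED = { 'openssh-server' => '1:5.1p1-5', 'bash' => '4.1-3',
              'libfoo' => '1.0~rc1-1', 'custom-tool' => '2.0-1' }.freeze
REPOSITORIES = [
  { name: 'squeeze/main', packages: { 'openssh-server' => '1:5.1p1-5', 'bash' => '4.1-3', 'libfoo' => '1.0-1' } },
  { name: 'squeeze/security', packages: { 'openssh-server' => '1:5.1p1-5+squeeze1', 'bash' => '4.1-3' } },
].freeze

if __FILE__ == $PROGRAM_NAME
  out = find_outdated(INSTALLED, REPOSITORIES)
  out.each { |q| puts q.join(' ') }
  p count_by_priority(out)
end
```

The pre-release package `libfoo` shows why the tilde rule matters: `1.0~rc1` must sort below `1.0`, which a plain string or numeric comparison gets wrong, and `custom-tool` shows that a package absent from every repository is neither reported nor treated as an error.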
A daemon is used to provide some automation. All virtual machines can be checked for updates automatically at regular intervals. As described above, this frequently updates the cached repository databases and caches the results for all virtual machines. Queries using the API or the command line interface can then be served from the cache, requiring almost no time (only a file has to be read). The daemon also allows notifying users by email about outdated packages in their virtual machines. Additionally, the daemon can be configured to send emails about the status of all virtual machines to administrators.
Online penetration suite

The Online Penetration Suite is implemented in the Java programming language. Virtual machines are controlled using the Java binding of the libvirt library, the Nessus scanner is invoked using the Apache XML-RPC library and the reports of the vulnerability scanners are processed and converted using the Java API for XML Processing (JAXP). Depending on the test configuration specified via the command line, the OPS frontend selects the required vulnerability scanners, starts their server components (if required), boots the virtual machines to scan (if they are not running already) and finally initiates and monitors the actual scan processes. All of these operations are hidden behind an interface that is implemented by the adapters, making the OPS easily extensible with new scanners. Since the report generation process is based entirely on reports in the unified OPS format, no vulnerability scanner dependent code is required for this step in the frontend.

The adapters use different techniques to control and monitor the actual vulnerability scanners. OpenVAS provides a command line interface, so its adapter needs to create a test configuration in the form of an XML file and pass it as an argument to the omp binary. Monitoring of OpenVAS requires analyzing the output of its client. For Nessus, the provided XML-RPC API is used. It contains methods to start and monitor the actual scan process. Both adapters contain code to convert the proprietary report formats into the unified OPS format.
Experimental results

The following section presents an evaluation of the presented components.

Update checker

Measurements have been conducted to evaluate the Update Checker on an Intel Xeon E5220 machine with 1 GB memory. The first measurement is a local measurement testing all components of the Update Checker, i.e., machine import, repository import and update checking. Three Debian and three Fedora virtual machines have been used in this test, with varying numbers of installed packages and enabled repositories. Each test has been executed 20 times and average values have been calculated. The results are shown in Table 1.
Table 1: Update Checker component benchmark

Distribution | Installed packages | Machine import | Repository import | Update import
Debian       |  563               | 0.04 secs      |  2.39 secs        | 0.44 secs
Debian       |  867               | 0.06 secs      |  2.80 secs        | 0.44 secs
Debian       | 1493               | 0.07 secs      |  2.68 secs        | 0.78 secs
Fedora       |  591               | 0.03 secs      | 13.59 secs        | 0.38 secs
Fedora       | 1063               | 0.04 secs      | 14.84 secs        | 1.00 secs
Fedora       | 2159               | 0.05 secs      | 15.38 secs        | 2.10 secs

Benchmark of all individual components of the Update Checker.

In the first part of this evaluation, the different machine importers were tested. All required files were copied to the machine the test was executed on prior to the evaluation, thus no network communication is involved. Furthermore, before the measurement rpm -qa was executed on the source machine to generate a list of installed packages including their version. This is required to work around incompatibilities (i.e., the rpm binary on Debian squeeze could not read the rpm database of a Fedora 15 installation). The growing import times can be explained with the growing number of installed packages that must be parsed.

The second part of the test measured the time required to download and parse all repository databases for the virtual machines (each machine had between 2 and 4 repositories configured) without using the repository cache. The times measured are thus artificial and are only of little relevance for actual usage, but allow evaluating the repository import and update checking. While the times for the Debian machines are quite stable, the increase of the time for Fedora is caused by the number of repositories used (2, 3 and 4, respectively). The very bad performance of the Fedora repository import is caused by the use of XML in the repository database.

The last part of the test evaluates the algorithm that actually checks for updates. Again, the increase in the times is caused by the growing number of packages. The reason for the worse results for Fedora is probably the longer and more complex version numbers used in Fedora, making the comparison harder and more time-consuming.

The measured values are promising. Checking for updates is a very fast process with the Update Checker. Because of the individual files used for the PackageDB and Repository Cache, we do not expect performance degradation when the number of virtual machines increases. The relatively long time required for importing yum repositories is compensated by the repository cache, which results in every repository being downloaded and parsed only once during the configurable validity period of the cache.
To evaluate the influence of the repository cache, another measurement has been conducted that represents a more realistic scenario: checking all imported virtual machines for updates. The six machines from the last measurement were checked at once, taking advantage of the repository cache. The experiment was repeated 20 times and the average times are shown in Figure 4. The results indicate that the repository cache is very effective in cutting down the time required to check multiple virtual machines for updates.

To evaluate the scalability (and applicability for physical machines) of the Update Checker, 115 physical nodes from our compute cluster were imported. All machines were checked at once using the repository cache. The experiment was repeated 20 times and the time required to check all virtual machines was calculated. The results shown in Figure 5 provide evidence for the scalability of the Update Checker. The average check time was 34.53 seconds for all 115 machines, that is 0.30 seconds per machine.

Another measurement was conducted to evaluate the import time of the virtual machines when the remote importer is used. This involves gathering all required files, executing rpm -qa in the case of rpm based distributions, sending everything to the Update Checker and starting the import process. For each virtual machine, 10 imports were executed. The results are shown in Figure 6. As expected, the amount of time the import process requires grows with the number of packages in the database. Generally, the import process is faster for apt/dpkg based virtual machines than for yum/rpm based virtual machines. The source of this problem seems to be the use of the rpm binary to extract the information from the database.

[Figure 4: Update checking performance. Benchmark of the update checking process for multiple virtual machines using the repository cache; plot of time in seconds (0 to 14) against virtual machine (1 to 3) for Debian and Fedora.]
[Figure 5: Results of the scalability evaluation. Benchmark of the update checking process for 115 machines using the repository cache; plot of time in seconds (34 to 35.5) against trials (1 to 19).]
Online penetration suite

The following section presents measurements related to the OPS. All tested systems are Xen domainU virtual machines running Debian Squeeze and located on Pentium IV systems with 1 GB memory. The OPS node is an Intel Xeon E5220 machine with 1 GB memory. All systems are interconnected with switched fast Ethernet.

The first experiment measures the total runtime of the OPS depending on the number of virtual machines. Figure 7 shows the results. The OPS used both vulnerability scanners in parallel while the number of target virtual machines was increased with every run. To get a robust mean, 100 trials were performed. Testing one virtual machine took 684 seconds on average, testing two machines took 859 seconds, testing three machines 1056 seconds, and it took 1279 seconds to test all four machines. Obviously, the measurement reveals that the runtime increases linearly with the number of tested systems. Furthermore, it reveals that it is more efficient to test multiple targets in parallel instead of scanning one after another.

In order to test the efficiency of the OPS, multiple tests against virtual machines running different versions of the Debian operating system were conducted. The unpatched release versions of Debian Etch (released April 2007), Lenny (released February 2009), Squeeze (released February 2011) and Wheezy (current unstable version) were used. The results of the tests are shown in Table 2. The OPS successfully revealed a number of security vulnerabilities in all tested versions, including two high-risk flaws in each version. Debian Etch is the oldest release and contains the lowest number of vulnerabilities because it contains fewer features (in terms of installed services) than all other versions. Other flaws are related to the installed kernel version. These flaws appeared with newer kernel versions and thus only in newer Debian versions.
Related work

The Cloud computing risk report written by ENISA [15] mentions the failure of customer hardening procedures as one of the research problems that need to be solved. Customers failing to secure the computing environment may pose a vulnerability to the Cloud infrastructure. Automation of system administration, including updating systems, is one of the relevant research topics mentioned in the Expert Group Report [16] created by the European Commission.
Figure 6 Remote import performance. Total time required to import each of the 6 virtual machines using the remote importer.

Figure 7 Results of the OPS evaluation. Benchmark of the runtime of the OPS depending on the number of tested systems.
An image management system, called Mirage, is presented by Wei et al. [6]. Mirage addresses security concerns of a virtual machine image publisher, customer and administrator. To reduce the publisher's risk, an access control framework regulates the sharing of virtual machine images. Image filters remove unwanted information (e.g., logs, sensitive information, etc.) from images prior to publishing. The authors also present a mechanism to update dormant images and apply security updates. While Mirage offers a complete solution for virtual disk image maintenance, it lacks the features presented in this article. Mirage can neither show whether the packages in a system are outdated nor work with multiple package management systems.

Based on Mirage, Reimer et al. [4] present the Mirage image format (MIF), a new storage format for virtual machine disk images. MIF solves the problem of virtual machine image sprawl, i.e., the complexity of maintaining disk image content that changes continuously due to cloning or snapshotting. MIF stores the disk image content in a central repository and supports searching, installing and updating applications in all images.
By using a special storage device, disk images share common blocks and thus take up only a fraction of the actual disk space. Using MIF it is also possible to update packages on a system, although the update procedure is quite complex. At first, it is quite unclear how the system determines whether there is a need for an update. Furthermore, the system needs a modified version of dpkg; thus, it is not usable with off-the-shelf installations or other package management solutions. The authors state that "the optimized Dpkg does not support some of Dpkg's features".

Table 2 OPS results for Debian

                   Risk level
Distribution       none   low   medium   high
Debian Etch          14     2        0      2
Debian Lenny         43     2        3      2
Debian Squeeze       44     2        3      2
Debian Wheezy        43     2        3      2

Number of security vulnerabilities the OPS detected in different versions of Debian Linux.
A system for unscheduled system updates, called AutoPod, was presented by Potter et al. [17]. AutoPod is based on system call interposition and the chroot utility and is able to create file system namespaces, called pods. Every process in a pod can be offline-migrated to another physical machine by using a checkpoint mechanism. Unfortunately, AutoPod is bound to Debian Linux and cannot be used with other package managers. Furthermore, it also updates a system automatically, which could lead to problems in case of an incomplete update. In contrast to the presented solution, AutoPod is based on chroot, which is known for having had several major security flaws in the past.

Sapuntzakis et al. [18] developed a utility, called the Collective, which assigns virtual appliances to hardware dynamically and automatically. By keeping software up to date, their approach prevents security break-ins due to fixed vulnerabilities. While their approach allows updating whole virtual machine appliances, it does not allow the update of certain packages within the appliance. Furthermore, it is not possible to determine whether certain packages are outdated.
Layered virtual machines [5] can be used to solve the maintenance problem of dormant virtual machines. These machines are split up into different layers, such as a common base layer, containing a base system with some commonly required libraries and tools, a user layer containing specific applications required by the user, and potentially other layers. Besides benefits when it comes to storage and transfer of those virtual machines, considering shared layers that need to be stored and transferred only once and reused by many virtual machines, this architecture also helps with the problem of keeping machines up-to-date. Because a base layer is shared by many virtual machines, updating the base layer will affect all virtual machines built on top. Although not the whole software stack is affected by those updates, some of the most important parts of the system (e.g., the SSH libraries, which were affected by a serious bug in the Debian implementation back in 2008 [19]) can be fixed this way.
Canonical, the company behind Ubuntu Linux, offers a commercial product called Landscape [8]. Landscape can be used to manage Ubuntu (virtual) machines, including package management and monitoring. While Landscape is able to detect and update outdated applications within virtual machines, it can only handle the Debian package format and is not able to update dormant machines. However, Landscape can update outdated machines once they are live the next time.

SAVEly, a tool to check Amazon Machine Images (AMIs) for vulnerabilities, was presented by Bleikertz et al. [20]. The authors construct an attack graph based on the security policies used in EC2. These policies are used to group machines while restricting the communication between them. Based on the graph, the authors use the OpenVAS scanner to check the AMI for remote vulnerabilities. Their approach is tightly coupled to Amazon's EC2 and cannot be used with other IaaS implementations or in virtualized Grid environments.

Yoon and Sim [21] present an automated network vulnerability assessment framework. It uses a combination of a scan manager, message relay server and scanners to check the hosts in a network for vulnerabilities. Their approach uses similar techniques to the ones presented, but it lacks the ability to work in a Cloud computing environment. It is neither able to control virtual machines, nor to instrument an IaaS solution like the XGE.
Conclusions

In this article, a new approach to increase the security of virtual machines in either virtualized Grid or Cloud computing environments has been presented. It is based on two components. A first component called Update Checker, which identifies outdated packages, can check either running or dormant virtual machine images efficiently. It supports the two major Linux software management solutions, namely apt/dpkg and yum/rpm, and thus all major Linux distributions currently used in Grid or Cloud environments. Due to its flexible design, plugins for other software management solutions can be easily added. The use of multiple caches speeds up the check process, resulting in a time of less than a second for a complete check of an average virtual machine. A second component called Online Penetration Suite scans virtual machines for software vulnerabilities using established security techniques. It can identify flaws in software components listening on the network. Both components are integrated into two already existing solutions (XGE and ICS) that leverage their capabilities to deny running too outdated machines or provide the user with the ability to update his or her machines.

There are several areas for future work. For example, the current implementation of the Update Checker only supports software installed using the package management systems of current Linux distributions. Nevertheless, there are cases where software is installed in other ways, either by compiling it manually or by installing software from binary packages that are not available in repositories. The idea of a generic framework with software specific plugins that can determine the installed version seems to be promising. Problems to solve are binaries without a version parameter and, even more, locating the software that was installed without using the package management system. Furthermore, the current approach to infer the significance of updates is a very basic approach. Comparing the list of outdated packages to the security advisories of the distribution, if available, seems to be promising. This would require distribution specific parsers for the advisories, since there is no unified advisory format, and manual configuration of the advisory sources for each distribution. The OPS currently controls two vulnerability scanners. In the future, it would be desirable to support a larger number of scanners.
Competing interests
The authors declare that they have no competing interests.

Authors' contributions
All authors contributed equally. All authors read and approved the final manuscript.

Acknowledgements
This work is partly supported by the German Ministry of Education and Research (BMBF) (D-Grid Initiative and HPC-Call) and the Hessian Ministry of Science and Art (HMWK).
Received: 30 January 2012  Accepted: 5 June 2012  Published: 17 July 2012

References
1. Armbrust M, Fox A, Griffith R, Joseph A (2009) Above the Clouds: A Berkeley View of Cloud Computing, Technical Report UCB/EECS-2009-28. EECS Department, University of California, Berkeley
2. Smith M, Schmidt M, Fallenbeck N, Dörnemann T, Schridde C, Freisleben B (2009) Secure On-demand Grid Computing. J Future Generation Comput Syst 25(3):315–325
3. Garfinkel T, Rosenblum M (2005) When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing. In 10th Workshop on Hot Topics in Operating Systems 121–126
4. Reimer D, Thomas A, Ammons G, Mummert T, Alpern B, Bala V (2008) Opening Black Boxes: Using Semantic Information to Combat Virtual Machine Image Sprawl. In Proceedings of the Fourth ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments 111–120. Seattle: ACM
5. Schwarzkopf R, Schmidt M, Fallenbeck N, Freisleben B (2009) Multi-Layered Virtual Machines for Security Updates in Grid Environments. In Proceedings of 35th Euromicro Conference on Internet Technologies, Quality of Service and Applications (ITQSA) 563–570. Patras: IEEE Press
6. Wei J, Zhang X, Ammons G, Bala V, Ning P (2009) Managing Security of Virtual Machine Images in a Cloud Environment. In Proceedings of the 2009 ACM Workshop on Cloud Computing Security, CCSW '09 91–96. New York: ACM
7. Fallenbeck N, Schmidt M, Schwarzkopf R, Freisleben B (2010) Inter-Site Virtual Machine Image Transfer in Grids and Clouds. In Proceedings of the 2nd International ICST Conference on Cloud Computing (CloudComp 2010) 1–19. Barcelona: Springer, LNICST
8. Canonical Inc (2011) Ubuntu Advantage Landscape. http://www.canonical.com/enterprise-services/ubuntu-advantage/landscape
9. Winer D (2003) XML-RPC Specification. http://www.xml-rpc.com/spec
10. OpenVAS Developers (2012) The Open Vulnerability Assessment System (OpenVAS). http://www.openvas.org/
11. Tenable Network Security (2012) Nessus Security Scanner. http://www.nessus.org/products/nessus
12. Libvirt Developers (2012) Libvirt - The Virtualization API. http://libvirt.org/
13. Schwarzkopf R, Schmidt M, Strack C, Freisleben B (2011) Checking Running and Dormant Virtual Machines for the Necessity of Security Updates in Cloud Environments. In Proceedings of the 3rd IEEE International Conference on Cloud Computing Technology and Science (CloudCom) 239–246. Athens: IEEE Press
14. Crockford D (2006) The application/json Media Type for JavaScript Object Notation (JSON). http://www.ietf.org/rfc/rfc4627
15. ENISA European Network and Information Security Agency (2009) Cloud Computing Risk Assessment. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
16. Lillard TV, Garrison CP, Schiller CA, Steele J (2010) The Future of Cloud Computing. In Digital Forensics for Network, Internet, and Cloud Computing 319–339. Boston: Syngress
17. Potter S, Nieh J (2005) AutoPod: Unscheduled System Updates with Zero Data Loss. In Autonomic Computing, International Conference on 367–368
18. Sapuntzakis C, Brumley D, Chandra R, Zeldovich N, Chow J, Lam MS, Rosenblum M (2003) Virtual Appliances for Deploying and Maintaining Software. In Proceedings of the 17th USENIX Conference on System Administration 181–194. Berkeley: USENIX Association
19. Debian Security Advisory 1576-1 OpenSSH (2008) Predictable Random Number Generator. http://www.debian.org/security/2008/dsa-1576
20. Bleikertz S, Schunter M, Probst CW, Pendarakis D, Eriksson K (2010) Security Audits of Multi-tier Virtual Infrastructures in Public Infrastructure Clouds. In Proceedings of the 2010 ACM Workshop on Cloud Computing Security, CCSW '10 93–102. Chicago
21. Yoon J, Sim W (2007) Implementation of the Automated Network Vulnerability Assessment Framework. In Proceedings of the 4th International Conference on Innovations in Information Technology 153–157. Dubai: IEEE

doi:10.1186/2192-113X-1-12
Cite this article as: Schwarzkopf et al.: Increasing virtual machine security in cloud environments. Journal of Cloud Computing: Advances, Systems and Applications 2012 1:12.