
ISSN (Print) : 0974-6846

Indian Journal of Science and Technology, Vol 9(43), DOI: 10.17485/ijst/2016/v9i44/104390, November 2016 ISSN (Online) : 0974-5645

A Review on Cloud Security Challenges and Issues


K. Balaji* and P. Sai Kiran
Department of CSE, KL University, Vijayawada – 520001, Andhra Pradesh, India
[email protected], [email protected]

Abstract
Background/Objectives: Cloud computing offers various services with minimum management effort while provisioning resources via the internet. Cloud clients are allowed to store their personal data at data centers, which minimizes storage maintenance in local systems. Methods/Statistical Analysis: The cloud computing environment faces huge issues with hardware and software vulnerabilities in the maintenance and resource provisioning process. These vulnerabilities pose huge loss of data, confidentiality, privacy and availability. Findings: In this paper, we studied and concentrated on various attacks in the virtualization environment and the possible attack scenarios in each platform. Application/Improvements: In the final section, we studied and described all types of attacks.

Keywords: Confidentiality, Integrity, Privacy, Provisioning, Virtualization.

1. Introduction

Cloud computing has been defined by the National Institute of Standards and Technology (NIST) as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction”. Cloud computing integrates various technologies to provide effective and efficient services to cloud clients [1]. The NIST cloud computing definition is the most widely accepted. The NIST cloud computing model provides the three parts of cloud services: (i) essential characteristics, (ii) service models and (iii) deployment models. In this paper we concentrate on the cloud virtual environment and its vulnerabilities. Virtualization is a promising technology which enables us to virtualize various resources in the cloud environment. Virtualization provides an isolation environment, on-demand resource sharing among multiple users and scalability, i.e., the Content Security Policy (CSP) can increase or decrease Virtual Machines (VMs) in a dynamic environment [3].

* Author for correspondence

Figure 1. a) Para Virtualization b) Full Virtualization

Full virtualization is a process of hosting guest operating systems on a Virtual Machine Monitor (VMM) or hypervisor. Through the hypervisor, any guest VM can access the physical resources in the cloud computing environment [2,4]. The VMM contains a special domain that acts as the root level or host operating system to control the other operating systems, i.e., domains. Figure 1 a) gives a brief idea of para virtualization: it prevents users from executing some dangerous system calls on physical resources. This leads to prevention of denial of service attacks on physical resources. Full virtualization provides an infrastructure to run VMs with full access to physical resources in the virtual environment. As Figure 1 b) shows, this virtualization technique provides direct access to the physical resources, so that a VM can execute any instruction without any involvement of the host Operating System (OS). This leads to denial of service attacks on the physical machine [5-7]. The benefits of virtualization are resource sharing, dynamism and scalability, cost effectiveness, reduced power consumption and isolation, and it helps the CSP to manage resources in an effective manner.

The paper is organized as follows: Section 2 gives the details of vulnerabilities in various hardware platforms and describes trusted computing failures in the cloud environment; Section 3 describes possible security vulnerabilities in software that is actually located at the cloud infrastructure. In Section 4 we describe possible attacks during live migration of a VM from one cloud environment, and finally we conclude the paper in the conclusion.

2. Security Issues in Cloud Infrastructure

The entire state of the virtual machine is exposed to the device module or the hypervisor, and if the attacker gains access to the hypervisor, all the data of the virtual machine, including the kernel state as well as the inputs from the keyboard, will be compromised [8,9].

2.1 Unauthorized Access to Hardware

A ring 0 authorized domain or administrator gives privileged access to lower level domains in the virtual environment in an improper way. This leads to vulnerability of the entire system, and the system granted access can directly utilize the hardware resources of the host OS or hypervisor. This leads to system failure and denial of service attacks. These attacks are termed “confused deputy attacks” [10]. Examples of these attacks are [CVE-2005-0204] and [CVE-2007-5633], where the OS or hypervisor wrongly grants access permissions to unauthorized domains in the virtual environment and provides open access to hardware such as Port I/O, MSRs, etc. [10].

2.2 Hardware Reflected Injection Attack

A cloud user may store malicious data (worm, virus, etc.) on the storage location of the cloud service provider side. When it traverses from the client to the storage media it does nothing; later, when it is accessed by a higher privileged user, it causes a vulnerability in data processing. It targets specific software on the CSP side and performs malicious activities once it gets triggered. These attacks pose great risk to the CSP, such as data breach, data corruption and denial of service attacks. An example of these attacks is [CVE-2010-4530].

2.3 Access by a Parallel Executing Entity

The cloud provider contains many platforms to make its characteristics available to the client, and resources are executed in a parallel and/or independent manner. Some resources, like servers, have the possibility of parallel execution with multi-core CPUs by using hardware assisted threads. A server shares features like memory, CPU, etc. In this regard, we consider memory as the major component for implementing these attacks. Suppose a client wants to execute or access a memory location; the CSP has to ensure that all other clients are passive for that memory location when the legitimate client is trying to access it. All other client usages are temporarily blocked by the CSP to prevent illegal access to the memory location. An attack [CVE-2005-0109] specifies how it is possible to access high privileged resources with

least privileged clients on their locations using parallel execution of resources on the cloud infrastructure. All the security codes, hardware failures, reasons and losses are mentioned in Table 1 below.

Table 1. Hardware vulnerabilities

Code          | Hardware failure          | Reasons                                                                       | Impact (score out of 10) | Losses
CVE-2007-5633 | Confused deputy           | Assigning of root access rights to cloud client to pooled resources           | 7.8                      | Confidentiality, Integrity, Availability
CVE-2010-4530 | Reflected injection       | Hardware failure that assigns root level access to other clients              | 8.1                      | Integrity, Availability
CVE-2005-0109 | Parallel execution threat | Unauthorized access of resource while blocking resource for specified client  | 9.8                      | Confidentiality, Integrity

3. Software Based Security Attacks

3.1 Allow User to Access Root Level

SVGAlib zgv 3.0 allows a user to gain root level access via a privilege leak of the iopl privileges to a child process [CVE-1999-1482]. This allows a cloud client to access root level resources without any barriers from the security group. This attack leads to complete failure of confidentiality, integrity and availability. This attack doesn’t require any authentication and the access complexity is very low [11].

3.2 Denial of Service Attack

In Linux kernel 3.2.10 and earlier, the regset method doesn’t manage the .set and .get methods in case of their absence while communicating with the local system. This allows a cloud user to launch denial of service attacks. These two methods pose unintended threats to Linux machines: PTRACE_SETREGSET and PTRACE_GETREGSET. This attack impacts the confidentiality, integrity, access complexity and availability of the data storage system, and authentication is never required to exploit the vulnerabilities of the system [12].

3.3 Xen Hypervisor Vulnerability

Xen hypervisor 4.1 has many vulnerabilities, as specified in [10], and it has a lot of security aspects for a guest user (Domain U). When Domain U uses PCI based pass-through on a VT-d chipset that does not have the interrupt remapping technique, it allows guest OS users to gain privileges by raising Message Signalled Interrupts (MSIs), which leads to writes to interrupt injection registers. Once Domain U obtains a privilege, it provides evidence of losing confidentiality, authentication and availability of other domain users’ data in the cloud environment [13].

3.4 Sparc Hypervisor Vulnerability

Sun Microsystems’ Sparc hypervisor firmware 6.6.3 to 7.1.3 on UltraSPARC T1 to T2+ system processors allows guest users to access memory via unknown vectors by means of an authentication bypass on the root level system. This attack leads to severe problems for cloud computing when it is configured with a Sparc hypervisor system. This attack causes the loss of data availability and confidentiality [14].

3.5 VMM Vulnerability

Microsoft virtual machine server 2005 Release 2 SP1 doesn’t maintain root level privileges for all host level machine instruction execution. This allows a guest VM to execute malware code at kernel level and obtain other VM privileges within the virtual environment via special software like aka. This poses a great issue to the entire


virtual environment, such as data breaches, data loss, and loss of data confidentiality and privacy [15]. Software vulnerabilities with different parameters are mentioned in Table 2.

Table 2. Software vulnerabilities

Code          | Attack                   | Reasons                                                                  | Impact (score out of 10) | Losses
CVE-1999-1482 | SVGAlib                  | Allows cloud client to access root level resources without any barriers  | 7.4                      | Confidentiality, Integrity
CVE-2012-1097 | Denial of service attack | Allows cloud user to launch denial of service attacks                    | 6.8                      | Integrity, Availability
CVE-2011-1898 | Xen injection attack     | MSI interrupts that lead to writes to interrupt injection registers      | 8.3                      | Confidentiality, Integrity, Availability
CVE-2008-4992 | Sparc vulnerability      | Authentication bypass on root level system                               | 7.8                      | Integrity, Availability
CVE-2009-1542 | VMM host access          | Obtain other VM privileges within the virtual environment                | 7.6                      | Confidentiality, Integrity

4. Possible Attacks on VM Migration

4.1 Software Vulnerabilities

An intruder can use several software vulnerabilities in VM migration, like integer overflow, stack overflow and heap overflow, to launch several attacks on the migration code module. Possible platforms to implement an attack are the Xen hypervisor and Oracle VirtualBox [16].

4.2 Replay Attack

While authenticating the cloud user, an authentication message contains authentication tokens that were used for earlier communication, and it is sniffed by the intruder or attacker to launch a replay attack. These attacks can be mitigated through nonce values in authentication messages and continuous changing of the message content. It takes an intruder effort to analyze the message content from the original data format, and random generation of nonce values provides more security against replay attacks. In the cloud environment, the cloud user and the cloud service provider authenticate the user before the start of the session, and the session is established by synchronizing with each other. It is highly difficult to implement the timestamp concept in a distributed cloud computing environment, and this poses huge risk in terms of replay attacks. In live VM migration, control messages are sent in unprotected mode, and an attacker can access the credentials and replay them to the live migration process by sending its VM to the actual or host OS. Possible platforms to implement an attack are the Xen hypervisor and Microsoft Hyper-V [17].

4.3 Masquerading

A masquerader attack refers to a way to obtain legitimate credentials from the actual user with a fake identity. Detection of these attacks is made by analyzing the masquerader’s activities on the victim resource in the cloud paradigm. After obtaining the credentials of the host OS, an attacker simply launches an attack on the VM migration module to stop or suspend the currently migrating VM process, and the attacker VM acts like the original source of the system [18]. Possible platforms to implement an attack are the Xen hypervisor and Oracle VirtualBox [17].

5. Conclusion

Cloud computing provides an effective way of delivering services over the internet with various service models and different infrastructure resources that are configured and pooled. In this paper, we investigated and studied various practical attacks on cloud infrastructure with possible attack vectors. We identified hardware level and software level threats and the possible nature of attacks on cloud infrastructure.
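The confused deputy pattern of Section 2.1, shown as an added Python example that is not code from the paper or from any hypervisor: a privileged component standing in for the ring 0 domain performs port writes on behalf of guest domains. The vulnerable handler authorizes a request using only the deputy's own privilege, so any guest can drive any port the deputy owns; the hardened handler checks the requesting domain's own rights first and records every decision so that denied attempts are visible in an audit trail. The domain names, port numbers and the per-domain allowlist are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed example: a privileged deputy that mediates I/O port access for guests.
# Port numbers are illustrative; the deputy's "hardware" is a plain dictionary.


@dataclass(frozen=True)
class Domain:
    name: str
    allowed_ports: FrozenSet[int]   # ports this guest is entitled to use (hypothetical policy)


@dataclass
class AuditEvent:
    domain: str
    port: int
    decision: str


class PrivilegedDeputy:
    """Ring 0 style component that owns the hardware and acts for lower privileged domains."""

    def __init__(self, ports: List[int]):
        self.hardware: Dict[int, int] = {p: 0 for p in ports}   # port -> last written value
        self.audit: List[AuditEvent] = []

    def port_write_confused(self, requester: Domain, port: int, value: int) -> bool:
        """Vulnerable shape: the deputy only checks that it can reach the port itself.
        The requester's identity is never consulted, so the deputy is 'confused' into
        spending its own privilege for any caller."""
        if port not in self.hardware:
            return False
        self.hardware[port] = value
        return True

    def port_write_checked(self, requester: Domain, port: int, value: int) -> bool:
        """Hardened shape: authorize against the requester's own rights before using the
        deputy's privilege, and log the decision either way."""
        if port not in self.hardware:
            return False
        if port not in requester.allowed_ports:
            self.audit.append(AuditEvent(requester.name, port, "denied"))
            return False
        self.hardware[port] = value
        self.audit.append(AuditEvent(requester.name, port, "allowed"))
        return True


def run_demo() -> Tuple[bool, bool, bool, List[Tuple[str, int, str]]]:
    """A guest entitled to one port asks for another that belongs to the host only."""
    HOST_ONLY_PORT, GUEST_PORT = 0x64, 0x3F8                 # constructed port numbers
    deputy = PrivilegedDeputy(ports=[0x60, HOST_ONLY_PORT, GUEST_PORT])
    guest = Domain("domain-u", frozenset({GUEST_PORT}))

    confused = deputy.port_write_confused(guest, HOST_ONLY_PORT, 0x01)   # succeeds: bug
    denied = deputy.port_write_checked(guest, HOST_ONLY_PORT, 0x01)      # refused
    allowed = deputy.port_write_checked(guest, GUEST_PORT, 0x41)         # within rights
    trail = [(e.domain, e.port, e.decision) for e in deputy.audit]
    return confused, denied, allowed, trail


if __name__ == "__main__":
    print(run_demo())
```

The point of the hardened handler is where the check lives: the privilege belongs to the deputy, but the authorization decision must be made against the caller's rights, and the denial record is what lets an operator notice a guest probing ports it was never granted.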
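For the replay attack of Section 4.2 and the masquerading attack of Section 4.3, the following added Python example (not code from the paper or from any hypervisor) shows a destination host validating live-migration control messages. An HMAC-SHA256 tag rejects forged messages, a fresh random nonce per message lets the receiver reject a sniffed copy, and the migration session is pinned to the peer address that began it, so a suspend or stop command arriving from a different peer is refused even when it carries valid credentials. The message format, the shared key, the VM and host names and the peer addresses are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from collections import OrderedDict
from typing import Dict, List

# Constructed shared key between source and destination hosts (example value only).
SHARED_KEY = b"example-migration-key"

COMMANDS_NEEDING_SESSION = ("suspend", "stop", "resume")


def _canonical(fields: Dict) -> bytes:
    """Deterministic encoding so sender and receiver authenticate the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_control(key: bytes, src_host: str, vm_id: str, command: str) -> Dict:
    """Build one control message with a fresh random nonce and an HMAC-SHA256 tag."""
    fields = {"src_host": src_host, "vm_id": vm_id, "command": command,
              "nonce": secrets.token_hex(16)}
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": tag}


class MigrationReceiver:
    """Destination side of a live migration: validates every control message."""

    def __init__(self, key: bytes, nonce_window: int = 4096):
        self.key = key
        self.nonce_window = nonce_window
        self.seen_nonces: "OrderedDict[str, None]" = OrderedDict()  # bounded replay cache
        self.sessions: Dict[str, str] = {}   # vm_id -> peer address that started migration

    def _mac_ok(self, msg: Dict) -> bool:
        fields = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(fields), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, str(msg.get("mac", "")))

    def handle(self, msg: Dict, observed_peer: str) -> str:
        """observed_peer is the address the connection actually came from, as seen by the
        receiver; it is never read from the message, so stolen credentials cannot set it."""
        if not self._mac_ok(msg):
            return "rejected: bad mac"
        nonce = msg["nonce"]
        if nonce in self.seen_nonces:
            return "rejected: replayed nonce"
        self.seen_nonces[nonce] = None
        if len(self.seen_nonces) > self.nonce_window:
            self.seen_nonces.popitem(last=False)   # evict the oldest nonce
        vm_id, command = msg["vm_id"], msg["command"]
        if command == "start":
            if vm_id in self.sessions:
                return "rejected: migration already in progress"
            self.sessions[vm_id] = observed_peer
            return "accepted"
        if command in COMMANDS_NEEDING_SESSION:
            owner = self.sessions.get(vm_id)
            if owner is None:
                return "rejected: no active migration"
            if owner != observed_peer:
                return "rejected: peer does not match migration source"
            if command == "stop":
                del self.sessions[vm_id]
            return "accepted"
        return "rejected: unknown command"


def run_demo() -> List[str]:
    """Five constructed messages: a legitimate start, a replay of it, a forgery without
    the key, a masquerader using the real key from another peer, and a legitimate suspend."""
    rx = MigrationReceiver(SHARED_KEY)
    legit_peer, other_peer = "10.0.0.1", "10.0.0.66"
    results = []
    start = make_control(SHARED_KEY, "host-a", "vm-42", "start")
    results.append(rx.handle(start, observed_peer=legit_peer))
    results.append(rx.handle(start, observed_peer=legit_peer))        # same bytes again
    forged = make_control(b"guessed-key", "host-a", "vm-42", "stop")
    results.append(rx.handle(forged, observed_peer=other_peer))
    stolen = make_control(SHARED_KEY, "host-a", "vm-42", "suspend")   # valid key, wrong peer
    results.append(rx.handle(stolen, observed_peer=other_peer))
    legit = make_control(SHARED_KEY, "host-a", "vm-42", "suspend")
    results.append(rx.handle(legit, observed_peer=legit_peer))
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The bounded nonce cache is the trade-off behind the paper's remark that timestamps are hard to use in a distributed environment: without synchronized clocks the receiver cannot expire nonces by age, so it bounds them by count, and the window must exceed the number of messages one migration can carry or an old nonce becomes replayable. The MAC gives authenticity and integrity only; the unprotected control channel the paper describes would additionally need transport encryption to keep credentials from being sniffed in the first place.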


6. References

1. Abbas A, Khan SU. A review on the state-of-the-art privacy preserving approaches in e-health clouds.
2. IEEE Journal Biomedical Health Information. 2014 July; 18(4):1431–41.
3. Abbas A, Bilal K, Zhang L, Khan SU. A cloud based health insurance plan recommendation system: A
4. user centered approach. Future Generation Computer Systems. 2015 Feb; 43(44):99–109.
5. Agrawal R. Legal issues in cloud computing. IndicThreads, Conference on Cloud Computing, 2011.
6. Alhamazani K, Ranjan R, Mitra K, Rabhi F, Khan SU, Guabtni A, Bhatnagar V. An Overview of the Commercial Cloud Monitoring Tools: Research Dimensions, Design Issues, and State-of-the-Art. Computing. 2015 April; 97(4):357–77.
7. Ali M, Dhamotharan R, Khan E, Khan SU, Vasilakos AV, Li K, Zomaya AY. SeDaSC: secure data sharing in clouds. IEEE Systems Journal. 2015 Jan; PP(99):1–10.
8. Alowolodu OD, Alese BK, Adetunmbi AO, Adewale OS, Ogundele OS. Elliptic curve cryptography for securing cloud computing applications. International Journal of Computer Applications. 2013 March; 66(23).
9. Anala MR, Shetty J, Shobha G. A framework for secure live migration of virtual machines. International Conference on Advances in Computing, Communications and Informatics. IEEE; 2013.
10. Andrieux A, Czajkowski K, Dan A, Keahey K, Ludwig H, Nakata T, Pruyne J, Rofrano J, Tuecke S, Xu M. Web services agreement specification (WSagreement). International Conference on Advances in Computing, Communications and Informatics. 2013; 243–8.
11. Aslam M, Gehrmann C, Bjorkman M. Security and trust preserving VM migrations in public clouds. 11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). IEEE; 2012. 869–76.
12. Balduzzi M, Zaddach J, Balzarotti D, Kirda E, Loureiro S. A security analysis of Amazon’s elastic compute cloud service. Proceedings of the 27th Annual ACM Symposium on Applied Computing. 2012 March; 1427–34.
13. CERT civis: http://cert.civis.net/index.php?action=alert&param=CVE-1999-1482
14. Gunasekhar T, Thirupathi Rao K, Trinath Basu M. Understanding insider attack problem and scope in cloud. Circuit, Power and Computing Technologies, International Conference on Circuits, Power and Computing Technologies (ICCPCT). IEEE; 2015.
15. Gunasekhar T, Rao KT, Saikiran P, Lakshmi PS. A Survey on Denial of Service Attacks.
16. Gunasekhar T, Rao KT, Reddy VK, Kiran PS, Rao BT. Mitigation of Insider Attacks through Multi-Cloud. International Journal of Electrical and Computer Engineering. 2015 Feb; 5(1):136–41.
17. Durairaj M, Manimaran A. A Study on security issues in cloud based E-learning. Indian Journal of Science and Technology. 2015 April; 8(8):757–65.
18. Sugumar R, Sheik Imam SB. Symmetric Encryption Algorithm to Secure Outsourced Data in Public Cloud Storage. Indian Journal of Science and Technology. 2015 Sep; 8(23).
19. Karthik K, et al. A Study on IP Network Recovery through Routing Protocols. Indonesian Journal of Electrical Engineering and Informatics (IJEEI). 2016; 4(3):176–80.
20. Sastry K, Narasimha B, Thirumala Rao, Gunasekhar T. Novel Approach for Control Data Theft Attack in Cloud Computing. International Journal of Electrical and Computer Engineering. 2015 Dec; 5(6):1545–52.
