In Infrastructure-as-a-Service (IaaS) clouds, remote users access provided virtual machines (VMs) via the management server. The management server is managed by cloud operators, but not all the cloud operators are trusted in semi-trusted clouds. They can execute arbitrary management commands to users’ VMs and redirect users’ commands to malicious VMs. We call the latter attack the VM redirection attack. The root cause is that the binding of remote users to their VMs is weak. In other words, it is difficult to enforce the execution of only users’ management commands to their VMs. In this paper, we propose UVBond for strongly binding users to their VMs to address this issue. UVBond boots user’s VM by decrypting its encrypted disk inside the trusted hypervisor. Then it issues a VM descriptor to securely identify that VM. To bridge the semantic gap between high-level management commands and low-level hypercalls, UVBond uses hypercall automata, which accept the sequences of hypercalls issued by commands. We have implemented UVBond in Xen and created hypercall automata for various management commands. Using UVBond, we confirmed that a VM descriptor and hypercall automata prevented insider attacks and that the overhead was not large in remote VM management.

中文翻译：

---

在半信任云中通过强大的用户绑定来保护虚拟机管理

在基础架构即服务（IaaS）云中，远程用户通过管理服务器访问提供的虚拟机（VM）。管理服务器由云运营商管理，但并非所有云运营商在半信任云中都是受信任的。他们可以对用户的VM执行任意管理命令，并将用户的命令重定向到恶意VM。我们将后者称为VM重定向攻击。根本原因是远程用户与其VM的绑定很弱。换句话说，很难将仅用户的管理命令强制执行到其VM。在本文中，我们建议使用UVBond将用户绑定到其VM上，以解决此问题。UVBond通过在受信任的管理程序内部解密其加密磁盘来引导用户的VM。然后，它发出VM描述符以安全地标识该VM。为了弥合高级管理命令和低级超级调用之间的语义鸿沟，UVBond使用超级调用自动机，它接受命令发出的超级调用序列。我们已经在Xen中实现了UVBond，并为各种管理命令创建了hypercall自动机。使用UVBond，我们确认VM描述符和超级调用自动机可以防止内部攻击，并且远程VM管理的开销并不大。