CloudMon: Monitoring Virtual Machines in Clouds

In the cloud platform, the startup security of guest virtual machines (VMs) can be guaranteed by existing techniques such as TBoot, however, how to monitor and guarantee their runtime security seems to be a non-trivial challenge, when they are exposed to the Internet. For a practical cloud system, security and performance are two important issues. In this paper, we propose a dynamic framework called CloudMon to detect kernel rootkits and guarantee the runtime security of guest VMs. CloudMon is transparent to a guest VM, neither requires its specific system information, nor has to one-on-one run with it. Meanwhile, CloudMon detects kernel rootkits through self-adjusting monitoring on memory with an acceptable overhead. A working prototype of CloudMon is implemented based on Xen. The case studies on security show that CloudMon is effective to detect kernel rootkits in guest VMs, while the performance experiments demonstrate that it brings a low performance overhead.