VM Migration Attack

What is VM Migration?

Virtual Machine (VM) migration is the process of moving a VM from one physical host to
another within a cloud infrastructure. It's used for:

●​ Load balancing​

●​ Hardware maintenance​

●​ Energy efficiency​

●​ Optimized resource allocation​

There are two main types:

●​ Cold Migration – The VM is powered off before migration.​

●​ Hot (Live) Migration – The VM continues to run while being migrated with minimal
downtime.​

What is a VM Migration Attack?

A VM Migration Attack occurs when an attacker exploits vulnerabilities during the migration
process to:

●​ Eavesdrop on data (confidentiality breach)​

●​ Inject malicious code​

●​ Hijack or redirect the VM​

●​ Cause denial of service (DoS)​

Steps in a VM Migration Attack
1.​ Interception of Migration Traffic​

○​ An attacker uses Man-in-the-Middle (MitM) techniques to capture data during

VM migration.​

○​ They gain access to memory dumps, credentials, and application data in transit.​

2.​ Unauthorized VM Migration​

○​ Attackers initiate rogue migrations, transferring VMs to compromised hosts under

their control.​

○​ This allows them full access to the VM environment.​

3.​ Exploiting Migration Channel Vulnerabilities​

○​ If communication protocols are weak, attackers can tamper with the migration,
inject malware, or corrupt the process.​

4.​ Resource Exhaustion Attacks​

○​ Attackers flood network or storage resources to interrupt migrations.​

○​ This may result in VM corruption or a denial of service.​

5.​ VM Rollback Attacks​

○​ During migration, snapshots are taken. Attackers can manipulate or restore

outdated VM states, injecting malicious changes or removing security updates.​

Example Scenario
An attacker within the same cloud data center:

●​ Detects live VM migration traffic (unencrypted).​

●​ Extracts in-transit VM memory, including credentials.​

 ●​ Initiates unauthorized migration of the VM to a rogue host.​

●​ Gains full control over the VM, modifies configurations, or installs spyware.​

Types of VM Migration
Type Description

Cold Migration VM is powered off; no shared storage required; higher downtime.

Warm Migration VM partially suspended; limited service disruption.

Live Migration VM is active; minimal to no downtime; requires shared storage and fast
networks.

Techniques of VM Migration
1. Pre-Copy Migration

●​ Memory pages are copied while VM is running.​

●​ Dirty pages (modified during copy) are recopied.​

●​ Ends with “stop-and-copy” phase to sync remaining data.​

2. Post-Copy Migration

●​ VM is first suspended, minimal state transferred to target.​

●​ Target VM begins running immediately, then pulls missing pages from the source
on-demand.​

●​ May cause performance issues due to network page faults.​

VM Migration Stages (Live Migration Example)
Stage Description

Stage Pre-Migration – VM active on source host

0

Stage Reservation – Resources reserved on target host

1

Stage Iterative Pre-Copy – Memory pages copied, dirty pages

2 tracked

Stage Stop and Copy – VM paused, remaining pages transferred

3

Stage Commitment – Source VM state finalized

4

Stage Activation – VM starts on target host, resumes operation

5

Security Measures to Prevent VM Migration Attacks

1.​ Secure Communication Channels​

○​ Use SSL/TLS to encrypt migration traffic.​

2.​ Strong Authentication & Authorization​

○​ Ensure only authorized users and systems can initiate migrations.​

3.​ Intrusion Detection/Prevention Systems (IDPS)​

○​ Monitor migration paths and detect suspicious behaviors.​

4.​ Network Segmentation​

○​ Separate migration traffic from regular network data.​

5.​ Resource Monitoring​

○​ Detect unusual bandwidth/storage usage that may indicate an attack.​

 6.​ Regular Patching​

○​ Keep hypervisors and migration software up to date.​

7.​ Auditing & Logging​

○​ Log all migration events for forensic investigation.

Guest Hopping in Cloud Computing

Definition

Guest Hopping is a type of attack where a malicious actor gains unauthorized access to one
virtual machine (VM) and then moves laterally to other VMs within the same physical
infrastructure. This compromises the confidentiality, integrity, and availability of other tenant data
in a shared cloud environment.

Causes and Vulnerabilities

1.​ Shared Infrastructure​

○​ Multi-tenant cloud environments often share physical resources.​

○​ A compromise in one VM may provide access to others due to weak isolation.​

2.​ Hypervisor Vulnerabilities​

○​ The hypervisor manages VMs. If it's compromised, an attacker can bypass VM

isolation.​

○​ Exploiting flaws in the hypervisor can enable guest hopping.​

3.​ Misconfigurations​
 ○​ Poor network settings, weak authentication, and inadequate access controls can
open paths for lateral movement.​

○​ Attackers exploit these weaknesses to pivot between VMs.​

4.​ Privilege Escalation​

○​ Attackers may escalate privileges within a VM to gain administrative access and

target other machines.​

5.​ Malware Propagation​

○​ Once inside, attackers can deploy malware to infect other VMs or exfiltrate data.​

Mitigation Strategies
●​ Regularly patch and update hypervisors and VMs.​

●​ Implement robust authentication, network segmentation, and access controls.​

●​ Use intrusion detection and prevention systems (IDPS).​

●​ Enforce security best practices and staff training.​

●​ Apply strong isolation techniques like High Assurance Platform (HAP) or hardware
root of trust.​

Related Cloud Attacks

1.​ SQL Injection​

○​ Injecting malicious SQL to gain unauthorized database access.​

○​ Prevent with parameterized queries and minimal user privileges.​

2.​ Side-Channel Attacks​

 ○​ Attacker places a malicious VM on the same host to gather data via shared
hardware resources.​

3.​ Malicious Insider​

○​ Insider with access privileges may abuse their role.​

○​ Mitigate with logging, auditing, and least-privilege access.​

4.​ Cookie Poisoning​

○​ Altering cookie data to impersonate users.​

○​ Encrypt cookies and validate server-side sessions.​

5.​ Backdoors & Debug Options​

○​ Developers may leave insecure backdoors or debug ports.​

○​ Ensure all such entries are disabled in production.​

6.​ Cloud Malware Injection​

○​ Malicious VMs are introduced into the cloud.​

○​ Validate all new instances before redirecting traffic.​

7.​ ARP Poisoning​

○​ Redirects IP traffic via falsified MAC addresses.​

○​ Mitigate with static ARP tables or port security.​

8.​ Browser Security​

○​ Use TLS and modern cryptographic techniques like XML encryption for secure
web sessions.​
What is Google App Engine?

Google App Engine is a PaaS that enables developers to deploy applications without worrying
about underlying infrastructure. It provides a runtime environment for running applications,
automatically scaling them based on demand. GAE supports languages like Python, Java,
[Link], PHP, Ruby, Go, and .NET, and it offers two primary environments: Standard and
Flexible.

Key Features of Google App Engine

1.​ Serverless Architecture: No need to manage servers, operating systems, or

infrastructure. Google handles everything.
2.​ Automatic Scaling: GAE scales applications up or down based on traffic, ensuring
performance and cost efficiency.
3.​ Built-in Services: Includes tools like Memcache, Task Queues, Cloud Datastore, and
integration with other GCP services (e.g., Cloud Storage, BigQuery).
4.​ Versioning: Deploy multiple versions of an application and route traffic between them for
A/B testing or gradual rollouts.
5.​ Zero Downtime Deployments: Supports rolling updates to minimize disruption.
6.​ Integrated Monitoring and Logging: Built-in integration with Google Cloud Monitoring
and Logging for performance tracking and debugging.
7.​ Security: Automatic SSL/TLS, managed patches, and integration with Identity-Aware
Proxy (IAP) for secure access.
8.​ Pay-as-You-Go Pricing: Charges based on resource usage (e.g., CPU, memory,
storage), with a free tier for small-scale applications.

Google App Engine Environments

GAE offers two environments, each suited for different use cases:

1. Standard Environment

●​ Description: A highly constrained, sandboxed environment optimized for simplicity and

automatic scaling. It uses predefined runtimes with specific versions of supported
languages (e.g., Python 3.9, Java 11, [Link] 14).
●​ Characteristics:
○​ Fast startup times (milliseconds).
○​ Scales to zero (no instances running when idle, reducing costs).
○​ Limited flexibility for custom libraries or dependencies.
○​ Best for stateless, lightweight applications with predictable workloads.
●​ Use Cases: Web apps, APIs, or microservices with bursty traffic.
●​ Supported Languages: Python, Java, [Link], PHP, Ruby, Go, and .NET (specific
versions).
 ●​ Limitations:
○​ Restricted to Google-provided runtimes.
○​ No direct access to the underlying OS.
○​ Limited support for custom software or libraries.

2. Flexible Environment

●​ Description: A more customizable environment that runs applications in Docker

containers on Google Compute Engine VMs. It supports custom runtimes and more
complex configurations.
●​ Characteristics:
○​ Slower startup times (seconds to minutes).
○​ Does not scale to zero (minimum one instance running).
○​ Greater flexibility for custom libraries, frameworks, or OS-level dependencies.
○​ Suitable for applications requiring background processes or custom software.
●​ Use Cases: Complex applications, machine learning workloads, or apps requiring
specific libraries.
●​ Supported Languages: Any language or runtime via custom Docker containers, plus
predefined runtimes for Python, Java, [Link], PHP, Ruby, Go, and .NET.
●​ Limitations:
○​ Higher costs due to always-running instances.
○​ More complex configuration compared to the Standard Environment.

How Google App Engine Works

1.​ Application Deployment:

○​ Developers write code in a supported language and configure it using a simple
configuration file (e.g., [Link] for Standard or Dockerfile for Flexible).
○​ The application is deployed using the gcloud command-line tool or CI/CD
pipelines.
○​ Example command: gcloud app deploy [Link]
2.​ Runtime Environment:
○​ In the Standard Environment, GAE runs the application in a sandbox with a
predefined runtime.
○​ In the Flexible Environment, GAE uses Docker containers to run custom or
predefined runtimes.
3.​ Scaling:
○​ GAE monitors incoming traffic and scales instances up or down based on
configuration settings (e.g., CPU usage, request rate).
○​ Standard Environment scales to zero when idle, while Flexible Environment
maintains at least one instance.
4.​ Services and APIs:
 ○​ GAE provides APIs for tasks like caching (Memcache), task queues, and data
storage (Cloud Datastore or Firestore).
○​ Integration with other GCP services like Cloud SQL, BigQuery, or Cloud Storage
is seamless.
5.​ Traffic Management:
○​ Developers can split traffic between different versions of an application for testing
or gradual rollouts.
○​ Example: Route 80% of traffic to version 1 and 20% to version 2.
6.​ Monitoring and Maintenance:
○​ Google provides automatic updates, security patches, and monitoring via Cloud
Monitoring and Logging.
○​ Developers can access logs and metrics to debug issues or optimize
performance.

Benefits of Google App Engine

1.​ Simplified Deployment: Developers focus on code, not infrastructure.

2.​ Cost Efficiency: Pay only for resources used, with a free tier for small apps.
3.​ Scalability: Handles traffic spikes seamlessly, from zero to millions of users.
4.​ High Availability: Built-in load balancing and redundancy ensure uptime.
5.​ Ecosystem Integration: Tight integration with GCP services like Cloud Storage,
Pub/Sub, and AI/ML tools.
6.​ Developer Productivity: Built-in tools like Task Queues and Cron Jobs simplify common
tasks.

Limitations of Google App Engine

1.​ Vendor Lock-In: GAE’s proprietary APIs (e.g., Datastore, Memcache) may make it
harder to migrate to other platforms.
2.​ Limited Control in Standard Environment: Restricted to specific runtimes and no
OS-level access.
3.​ Cost for Flexible Environment: Always-running instances can increase costs
compared to Standard.
4.​ Learning Curve: Configuring [Link] or Docker for complex apps may require
learning.
5.​ Cold Start Latency: Standard Environment may experience latency during scaling from
zero.
What is AWS in the Cloud Deployment Environment?

AWS is a cloud platform providing over 200 services, including compute, storage, databases,
networking, machine learning, and analytics. In a cloud deployment environment, AWS enables
organizations to host applications, store data, and scale resources dynamically. It supports
various deployment models, such as public, private, or hybrid clouds, and caters to diverse
workloads, from web hosting to big data processing.

Key AWS Services for Cloud Deployment

1.​ Compute:
○​ Amazon EC2 (Elastic Compute Cloud): Virtual servers for running applications.
○​ AWS Lambda: Serverless computing for running code without managing servers.
○​ Elastic Beanstalk: PaaS for deploying and managing applications with minimal
infrastructure setup.
2.​ Storage:
○​ Amazon S3 (Simple Storage Service): Object storage for files, images, and
backups.
○​ Amazon EBS (Elastic Block Store): Block storage for EC2 instances.
 3.​ Database:
○​ Amazon RDS (Relational Database Service): Managed relational databases
(e.g., MySQL, PostgreSQL).
○​ Amazon DynamoDB: NoSQL database for high-performance applications.
4.​ Networking:
○​ Amazon VPC (Virtual Private Cloud): Isolated network for secure resource
deployment.
○​ Elastic Load Balancer (ELB): Distributes incoming traffic across multiple
instances.
5.​ Management and Monitoring:
○​ AWS CloudWatch: Monitors performance metrics and logs.
○​ AWS Auto Scaling: Automatically scales resources based on demand.
6.​ Other Services:
○​ Amazon SQS (Simple Queue Service): Message queuing for asynchronous
processing.
○​ Amazon SNS (Simple Notification Service): Notification service for alerts and
messages.

Key Features of AWS

●​ Scalability: Scale resources up or down based on demand.

●​ Flexibility: Supports multiple languages, frameworks, and custom configurations.
●​ Global Infrastructure: Data centers (Regions and Availability Zones) worldwide for low
latency and redundancy.
●​ Pay-as-You-Go Pricing: Charges based on resource usage, with a free tier for
small-scale projects.
●​ Security: Offers IAM (Identity and Access Management), encryption, and compliance
certifications.
●​ Hybrid Capabilities: Supports hybrid deployments with services like AWS Outposts.

AWS Deployment Environments

AWS supports various deployment environments, each suited for specific use cases:

1.​ IaaS (EC2, VPC): Full control over virtual machines and networking, ideal for custom
applications.
2.​ PaaS (Elastic Beanstalk): Simplified deployment for developers who want to focus on
code, similar to GAE.
3.​ Serverless (Lambda): Run code without managing servers, ideal for event-driven
applications.
4.​ Containerized (ECS, EKS): Deploy applications in Docker containers or Kubernetes
clusters.
Benefits of AWS

●​ Comprehensive Services: Wide range of tools for compute, storage, databases, and
more.
●​ Scalability: Auto Scaling and ELB ensure performance during traffic spikes.
●​ Global Reach: Multiple Regions and Availability Zones for high availability and low
latency.
●​ Cost Flexibility: Free tier and pay-as-you-go model suit startups and enterprises.
●​ Community and Support: Extensive documentation, tutorials, and support plans.
●​ Integration: Seamless integration with third-party tools and other AWS services.

Limitations of AWS

●​ Complexity: Steep learning curve due to the vast number of services and configuration
options.
●​ Cost Management: Costs can escalate without proper monitoring, especially for
always-on resources.
●​ Management Overhead: Unlike GAE, IaaS services like EC2 require manual server
management.
●​ Vendor Lock-In: Heavy reliance on AWS-specific services may complicate migration.
What is Azure in the Cloud Deployment Environment?

Azure is a cloud platform offering over 200 services, including compute, storage, databases,
networking, analytics, and AI. It enables organizations to deploy applications, store data, and
scale resources dynamically in public, private, or hybrid cloud environments. Azure’s services
cater to various use cases, from hosting web applications to running machine learning models,
with strong integration with Microsoft tools like .NET, SQL Server, and Office 365.

Key Azure Services for Cloud Deployment

1.​ Compute:
○​ Azure Virtual Machines (VMs): Virtual servers for running custom applications.
○​ Azure App Service: PaaS for deploying and managing web applications, similar
to GAE and AWS Elastic Beanstalk.
○​ Azure Functions: Serverless computing for event-driven applications, akin to
AWS Lambda.
○​ Azure Kubernetes Service (AKS): Managed Kubernetes for containerized
workloads.
2.​ Storage:
○​ Azure Blob Storage: Object storage for files, images, and backups, similar to
Amazon S3.
○​ Azure Disk Storage: Block storage for VMs.
3.​ Database:
○​ Azure SQL Database: Managed relational database for SQL Server workloads.
○​ Azure Cosmos DB: Globally distributed NoSQL database for high-performance
apps.
4.​ Networking:
○​ Azure Virtual Network (VNet): Isolated network for secure resource
deployment, like AWS VPC.
○​ Azure Load Balancer: Distributes traffic across VMs or app instances.
○​ Azure Application Gateway: Web traffic load balancer with advanced routing
and security.
5.​ Management and Monitoring:
○​ Azure Monitor: Tracks performance metrics and logs, similar to AWS
CloudWatch.
○​ Azure Autoscale: Automatically scales resources based on demand.
6.​ Other Services:
○​ Azure Queue Storage: Message queuing for asynchronous processing, like
AWS SQS.
○​ Azure Service Bus: Messaging service for notifications and workflows.
○​ Azure Active Directory (AAD): Identity management for secure access.

Key Features of Azure

●​ Scalability: Scales resources dynamically based on workload demands.

 ●​ Hybrid Cloud Support: Seamless integration with on-premises infrastructure via Azure
Arc and Azure Stack.
●​ Enterprise Integration: Strong compatibility with Microsoft products (e.g., Windows
Server, Active Directory).
●​ Global Infrastructure: Data centers in multiple regions for low latency and redundancy.
●​ Pay-as-You-Go Pricing: Charges based on usage, with a free tier for small-scale
projects.
●​ Security: Offers Azure Security Center, AAD, and compliance with standards like GDPR
and HIPAA.
●​ Developer Tools: Supports multiple languages (e.g., .NET, Python, Java, [Link]) and
integrates with Visual Studio.

Azure Deployment Environments

Azure supports various deployment models:

1.​ IaaS (Virtual Machines, VNet): Full control over infrastructure for custom applications.
2.​ PaaS (App Service): Simplified deployment for developers, similar to GAE’s Standard
Environment.
3.​ Serverless (Azure Functions): Run code without managing servers, ideal for
event-driven tasks.
4.​ Containerized (AKS): Deploy containerized applications using Kubernetes or Docker.

Benefits of Azure

●​ Flexibility: Supports a wide range of languages, frameworks, and custom

configurations.
●​ Hybrid Cloud: Strong support for hybrid deployments, ideal for enterprises with
on-premises systems.
●​ Integration: Seamless integration with Microsoft tools (e.g., Office 365, Power BI).
●​ Scalability: Autoscale and load balancing ensure performance during traffic spikes.
●​ Global Reach: Extensive network of data centers for high availability.
●​ Free Tier: Offers credits and free services for small projects or testing.
●​ Enterprise Focus: Robust security, compliance, and support for large organizations.

Limitations of Azure

●​ Complexity: Numerous services and configurations can be overwhelming, similar to

AWS.
●​ Cost Management: Costs can escalate without careful monitoring, especially for IaaS
resources.
●​ Learning Curve: Configuring services like VNet or AKS requires expertise.
●​ Vendor Lock-In: Heavy use of Azure-specific services (e.g., Cosmos DB) may
complicate migration.
●​ Management Overhead: Compared to GAE’s fully managed PaaS, Azure’s IaaS and
hybrid options require more setup.
Cloud Security: Identity and Access Management (IAM)

Identity and Access Management (IAM) is a critical component of cloud security, providing a
framework to control and manage user identities, their authentication, and their access to
resources in a cloud environment. IAM ensures that the right individuals or systems access the
right resources at the right time for the right reasons, adhering to the principle of least privilege.
In cloud platforms like Google Cloud Platform (GCP), Amazon Web Services (AWS), and
Microsoft Azure, IAM is foundational for securing applications, data, and infrastructure.

What is IAM in Cloud Security?

IAM in the cloud involves policies, tools, and processes to manage user identities, authenticate
users or services, and authorize access to cloud resources. It ensures security by controlling
who (or what) can perform specific actions (e.g., read, write, delete) on resources like compute
instances, databases, or storage.

Key Components of IAM

1.​ Identity Management:

○​ Managing user identities (e.g., employees, applications, or devices) via accounts
or roles.
○​ Examples: User accounts in Azure Active Directory (AAD), AWS IAM users, or
GCP service accounts.
2.​ Authentication:
○​ Verifying the identity of users or systems (e.g., via passwords, multi-factor
authentication (MFA), or API keys).
○​ Examples: AWS IAM access keys, Azure AD MFA, GCP OAuth 2.0.
3.​ Authorization:
○​ Defining permissions through policies that specify what actions an identity can
perform on which resources.
○​ Examples: AWS IAM policies, Azure Role-Based Access Control (RBAC), GCP
IAM roles.
4.​ Access Control:
○​ Enforcing policies to grant or deny access based on authentication and
authorization.
○​ Examples: Granular permissions for accessing S3 buckets, Azure Blob Storage,
or GCP Cloud Datastore.
5.​ Auditing and Monitoring:
○​ Tracking and logging access activities for compliance and security analysis.
○​ Examples: AWS CloudTrail, Azure Monitor, GCP Cloud Audit Logs.
IAM Challenges in Cloud Security
[Link] of Policy Management

[Link] Across Multi-Cloud and Hybrid Environments

[Link] Management and Security

[Link] Threats and Over-Privileged Accounts

[Link] Explosion and Maintenance

[Link] and Auditing

[Link] Training and Awareness

[Link] with Legacy Systems

EUCALYPTUS​
[Link]

OPENSTACK​
[Link]