An empirical study on the software integrity of virtual appliances: Are you really getting what you paid for?

Jun Ho Huh, Mirko Montanari, Derek Dagit, Rakesh B. Bobba, Dong Wook Kim, Yoonjoo Choi, R H Campbell

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

Abstract

Virtual appliances (VAs) are ready-to-use virtual machine images that are configured for specific purposes. For example, a virtual machine image that contains all the software necessary to develop and host a JSP-based website is typically available as a "Java Web Starter" VA. Currently there are many VA repositories from which users can download VAs and instantiate them on Infrastructure-as-a-Service (IaaS) clouds, allowing them to quickly launch their services. This marketplace, however, lacks adequate mechanisms that allow users to a priori assess whether a specific VA is really configured with the software that it is expected to be configured with. This paper evaluates the integrity of software packages installed on real-world VAs, through the use of a software whitelist-based framework, and finds that indeed there is a lot of variance in the software integrity of packages across VAs. Analysis of 151 Amazon VAs using this framework shows that about 9% of real-world VAs have significant numbers of software packages that contain unknown files, making them potentially untrusted. Virus scanners flagged just half of the VAs in that 9% as malicious, demonstrating that virus scanning alone is not sufficient to help users select a trustable VA and that a priori software integrity assessment has a role to play.
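To make the whitelist idea concrete, the following is an added example, not the authors' framework or code (the abstract gives no implementation details): it hashes the files each installed package owns, compares the digests against a per-package whitelist of known-good SHA-256 values, and flags the image when too many packages contain files the whitelist cannot account for. The package names, file contents, the per-package whitelist layout, the rule that one unknown file makes a package untrusted, and the 10% threshold are all assumptions made for the illustration.

```python
"""Whitelist-based check of the packages on a VA image (added illustration).

Assumptions, not taken from the paper: WHITELIST maps a package name to the
SHA-256 digests of the files a trusted build of that package may contain;
the VA is given as the package->owned-paths map a package database would
report plus the bytes found at each path; a package is untrusted if any
file it owns has a digest that is not whitelisted; the VA is flagged when
the fraction of untrusted packages reaches THRESHOLD (0.10 is an assumed
knob, not a value from the paper).
"""
import hashlib
from dataclasses import dataclass, field

THRESHOLD = 0.10  # assumed cut-off: share of untrusted packages that flags a VA


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "trusted build" contents; only their digests reach the whitelist.
_TRUSTED_CONTENT = {
    "openssh-server": [b"sshd ELF image v8.9", b"PermitRootLogin no\n"],
    "tomcat9": [b"#!/bin/sh\nexec java org.apache.catalina.startup.Bootstrap\n"],
    "coreutils": [b"ls ELF image", b"cat ELF image"],
}
WHITELIST = {pkg: {sha256(b) for b in blobs} for pkg, blobs in _TRUSTED_CONTENT.items()}

# Constructed VA image: tomcat9 and coreutils are pristine; openssh-server
# carries an sshd binary and a config whose digests are not whitelisted (a
# trojaned sshd looks exactly like this); one file is owned by no package.
VA_OWNERS = {
    "openssh-server": ["/usr/sbin/sshd", "/etc/ssh/sshd_config"],
    "tomcat9": ["/opt/tomcat/bin/catalina.sh"],
    "coreutils": ["/bin/ls", "/bin/cat"],
}
VA_FILES = {
    "/usr/sbin/sshd": b"sshd ELF image v8.9 + appended section",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/opt/tomcat/bin/catalina.sh": b"#!/bin/sh\nexec java org.apache.catalina.startup.Bootstrap\n",
    "/bin/ls": b"ls ELF image",
    "/bin/cat": b"cat ELF image",
    "/root/.ssh/authorized_keys": b"ssh-ed25519 AAAAC3... builder@vendor\n",
}


@dataclass
class PackageReport:
    name: str
    known: list = field(default_factory=list)
    unknown: list = field(default_factory=list)  # digest not on the whitelist
    missing: list = field(default_factory=list)  # owned by the package, absent

    @property
    def untrusted(self) -> bool:
        return bool(self.unknown)


@dataclass
class VAReport:
    packages: list
    unowned: list  # files no package claims: reported, not scored

    @property
    def untrusted_packages(self) -> list:
        return [p.name for p in self.packages if p.untrusted]

    @property
    def untrusted_fraction(self) -> float:
        return len(self.untrusted_packages) / len(self.packages) if self.packages else 0.0

    @property
    def flagged(self) -> bool:
        return self.untrusted_fraction >= THRESHOLD


def check_package(name, owned_paths, va_files, whitelist) -> PackageReport:
    report = PackageReport(name)
    good = whitelist.get(name, set())  # package absent from whitelist: every file is unknown
    for path in sorted(owned_paths):
        blob = va_files.get(path)
        if blob is None:
            report.missing.append(path)
        elif sha256(blob) in good:
            report.known.append(path)
        else:
            report.unknown.append(path)
    return report


def check_va(owners, va_files, whitelist) -> VAReport:
    reports = [check_package(p, paths, va_files, whitelist) for p, paths in sorted(owners.items())]
    claimed = {path for paths in owners.values() for path in paths}
    return VAReport(reports, sorted(set(va_files) - claimed))


if __name__ == "__main__":
    va = check_va(VA_OWNERS, VA_FILES, WHITELIST)
    for p in va.packages:
        status = "UNTRUSTED" if p.untrusted else "ok"
        print(f"{p.name:15} {status:9} unknown={p.unknown} missing={p.missing}")
    print("unowned:", va.unowned)
    print(f"{len(va.untrusted_packages)}/{len(va.packages)} packages untrusted; VA",
          "FLAGGED" if va.flagged else "passes")
```

On a real image the ownership map would come from the package database (rpm -ql or dpkg -L against the mounted, read-only image) and the trusted digests from the distribution's signed packages rather than from constructed byte strings. Files that no package claims (here the authorized_keys entry) do not enter the package-level score, but they are exactly where a dropped key or binary tends to sit, so a practical check should list and review them as well.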

Original language: English (US)
Title of host publication: ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security
Pages: 231-242
Number of pages: 12
DOIs: 10.1145/2484313.2484343
State: Published - May 27 2013
Event: 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013 - Hangzhou, China
Duration: May 8 2013 - May 10 2013

Publication series

Name: ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security

Other

Other: 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013
Country: China
City: Hangzhou
Period: 5/8/13 - 5/10/13

Fingerprint

Viruses
Software packages
Starters
World Wide Web
Websites
Scanning
Virtual machine

Keywords

  • iaas
  • software integrity
  • virtual appliances
  • whitelists

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems

Cite this

Huh, J. H., Montanari, M., Dagit, D., Bobba, R. B., Kim, D. W., Choi, Y., & Campbell, R. H. (2013). An empirical study on the software integrity of virtual appliances: Are you really getting what you paid for? In ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (pp. 231-242). (ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security). https://doi.org/10.1145/2484313.2484343

@inproceedings{0ce7c24a7a6c4a7db7901354e2642a78,
title = "An empirical study on the software integrity of virtual appliances: Are you really getting what you paid for?",
abstract = "Virtual appliances (VAs) are ready-to-use virtual machine images that are configured for specific purposes. For example, a virtual machine image that contains all the software necessary to develop and host a JSP-based website is typically available as a {"}Java Web Starter{"} VA. Currently there are many VA repositories from which users can download VAs and instantiate them on Infrastructure-as-a-Service (IaaS) clouds, allowing them to quickly launch their services. This marketplace, however, lacks adequate mechanisms that allow users to a priori assess whether a specific VA is really configured with the software that it is expected to be configured with. This paper evaluates the integrity of software packages installed on real-world VAs, through the use of a software whitelist-based framework, and finds that indeed there is a lot of variance in the software integrity of packages across VAs. Analysis of 151 Amazon VAs using this framework shows that about 9{\%} of real-world VAs have significant numbers of software packages that contain unknown files, making them potentially untrusted. Virus scanners flagged just half of the VAs in that 9{\%} as malicious, demonstrating that virus scanning alone is not sufficient to help users select a trustable VA and that a priori software integrity assessment has a role to play.",
keywords = "iaas, software integrity, virtual appliances, whitelists",
author = "Huh, {Jun Ho} and Mirko Montanari and Derek Dagit and Bobba, {Rakesh B.} and Kim, {Dong Wook} and Yoonjoo Choi and Campbell, {R H}",
year = "2013",
month = "5",
day = "27",
doi = "10.1145/2484313.2484343",
language = "English (US)",
isbn = "9781450317672",
series = "ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security",
pages = "231--242",
booktitle = "ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security",
}

TY - GEN
T1 - An empirical study on the software integrity of virtual appliances
T2 - Are you really getting what you paid for?
AU - Huh, Jun Ho
AU - Montanari, Mirko
AU - Dagit, Derek
AU - Bobba, Rakesh B.
AU - Kim, Dong Wook
AU - Choi, Yoonjoo
AU - Campbell, R H
PY - 2013/5/27
Y1 - 2013/5/27

AB - Virtual appliances (VAs) are ready-to-use virtual machine images that are configured for specific purposes. For example, a virtual machine image that contains all the software necessary to develop and host a JSP-based website is typically available as a "Java Web Starter" VA. Currently there are many VA repositories from which users can download VAs and instantiate them on Infrastructure-as-a-Service (IaaS) clouds, allowing them to quickly launch their services. This marketplace, however, lacks adequate mechanisms that allow users to a priori assess whether a specific VA is really configured with the software that it is expected to be configured with. This paper evaluates the integrity of software packages installed on real-world VAs, through the use of a software whitelist-based framework, and finds that indeed there is a lot of variance in the software integrity of packages across VAs. Analysis of 151 Amazon VAs using this framework shows that about 9% of real-world VAs have significant numbers of software packages that contain unknown files, making them potentially untrusted. Virus scanners flagged just half of the VAs in that 9% as malicious, demonstrating that virus scanning alone is not sufficient to help users select a trustable VA and that a priori software integrity assessment has a role to play.
KW - iaas
KW - software integrity
KW - virtual appliances
KW - whitelists
UR - http://www.scopus.com/inward/record.url?scp=84877954660&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84877954660&partnerID=8YFLogxK
U2 - 10.1145/2484313.2484343
DO - 10.1145/2484313.2484343
M3 - Conference contribution
AN - SCOPUS:84877954660
SN - 9781450317672
T3 - ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security
SP - 231
EP - 242
BT - ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security
ER -