An empirical study on the software integrity of virtual appliances: Are you really getting what you paid for?

Jun Ho Huh, Mirko Montanari, Derek Dagit, Rakesh B. Bobba, Dong Wook Kim, Yoonjoo Choi, Roy Campbell

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Virtual appliances (VAs) are ready-to-use virtual machine images that are configured for specific purposes. For example, a virtual machine image that contains all the software necessary to develop and host a JSP-based website is typically available as a "Java Web Starter" VA. Currently there are many VA repositories from which users can download VAs and instantiate them on Infrastructure-as-a-Service (IaaS) clouds, allowing them to quickly launch their services. This marketplace, however, lacks adequate mechanisms that allow users to a priori assess whether a specific VA is really configured with the software that it is expected to be configured with. This paper evaluates the integrity of software packages installed on real-world VAs, through the use of a software whitelist-based framework, and finds that indeed there is a lot of variance in the software integrity of packages across VAs. Analysis of 151 Amazon VAs using this framework shows that about 9% of real-world VAs have significant numbers of software packages that contain unknown files, making them potentially untrusted. Virus scanners flagged just half of the VAs in that 9% as malicious, demonstrating that virus scanning alone is not sufficient to help users select a trustable VA and that a priori software integrity assessment has a role to play.

Original language: English (US)
Title of host publication: ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security
Pages: 231-242
Number of pages: 12
DOI: https://doi.org/10.1145/2484313.2484343
State: Published - May 27 2013
Event: 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013 - Hangzhou, China
Duration: May 8 2013 to May 10 2013

Publication series

Name: ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security

Other

Other: 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013
Country: China
City: Hangzhou
Period: 5/8/13 to 5/10/13

Keywords

  • iaas
  • software integrity
  • virtual appliances
  • whitelists

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems


  • Cite this

    Huh, J. H., Montanari, M., Dagit, D., Bobba, R. B., Kim, D. W., Choi, Y., & Campbell, R. (2013). An empirical study on the software integrity of virtual appliances: Are you really getting what you paid for? In ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (pp. 231-242). (ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security). https://doi.org/10.1145/2484313.2484343