Assessment of Hypervisor Vulnerabilities
Title | Assessment of Hypervisor Vulnerabilities |
Publication Type | Conference Paper |
Year of Publication | 2016 |
Authors | Thongthua, A., Ngamsuriyaroj, S. |
Conference Name | 2016 International Conference on Cloud Computing Research and Innovations (ICCCRI) |
Keywords | Citrix XenServer, cloud computing, cloud computing systems, Collaboration, CVE, CVSS, CVSS information, CWE, ESXi Web interface, governance, Government, HTTP response splitting, Human Behavior, hypervisor security, hypervisor vulnerability assessment, KVM, Metrics, NIST 800-115 security testing framework, policy, policy-based governance, Ports (Computers), pubcrawl, Resiliency, security, security of data, Security weakness, security weaknesses, Software, Testing, virtual machine management, Virtual machine monitors, virtual machines, Virtual machining, virtualisation, virtualization, VMware ESXi, Vulnerability Analysis and Assessment |
Abstract | Hypervisors are the main components for managing virtual machines on cloud computing systems. Thus, the security of hypervisors is very crucial as the whole system could be compromised when just one vulnerability is exploited. In this paper, we assess the vulnerabilities of widely used hypervisors including VMware ESXi, Citrix XenServer and KVM using the NIST 800-115 security testing framework. We perform real experiments to assess the vulnerabilities of those hypervisors using security testing tools. The results are evaluated using weakness information from CWE, and using vulnerability information from CVE. We also compute the severity scores using CVSS information. All vulnerabilities found of three hypervisors will be compared in terms of weaknesses, severity scores and impact. The experimental results showed that ESXi and XenServer have common weaknesses and vulnerabilities whereas KVM has fewer vulnerabilities. In addition, we discover a new vulnerability called HTTP response splitting on ESXi Web interface. |
URL | https://ieeexplore.ieee.org/document/7600180/ |
DOI | 10.1109/ICCCRI.2016.19 |
Citation Key | thongthua_assessment_2016 |