DOI: 10.1145/3600160.3604983
Research article (ARES conference proceedings)

How to hide your VM from the big bad wolf? Co-location resistance vs. resource utilisation in VM placement strategies

Published: 29 August 2023

ABSTRACT

VMs in cloud environments are at threat of attacks from VMs co-located on the same server, e.g. through side-channels. Reducing the ability of attackers to achieve co-location with specific VMs can alleviate the risk of targeted attacks. This paper presents the simulation framework VMPlaceSim, which allows the resource utilisation of VM placement strategies and their resistance against co-location attacks to be evaluated. A new strategy based on the proportion of known users on servers is proposed and evaluated on real-world cloud workload data alongside existing strategies. The evaluation takes into account attacks in which malicious VMs are either launched at regular intervals or their launch is timed around the launch of target VMs. The results indicate that the new known-users strategy is significantly more resistant to co-location attacks than existing strategies aimed at optimising resource utilisation, while retaining a relatively high resource utilisation that exceeds that of strategies aimed at thwarting co-location attacks.
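As an added illustration (not the authors' VMPlaceSim code, and not the paper's exact heuristic), the toy simulation below contrasts a utilisation-first best-fit placer with one reading of the known-users idea: a VM is steered towards servers whose tenants its owner has already shared a server with, so a tenant with no shared history with the target rarely lands beside it. The workload, server count, capacity and the attacker's two launch schedules (fixed interval vs. timed right after the target's launch) are all constructed assumptions.

```python
from collections import defaultdict

TARGET, ATTACKER = 0, "attacker"   # constructed user ids for the toy workload

class Placer:
    """Toy cloud: n servers with cap VM slots each; VMs never terminate (constructed model)."""
    def __init__(self, n, cap, strategy):
        self.cap, self.strategy = cap, strategy
        self.servers = [[] for _ in range(n)]   # server -> owner of each resident VM
        self.known = defaultdict(set)            # user -> users it has ever shared a server with

    def _key(self, user, srv):
        # Known-users heuristic (our reading, not the paper's exact rule): most residents already
        # known to this user first, then fewest distinct unknown tenants, then fullest server.
        known = self.known[user]
        share = sum(o in known for o in srv) / len(srv) if srv else 0.0
        unknown = len({o for o in srv if o not in known})
        return (share, -unknown, len(srv))

    def place(self, user):
        self.known[user].add(user)               # a user's own VMs always count as known
        fits = [i for i, s in enumerate(self.servers) if len(s) < self.cap]
        if self.strategy == "best_fit":          # utilisation-first: fullest server that fits
            i = max(fits, key=lambda i: len(self.servers[i]))
        else:                                    # "known_users"
            i = max(fits, key=lambda i: self._key(user, self.servers[i]))
        for o in self.servers[i]:                # record the new co-location history
            self.known[user].add(o)
            self.known[o].add(user)
        self.servers[i].append(user)

def simulate(strategy, attack, steps=37, users=10, interval=4, n=20, cap=4):
    """Returns (share of attacker VMs co-located with TARGET, slot utilisation of used servers)."""
    p = Placer(n, cap, strategy)
    for t in range(steps):
        if attack == "regular" and t % interval == 0:
            p.place(ATTACKER)                    # malicious VMs launched at a fixed interval
        p.place(t % users)                       # round-robin legitimate workload
        if attack == "timed" and t % users == TARGET:
            p.place(ATTACKER)                    # malicious VM launched right after the target's
    total = sum(s.count(ATTACKER) for s in p.servers)
    hits = sum(s.count(ATTACKER) for s in p.servers if TARGET in s)
    used = [s for s in p.servers if s]
    return hits / total, sum(map(len, used)) / (cap * len(used))

if __name__ == "__main__":
    for strategy in ("best_fit", "known_users"):
        for attack in ("regular", "timed"):
            rate, util = simulate(strategy, attack)
            print(f"{strategy:12s} {attack:8s} co-location={rate:.2f} utilisation={util:.2f}")
```

With the default parameters best-fit co-locates 30% (interval) and 75% (timed) of attacker VMs with the target at 47/48 slot utilisation, while the known-users placer reaches 0% in both cases at 47/52 utilisation, which is the kind of trade-off the abstract describes.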


Published in

ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security
August 2023
1440 pages
ISBN: 9798400707728
DOI: 10.1145/3600160

Copyright © 2023 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research article, research, refereed limited

Overall acceptance rate: 228 of 451 submissions (51%)