Abstract
Cloud computing environments support a highly scalable hardware and software resource sharing platform through the Internet. The cloud provider shares the hardware resources with the cloud customers through Virtual Machines (VMs). Virtual Machines running on the same physical server are denoted as co-resident VMs. The co-resident Virtual Machines are logically isolated from each other.
This logical isolation is violated by the side channels of malicious users. The access of sensitive information from the co-resident VMs by malicious users is defined as a co-resident attack. Cryptographic keys, workloads and web traffic rates are the sensitive information accessed by the malicious users. The co-resident attack is also referred to as a co-location, co-residence or co-residency attack. The Virtual Machine allocation policy is used to place the Virtual Machines on the physical servers. The malicious user co-locates their VM with the target VM. The security, workload balance and power consumption parameters are considered in the Virtual Machine placement process. Secure metrics are defined to measure the safety of the VM allocation policy.
The Balanced VM Allocation Policy is built to assign VMs to the physical servers. The Previous Selected Server First (PSSF) policy is used with security metrics. The Least VM allocation policy, Most VM allocation policy and Random allocation policy are used with the workload balance parameter. The data centers are connected to the Virtual Machines within the same environment.
The attack-resistant Virtual Machine Management framework is built with centralized and distributed scheduling schemes. Live VM migration is protected from side channel attacks. The system is enhanced with multiple data center management mechanisms.
The Distributed VM Placement (DVMP) policy is built to allocate the virtual machines on the physical servers.

Index Terms: Cloud Resources, Virtual Machine Allocation Policies, Side Channel Attacks, Co-residential Attacks and Distributed Scheduling

1. Introduction
Public infrastructure-as-a-service (IaaS) clouds enable the increasingly realistic threat of malicious customers mounting side-channel attacks. An attacker obtains tenancy on the same physical server as a target and then uses careful timing of shared hardware components to steal confidential data. Damaging attacks enable theft of cryptographic secrets by way of shared per-core CPU state such as L1 data and instruction caches, despite customers running within distinct virtual machines (VMs). A general solution to prevent side-channel attacks is hard isolation: completely prevent sharing of particular sensitive resources. Such isolation can be obtained by avoiding multi-tenancy, new hardware that enforces cache isolation, cache coloring, or software systems such as StealthMem.
Hard isolation reduces efficiency and raises costs because of stranded resources that are allocated to a virtual machine yet left unused. Another approach has been to prevent attacks by adding noise to the cache. For example, in the Düppel system, the guest operating system protects against CPU cache side-channels by making spurious memory requests to obfuscate cache usage. This incurs overheads, and also requires users to identify the particular processes that should be protected. A final approach has been to interfere with the ability to obtain accurate measurements of shared hardware by removing or obscuring time sources. This can be done by removing hardware timing sources, reducing the granularity of clocks exposed to guest VMs, allowing only deterministic computations, or using replication of VMs to normalize timing.
These solutions either have significant overheads, as in the last solution, or severely limit functionality for workloads that need accurate timing. In addition to sharing resources and having access to fine-grained clocks, shared-core side-channel attacks also require the ability to measure the state of the cache frequently [10]. For example, Zhang et al.'s cross-VM attack on ElGamal preempted the victim every 16 μs on average.
With less frequent interruptions, the attacker's view of how hardware state changes in response to a victim becomes obscured. Perhaps surprising, then, is the lack of any investigation of the relationship between CPU scheduling policies and side channel efficacy. In particular, scheduling may enable what we call soft isolation: limiting the frequency of potentially dangerous cross-VM interactions.

2. Related work
A variety of cross-VM side channels have been demonstrated in the academic literature.
Deficiencies in performance isolation, similar to those leveraged in this work, have been exploited for a variety of purposes [7]. Noting that cache and network utilization are often contested between VMs, a resource-freeing attack (RFA) has been proposed that allows a greedy customer to manipulate the performance of co-resident VMs by shifting their resource bottlenecks [4]. This work operates under a similar attack model as our own, targeting public network cloud services and manipulating VMs from a helper host. However, where RFA is a performance enhancement strategy for the cloud, co-resident watermarking is a method of information extraction. Cache-based side-channel attacks, in which timing differences in access latencies between the cache and main memory are exploited, have attracted the most attention for cloud computing.
Most notably, Zhang et al. [6] demonstrated that the machine instructions of a co-resident VM can be recovered from shared L1 caches, permitting the reconstruction of secret keys in the circumstance that they influence the code path of a decryption routine. Ristenpart et al. showed that cache usage can be examined as a means to measure the activity of other instances co-resident with the attacker. Furthermore, they demonstrated that they can detect co-residency with a victim's instance if they have information about the instance's computational load. In contrast, Zhang et al. [5] utilized cache-based side channels as a defensive mechanism.
Their scheme works by measuring cache footprints for evidence of other VMs. Leveraging this scheme, they can challenge correct functionality on the part of the cloud provider and discover other unanticipated instances sharing the same host. Bowers et al. [8] have proposed the use of a different network timing side channel in order to challenge fault tolerance guarantees in storage clouds. This work measures the response time of random data reads in order to confirm that a given file's storage redundancy meets expectations. This scheme can be used to detect drive-failure vulnerabilities and expose cloud provider negligence.
We intend to investigate the applicability of storage cloud co-resident watermarking in future work. Raj et al. proposed two other mechanisms for preventing cache-based side channels: cache hierarchy aware core assignment, and page-coloring-based cache partitioning. The former groups CPU cores based on last level cache (LLC) organization and checks whether such organization has any conflict with the SLA of the clients.
The latter is a software method that monitors how the physical memory used by applications maps to cache hardware, grouping applications accordingly to isolate clients. Another effective defense against cache-based side channels is changing how caches assign memory to applications, such as non-deterministic caches. Non-deterministic caches control the lifetime of cache items. By assigning a random decay interval to cache items, the cache behavior becomes nondeterministic, and hence side channels cannot exploit it.
Work on performance isolation in Xen can also lead to added security benefits. Other work aims to combat virtualization vulnerabilities by reducing the role and size of the hypervisor. Most drastically, Keller et al. [2] eliminate a large attack surface by proposing the near elimination of the hypervisor. This is achieved through pre-allocation of resources, limited virtualized I/O devices, and modified guest operating systems. While this approach inarguably reduces the likelihood of exploitable implementation flaws in the virtualization code base, it necessarily places VMs closer to the underlying hardware. Intuitively, this can only increase the bandwidth of the isolation-compromising side channel that we explore in this work. Other proposals reduce the hypervisor attack surface by considering only specific virtualization applications such as rootkit detection or integrity assurance for critical portions of security-sensitive code [3], or by distributing administrative responsibilities across multiple VMs [10].
We do not consider these systems in our work because they are not intended for the third-party compute cloud model.

3. Virtual Machine Allocation Policies
Security is one of the major concerns against cloud computing. From the customer's perspective, migrating to the cloud means they are exposed to the additional risks brought about by the other tenants with whom they share the resources: are these neighbors trustworthy, or may they compromise the integrity of others? This paper concentrates on one form of this security problem: the co-resident attack.
Virtual machines (VMs) are a commonly used resource in cloud computing environments. For cloud providers, VMs help increase the utilization rate of the underlying hardware platforms. For cloud customers, they enable on-demand resource scaling and outsource the maintenance of computing resources.
However, apart from all these benefits, it also brings a new security threat. In theory, VMs running on the same physical server are logically isolated from each other. In practice, nevertheless, malicious users can build various side channels to circumvent the logical isolation and obtain sensitive information from co-resident VMs, ranging from the coarse-grained, e.g., workloads and web traffic rates, to the fine-grained, e.g., cryptographic keys. For clever attackers, even seemingly innocuous information like workload statistics can be useful [9]. For example, such data can be used to identify when the system is most vulnerable, i.e., the time to launch further attacks, such as Denial-of-Service attacks. A straightforward solution to this novel attack is to eliminate the side channels, which has been the focus of most previous works. However, most of these methods are not suitable for immediate deployment due to the required modifications to current cloud platforms. In our work, we approach this problem from a completely different perspective. Before the attacker is able to extract any private information from the victim, they first need to co-locate their VMs with the target VMs.
It has been shown that the attacker can achieve an efficiency rate as high as 40%, which means 4 out of 10 of the attacker's VMs can co-locate with the target. This motivates us to study how to effectively minimise this value. From a cloud provider's point of view, the VM allocation policy (also known as VM placement; we use these two terms interchangeably in this paper) is the most important and direct control that can be used to influence the probability of co-location.
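To make the efficiency rate and its dependence on the allocation policy concrete, the following is an added example (not code from the paper or from CloudSim/OpenStack) that simulates the Least VM, Most VM and Random policies and a simplified PSSF on a constructed 12-server cloud with round-robin VM requests, and reports the attacker's efficiency rate next to the workload-balance and power proxies (maximum server load, servers switched on). The PSSF rule used here is an assumption for illustration: a tenant's new VM goes to a server that tenant already occupies, otherwise to an empty server, otherwise to the least-loaded one.

```python
import random
from collections import defaultdict


class Cloud:
    """Constructed toy cloud: n_servers physical servers, each hosting at most `capacity` VMs."""

    def __init__(self, n_servers=12, capacity=8, seed=1):
        self.rng = random.Random(seed)
        self.capacity = capacity
        self.hosts = [[] for _ in range(n_servers)]   # server index -> list of (tenant, vm_id)
        self.used_by = defaultdict(set)               # tenant -> servers it was placed on before

    def load(self, i):
        return len(self.hosts[i])

    def free(self):
        return [i for i in range(len(self.hosts)) if self.load(i) < self.capacity]

    def place(self, tenant, vm_id, policy):
        cands = self.free()
        if policy == "least":      # spread: fewest VMs first (workload balance)
            s = min(cands, key=self.load)
        elif policy == "most":     # consolidate: fullest non-full server first (power saving)
            s = max(cands, key=self.load)
        elif policy == "random":
            s = self.rng.choice(cands)
        elif policy == "pssf":     # simplified PSSF (assumption): own servers, then an empty one
            own = [i for i in cands if i in self.used_by[tenant]]
            empty = [i for i in cands if self.load(i) == 0]
            s = min(own or empty or cands, key=self.load)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        self.hosts[s].append((tenant, vm_id))
        self.used_by[tenant].add(s)
        return s


def evaluate(policy, n_users=10, vms_per_user=5, attacker_vms=5, seed=1):
    """Attacker efficiency rate (share of attacker VMs co-resident with the target) plus
    workload-balance and power proxies, for round-robin arrivals of all tenants' requests."""
    cloud = Cloud(seed=seed)
    tenants = [f"user{u}" for u in range(n_users)] + ["attacker"]
    attacker_hosts = []
    for rnd in range(max(vms_per_user, attacker_vms)):
        for t in tenants:                      # every tenant launches one VM per round
            limit = attacker_vms if t == "attacker" else vms_per_user
            if rnd < limit:
                s = cloud.place(t, rnd, policy)
                if t == "attacker":
                    attacker_hosts.append(s)
    target = "user0"                           # the victim the attacker wants to co-locate with
    hits = sum(1 for s in attacker_hosts
               if any(owner == target for owner, _ in cloud.hosts[s]))
    return {
        "efficiency": hits / attacker_vms,
        "servers_on": sum(1 for h in cloud.hosts if h),
        "max_load": max(cloud.load(i) for i in range(len(cloud.hosts))),
        "total_vms": sum(len(h) for h in cloud.hosts),
    }


if __name__ == "__main__":
    for p in ("least", "most", "random", "pssf"):
        print(p, evaluate(p))
```

With these constructed parameters the spreading policy gives the attacker 3 of 5 co-located VMs, the consolidating policy 4 of 5 at the cost of fully loaded servers, and the simplified PSSF none while keeping the load balanced, which is the three-way trade-off the policy design has to navigate.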
Consequently, we aim to design a security policy that can substantially increase the difficulty for attackers to achieve co-residence. In our earlier work, we have proposed a prototype of such a security policy, called the previous-selected-server-first policy (PSSF). However, this prototype policy only focuses on the problem of security, and hence has obvious limitations in terms of:
1. Workload balance. Workload here refers to the VM requests. From the cloud provider's point of view, spreading VMs among the servers that have already been switched on can help reduce the probability of servers being over-utilized, which may cause SLA (service level agreement) breaches.
From the customer's perspective, it is also preferable if their VMs are distributed across the system, rather than being allocated together on the same server. Otherwise, the failure of one server will impact all the VMs of a user.
2. Power consumption. It has been estimated that the power consumption of an average datacentre is as much as 25,000 households and it is expected to double every 5 years. Therefore, managing the servers in an energy efficient way is crucial for cloud providers in order to reduce the power consumption and hence the overall cost. This has also been the focus of many previous works.
In this paper, we take all three aspects of security, workload balance, and power consumption into consideration to make PSSF more applicable to existing commercial cloud platforms. Since these three objectives are conflicting to some extent, we improve our earlier policy by applying multi-objective optimisation techniques.
In addition, we have implemented PSSF on the simulation environment CloudSim as well as on the real cloud platform OpenStack and performed large-scale experiments that involve hundreds of servers and thousands of VMs, to demonstrate that it meets the requirements of all three criteria. Specifically, our contributions include: (1) we define secure metrics that measure the safety of a VM allocation policy, in terms of its ability to defend against co-resident attacks; (2) we model these metrics under three basic but commonly used VM allocation policies, and conduct extensive experiments on the widely used simulation platform CloudSim to validate the models; (3) we propose a new security policy, which not only significantly decreases the probability of attackers co-locating with their targets but also satisfies the constraints in workload balance and power consumption; and (4) we implement and verify the effectiveness of our new policy using the popular open-source cloud software OpenStack as well as on CloudSim.

4. Issues on VM Allocation Policies
The Virtual Machine allocation policy is used to place the Virtual Machines on the physical server. The malicious user co-locates their VM with the target VM. The security, workload balance and power consumption parameters are considered in the Virtual Machine placement process.
Secure metrics are defined to measure the safety of the VM allocation policy. The Balanced VM Allocation Policy is built to assign VMs to the physical servers. The Previous Selected Server First (PSSF) policy is used with security metrics. The Least VM allocation policy, Most VM allocation policy and Random allocation policy are used with the workload balance parameter. The data centers are connected to the Virtual Machines within the same environment. The following issues are discovered in the current virtual machine allocation policies against co-residential attacks.
• The system supports a centralized allocation policy only
• Live VM migration is not protected
• Multiple data center management is not supported
• The system state information is required for the scheduling process

5. Distributed Scheduling and Virtual Machine Management Framework
The virtual machine placement operations are performed in a centralized and distributed manner.
The virtual machines are placed according to workload and energy levels. The data center selection process is used to detect the suitable data center for the workloads. The system is divided into six major modules. They are Physical server deployment, Data center management, Workload controller, Security Analyzer, Centralized VM placement and Distributed VM placement. The physical servers and virtual machines are configured in the deployment process. The data center management is built to organize the data centers and shared data items. The workload controller is used to collect workloads from the users.
The security analyzer is built to estimate the security metrics for the VMs. The centralized VM placement is employed to control co-resident attacks. Live VM migration and multiple data center based allocation are performed under the distributed VM placement model.

5.1. Physical Server Deployment
The physical server deployment is used to set up the cloud with shared resources. The physical servers and configuration levels are collected from the cloud provider. The virtual machine configurations are assigned according to the provider's choice.
The physical server and virtual machine association levels are updated under the deployment process.

5.2. Data Center Management
The data centers and their contents are maintained under the data center management.
Data center storage and usage levels are monitored at intervals. Shared data and its request frequency are maintained in the data center. Virtual machine and data center communication is controlled with security levels.

5.3. Workload Controller
The workload controller monitors the workload execution process. The workloads are collected from the cloud users. The workloads and data association are verified by the controller.
The workload status is monitored and updated by the controller.

5.4. Security Analyzer
The security analyzer is used to estimate the security levels for the virtual machines.
The secure metrics are used to estimate the security levels. The workload balance parameter is considered in the security metrics. The power consumption levels are estimated in the secure metric estimation process.

5.5. Centralized VM Placement
The centralized VM placement is carried out with the balanced VM allocation policy.
The Previous Selected Server First (PSSF) algorithm is used for the VM placement process. A single data center is used to provide the data values. The secure metrics are used in the VM placement process.

5.6. Distributed VM Placement
The secure metrics estimation and initial VM placement operation are tuned for the distributed scheduling model. The Distributed VM placement algorithm is used to allocate the virtual machines in a distributed manner.
The Datacenter allocation algorithm is used to select data centers for the virtual machines. The live VM migration operations are secured with the Attack resistant VM migration algorithm.

6. Conclusion
Cloud computing environments provide IT resources to the users based on their demand. Co-resident attacks are raised by co-located malicious users with side channels.
The Previous Selected Server First (PSSF) policy is applied for the VM placement with security. The attack-resistant VM placement is built with centralized and distributed scheduling, live VM migration and multiple data center management. The Virtual Machine placement operations are carried out with a side channel attack control mechanism. The VM placement policies are improved to manage centralized and distributed placement models. The co-location control model is tuned to handle the VM migration tasks. Data center communications are also protected in the allocation scheme.

References
[1] Hao Wu, Shangping Ren, Gabriele Garzoglio, Keith Chadwick and Seo-Young Noh, "A Reference Model for Virtual Machine Launching Overhead", IEEE Transactions on Cloud Computing, July-September 2016.
[2] Keller, E., Szefer, J., Rexford, J., Lee, R.B.: Eliminating the hypervisor attack surface for a more secure cloud. In: Proceedings of ACM Conference on Computer and Communications Security (CCS'11) (2011)
[3] McCune, J.M., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V., Perrig, A.: TrustVisor: efficient TCB reduction and attestation. In: Proceedings of 2010 IEEE Symposium on Security and Privacy, Oakland (2010)
[4] Varadarajan, T., Farley, B., Ristenpart, T., Swift, M.M.: Resource-freeing attacks: improve your cloud performance. In: Proceedings of ACM Conference on Computer and Communications Security, Raleigh (2012)
[5] Zhang, Y., Juels, A., Oprea, A., Reiter, M.K.: Home Alone: Co-Residency Detection in the Cloud via Side-Channel Analysis. In: Proceedings of 2011 IEEE Symposium on Security and Privacy, Berkeley (2011)
[6] Zhang, Y., Juels, A., Reiter, M.K., Reiter, M., Ristenpart, T.: Cross-VM side channels and their use to extract private keys. In: Proceedings of 2012 ACM Conference on Computer and Communications Security, Raleigh (2012)
[7] Adam Bates, Benjamin Mood, Joe Pletcher, Hannah Pruse, Masoud Valafar and Kevin Butler, "On detecting co-resident cloud instances using network flow watermarking techniques", Springer-Verlag Berlin Heidelberg 2013
[8] Bowers, K.D., van Dijk, M., Juels, A., Oprea, A., Rivest, R.L.: How to tell if your cloud files are vulnerable to drive crashes. In: CCS '11: Proceedings of 18th ACM Conference on Computer and Communications Security, Chicago (2011)
[9] Eun Kyung Lee, Hariharasudhan Viswanathan and Dario Pompili, "Proactive Thermal-aware Resource Management in Virtualized HPC Cloud Datacenters", IEEE Transactions on Cloud Computing, June 2017.
[10] Butt, S., Lagar-Cavilla, H.A., Srivastava, A., Ganapathy, V.: Self-service cloud computing. In: Proceedings of 2012 ACM Conference on Computer and Communications Security, Raleigh (2012)