Smart Resource Allocation to Improve Cloud Security

Virtualization is now widely used in modern datacenters. Thanks to mature software stacks and the widespread availability of platforms all over the world, the Cloud is now available for many applications of different kinds. Security and performance are the main goals users want to achieve when porting applications over IaaS or PaaS platforms. Security has been proven to be sometimes difficult to obtain [3, 60, 85], and several issues have been raised in public Clouds and in public domain virtualization software stacks. Several different kinds of attacks and security issues can be observed that may lessen the impact of Clouds. On the performance side, expectations are higher than what can actually be obtained on today's public Clouds: shared nodes lead to performance degradation that is not acceptable for high performance applications. Isolation is therefore a critical issue for both security and performance.

[1] Martín Casado et al. NOX: towards an operating system for networks, 2008, CCRV.

[2] Michael D. Smith et al. Improving Performance Isolation on Chip Multiprocessors via an Operating System Scheduler, 2007, 16th International Conference on Parallel Architecture and Compilation Techniques (PACT 2007).

[3] Dan Page et al. Partitioned Cache Architecture as a Side-Channel Defence Mechanism, 2005, IACR Cryptology ePrint Archive.

[4] Sally A. McKee et al. An approach to resource-aware co-scheduling for CMPs, 2010, ICS '10.

[5] Hovav Shacham et al. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds, 2009, CCS.

[6] Rafal Wojtczuk. Subverting the Xen hypervisor, 2008.

[7] Sanjay Chaudhary et al. Policy based resource allocation in IaaS cloud, 2012, Future Gener. Comput. Syst.

[8] Christine Morin et al. Snooze: A Scalable, Fault-Tolerant and Distributed Consolidation Manager for Large-Scale Clusters, 2010, 2010 IEEE/ACM Int'l Conference on Green Computing and Communications & Int'l Conference on Cyber, Physical and Social Computing.

[9] Michael K. Reiter et al. Cross-VM side channels and their use to extract private keys, 2012, CCS.

[10] Parastoo Mohagheghi et al. Towards a Domain-Specific Language to Deploy Applications in the Clouds, 2012, CLOUD 2012.

[11] Samuel Kounev et al. Evaluating and Modeling Virtualization Performance Overhead for Cloud Environments, 2011, CLOSER.

[12] Calton Pu et al. Understanding Performance Interference of I/O Workload in Virtualized Cloud Environments, 2010, 2010 IEEE 3rd International Conference on Cloud Computing.

[13] David Breitgand et al. Improving consolidation of virtual machines with risk-aware bandwidth oversubscription in compute clouds, 2012, 2012 Proceedings IEEE INFOCOM.

[14] Johan Tordsson et al. Cloud brokering mechanisms for optimized placement of virtual machines across multiple providers, 2012, Future Gener. Comput. Syst.

[15] Kuang-Ching Wang et al. Elastic IP and security groups implementation using OpenFlow, 2012, VTDC '12.

[16] Luis Miguel Vaquero Gonzalez et al. Building safe PaaS clouds: A survey on security in multitenant software platforms, 2012, Comput. Secur.

[17] Benny Rochwerger et al. A case for overlays in DCN virtualization, 2011.

[18] Zibin Zheng et al. Topology-Aware Deployment of Scientific Applications in Cloud Computing, 2012, 2012 IEEE Fifth International Conference on Cloud Computing.

[19] Rubén S. Montero et al. Dynamic placement of virtual machines for cost optimization in multi-cloud environments, 2011, 2011 International Conference on High Performance Computing & Simulation.

[20] Eliza Varney. Distributed Management Task Force, Inc, 2010.

[21] Peter A. Dinda et al. Towards Virtual Networks for Virtual Machine Grid Computing, 2004, Virtual Machine Research and Technology Symposium.

[22] Anoop Gupta et al. Performance isolation: sharing and isolation in shared-memory multiprocessors, 1998, ASPLOS VIII.

[23] José A. B. Fortes et al. A virtual network (ViNe) architecture for grid computing, 2006, Proceedings 20th IEEE International Parallel & Distributed Processing Symposium.

[24] Zhenyu Wu et al. Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud, 2012, USENIX Security Symposium.

[25] Albert G. Greenberg et al. VL2: a scalable and flexible data center network, 2009, SIGCOMM '09.

[26] Ravi Iyer et al. Modeling virtual machine performance: challenges and approaches, 2010, PERV.

[27] Taesoo Kim et al. STEALTHMEM: System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud, 2012, USENIX Security Symposium.

[28] Jennifer Rexford et al. Eliminating the hypervisor attack surface for a more secure cloud, 2011, CCS '11.

[29] Yuki Hayashi et al. Improving Fairness of Quantized Congestion Notification for Data Center Ethernet Networks, 2011, 2011 31st International Conference on Distributed Computing Systems Workshops.

[30] Peter A. Dinda et al. VNET/P: bridging the cloud and high performance computing through fast overlay networking, 2012, HPDC '12.

[31] Judith Kelner et al. CloudML: An Integrated Language for Resource, Service and Request Description for D-Clouds, 2011, 2011 IEEE Third International Conference on Cloud Computing Technology and Science.

[32] Frank Bellosa et al. Resource-conscious scheduling for energy efficiency on multicore processors, 2010, EuroSys '10.

[33] Benny Pinkas et al. Side Channels in Cloud Services: Deduplication in Cloud Storage, 2010, IEEE Security & Privacy.

[34] Kevin R. B. Butler et al. Detecting co-residency with active traffic analysis techniques, 2012, CCSW '12.

[35] Josh Simons et al. Performance Evaluation of HPC Benchmarks on VMware's ESXi Server, 2011, Euro-Par Workshops.

[36] Franck Cappello et al. Grid'5000: a large scale and highly reconfigurable grid experimental testbed, 2005, The 6th IEEE/ACM International Workshop on Grid Computing, 2005.

[37] Peter J. Varman et al. mClock: Handling Throughput Variability for Hypervisor IO Scheduling, 2010, OSDI.

[38] Feng Zhao et al. Energy aware consolidation for cloud computing, 2008, CLUSTER 2008.

[39] Michael K. Reiter et al. HomeAlone: Co-residency Detection in the Cloud via Side-Channel Analysis, 2011, 2011 IEEE Symposium on Security and Privacy.

[40] P. Oscar Boykin et al. IP over P2P: enabling self-configuring virtual IP networks for grid computing, 2006, Proceedings 20th IEEE International Parallel & Distributed Processing Symposium.

[41] Calton Pu et al. Improving Performance and Availability of Services Hosted on IaaS Clouds with Structural Constraint-Aware Virtual Machine Placement, 2011, 2011 IEEE International Conference on Services Computing.

[42] Prashant J. Shenoy et al. Empirical evaluation of latency-sensitive application performance in the cloud, 2010, MMSys '10.

[43] Jean-Marc Menaud et al. Autonomic virtual resource management for service hosting platforms, 2009, 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing.

[44] Christian Pérez et al. A network topology description model for grid application deployment, 2004, Fifth IEEE/ACM International Workshop on Grid Computing.

[45] Vasileios Pappas et al. Improving the Scalability of Data Center Networks with Traffic-aware Virtual Machine Placement, 2010, 2010 Proceedings IEEE INFOCOM.

[46] Adi Shamir et al. Cache Attacks and Countermeasures: The Case of AES, 2006, CT-RSA.

[47] Borja Sotomayor et al. Combining batch execution and leasing using virtual machines, 2008, HPDC '08.

[48] Amin Vahdat et al. A scalable, commodity data center network architecture, 2008, SIGCOMM '08.

[49] Jennifer Rexford et al. NoHype: virtualized cloud infrastructure without the virtualization, 2010, ISCA.

[50] Meikang Qiu et al. Feedback Dynamic Algorithms for Preemptable Job Scheduling in Cloud Systems, 2010.

[51] Thomas Groß et al. A Virtualization Assurance Language for Isolation and Deployment, 2011, 2011 IEEE International Symposium on Policies for Distributed Systems and Networks.

[52] Wonjun Lee et al. Virtual machines placement for network isolation in clouds, 2012, RACS.

[53] Jonathan Rouzaud-Cornabas et al. MAC protection of the OpenNebula Cloud environment, 2012, 2012 International Conference on High Performance Computing & Simulation (HPCS).

[54] Brice Goglin et al. Dodging Non-uniform I/O Access in Hierarchical Collective Operations for Multicore Clusters, 2011, 2011 IEEE International Symposium on Parallel and Distributed Processing Workshops and Phd Forum.

[55] Trent Jaeger et al. An architecture for enforcing end-to-end access control over web applications, 2010, SACMAT '10.

[56] Albert G. Greenberg et al. Seawall: Performance Isolation for Cloud Datacenter Networks, 2010, HotCloud.

[57] T. S. Eugene Ng et al. The Impact of Virtualization on Network Performance of Amazon EC2 Data Center, 2010, 2010 Proceedings IEEE INFOCOM.

[58] Meng Wang et al. Consolidating virtual machines with dynamic bandwidth demand in data centers, 2011, 2011 Proceedings IEEE INFOCOM.

[59] James J. Filliben et al. Comparing VM-Placement Algorithms for On-Demand Clouds, 2011, CloudCom.

[60] Alex Landau et al. Plugging the hypervisor abstraction leaks caused by virtual networking, 2010, SYSTOR '10.

[61] Christine Morin et al. Energy-Aware Ant Colony Based Workload Placement in Clouds, 2011, 2011 IEEE/ACM 12th International Conference on Grid Computing.

[62] Benjamin Farley et al. Resource-freeing attacks: improve your cloud performance (at your neighbor's expense), 2012, CCS.

[63] Antonio Corradi et al. A Stable Network-Aware VM Placement for Cloud Systems, 2012, 2012 12th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (ccgrid 2012).

[64] Matti A. Hiltunen et al. An exploration of L2 cache covert channels in virtualized environments, 2011, CCSW '11.

[65] Hitesh Ballani et al. Towards predictable datacenter networks, 2011, SIGCOMM 2011.

[66] Nick McKeown et al. OpenFlow: enabling innovation in campus networks, 2008, CCRV.

[67] Guillaume Mercier et al. hwloc: A Generic Framework for Managing Hardware Affinities in HPC Applications, 2010, 2010 18th Euromicro Conference on Parallel, Distributed and Network-based Processing.

[68] Jorge-Arnulfo Quiané-Ruiz et al. Runtime measurements in the cloud, 2010, Proc. VLDB Endow.

[69] Luis Miguel Vaquero Gonzalez et al. Service specification in cloud environments based on extensions to open standards, 2009, COMSWARE '09.

[70] Koichi Onoue et al. Host-based multi-tenant technology for scalable data center networks, 2012, 2012 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS).

[71] Borja Sotomayor et al. Virtual Infrastructure Management in Private and Hybrid Clouds, 2009, IEEE Internet Computing.

[72] Paul England et al. Resource management for isolation enhanced cloud services, 2009, CCSW '09.

[73] Yoshihiro Oyama et al. Load-based covert channels between Xen virtual machines, 2010, SAC '10.

[74] Onur Mutlu et al. Memory Performance Attacks: Denial of Memory Service in Multi-Core Systems, 2007, USENIX Security Symposium.

[75] Alexandra Fedorova et al. Addressing shared resource contention in multicore processors via scheduling, 2010, ASPLOS 2010.

[76] Xuxian Jiang et al. VIOLIN: Virtual Internetworking on Overlay Infrastructure, 2004, ISPA.

[77] Henri Casanova et al. Resource Allocation Using Virtual Clusters, 2009, 2009 9th IEEE/ACM International Symposium on Cluster Computing and the Grid.

[78] Paul Millar et al. GLUE Specification v. 2.0, 2009.