An experimental study of cascading performance interference in a virtualized environment

In a consolidated virtualized environment, multiple virtual machines (VMs) are hosted atop a shared physical substrate. They share the underlying hardware resources as well as the software virtualization components. Thus, one VM can generate performance interference to another co-resident VM. This work explores the adverse impact of performance interference from a security perspective. We present a new class of attacks, namely the cascade attacks, in which an adversary seeks to generate performance interference using a malicious VM. One distinct property of the cascade attacks is that when the malicious VM exhausts one type of hardware resources, it will bring "cascading" interference to another type of hardware resources. We present four different implementations of cascade attacks and evaluate their effectiveness atop the Xen virtualization platform. We show that a victim VM can see significant performance degradation (e.g., throughput drops in network and disk I/Os) due to the cascade attacks.

[1]  Willy Zwaenepoel,et al.  Diagnosing performance overheads in the xen virtual machine environment , 2005, VEE '05.

[2]  Alan L. Cox,et al.  Achieving 10 Gb/s using safe and transparent network interface virtualization , 2009, VEE '09.

[3]  Xiaomin Zhang,et al.  Characterization & analysis of a server consolidation benchmark , 2008, VEE '08.

[4]  Sanjay Chaudhary,et al.  Application Performance Isolation in Virtualization , 2009, 2009 IEEE International Conference on Cloud Computing.

[5]  Ramana Rao Kompella,et al.  Opportunistic flooding to improve TCP transmit performance in virtualized clouds , 2011, SOCC '11.

[6]  Jie Liu,et al.  Cuanta: quantifying effects of shared on-chip resource interference for consolidated virtual machines , 2011, SoCC.

[7]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[8]  Alan L. Cox,et al.  Protection Strategies for Direct Access to Virtualized I/O Devices , 2008, USENIX Annual Technical Conference.

[9]  Prashant J. Shenoy,et al.  Profiling and Modeling Resource Usage of Virtualized Applications , 2008, Middleware.

[10]  Peter J. Varman,et al.  mClock: Handling Throughput Variability for Hypervisor IO Scheduling , 2010, OSDI.

[11]  Andrew Warfield,et al.  Safe Hardware Access with the Xen Virtual Machine Monitor , 2007 .

[12]  Srihari Makineni,et al.  Characterization of network processing overheads in Xen , 2006, First International Workshop on Virtualization Technology in Distributed Computing (VTDC 2006).

[13]  Calton Pu,et al.  An Analysis of Performance Interference Effects in Virtual Environments , 2007, 2007 IEEE International Symposium on Performance Analysis of Systems & Software.

[14]  David Mazières,et al.  EyeQ: Practical Network Performance Isolation for the Multi-tenant Cloud , 2012, HotCloud.

[15]  Kang G. Shin,et al.  Performance Evaluation of Virtualization Technologies for Server Consolidation , 2007 .

[16]  Xiaohui Gu,et al.  CloudScale: elastic resource scaling for multi-tenant cloud systems , 2011, SoCC.

[17]  David A. Patterson,et al.  Computer Architecture, Fifth Edition: A Quantitative Approach , 2011 .

[18]  Michael K. Reiter,et al.  HomeAlone: Co-residency Detection in the Cloud via Side-Channel Analysis , 2011, 2011 IEEE Symposium on Security and Privacy.

[19]  Alan L. Cox,et al.  Scheduling I/O in virtual machine monitors , 2008, VEE '08.

[20]  David A. Patterson,et al.  Computer Architecture: A Quantitative Approach , 1969 .

[21]  Jennifer Rexford,et al.  Eliminating the hypervisor attack surface for a more secure cloud , 2011, CCS '11.

[22]  Peng Ning,et al.  SICE: a hardware-level strongly isolated computing environment for x86 multi-core platforms , 2011, CCS '11.

[23]  Amin Vahdat,et al.  Enforcing Performance Isolation Across Virtual Machines in Xen , 2006, Middleware.

[24]  Jose Renato Santos,et al.  Bridging the Gap between Software and Hardware Techniques for I/O Virtualization , 2008, USENIX Annual Technical Conference.

[25]  Huan Liu,et al.  A new form of DOS attack in a cloud and its avoidance mechanism , 2010, CCSW '10.

[26]  Aman Kansal,et al.  Q-clouds: managing performance interference effects for QoS-aware clouds , 2010, EuroSys '10.

[27]  Xing Pu,et al.  Performance Measurements and Analysis of Network I/O Applications in Virtualized Cloud , 2010, 2010 IEEE 3rd International Conference on Cloud Computing.

[28]  Muli Ben-Yehuda,et al.  Quantitative Comparison of Xen and KVM , 2008 .

[29]  Alan L. Cox,et al.  Optimizing network virtualization in Xen , 2006 .

[30]  Alan L. Cox,et al.  Concurrent Direct Network Access for Virtual Machine Monitors , 2007, 2007 IEEE 13th International Symposium on High Performance Computer Architecture.