A Game-Theoretic Framework for the Virtual Machines Migration Timing Problem

In a multi-tenant cloud, a number of Virtual Machines (VMs) are collocated on the same physical machine to optimize performance, power consumption and maximize profit. This, however, increases the risk of a malicious VM performing side-channel attacks and leaking sensitive information from neighboring VMs. To this end, this paper develops and analyzes a game-theoretic framework for the VM migration timing problem in which the cloud provider decides when to migrate a VM to a different physical machine to reduce the risk of being compromised by a collocated malicious VM. The adversary decides the rate at which she launches new VMs to collocate with the victim VMs. Our formulation captures a data leakage model in which the cost incurred by the cloud provider depends on the duration of collocation with malicious VMs. It also captures costs incurred by the adversary in launching new VMs and by the defender in migrating VMs. We establish sufficient conditions for the existence of Nash equilibria for general cost functions, as well as for specific instantiations, and characterize the best response for both players. Furthermore, we extend our model to characterize its impact on the attacker's payoff when the cloud utilizes intrusion detection systems that detect side-channel attacks. Our theoretical findings are corroborated with extensive numerical results in various settings.
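As an added worked example (not the paper's own model or code), a toy instance of the migration timing game described above: periodic migration by the defender, Poisson VM launches by the attacker, leakage cost proportional to collocated time, and an IDS modelled as a per-detection fine. All functional forms and parameter values are our assumptions, chosen only to make the best-response and equilibrium computations concrete.

```python
"""Toy VM migration timing game (assumed model, not the paper's).

Assumptions (ours): the defender migrates the victim VM every T time units
at cost c_m per migration; the attacker launches VMs as a Poisson process
of rate lam, paying c_a per launch, and each launch lands on the victim's
host with probability p; a migration breaks collocation; the defender
loses ell and the attacker gains g per unit of collocated time; an IDS
fires at rate delta while collocated and costs the attacker a fine f per
detection.  Payoffs are long-run averages per unit time.
"""
import math

def expected_collocation(T, mu):
    """E[(T - X)^+] for X ~ Exp(mu): collocated time within one migration
    period when the first successful collocation arrives at rate mu = p*lam."""
    if mu <= 0.0:
        return 0.0
    return T - (1.0 - math.exp(-mu * T)) / mu

def defender_cost(T, lam, p=0.1, ell=5.0, c_m=20.0):
    """Leakage cost plus migration cost, per unit time (to be minimized)."""
    return (ell * expected_collocation(T, p * lam) + c_m) / T

def attacker_payoff(T, lam, p=0.1, g=5.0, c_a=1.0, delta=0.0, f=0.0):
    """Leakage gain net of IDS fines, minus launch cost, per unit time."""
    d = expected_collocation(T, p * lam)
    return (g - f * delta) * d / T - c_a * lam

def best_T(lam, T_grid, **kw):
    """Defender's best response to launch rate lam on a finite grid."""
    return min(T_grid, key=lambda T: defender_cost(T, lam, **kw))

def best_lam(T, lam_grid, **kw):
    """Attacker's best response to migration period T on a finite grid."""
    return max(lam_grid, key=lambda lam: attacker_payoff(T, lam, **kw))

def pure_nash(T_grid, lam_grid, d_kw=None, a_kw=None):
    """Grid points where each player's choice is a best response to the other's."""
    d_kw, a_kw = d_kw or {}, a_kw or {}
    return [(T, lam) for T in T_grid for lam in lam_grid
            if best_T(lam, T_grid, **d_kw) == T
            and best_lam(T, lam_grid, **a_kw) == lam]

if __name__ == "__main__":
    Ts = [1, 2, 5, 10, 20, 50]          # candidate migration periods (constructed)
    lams = [0.0, 0.5, 1.0, 2.0, 4.0]    # candidate launch rates (constructed)
    print("pure equilibria, no IDS  :", pure_nash(Ts, lams))
    print("pure equilibria, with IDS:", pure_nash(Ts, lams, a_kw={"delta": 0.5, "f": 4.0}))
```

An empty list means no pure-strategy equilibrium exists on the chosen grid; the paper's existence conditions concern the continuous game, which this discretization only approximates.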
