Improving Users' Isolation in IaaS: Virtual Machine Placement with Security Constraints

Nowadays, virtualization is used as the sole mechanism to isolate different users on Cloud platforms. In this paper, we show that, due to improper virtualization of micro-architectural components, data leak and modification can occur on public Clouds. Furthermore, using the same vector, it is possible to induce performance interferences, i.e. noisy neighbors. Using this approach, a VM can steal resources from, and slow down, concurrent VMs. To counter this, we propose placement heuristics that take into account isolation requirements, thus allowing a user to specify the level of isolation he accepts, and with whom. We modify 3 classical heuristics to take into account these requirements. In addition, we propose 4 new heuristics that take into account the hierarchy of Cloud platforms and isolation requirements. Finally, we evaluate these heuristics and compare them with the modified classical ones. We show that our heuristics perform at least as well as the classical ones, while scaling better and being faster by a few orders of magnitude.

[1]  Mario Cannataro,et al.  Euro-Par 2011: Parallel Processing Workshops , 2011, Lecture Notes in Computer Science.

[2]  Josh Simons,et al.  Performance Evaluation of HPC Benchmarks on VMware's ESXi Server , 2011, Euro-Par Workshops.

[3]  Peter J. Varman,et al.  mClock: Handling Throughput Variability for Hypervisor IO Scheduling , 2010, OSDI.

[4]  Anoop Gupta,et al.  Performance isolation: sharing and isolation in shared-memory multiprocessors , 1998, ASPLOS VIII.

[5]  Cristian Klein,et al.  An RMS for Non-predictably Evolving Applications , 2011, 2011 IEEE International Conference on Cluster Computing.

[6]  Jennifer Rexford,et al.  Eliminating the hypervisor attack surface for a more secure cloud , 2011, CCS '11.

[7]  Meikang Qiu,et al.  Feedback Dynamic Algorithms for Preemptable Job Scheduling in Cloud Systems , 2010 .

[8]  Thomas Groß,et al.  A Virtualization Assurance Language for Isolation and Deployment , 2011, 2011 IEEE International Symposium on Policies for Distributed Systems and Networks.

[9]  Rubén S. Montero,et al.  Dynamic placement of virtual machines for cost optimization in multi-cloud environments , 2011, 2011 International Conference on High Performance Computing & Simulation.

[10]  Christine Morin,et al.  Snooze: A Scalable, Fault-Tolerant and Distributed Consolidation Manager for Large-Scale Clusters , 2010, 2010 IEEE/ACM Int'l Conference on Green Computing and Communications & Int'l Conference on Cyber, Physical and Social Computing.

[11]  Alexandra Fedorova,et al.  Addressing shared resource contention in multicore processors via scheduling , 2010, ASPLOS XV.

[12]  Johan Tordsson,et al.  Cloud brokering mechanisms for optimized placement of virtual machines across multiple providers , 2012, Future Gener. Comput. Syst..

[13]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[14]  Christine Morin,et al.  Energy-Aware Ant Colony Based Workload Placement in Clouds , 2011, 2011 IEEE/ACM 12th International Conference on Grid Computing.

[15]  Eddy Caron,et al.  Smart Resource Allocation to Improve Cloud Security , 2014 .

[16]  Prashant J. Shenoy,et al.  Empirical evaluation of latency-sensitive application performance in the cloud , 2010, MMSys '10.

[17]  Brice Goglin,et al.  Dodging Non-uniform I/O Access in Hierarchical Collective Operations for Multicore Clusters , 2011, 2011 IEEE International Symposium on Parallel and Distributed Processing Workshops and Phd Forum.

[18]  Jean-Marc Menaud,et al.  Autonomic virtual resource management for service hosting platforms , 2009, 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing.

[19]  Jennifer Rexford,et al.  NoHype: virtualized cloud infrastructure without the virtualization , 2010, ISCA.

[20]  Paul England,et al.  Resource management for isolation enhanced cloud services , 2009, CCSW '09.

[21]  Calton Pu,et al.  Understanding Performance Interference of I/O Workload in Virtualized Cloud Environments , 2010, 2010 IEEE 3rd International Conference on Cloud Computing.

[22]  Yoshihiro Oyama,et al.  Load-based covert channels between Xen virtual machines , 2010, SAC '10.

[23]  Onur Mutlu,et al.  Memory Performance Attacks: Denial of Memory Service in Multi-Core Systems , 2007, USENIX Security Symposium.

[24]  Benjamin Farley,et al.  Resource-freeing attacks: improve your cloud performance (at your neighbor's expense) , 2012, CCS.

[25]  Taesoo Kim,et al.  STEALTHMEM: System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud , 2012, USENIX Security Symposium.

[26]  Guillaume Mercier,et al.  hwloc: A Generic Framework for Managing Hardware Affinities in HPC Applications , 2010, 2010 18th Euromicro Conference on Parallel, Distributed and Network-based Processing.

[27]  Jorge-Arnulfo Quiané-Ruiz,et al.  Runtime measurements in the cloud , 2010, Proc. VLDB Endow..

[28]  Franck Cappello,et al.  Grid'5000: A Large Scale And Highly Reconfigurable Experimental Grid Testbed , 2006, Int. J. High Perform. Comput. Appl..

[29]  Frank Bellosa,et al.  Resource-conscious scheduling for energy efficiency on multicore processors , 2010, EuroSys '10.

[30]  Feng Zhao,et al.  Energy aware consolidation for cloud computing , 2008, CLUSTER 2008.

[31]  Michael K. Reiter,et al.  HomeAlone: Co-residency Detection in the Cloud via Side-Channel Analysis , 2011, 2011 IEEE Symposium on Security and Privacy.

[32]  Calton Pu,et al.  Improving Performance and Availability of Services Hosted on IaaS Clouds with Structural Constraint-Aware Virtual Machine Placement , 2011, 2011 IEEE International Conference on Services Computing.

[33]  Zhenyu Wu,et al.  Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud , 2012, USENIX Security Symposium.

[34]  Matti A. Hiltunen,et al.  An exploration of L2 cache covert channels in virtualized environments , 2011, CCSW '11.

[35]  Sally A. McKee,et al.  An approach to resource-aware co-scheduling for CMPs , 2010, ICS '10.

[36]  Eddy Caron,et al.  Security-Aware Models for Clouds , 2013, HPDC 2013.

[37]  T. S. Eugene Ng,et al.  The Impact of Virtualization on Network Performance of Amazon EC2 Data Center , 2010, 2010 Proceedings IEEE INFOCOM.

[38]  Albert G. Greenberg,et al.  Seawall: Performance Isolation for Cloud Datacenter Networks , 2010, HotCloud.