Abstract
While cloud computing provides many advantages in accessibility, scalability and cost efficiency, it also introduces a number of new security risks. This paper concentrates on the co-resident attack, where malicious users aim to co-locate their virtual machines (VMs) with target VMs on the same physical server and then exploit side channels to extract private information from the victim. Most previous work has discussed how to eliminate or mitigate the threat of side channels themselves. However, those solutions are impractical for current commercial cloud platforms. We approach the problem from a different perspective and study how to minimise the probability that the attacker co-locates their VMs with the targets, while maintaining a satisfactory workload balance and low power consumption for the system. Specifically, we introduce a security game model to compare different VM allocation policies. Our analysis shows that, rather than deploying one single policy, the cloud provider decreases the attacker's probability of achieving co-location by having a policy pool, where each policy is selected with a certain probability. Our solution does not require any changes to the underlying infrastructure. Hence, it can be easily implemented in existing cloud computing platforms.
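The following Python simulation is an added illustration of the idea in the abstract and is not the paper's model or code. It treats placement as a zero-sum matrix game: the provider picks an allocation policy, the attacker picks a launch strategy, and the payoff is the probability that at least one attacker VM lands on the victim's host. The two policies (`spread`: least-loaded host, `stack`: most-loaded host with room), the third `random` policy, the attacker strategies in `ATTACKS`, the cluster size, and the background tenant load are all assumptions chosen for the example. `mixed_two_policies` then solves for the provider's best "policy pool" over two policies and shows that its guaranteed co-location probability is never worse, and often strictly better, than committing to either single policy.

```python
"""Security-game view of VM placement against a co-location attacker.

Added example, not the paper's model. All policies, attacker strategies and
cluster parameters below are assumptions for illustration.
"""
import random
from itertools import combinations
from typing import Callable, Dict, List, Optional, Tuple

# A policy maps (per-host VM counts, capacity, rng) -> chosen host index.
Policy = Callable[[List[int], int, random.Random], int]


def _with_room(loads: List[int], cap: int) -> List[int]:
    return [h for h, n in enumerate(loads) if n < cap]


def least_loaded(loads: List[int], cap: int, rng: random.Random) -> int:
    """'spread': emptiest host with room, ties broken uniformly (load balance)."""
    cand = _with_room(loads, cap)
    best = min(loads[h] for h in cand)
    return rng.choice([h for h in cand if loads[h] == best])


def most_loaded(loads: List[int], cap: int, rng: random.Random) -> int:
    """'stack': fullest host that still has room (consolidation, saves power)."""
    cand = _with_room(loads, cap)
    best = max(loads[h] for h in cand)
    return rng.choice([h for h in cand if loads[h] == best])


def random_fit(loads: List[int], cap: int, rng: random.Random) -> int:
    """'random': uniform over hosts with room."""
    return rng.choice(_with_room(loads, cap))


POLICIES: Dict[str, Policy] = {"spread": least_loaded, "stack": most_loaded, "random": random_fit}

# Attacker strategy = (VMs launched in a burst, background launches that occur
# between the victim's launch and the burst).  Constructed, not from the paper.
ATTACKS: Dict[str, Tuple[int, int]] = {"burst-now": (3, 0), "burst-later": (3, 6)}


def _place(policy: Policy, loads: List[int], cap: int, rng: random.Random) -> Optional[int]:
    """Place one VM; None if the cluster is full."""
    if not _with_room(loads, cap):
        return None
    h = policy(loads, cap, rng)
    loads[h] += 1
    return h


def colocation_rate(policy: Policy, attack: Tuple[int, int], hosts: int = 8, cap: int = 4,
                    warmup: int = 12, trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo estimate of P(some attacker VM shares a host with the victim VM)."""
    rng = random.Random(seed)
    m, delay = attack
    hits = 0
    for _ in range(trials):
        loads = [0] * hosts
        for _ in range(warmup):                 # other tenants already present
            _place(policy, loads, cap, rng)
        victim = _place(policy, loads, cap, rng)
        for _ in range(delay):                  # churn before the attacker moves
            _place(policy, loads, cap, rng)
        for _ in range(m):
            if _place(policy, loads, cap, rng) == victim:
                hits += 1
                break
    return hits / trials


def payoff_matrix(policies: List[str], attacks: List[str], **kw) -> List[List[float]]:
    """Rows: provider policies, columns: attacker strategies, entries: co-location probability."""
    return [[colocation_rate(POLICIES[p], ATTACKS[a], **kw) for a in attacks] for p in policies]


def best_pure(matrix: List[List[float]]) -> Tuple[int, float]:
    """Provider commits to one policy and the attacker best-responds; returns (row, value)."""
    worst = [max(row) for row in matrix]
    i = min(range(len(matrix)), key=worst.__getitem__)
    return i, worst[i]


def mixed_two_policies(row_a: List[float], row_b: List[float]) -> Tuple[float, float]:
    """Policy pool: play row_a with prob p, row_b with 1-p, minimising the attacker's
    best response.  max_j(p*a_j + (1-p)*b_j) is convex and piecewise linear in p,
    so the optimum lies at p=0, p=1 or a crossing point of two columns."""
    def val(p: float) -> float:
        return max(p * a + (1 - p) * b for a, b in zip(row_a, row_b))
    cands = {0.0, 1.0}
    for (a1, b1), (a2, b2) in combinations(zip(row_a, row_b), 2):
        d = (a1 - b1) - (a2 - b2)
        if abs(d) > 1e-12:
            p = (b2 - b1) / d
            if 0.0 < p < 1.0:
                cands.add(p)
    p = min(cands, key=val)
    return p, val(p)


def run_game(policies=("spread", "stack"), attacks=("burst-now", "burst-later")):
    """Simulate the payoff matrix and compare single-policy vs. policy-pool outcomes."""
    m = payoff_matrix(list(policies), list(attacks))
    _, pure_value = best_pure(m)
    p, mixed_value = mixed_two_policies(m[0], m[1])
    return {"matrix": m, "pure": pure_value, "p_first": p, "mixed": mixed_value}


if __name__ == "__main__":
    print(run_game())
```

The simulator only establishes the matrix entries; the security-relevant step is `mixed_two_policies`, which is exact. A provider that always stacks (for power) or always spreads (for balance) hands the attacker a fixed target to tune against; randomising between the two with the computed `p` caps the attacker's best-response co-location probability at the mixed value, which is never above the best single policy's worst case.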
Copyright information
© 2013 Springer International Publishing Switzerland
About this paper
Cite this paper
Han, Y., Alpcan, T., Chan, J., Leckie, C. (2013). Security Games for Virtual Machine Allocation in Cloud Computing. In: Das, S.K., Nita-Rotaru, C., Kantarcioglu, M. (eds) Decision and Game Theory for Security. GameSec 2013. Lecture Notes in Computer Science, vol 8252. Springer, Cham. https://doi.org/10.1007/978-3-319-02786-9_7
DOI: https://doi.org/10.1007/978-3-319-02786-9_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-02785-2
Online ISBN: 978-3-319-02786-9