A Method for Evaluating Placement Security of New IaaS Cloud … Oral... · 2019. 4. 25. · New...
A Method for Evaluating Placement Security of New IaaS Cloud Providers
SCSE01 Pan Yue
Mentor: Dr. Ta Nguyen Binh Duong
Overview
Introduction to Problem
Background research
Experimental methodology
Results and analysis
Future development
Introduction to Problem
IaaS clouds: a popular model of cloud computing
• Configurable computing resources shared over the internet
• Hosts Virtual Machines (VMs) on shared physical infrastructure (multi-tenancy)
Co-location attacks: a security risk in IaaS clouds
• Launched from an attacker VM against victim VMs on the same physical host
• Extract confidential data from the victim or degrade its performance
Aims of research
I. Examine an evaluation technique for IaaS cloud placement security (memory-bus locking)
II. Explore how the findings can be applied to evaluate commercial IaaS cloud providers
Background Research
Co-location Attack Mechanism
(Figure: the attacker requests a VM; co-location detection establishes whether the attacker VM and the victim VM share a host)
Co-location Detection
• Covert side channel detection
  create contention in a shared hardware resource of the host
  cause observable performance degradation in the victim
(Figure: the attacker sends intensive requests to the shared hardware resource; the victim's normal requests are delayed)
Co-location Detection
• Memory bus locking
  create contention on the memory bus of the host
  observe degraded performance in accessing main memory
(Figure: the attacker continuously accesses memory over the shared main memory bus; the victim's memory accesses are delayed)
Evaluating Placement Security
(Figure: susceptibility to co-location detection indicates susceptibility to co-location attacks; memory bus locking may be used to test for it)
Hypothesis
Memory bus locking can achieve accurate co-location detection in both cooperative and uncooperative cases, and hence prove useful for evaluating the placement security of IaaS cloud providers.
Experimental Methodology
Cooperative memory-bus locking
• Lock and Probe model
• Two VMs set up on the same local host
• One locks the memory bus (attacker); the other performs and measures the affected task (victim)
Cooperative experiment set-up
(Figure: attacker and victim VMs on the same host, sharing the hardware memory bus)
Locking: Implementation
reference: github.com/jacnel/co-res
Probing: Implementation
reference: Varadarajan et al., 2017
Uncooperative memory-bus locking
• Lock and Probe model, revised
• Attacker and victim VM set-up retained
• Does not assume control over the victim (the victim cannot measure its own performance)
• A third VM (evaluator) on an unknown host measures the victim's performance
Uncooperative experiment set-up
• Victim: web server
  Virtual host with a public domain OR a local host domain
  Apache 2
• Evaluator
  Accesses the victim's domain
  Measures server performance
  Apache JMeter
Experiment summary
Attacker locks the memory bus by executing the locking code.
Cooperative: the victim performs a task and measures its own performance.
Uncooperative: the victim performs a task and the evaluator measures its performance.
Observe performance degradation in the victim to detect co-location.
Results and Analysis
Cooperative experiment results
Data collected as the number of CPU clock cycles required to execute one run of the probe program, taken over 100 runs.
The average runtime with a locking instance shows a 70% increase compared to without locking.
Performance degradation is apparent; co-location successfully detected.
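The probe side of the lock-and-probe test and the analysis applied to its output, written here as an added C example (not code from the project or from the referenced implementations): the buffer size, stride and timing source are assumptions, while the 100-run count and the 70% degradation figure come from the slides. The locking side is left to the referenced code; this program is run once without the locker and once while it runs, and the two means are compared.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif
#define PROBE_RUNS 100                  /* slides: 100 runs of the probe program */
#define PROBE_BYTES (64u * 1024 * 1024) /* assumption: bigger than the LLC, so loads reach DRAM */
#define STRIDE 4096                     /* assumption: one line per page to blunt the prefetcher */

/* Tick source: CPU cycle counter on x86, monotonic nanoseconds elsewhere. */
static uint64_t now_ticks(void) {
#if defined(__x86_64__) || defined(__i386__)
    return __rdtsc();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}
/* One probe run: stride through the buffer and return the ticks it took;
 * a co-resident locker saturating the memory bus inflates this number. */
uint64_t probe_once(volatile uint8_t *buf, size_t len) {
    uint8_t sink = 0;
    uint64_t start = now_ticks();
    for (size_t i = 0; i < len; i += STRIDE) sink ^= buf[i]; /* volatile: loads are kept */
    (void)sink;
    return now_ticks() - start;
}
/* Mean ticks per run over n samples: the statistic the slides report. */
double mean_ticks(const uint64_t *s, size_t n) {
    double acc = 0.0;
    for (size_t i = 0; i < n; i++) acc += (double)s[i];
    return n ? acc / (double)n : 0.0;
}
/* Degradation of the locked mean over the unlocked baseline, in percent. */
double percent_increase(double baseline, double locked) {
    return baseline > 0.0 ? (locked - baseline) * 100.0 / baseline : 0.0;
}
/* Decision rule: degradation above threshold_pct means the locker shares the host. */
int colocated(double baseline, double locked, double threshold_pct) {
    return percent_increase(baseline, locked) > threshold_pct;
}
/* Collect PROBE_RUNS samples and print their mean for the current condition. */
int main(void) {
    uint64_t runs[PROBE_RUNS]; volatile uint8_t *buf = calloc(PROBE_BYTES, 1);
    if (!buf) return 1;
    for (int r = 0; r < PROBE_RUNS; r++) runs[r] = probe_once(buf, PROBE_BYTES);
    printf("mean ticks per probe run: %.0f\n", mean_ticks(runs, PROBE_RUNS));
    free((void *)buf);
}
```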
Conclusion for cooperative detection
• Memory-bus locking can accurately detect co-location in the cooperative case
• Hence, it can evaluate the placement security of IaaS clouds if a dedicated server can be purchased to ensure the co-location of the lock and probe VMs
Overall Conclusion
Memory bus locking is an effective co-location detection technique in the cooperative case, which can be used for evaluating placement security in cloud providers under controlled conditions.
Future Developments
• Complete experiments for the uncooperative case
• Apply memory-bus locking detection technique to commercial cloud providers
Thank You
Main References
Varadarajan, V. (2015). A Placement Vulnerability Study in Multi-Tenant Public Clouds. USENIX.
Delimitrou, C., & Kozyrakis, C. (2017). Bolt: I Know What You Did Last Summer... In the Cloud. ACM SIGOPS Operating Systems Review, 51(2), 599-613. doi:10.1145/3093315.3037703
Han, Y., Chan, J., Alpcan, T., & Leckie, C. (2015). Using Virtual Machine Allocation Policies to Defend against Co-resident Attacks in Cloud Computing. IEEE Transactions on Dependable and Secure Computing, 1-1. doi:10.1109/tdsc.2015.2429132
Nelson, J. (2017). Co-residency Detection and Memory Bus Locking.
Ristenpart, T. (n.d.). Hey, You, Get Off of My Cloud: Exploring Information ... Retrieved from https://hovav.net/ucsd/dist/cloudsec.pdf
Alibaba Cloud Ranks the World's Third Largest Cloud Services Provider for Two Consecutive Years. (n.d.). Retrieved from https://www.alibabacloud.com/press-room/alibaba-cloud-ranks-the-worlds-third-largest-cloud-services-provider-for-two-consecutive-time?spm=a2c5t.10695662.1996646101.searchclickresult.4a645316ZjqxGh