When dynamic VM migration falls under the control of VM user… Kahi hina na LAZ AZRI, Sylvie LANIEPCE, Haiming ZHENG IMT/OLPS/ASE/SEC/NPS Orange Labs, Caen Jalel Ben-Othman L2TI laboratory Paris13 Symposium sur la sécurité des technologies de l'information et des communications. SSTIC’14. Friday 6 th June, 2014. Rennes. unrestricted
Outline Problem Definition Dynamic Resource Management Vulnerability – VMware Distributed Resource Scheduler (DRS) algorithm analysis – Attack scheme – Cluster vulnerability assessment Demonstration Conclusion 1 unrestricted
Scope Domain of new vulnerabilities appeared with cloud (virtualization) Resource Sharing & Multi-tenancy: cross-Virtual Machine attacks (cross-VM) Dynamic resource management Elasticity <-> Dynamicity (today) – Resource Overcommitment – VM Migration 1 unrestricted
Resource sharing and dynamic resource allocation Output : Dynamic Resource Input : Decision ons impact Management System Quantity ty of consummed Normal VMs resource ces Infrastructure (Malicious+Normal VMs) Normal Normal Malicio ious Normal Malicio ious Normal VM VM VM VM VM VM VM VM Shared Resource Pool -> Fate-shari ring Demonstrate that dynamic resource management systems might be vulnerable to malicious manipulation of VM resource consumption Abuse: cause the resource management system to trigger er VM migrat ation ions Cost for both the infrastructure and migrated VMs 2 unrestricted
Distributed Resource Scheduler Algorithm (DRS, VMware) Constraint Correction calculate chlsd yes I c > I t no no While cluster imbalanced: GetBestMove Do nothing For each VM in the cluster simulate vMotion and calculate CHLSD I c : Curr rren ent Imbalan lance ce While cluster imbalanced: GetBestMove (chlsd: Curr rrent t Host Load S Standard Deviation tion) ed nced I t : Target et Imbalance lance Weight Costs vs. Benefits vs. Risks balanc (thlsd: : Target t Host Load Standard Deviation tion) unba Return migration that does not exceed CBR threshold Add to migration recommendation list and give a priority rating ulate I c Re-ca Re calcul Apply migration balanc nced ed Done source: VMware vSphere 4.1 HA and DRS. technical Deepdive. D.Epping et F. Denneman 3 unrestricted
DRS: Target Imbalance ( I t ) analysis 𝐷𝑝𝑜𝑡𝑢𝑏𝑜𝑢 𝐵𝑠𝑓𝑡𝑡𝑗𝑤𝑓𝑜𝑓𝑡𝑡 I t = 𝐷𝑚𝑣𝑡𝑢𝑓𝑠 𝑇𝑗𝑨𝑓 Four Aggressiveness Levels enabling dynamic migrations: Moderately Conservative Moderate (Default) Moderately Aggressive Aggressive Abusive VM Migration Attack: deliberately manipulate the quantity of resources consumed by VMs to enforce DRS to trigger VM migrations : I c > I t 4 unrestricted
Experimentation Setup Context DRS vMotion 5 Hosts vCenter Management Server (VMware) 16 GB of RAM each 8 CPU x 2.133 GHz each VMs / Host = 10 % Overcommitment Mem = 13.18% (17.5 GB) CPU = 25% (10 vCPU) Resource Usage in normal VMs Real private IaaS cloud traces Virtual Platform Analysis Tools (Orange Labs) Load Monitoring Diagnosis Generator 5 unrestricted
Abusive VM Migration Attack: one shot 6 unrestricted
Coordinated Abusive VM Migration Attack: Serial Migration acker VM alance . 2 - Imbalanc .1 – Attacke Fig.1 Fig. Attack conditions: - Attacker coordinates VMs on two different hosts - VMs fluctuate their resource consumption in phase opposition between the two hosts 7 unrestricted
Vulnerability Measurement (small cluster) Minimum quantity of resources to be under the control of the attacker? Vulnera rabil ility ity increas ases s when cluster r size e increas ases Cluster vulnerability is high when this quantity is low Vulnera rabil ility ity increas ases s when DRS Aggr gressi sivenes ess s increas ases 14 14 15 15 Minimum Required Resource 12 12 Moderately Conservative Minimum Required Resource 10 10 Moderate (Default) 11,5 10 10 11 11 10,5 Memory (GB) 10 10 8 CPU (vCPU ) 6 5 4 2 0 0 2 3 4 5 2 3 4 5 Cluster Size (N) Cluster Size (N) 6 3 Minimum Required Resource 5 Moderately Aggressive 2,5 Minimum Required Resource Agressive 5 2,5 2, 4 2 3 1, 1,5 2 1 1 0,5 0, 0 0 2 3 4 5 2 3 4 5 Cluster Size (N) Cluster Size (N) 8 Context :‘one shot ’ Abusive VM Migration attack, execution context described in slide 8 unrestricted
Demonstration 19 unrestricted
Conclusion How to autonomously mitigate such threats ? – Proact ctiv ive Integrating security considerations in dynamic resource management systems design? – React ctiv ive Autonomic Monitoring and detection of malicious resource consumption profiles How to characterize such profiles? How to deal with these profiles? 10 unrestricted
Thank you Questions? unrestricted
Recommend
More recommend
