Placement Security of New IaaS Cloud Providers SCSE01 Pan Yue - - PowerPoint PPT Presentation



SLIDE 1

A Method for Evaluating Placement Security of New IaaS Cloud Providers

SCSE01, Pan Yue. Mentor: Dr. Ta Nguyen Binh Duong

SLIDE 2

Overview

  • Introduction to problem
  • Background research
  • Experimental methodology
  • Results and analysis
  • Future development

SLIDE 3

Introduction to Problem

SLIDE 4

IaaS clouds

  • A popular model of cloud computing
  • Configurable computing resources shared over the internet
  • Hosts Virtual Machines (VMs) on shared physical infrastructure (multi-tenancy)

SLIDE 5

Co-location Attacks

  • A security risk in IaaS clouds
  • Launched on victim VMs on the same physical host as the attacker
  • Extract confidential data or degrade performance of the victim

SLIDE 6

Aims of research

I. Examine an evaluation technique of IaaS cloud placement security (memory-bus locking)
II. Explore how the findings can be applied to evaluate commercial IaaS cloud providers

SLIDE 7

Background Research

SLIDE 8

Co-location Attack Mechanism

[Diagram: the attacker requests a VM; once the attacker VM and the victim VM have been placed, co-location detection follows.]

SLIDE 9

Co-location Detection

  • Covert side-channel detection
    – Create contention in shared hardware resources of the host
    – Cause observable performance degradation in the victim

[Diagram: the attacker sends intensive requests to a shared hardware resource; the victim's normal requests are delayed.]

SLIDE 10

Co-location Detection

  • Memory bus locking
    – Create contention in the memory bus of the host
    – Observe degraded performance in accessing main memory

[Diagram: the attacker continuously accesses memory over the shared bus; the victim's accesses to main memory are delayed.]

SLIDE 11

Evaluating Placement Security

[Diagram: susceptibility to co-location detection indicates susceptibility to co-location attacks; memory bus locking MAY test for susceptibility to co-location detection.]

SLIDE 12

Hypothesis

Memory bus locking can achieve accurate co-location detection in both cooperative and uncooperative cases, and hence prove useful for evaluating placement security of IaaS cloud providers.

SLIDE 13

Experimental Methodology

SLIDE 14

Cooperative memory-bus locking

  • Lock and Probe model
  • Two VMs set up on the same local host
  • One locks the memory bus (attacker); the other performs and measures the affected task (victim)

SLIDE 15

Cooperative experiment set-up

[Diagram: attacker VM and victim VM on one local host, sharing the hardware memory bus.]

SLIDE 16

Locking: Implementation

reference: github.com/jacnel/co-res

SLIDE 17

Probing: Implementation

reference: Varadarajan et al., 2017

SLIDE 18

Uncooperative memory-bus locking

  • Lock and Probe model, revised
  • Attacker and victim VM set-up retained
  • Does not assume control over the victim (the victim cannot measure its own performance)
  • A third VM (evaluator) on an unknown host measures the victim's performance

SLIDE 19

Uncooperative experiment set-up

  • Victim: web server
    – Virtual host with a public domain OR a local host domain
    – Apache 2
  • Evaluator
    – Accesses the victim's domain
    – Measures server performance
    – Apache JMeter

SLIDE 20

Experiment summary

Cooperative: the attacker locks the memory bus by executing the locking code; the victim performs a task and measures its own performance; performance degradation in the victim is observed to detect co-location.

Uncooperative: the attacker locks the memory bus by executing the locking code; the victim performs a task and the evaluator measures its performance; performance degradation in the victim is observed to detect co-location.

SLIDE 21

Results and Analysis

SLIDE 22

Cooperative experiment results

Data collected as the number of CPU clock cycles required to execute one run of the probe program, taken for 100 runs

SLIDE 23

Cooperative experiment results

The average runtime with the locking instance shows a 70% increase compared to without locking.
  • Performance degradation is apparent
  • Co-location successfully detected
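The probe side of the lock-and-probe model (slides 14 and 17) and the analysis of slides 22 and 23 (repeated runs, average runtime, percent increase) as one added example. This is not the deck's probe code and not the co-res locker; it implements only the measuring and deciding side, which is what an evaluator of placement security needs. Assumptions: runtime is measured with clock_gettime in nanoseconds rather than CPU clock cycles, the 64 MiB buffer size is a guess at something larger than the host's last-level cache, and the detection threshold is a tuning parameter that does not come from the deck.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Probe buffer: assumed to exceed a typical last-level cache so that the
 * strided reads below miss cache and go to main memory. Size it above the
 * LLC of the host actually being evaluated. */
#define PROBE_BYTES (64u << 20)
#define CACHE_LINE  64u

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* One probe run: read one byte from every cache line of buf and return the
 * elapsed time in nanoseconds. When a neighbour saturates the memory bus,
 * these main-memory reads take measurably longer. The volatile sink keeps
 * the compiler from discarding the loop. */
uint64_t probe_once_ns(const unsigned char *buf, size_t len) {
    volatile uint64_t sink = 0;
    uint64_t sum = 0;
    uint64_t t0 = now_ns();
    for (size_t i = 0; i < len; i += CACHE_LINE)
        sum += buf[i];
    sink = sum;
    (void)sink;
    return now_ns() - t0;
}

/* Collect n timed runs over a freshly allocated buffer of `bytes` bytes
 * (the deck uses 100 runs). Returns the number of samples, or -1 if the
 * buffer could not be allocated. */
int probe_collect(uint64_t *out, int n, size_t bytes) {
    unsigned char *buf = malloc(bytes);
    if (buf == NULL) return -1;
    memset(buf, 1, bytes);            /* fault the pages in before timing */
    for (int i = 0; i < n; i++)
        out[i] = probe_once_ns(buf, bytes);
    free(buf);
    return n;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

double mean_of(const uint64_t *s, int n) {
    double total = 0.0;
    for (int i = 0; i < n; i++) total += (double)s[i];
    return total / n;
}

/* The median resists the long tail that scheduler noise adds to timing
 * samples; report it next to the mean before trusting a percent increase. */
double median_of(const uint64_t *s, int n) {
    uint64_t *copy = malloc((size_t)n * sizeof *copy);
    memcpy(copy, s, (size_t)n * sizeof *copy);
    qsort(copy, (size_t)n, sizeof *copy, cmp_u64);
    double m = (n % 2) ? (double)copy[n / 2]
                       : ((double)copy[n / 2 - 1] + (double)copy[n / 2]) / 2.0;
    free(copy);
    return m;
}

/* Slide 23's metric: percent increase of the locked run over the baseline. */
double percent_increase(double baseline, double locked) {
    return (locked - baseline) * 100.0 / baseline;
}

/* Evaluator's decision rule: degradation above threshold_pct counts as
 * co-location. The threshold is an assumption; calibrate it against the
 * run-to-run spread of the baseline on the same VM. */
int colocation_detected(double baseline, double locked, double threshold_pct) {
    return percent_increase(baseline, locked) > threshold_pct;
}

int main(void) {
    enum { RUNS = 100 };
    uint64_t samples[RUNS];
    if (probe_collect(samples, RUNS, PROBE_BYTES) != RUNS) return 1;
    printf("probe: mean %.0f ns, median %.0f ns over %d runs\n",
           mean_of(samples, RUNS), median_of(samples, RUNS), RUNS);
    /* Record one run without the locker (baseline) and one while it runs,
     * then pass the two means to colocation_detected(). */
    return 0;
}
```

Build with `gcc -O2 -o probe probe.c`, record the baseline on the victim VM before the locking instance starts, then repeat with it running and compare the two means with `colocation_detected`. In the uncooperative set-up the same `mean_of`, `median_of` and `percent_increase` apply to the evaluator's response-time samples (for instance, JMeter's per-request latencies) instead of the probe's own timings. A single pair of runs can be fooled by unrelated host load, so the baseline's own spread across several sessions bounds how small a percent increase can still be called detection.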

SLIDE 24

Conclusion for cooperative detection

  • Memory-bus locking can accurately detect co-location in the cooperative case
  • Hence, it can evaluate the placement security of IaaS clouds if a dedicated server can be purchased to ensure the co-location of the lock and probe VMs

SLIDE 25

Overall Conclusion

Memory bus locking is an effective co-location detection technique in the cooperative case, which can be used for evaluating placement security in cloud providers under controlled conditions.

SLIDE 26

Future Developments

SLIDE 27

Future developments

  • Complete experiments for the uncooperative case
  • Apply the memory-bus locking detection technique to commercial cloud providers

SLIDE 28

Thank You

SLIDE 29

Main References

  • Varadarajan, V. (2015). A Placement Vulnerability Study in Multi-Tenant Public Clouds. USENIX.
  • Delimitrou, C., & Kozyrakis, C. (2017). Bolt: I Know What You Did Last Summer... In the Cloud. ACM SIGOPS Operating Systems Review, 51(2), 599-613. doi:10.1145/3093315.3037703
  • Han, Y., Chan, J., Alpcan, T., & Leckie, C. (2015). Using Virtual Machine Allocation Policies to Defend against Co-resident Attacks in Cloud Computing. IEEE Transactions on Dependable and Secure Computing, 1-1. doi:10.1109/tdsc.2015.2429132
  • Nelson, J. (2017). Co-residency Detection and Memory Bus Locking.
  • Ristenpart, T. (n.d.). Hey, You, Get Off of My Cloud: Exploring Information ... Retrieved from https://hovav.net/ucsd/dist/cloudsec.pdf
  • Alibaba Cloud Ranks the World's Third Largest Cloud Services Provider for Two Consecutive Years. (n.d.). Retrieved from https://www.alibabacloud.com/press-room/alibaba-cloud-ranks-the-worlds-third-largest-cloud-services-provider-for-two-consecutive-time?spm=a2c5t.10695662.1996646101.searchclickresult.4a645316ZjqxGh