Co-Residence Data Theft Attacks on N-Version Programming Based Cloud Services with Task Cancelation
Abstract : Powered by virtualization, the cloud computing has brought good merits of cost effective and on-demand resource sharing among many users. On the other hand, cloud users face security risks from co-residence attacks when using this virtualized platform. Particularly, a malicious attacker may create side channels to steal data from a target user’s virtual machine (VM) that co-resides with the attacker’s VM on the same physical server. This article models a cloud service undergoing the co-residence data theft attacks. The threshold voting based N-version programming (NVP) is implemented to improve the service reliability, where multiple service component versions (SCVs) are activated in parallel to perform the requested service. The final output is determined upon receiving a threshold number of identical outputs from the SCVs, immediately followed by canceling all outstanding SCVs to reduce expenses. Probabilistic models are first introduced to evaluate performance metrics of the considered service, including the data theft probability, service success probability, expected service operation time, and expected utility. Optimization problems are further solved to find the optimal number of SCVs maximizing the expected utility. Interactions among different model parameters and VM allocation policies, as well as their effects on the considered performance metrics and on the optimization solutions are studied through examples.
Third-party cloud computing represents the promise of out-sourcing as applied to computation. Services, such as Microsoft’s Azure and Amazon’s EC2, allow users to instant ate virtual machines (VMs) on demand and thus purchase precisely the capacity they require when they require it. In turn, the use of virtualization allows third-party cloud providers to maximize the utilization of their sunk capital costs by multiplexing many customer VMs across a shared physical infrastructure.
Thus is likely to be demanded by customers with strong privacy requirements.
We argue that the best solution is for cloud providers to expose this risk explicitly and give some placement control directly to customers.
In this paper, we show that this approach can also introduce new vulnerabilities. Using the Amazon EC2 service as a case study, we show that it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and then instantiate new VMs until one is placed co-resident with the target. We explore how such placement can then be used to mount cross-VM side-channel attacks to extract information from a target VM on the same machine.
Some of these risks are self-evident and relate to the new trust relationship between customer and cloud provider. For example, customers must trust their cloud providers to respect the privacy of their data and the integrity of their computations.
Cloud infrastructures can also introduce non-obvious threats from other customers due to the subtleties of how physical resources can be transparently shared between virtual machines (VMs).
|