Abstract: Co-residency of different tenants’ virtual machines (VMs) in cloud provides a good chance for side-channel attacks, which results in information leakage. However, most of current defense suffers from the generality or compatibility problem, thus failing in immediate real-world deployment. VM migration, an inherit mechanism of cloud systems, envisions a promising countermeasure, which limits co-residency by moving VMs between servers. Therefore, we first set up a unified practical adversary model, where the attacker focuses on effective side channels. Then we propose Driftor, a new cloud system that contains VMs of a multi-executor structure where only one executor is active to provide service through a proxy, thus reducing possible information leakage. Active state is periodically switched between executors to simulate defensive effect of VM migration. To enhance the defense, real VM migration is enabled at the same time. Instead of solving the migration satisfiability problem with intractable CIRCUIT-SAT, a greedy-like heuristic algorithm is proposed to search for a viable solution by gradually expanding an initial has-to-migrate set of VMs. Experimental results show that Driftor can not only defend against practical fast side-channel attack, but also bring about reasonable impacts on real-world cloud applications.

基于切换和迁移多执行体架构虚拟机的云侧信道攻击防御技术

[1]Almeida JB, Barbosa M, Barthe G, et al., 2016. Verifiable side-channel security of cryptographic implementations: constant-time MEE-CBC. 23^rd Int Conf on Fast Software Encryption, p.163-184.

[2]Amazon EC2, 2018. Amazon EC2. https://amazonaws-china.com/cn/events/ec2/?sc_channel=ps&sc_campaign=inbounddg&sc_publisher=baidu&sc_detail={ec2%20amazon}&sc_country=cn&sc_geo=chna&sc_category=ec2&sc_segment={AWS%20EC2|brand}&sc_outcome=field&trkCampaign=inbounddg_ec2& trk=Baidu|AWS%20EC2|brand|ec2%20amazon&audience=205636 [Accessed on Aug. 4, 2018].

[3]Bosman E, Razavi K, Bos H, et al., 2016. Dedup est Machina: memory deduplication as an advanced exploitation vector. IEEE Symp on Security and Privacy, p.987-1004.

[4]Douceur JR, 2002. The Sybil attack. 1^st Int Workshop on Peer-to-Peer Systems, p.251-260.

[5]Ezhilchelvan PD, Mitrani I, 2017. Evaluating the probability of malicious co-residency in public clouds. IEEE Trans Cloud Comput, 5(3):420-427.

[6]Feng DG, Zhang M, Zhang Y, et al., 2011. Study on cloud computing security. J Softw, 22(1):71-83 (in Chinese).

[7]Garey MR, Johnson DS, 1979. Computers and intractability: a guide to the theory of NP-completeness. W.H. Freeman & Co., New York, NY, USA, p.498-500.

[8]Gruss D, Maurice C, Wagner K, et al., 2016. Flush+Flush: a fast and stealthy cache attack. Int Conf on Detection of Intrusions and Malware, and Vulnerability Assessment, p.279-299.

[9]Han Y, Alpcan T, Chan J, et al., 2016. A game theoretical approach to defend against co-resident attacks in cloud computing: preventing co-residence using semi-supervised learning. IEEE Trans Inform Forens Secur, 11(3):556-570.

[10]Han Y, Chan J, Alpcan T, et al., 2017. Using virtual machine allocation policies to defend against co-resident attacks in cloud computing. IEEE Trans Depend Secur Comput, 14(1):95-108.

[11]Hu HC, Wu JX, Wang ZP, et al., 2018. Mimic defense: a designed-in cybersecurity defense framework. IET Inform Secur, 12(3):226-237.

[12]Irazoqui G, Eisenbarth T, Sunar B, 2015. S$A: a shared cache attack that works across cores and defies VM sandboxing --and its application to AES. IEEE Symp on Security and Privacy, p.591-604.

[13]Kämäräinen T, Shan YQ, Siekkinen M, et al., 2015. Virtual machines vs. containers in cloud gaming systems. Int Workshop on Network and Systems Support for Games, p.1-6.

[14]Kim T, Peinado M, Mainar-Ruiz G, 2012. STEALTHMEM: system-level protection against cache-based side channel attacks in the cloud. 21^st USENIX Conf on Security Symp, p.1-11.

[15]Kwiat L, Kamhoua CA, Kwiat KA, et al., 2015. Security-aware virtual machine allocation in the cloud: a game theoretic approach. Proc IEEE 8^th Int Conf on Cloud Computing, p.556-563.

[16]Li H, Ota K, Dong MX, et al., 2017. Multimedia processing pricing strategy in GPU-accelerated cloud computing. IEEE Trans Cloud Comput, p.1.

[17]Li H, Ota K, Dong MX, 2018. Virtual network recognition and optimization in SDN-enabled cloud environment. IEEE Trans Cloud Comput, p.1.

[18]Li P, Gao DB, Reiter MK, 2014. StopWatch: a cloud architecture for timing channel mitigation. ACM Trans Inform Syst Secur, 17(2):28.

[19]Lingeling, 2018. Lingeling, Plingeling and Treengeling. http://fmv.jku.at/lingeling/ [Accessed on Aug. 4, 2018].

[20]Liu FF, Lee RB, 2014. Random fill cache architecture. 47^th Annual IEEE/ACM Int Symp on Microarchitecture, p.203-215.

[21]Liu FF, Yarom Y, Ge Q, et al., 2015. Last-level cache side-channel attacks are practical. IEEE Symp on Security and Privacy, p.605-622.

[22]MariaDB, 2018. The MariaDB Foundation–Supporting Continuity and Open Collaboration in the MariaDB Ecosystem. https://mariadb.org [Accessed on Aug. 4, 2018].

[23]Microsoft Azure, 2018. Microsoft Azure. https://azure.microsoft.com/zh-cn/ [Accessed on Aug. 4, 2018].

[24]Migrate Instances, 2018. Migrate Instances. https://docs.openstack.org/nova/rocky/admin/migration.html [Accessed on Aug. 4, 2018].

[25]Moon SJ, Sekar V, Reiter MK, 2015. Nomad: mitigating arbitrary cloud side channels via provider-assisted migration. 22^nd ACM SIGSAC Conf on Computer and Communications Security, p.1595-1606.

[26]Moscibroda T, Mutlu O, 2007. Memory performance attacks: denial of memory service in multi-core systems. Proc 16^th USENIX Security Symp, Article 18.

[27]Nginx, 2018. Nginx News. http://nginx.org/ [Accessed on Aug. 4, 2018].

[28]OpenStack, 2018. The Open Infrastructure Summit CFP is Now Open! https://www.openstack.org/ [Accessed on Aug. 4, 2018].

[29]Pattuk E, Kantarcioglu M, Lin ZQ, et al., 2014. Preventing cryptographic key leakage in cloud virtual machines. Proc 23^rd USENIX Conf on Security Symp, p.703-718.

[30]Rackspace, 2018. Transform the Way You Do Business. https://www.rackspace.com/ [Accessed on Aug. 4, 2018].

[31]Raj H, Nathuji R, Singh A, et al., 2009. Resource management for isolation enhanced cloud services. Proc ACM Workshop on Cloud Computing Security, p.77-84.

[32]Ristenpart T, Tromer E, Shacham H, et al., 2009. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. Proc 16^th ACM Conf on Computer and Communications Security, p.199-212.

[33]Shyamasundar RK, 1996. Introduction to algorithms. Resonance, 1(9):14-24.

[34]Thompson M, Evans N, Kisekka V, 2014. Multiple OS rotational environment an implemented moving target defense. 7^th Int Symp on Resilient Control Systems, p.1-6.

[35]Varadarajan V, Ristenpart T, Swift M, 2014. Scheduler-based defenses against cross-VM side-channels. Proc 23^rd USENIX Conf on Security Symp, p.687-702.

[36]Vattikonda BC, Das S, Shacham H, 2011. Eliminating fine grained timers in Xen. 3^rd ACM Workshop on Cloud Computing Security Workshop, p.41-46.

[37]Wang HX, Li F, Chen SQ, 2016. Towards cost-effective moving target defense against DDoS and covert channel attacks. Proc ACM Workshop on Moving Target Defense, p.15-25.

[38]Wang ZH, Lee RB, 2007. New cache designs for thwarting software cache-based side channel attacks. ACM SIGARCH Comput Arch News, 35(2):494-505.

[39]Wang ZH, Lee RB, 2008. A novel cache architecture with enhanced performance and security. 41^st IEEE/ACM Int Symp on Microarchitecture, p.83-93.

[40]WikiBench, 2018. WikiBench. http://www.wikibench.eu/ [Accessed on Aug. 4, 2018].

[41]Wu J, Dong MX, Ota K, et al., 2017. FCSS: fog computing based content-aware filtering for security services in information centric social networks. IEEE Trans Emerg Top Comput, p.1.

[42]Wu J, Dong MX, Ota K, et al., 2018. Big data analysis-based secure cluster management for optimized control plane in software-defined networks. IEEE Trans Netw Serv Manag, 15(1):27-38.

[43]Wu JX, 2016. Research on cyber mimic defense. J Cyber Secur, 1(4):1-10 (in Chinese).

[44]Yarom Y, Falkner K, 2014. FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. Proc 23^rd USENIX Conf on Security Symp, p.719-732.

[45]Zhang YL, Li M, Bai K, et al., 2012. Incentive compatible moving target defense against VM-colocation attacks in clouds. In: Gritzalis D, Furnell S, Theoharidou M (Eds.), Information Security and Privacy Research. Springer Berlin Heidelberg, Germany, p.388-399.

[46]Zhang YQ, Reiter MK, 2013. Düppel: retrofitting commodity operating systems to mitigate cache side channels in the cloud. Proc ACM SIGSAC Conf on Computer & Communications Security, p.827-838.

[47]Zhang YQ, Juels A, Reiter MK, et al., 2012. Cross-VM side channels and their use to extract private keys. Proc ACM Conf on Computer and Communications Security, p.305- 316.

[48]Zhang YQ, Juels A, Reiter MK, et al., 2014. Cross-tenant side- channel attacks in PaaS clouds. Proc ACM SIGSAC Conf on Computer and Communications Security, p.990-1003.