VM migration is an effective countermeasure against attempts at malicious co-residency. In this paper, our overarching objectives are: (a) to get an in-depth understanding of the ways and effectiveness with which an attacker can launch attacks toward achieving co-residency and (b) to design migration policies that are very effective in thwarting malicious co-residency, but are thrifty in terms of the bandwidth and downtime costs that are incurred with live migration. Toward achieving our goals, we first undertake an experimental study on Amazon EC2 to obtain an in-depth understanding of the side-channels, through which an attacker can use to ascertain co-residency with a victim. Here, in this paper, we identify a new set of stealthy side-channel attacks which we show to be more effective than the currently available attacks toward verifying co-residency. We also build a simple model that can be used for estimating co-residency times based on very few measurements on a given cloud platform, to account for varying attacker capabilities. Based on the study, we develop a set of guidelines to determine under what conditions the victim VM migrations should be triggered, given the performance costs in terms of bandwidth and downtime, which a user is willing to bear. Through extensive experiments on our private in-house cloud, we show that the migrations, using our guidelines, can limit the fraction of the time that an attacker VM co-resides with a victim VM to about 1% of the time with the bandwidth costs of a few MB and downtimes of a few seconds per day per VM migrated.
All Science Journal Classification (ASJC) codes
- Computer Science Applications
- Computer Networks and Communications
- Electrical and Electronic Engineering