Abstract

Recently, cloud computing services such as Amazon EC2 have used virtualization to provide customers with virtual machines running on the provider's hardware, typically charging by wall clock time rather than resources consumed. Under this business model, manipulation of the scheduler may allow theft-of-service at the expense of other customers. We have discovered and implemented an attack scenario which, when implemented on Amazon EC2, allowed virtual machines to consume more CPU time regardless of fair share. We provide a novel analysis of the necessary conditions for such attacks, and describe scheduler modifications to eliminate the vulnerability. We present experimental results demonstrating the effectiveness of these defenses while imposing negligible overhead. Cloud providers such as Amazon's EC2 do not explicitly provide the mapping of VMs to physical hosts. Our attack itself provides a mechanism for detecting the co-placement of VMs, which in conjunction with appropriate algorithms can be utilized to reveal this mapping. We abstract mapping discovery as a problem of finding an unknown partition (i.e., of VMs among physical hosts) using a minimum number of co-location queries. We present an algorithm that is provably optimal when the maximum partition size is bounded. In the unbounded case we show upper and lower bounds using the probabilistic method in conjunction with a sieving technique. Our work has implications beyond this attack, for other cases of system and network topology inference from limited data.
Field | Value |
---|---|
Year | 2013 |
DOI | 10.3233/JCS-130474 |
Venue | Journal of Computer Security |
Keywords | sieving technique, amazon ec2, virtualization, single physical system, physical host, scheduling, coordinated attacks, scheduler vulnerabilities, cloud computing service, business model, wall clock time, virtual machine, scheduler vulnerability, scheduler modification, abstract mapping discovery, virtual machines, probabilistic method, attack scenario, operating system, theft-of-service, resource management, virtualisation, cloud provider, xen scheduler, cloud computing attack, mapping discovery abstracting, cloud computing services, cloud computing, separate operating system instance, maximum partition size, cpu time, network topology inference, security of data, probability, linux, virtual machine monitor, hardware, upper and lower bounds, network topology, resource manager, kernel |
DocType | Journal |
Volume | 21 |
Issue | 4 |
ISSN | 0926-227X |
Citations | 22 |
PageRank | 0.99 |
References | 23 |
Authors | 4 |
Name | Order | Citations | PageRank |
---|---|---|---|
Fangfei Zhou | 1 | 51 | 3.80 |
M. Goel | 2 | 231 | 27.01 |
Peter Desnoyers | 3 | 639 | 41.59 |
Ravi Sundaram | 4 | 762 | 72.13 |