Title | : | A Deterministic Moving Target Defense Mechanism for Mitigating Cross-VM Attacks in Clouds |
Speaker | : | Arun Raj (IITM) |
Details | : | Thu, 28 Jun, 2018 4:00 PM @ A M Turing Hall |
Abstract | : | Virtualization technology enables cloud providers to host multiple virtual machines (VMs) on the same physical host and rent them to different customers. Though virtualization might give a notion of isolated environments, the VMs still share the underlying hardware resources. As a result, cloud instances are vulnerable to cross-core, cross-VM attacks against the shared memory subsystem. Also, the attacker possesses an asymmetric advantage of time if the system stays in one state.
Moving target defense is a promising strategy to counter the configuration staticity problem. However, existing techniques are all probabilistic in nature and reconfigure the system when the probability of an attack is high. Naive probabilistic models can be ineffective against complex attacks and also result in unnecessary reconfigurations, leading to increased costs. Since cloud instances are rented for a specific time duration, preemptive release can result in excessive resource wastage. We propose a deterministic mechanism which relies on actual indicators of attacks and knowledge about cloud instance lease periods to determine the time of system reconfiguration. It consists of two major components: an analysis module to model and predict the growth rate of attacks (for attacks with a profiling phase, e.g., cache timing attacks), and a migration module based on live migration of Linux containers. Another component is a cache obfuscation mechanism which can be used to dampen or slow down an attack when significant time remains on the lease of an instance. Experimental evaluation shows that our approach is able to detect different types of attacks with low overheads of < 5%. The migration process incurs a nominal downtime of a few seconds. Moreover, the proposed mechanism does not require changes to the hardware or hypervisor and can be utilized by regular cloud subscribers. |
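The decision logic the abstract describes (fit the growth rate of a profiling-phase attack, extrapolate when it would complete, and pick between doing nothing, cache obfuscation and container migration based on the remaining lease) can be sketched as follows. This is an added illustration, not the speaker's implementation: the linear growth model, the `slowdown` factor attributed to obfuscation, the migration `lead` time and the progress readings in `SAMPLES` are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed attack-indicator readings (assumed): the analysis module's estimate
# of how far a profiling-phase attack such as a cache-timing attack has progressed
# (fraction of profiling done), sampled every 10 s since the lease started.
SAMPLES = [(0.0, 0.00), (10.0, 0.05), (20.0, 0.10), (30.0, 0.15)]


def fit_growth_rate(samples: List[Tuple[float, float]]) -> Tuple[float, float]:
    """Least-squares fit of progress = rate * t + intercept (assumed growth model)."""
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_p = sum(p for _, p in samples) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in samples)
    if sxx == 0.0:                      # all samples at one instant: no trend yet
        return 0.0, mean_p
    rate = sum((t - mean_t) * (p - mean_p) for t, p in samples) / sxx
    return rate, mean_p - rate * mean_t


def time_to_completion(samples: List[Tuple[float, float]], now: float) -> float:
    """Seconds from `now` until the fitted progress line reaches 1.0 (attack done)."""
    rate, intercept = fit_growth_rate(samples)
    if rate <= 0.0:                     # no measurable growth: attack never completes
        return float("inf")
    return max(0.0, (1.0 - intercept) / rate - now)


@dataclass
class Decision:
    action: str     # "none", "obfuscate" or "migrate"
    at: float       # absolute time at which to act (meaningful for "migrate")


def decide(samples: List[Tuple[float, float]], now: float, lease_end: float,
           slowdown: float = 2.0, lead: float = 10.0) -> Decision:
    """Deterministic policy (assumed): take the cheapest action that keeps the
    predicted completion of the attack beyond the end of the instance's lease."""
    remaining = lease_end - now
    ttc = time_to_completion(samples, now)
    if ttc >= remaining:                # lease expires first: let it run out
        return Decision("none", now)
    if ttc * slowdown >= remaining:     # obfuscation dampens the attack enough
        return Decision("obfuscate", now)
    # Otherwise schedule a live migration `lead` seconds before predicted completion.
    return Decision("migrate", now + max(0.0, ttc - lead))
```

With the constructed readings the fitted rate is 0.5% of the profiling per second, so at t = 30 s the attack is predicted to complete 170 s later; a lease ending at 150 s needs no action, one ending at 300 s is covered by obfuscation, and a long lease triggers a migration scheduled for t = 190 s.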