Interference-based VM Migration to Mitgate Cache-based Side-channel Attacks in Cloud

Co-residency of different clients' VMs on the same hardware platform puts users at risk of cache-based side-channel attacks in cloud. While current countermeasures fail to be general and precise, we observe that cache behaviors of co-resident VMs interfere with each other. So we set up a novel cache interference model which precisely depicts how a bystander's behavior affects cache side channels between VMs. Based on this model, we propose an interference-based VM migration strategy to defend against cache attacks by co-locating multiple VMs so as to maximize the effect of one VM's cache activities on disrupting the cache access pattern of another VM which might be utilized by side-channel attackers. Simulation result shows that our approach is effective against cache attacks by improving the average interference ratio by about 35%.

• Publication year

  2018

• Venue

  2018 IEEE 4th International Conference on Computer and Communications (ICCC)

• Publication date

  2018-12-01

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1109/CompComm.2018.8780825
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Using Virtual Machine Allocation Policies to Defend against Co-Resident Attacks in Cloud Computing

  2017cited by this paper
• A cost-effective security management for clouds: A game-theoretic deception mechanism

  2017cited by this paper
• Evaluating the Probability of Malicious Co-Residency in Public Clouds

  2017cited by this paper
• Towards Cost-Effective Moving Target Defense Against DDoS and Covert Channel Attacks

  2016cited by this paper
• Flush+Flush: A Fast and Stealthy Cache Attack

  2015cited by this paper
• Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration

  2015influential reference
• Last-Level Cache Side-Channel Attacks are Practical

  2015cited by this paper
• On Mitigating the Risk of Cross-VM Covert Channels in a Public Cloud

  2015cited by this paper
• Thwarting Cache Side-Channel Attacks Through Dynamic Software Diversity

  2015cited by this paper
• Preventing Cryptographic Key Leakage in Cloud Virtual Machines

  2014cited by this paper
• StopWatch: A Cloud Architecture for Timing Channel Mitigation

  2014cited by this paper
• Scheduler-based Defenses against Cross-VM Side-channels

  2014cited by this paper
• FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack

  2014cited by this paper
• Düppel: retrofitting commodity operating systems to mitigate cache side channels in the cloud

  2013cited by this paper
• Incentive Compatible Moving Target Defense against VM-Colocation Attacks in Clouds

  2012cited by this paper
• Cache Attacks and Countermeasures: The Case of AES

  2006cited by this paper
• Partitioned Cache Architecture as a Side-Channel Defence Mechanism

  2005cited by this paper

• Emerging VM Threat Prediction and Dynamic Workload Estimation for Secure Resource Management in Industrial Clouds

  2024cites this paper
• An AI-Driven VM Threat Prediction Model for Multi-Risks Analysis-Based Cloud Cybersecurity

  2023cites this paper
• IAGA: Interference Aware Genetic Algorithm based VM Allocation Policy for Cloud Systems

  2022cites this paper
• Hardware Information Flow Tracking

  2021cites this paper
• Minimization of Expected User Losses Considering Co-resident Attacks in Cloud System with Task Replication and Cancellation

  2021cites this paper