Improving Cloud Survivability through Dependency based Virtual Machine Placement

Min Li, Yulong Zhang, Kun Bai, Wanyu Zang, Meng Yu, Xubin He

Abstract

Cloud computing is becoming increasingly popular as computing infrastructure, but it also introduces new security problems. For example, a physical server shared by many virtual machines can be taken over by an attacker if the virtual machine monitor is compromised through one of the virtual machines. Thus, collocating with vulnerable virtual machines, or “bad neighbours”, on the same physical server introduces additional security risks. Moreover, the connections between virtual machines, such as the network connection between a web server and its back-end database server, are natural attack paths. Therefore, both virtual machine placement and the connections among virtual machines have a great impact on the overall security of the cloud. In this paper, we quantify the security risks of cloud environments based on virtual machine vulnerabilities and placement schemes. Based on our security evaluation, we develop techniques to generate virtual machine placements that minimize the security risks while considering the connections among virtual machines. According to the experimental results, our approach can greatly improve the survivability of most virtual machines and of the whole cloud. The computing and deployment costs of our techniques are also practical.



Paper Citation


in Harvard Style

Li M., Zhang Y., Bai K., Zang W., Yu M. and He X. (2012). Improving Cloud Survivability through Dependency based Virtual Machine Placement. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012) ISBN 978-989-8565-24-2, pages 321-326. DOI: 10.5220/0004076003210326


in Bibtex Style

@conference{secrypt12,
author={Min Li and Yulong Zhang and Kun Bai and Wanyu Zang and Meng Yu and Xubin He},
title={Improving Cloud Survivability through Dependency based Virtual Machine Placement},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)},
year={2012},
pages={321-326},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004076003210326},
isbn={978-989-8565-24-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)
TI - Improving Cloud Survivability through Dependency based Virtual Machine Placement
SN - 978-989-8565-24-2
AU - Li M.
AU - Zhang Y.
AU - Bai K.
AU - Zang W.
AU - Yu M.
AU - He X.
PY - 2012
SP - 321
EP - 326
DO - 10.5220/0004076003210326