Scheduler Vulnerabilities and Coordinated Attacks in Cloud Computing

Fangfei Zhou, Manishi Goel, Peter Desnoyers, Ravi Sundaram
DOI: 10.1109/NCA.2011.24 (https://doi.org/10.1109/NCA.2011.24)
Published in: 2011 IEEE 10th International Symposium on Network Computing and Applications
Publication date: 2011-08-25
Citations: 98
Record source: Semantic Scholar

Abstract

Recently, cloud computing services such as Amazon EC2 have used virtualization to provide customers with virtual machines running on the provider's hardware, typically charging by wall-clock time rather than by resources consumed. Under this business model, manipulation of the scheduler may allow theft of service at the expense of other customers. We have discovered and implemented an attack scenario which, when implemented on Amazon EC2, allowed virtual machines to consume more CPU time regardless of fair share. We provide a novel analysis of the necessary conditions for such attacks, and describe scheduler modifications to eliminate the vulnerability. We present experimental results demonstrating the effectiveness of these defenses while imposing negligible overhead. Cloud providers such as Amazon's EC2 do not explicitly provide the mapping of VMs to physical hosts. Our attack itself provides a mechanism for detecting the co-placement of VMs, which in conjunction with appropriate algorithms can be utilized to reveal this mapping. We abstract mapping discovery as a problem of finding an unknown partition (i.e. of VMs among physical hosts) using a minimum number of co-location queries. We present an algorithm that is provably optimal when the maximum partition size is bounded. In the unbounded case we show upper and lower bounds using the probabilistic method in conjunction with a sieving technique. Our work has implications beyond this attack, for other cases of system and network topology inference from limited data.