{"title":"迁移攻击:针对云虚拟机迁移方案的多资源DoS攻击","authors":"Jia-Rung Yeh, H. Hsiao, Ai-Chun Pang","doi":"10.1109/AsiaJCIS.2016.14","DOIUrl":null,"url":null,"abstract":"Live virtual machine (VM) migration is the core technology in elastic cloud computing. With live VM migration, cloud providers can improve resource use and quality of service by adjusting the VM placement on demand. However, live migration is expensive because of high CPU usage and the negative effect on co-located VMs, and frequent live migration thus severely undermines the performance of the cloud. Although existing dynamic allocation schemes are designed to minimize the number of live migrations, this study demonstrated that a denial-of-service adversary can cause excessive live migrations by exploiting dynamic allocation. The attack, which we term migrant attack, deliberately varies the resource usages of a malicious VM to trigger live migration. A crucial feature of the migrant attack is that even if VMs on the same physical machine are perfectly isolated through virtualization, a malicious VM can still affect the availability of the co-located VMs. As proof of concept, we investigated two common VM allocation schemes: load balancing and consolidation. We evaluated the effectiveness of the attack by using both simulations and testbed experiments. We also discuss several potential countermeasures, such as enforcing another layer of isolation between malicious and harmless VMs in dynamic allocation schemes.","PeriodicalId":213242,"journal":{"name":"2016 11th Asia Joint Conference on Information Security (AsiaJCIS)","volume":"98 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":"{\"title\":\"Migrant Attack: A Multi-resource DoS Attack on Cloud Virtual Machine Migration Schemes\",\"authors\":\"Jia-Rung Yeh, H. Hsiao, Ai-Chun Pang\",\"doi\":\"10.1109/AsiaJCIS.2016.14\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Live virtual machine (VM) migration is the core technology in elastic cloud computing. With live VM migration, cloud providers can improve resource use and quality of service by adjusting the VM placement on demand. However, live migration is expensive because of high CPU usage and the negative effect on co-located VMs, and frequent live migration thus severely undermines the performance of the cloud. Although existing dynamic allocation schemes are designed to minimize the number of live migrations, this study demonstrated that a denial-of-service adversary can cause excessive live migrations by exploiting dynamic allocation. The attack, which we term migrant attack, deliberately varies the resource usages of a malicious VM to trigger live migration. A crucial feature of the migrant attack is that even if VMs on the same physical machine are perfectly isolated through virtualization, a malicious VM can still affect the availability of the co-located VMs. As proof of concept, we investigated two common VM allocation schemes: load balancing and consolidation. We evaluated the effectiveness of the attack by using both simulations and testbed experiments. We also discuss several potential countermeasures, such as enforcing another layer of isolation between malicious and harmless VMs in dynamic allocation schemes.\",\"PeriodicalId\":213242,\"journal\":{\"name\":\"2016 11th Asia Joint Conference on Information Security (AsiaJCIS)\",\"volume\":\"98 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2016-08-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"7\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2016 11th Asia Joint Conference on Information Security (AsiaJCIS)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/AsiaJCIS.2016.14\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 11th Asia Joint Conference on Information Security (AsiaJCIS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/AsiaJCIS.2016.14","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Migrant Attack: A Multi-resource DoS Attack on Cloud Virtual Machine Migration Schemes
Live virtual machine (VM) migration is the core technology in elastic cloud computing. With live VM migration, cloud providers can improve resource use and quality of service by adjusting the VM placement on demand. However, live migration is expensive because of high CPU usage and the negative effect on co-located VMs, and frequent live migration thus severely undermines the performance of the cloud. Although existing dynamic allocation schemes are designed to minimize the number of live migrations, this study demonstrated that a denial-of-service adversary can cause excessive live migrations by exploiting dynamic allocation. The attack, which we term migrant attack, deliberately varies the resource usages of a malicious VM to trigger live migration. A crucial feature of the migrant attack is that even if VMs on the same physical machine are perfectly isolated through virtualization, a malicious VM can still affect the availability of the co-located VMs. As proof of concept, we investigated two common VM allocation schemes: load balancing and consolidation. We evaluated the effectiveness of the attack by using both simulations and testbed experiments. We also discuss several potential countermeasures, such as enforcing another layer of isolation between malicious and harmless VMs in dynamic allocation schemes.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
