Dynamically Provisioning Isolation in Hierarchical Architectures

  • Kevin Falzon
  • Eric Bodden
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9290)


Physical isolation provides tenants in a cloud with strong security guarantees, yet dedicating entire machines to tenants would go against cloud computing’s tenet of consolidation. A fine-grained isolation model allowing tenants to request fractions of dedicated hardware can provide similar guarantees at a lower cost.

In this work, we investigate the dynamic provisioning of isolation at various levels of a system’s architecture, primarily at the core, cache, and machine level, as well as their virtualised equivalents. We evaluate recent technological developments, including post-copy VM migration and OS containers, and show how they assist in improving reconfiguration times and utilisation. We incorporate these concepts into a unified framework, dubbed SafeHaven, and apply it to two case studies, showing its efficacy in both a reactive and an anticipatory role. Specifically, we describe its use in detecting and foiling a system-wide covert channel in a matter of seconds, and in implementing a multi-level moving target defence policy.


Side channels, Covert channels, Migration, Isolation



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. European Centre for Security and Privacy by Design (EC-SPRIDE), Darmstadt, Germany
