Smart Resource Allocation to Improve Cloud Security

  • Eddy Caron
  • Frédéric Desprez
  • Jonathan Rouzaud-Cornabas
Chapter

Abstract

Virtualization is now widely used in modern datacenters. Thanks to mature software stacks and the widespread availability of platforms all over the world, the Cloud is now available for many applications of different kinds. Security and performance are the main goals users want to achieve when porting applications over IaaS or PaaS platforms. Security has been proven to be sometimes difficult to obtain [3, 60, 85], and several issues have been raised in public Clouds and public domain virtualization software stacks. Several different kinds of attacks and security issues can be observed that may lower the impact of Clouds. On the performance side, the expectations are higher than what can actually be obtained on today's public Clouds. Shared nodes lead to performance degradation that is not appropriate for high performance applications. Isolation is therefore a critical issue for both security and performance concerns.

References

  1. Afoulki Z, Bousquet A, Briffaut J, Rouzaud-Cornabas J, Toinard C (2012) MAC protection of the OpenNebula cloud environment. In: International conference on high performance computing and simulation (HPCS), pp 85–90
  2. Al-Fares M, Loukissas A, Vahdat A (2008) A scalable, commodity data center network architecture. SIGCOMM Comput Commun Rev 38(4):63–74
  3. Ali Q, Kiriansky V, Simons J, Zaroo P (2012) Performance evaluation of HPC benchmarks on VMware's ESXi server. In: Proceedings of the 2011 international conference on parallel processing, Euro-Par'11. Springer, Berlin, pp 213–222
  4. Andreozzi S, Burke S, Ehm F, Field L, Galang G, Konya B, Litmaath M, Millar P, Navarro J (2009) GLUE Specification v. 2.0
  5. Ballani H, Costa P, Karagiannis T, Rowstron A (2011) Towards predictable datacenter networks. SIGCOMM Comput Commun Rev 41(4):242–253
  6. Barabash K, Cohen R, Hadas D, Jain V, Recio R, Rochwerger B (2011) A case for overlays in DCN virtualization. In: Proceedings of the 3rd workshop on data center—converged and virtual ethernet switching, DC-CaVES'11, ITCP, pp 30–37
  7. Barham P, Dragovic B, Fraser K, Hand S, Harris T, Ho A, Neugebauer R, Pratt I, Warfield A (2003) Xen and the art of virtualization. SIGOPS Oper Syst Rev 37(5):164–177
  8. Barker SK, Shenoy P (2010) Empirical evaluation of latency-sensitive application performance in the cloud. In: Proceedings of the first annual ACM SIGMM conference on multimedia systems, MMSys'10. ACM, New York, NY, USA, pp 35–46
  9. Bates A, Mood B, Pletcher J, Pruse H, Valafar M, Butler K (2012) Detecting co-residency with active traffic analysis techniques. In: Proceedings of the 2012 ACM workshop on cloud computing security workshop, CCSW'12. ACM, New York, NY, USA, pp 1–12
  10. Bhadauria M, McKee SA (2010) An approach to resource-aware co-scheduling for CMPs. In: Proceedings of the 24th ACM international conference on supercomputing, ICS'10. ACM, New York, NY, USA, pp 189–199
  11. Biran O, Corradi A, Fanelli M, Foschini L, Nus A, Raz D, Silvera E (2012) A stable network-aware VM placement for cloud systems. In: Proceedings of the 2012 12th IEEE/ACM international symposium on cluster, cloud and grid computing (CCGrid 2012), CCGRID'12. IEEE Computer Society, Washington, DC, USA, pp 498–506
  12. Bleikertz S, Groß T (2011) A virtualization assurance language for isolation and deployment. IEEE Policy, VALID
  13. Brandtzaeg E, Mohagheghi P, Mosser S (2012) Towards a domain-specific language to deploy applications in the clouds. In: CLOUD COMPUTING 2012, the third international conference on cloud computing, GRIDs, and virtualization, pp 213–218
  14. Breitgand D, Epstein A (2012) Improving consolidation of virtual machines with risk-aware bandwidth oversubscription in compute clouds. In: Proceedings of IEEE INFOCOM, pp 2861–2865
  15. Broquedis F, Clet-Ortega J, Moreaud S, Furmento N, Goglin B, Mercier G, Thibault S, Namyst R (2010) hwloc: a generic framework for managing hardware affinities in HPC applications. In: 18th Euromicro international conference on parallel, distributed and network-based processing (PDP), pp 180–186
  16. Cappello F, Caron E, Dayde M, Desprez F, Jegou Y, Primet P, Jeannot E, Lanteri S, Leduc J, Melab N, Mornet G, Namyst R, Quetier B, Richard O (2005) Grid'5000: a large scale and highly reconfigurable grid experimental testbed. In: Proceedings of the 6th IEEE/ACM international workshop on grid computing, GRID'05. IEEE Computer Society, Washington, DC, USA, pp 99–106
  17. Clemente P, Rouzaud-Cornabas J, Toinard C (2010) From a generic framework for expressing integrity properties to a dynamic MAC enforcement for operating systems. In: Gavrilova M, Tan C, Moreno E (eds) Transactions on computational science XI, vol 6480 of Lecture Notes in Computer Science. Springer, Berlin, pp 131–161
  18. Fan P, Chen Z, Wang J, Zheng Z, Lyu MR (2012) Topology-aware deployment of scientific applications in cloud computing. In: 2012 IEEE fifth international conference on cloud computing, pp 319–326
  19. Fedorova A, Seltzer M, Smith MD (2007) Improving performance isolation on chip multiprocessors via an operating system scheduler. In: Proceedings of the 16th international conference on parallel architecture and compilation techniques, PACT'07. IEEE Computer Society, Washington, DC, USA, pp 25–38
  20. Feller E, Rilling L, Morin C (2011) Energy-aware ant colony based workload placement in clouds. In: The 12th IEEE/ACM international conference on grid computing (GRID-2011), Lyon, France
  21. Feller E, Rilling L, Morin C, Lottiaux R, Leprince D (2010) Snooze: a scalable, fault-tolerant and distributed consolidation manager for large-scale clusters. In: Green computing and communications (GreenCom), 2010 IEEE/ACM Int'l conference on cyber, physical and social computing (CPSCom), pp 125–132
  22. Galán F, Sampaio A, Rodero-Merino L, Loy I, Gil V, Vaquero LM (2009) Service specification in cloud environments based on extensions to open standards. In: Proceedings of the fourth international ICST Conference on cOMmunication System softWAre and middlewaRE, COMSWARE'09, vol 19. ACM, New York, NY, USA, pp 1–19, 12
  23. Ganguly A, Agrawal A, Boykin P, Figueiredo R (2006) IP over P2P: enabling self-configuring virtual IP networks for grid computing. In: 20th International conference on parallel and distributed processing symposium, IPDPS 2006, p 10
  24. Goglin B, Moreaud S (2011) Dodging non-uniform I/O access in hierarchical collective operations for multicore clusters. In: CASS, the 1st workshop on communication architecture for scalable systems, held in conjunction with IPDPS 2011. IEEE Computer Society Press, Anchorage, AK
  25. Gonçalves G, Endo P, Santos M, Sadok D, Kelner J, Melander B, Mangs J (2011) CloudML: an integrated language for resource, service and request description for D-clouds. In: 2011 IEEE third international conference on cloud computing technology and science (CloudCom). IEEE, pp 399–406
  26. Greenberg A, Hamilton JR, Jain N, Kandula S, Kim C, Lahiri P, Maltz DA, Patel P, Sengupta S (2009) VL2: a scalable and flexible data center network. SIGCOMM Comput Commun Rev 39(4):51–62
  27. Gude N, Koponen T, Pettit J, Pfaff B, Casado M, McKeown N, Shenker S (2008) NOX: towards an operating system for networks. SIGCOMM Comput Commun Rev 38(3):105–110
  28. Gulati A, Merchant A, Varman PJ (2010) mClock: handling throughput variability for hypervisor IO scheduling. In: Proceedings of the 9th USENIX conference on operating systems design and implementation, OSDI'10. USENIX Association, Berkeley, CA, USA, pp 1–7
  29. Harnik D, Pinkas B, Shulman-Peleg A (2010) Side channels in cloud services: deduplication in cloud storage. IEEE Secur Priv 8(6):40–47
  30. Hayashi Y, Itsumi H, Yamamoto M (2011) Improving fairness of quantized congestion notification for data center ethernet networks. In: Proceedings of the 2011 31st international conference on distributed computing systems workshops, ICDCSW'11. IEEE Computer Society, Washington, DC, USA, pp 20–25
  31. Hicks B, Rueda S, King D, Moyer T, Schiffman J, Sreenivasan Y, McDaniel P, Jaeger T (2010) An architecture for enforcing end-to-end access control over web applications. In: Proceedings of the 15th ACM symposium on access control models and technologies, SACMAT'10. ACM, New York, NY, USA, pp 163–172
  32. Huber N, von Quast M, Hauck M, Kounev S (2011) Evaluating and modeling virtualization performance overhead for cloud environments. In: Proceedings of the 1st international conference on cloud computing and services science (CLOSER 2011), Noordwijkerhout, The Netherlands, 7–9 May. SciTePress, pp 563–573. Acceptance rate: 18/164 = 10.9 %, Best Paper Award
  33. Jayasinghe D, Pu C, Eilam T, Steinder M, Whally I, Snible E (2011) Improving performance and availability of services hosted on IaaS clouds with structural constraint-aware virtual machine placement. In: IEEE international conference on services computing (SCC), pp 72–79
  34. Jiang X, Xu D (2004) VIOLIN: virtual internetworking on overlay infrastructure. In: Proceedings of the second international conference on parallel and distributed processing and applications, ISPA'04. Springer, Berlin, pp 937–946
  35. Keller E, Szefer J, Rexford J, Lee RB (2010) NoHype: virtualized cloud infrastructure without the virtualization. SIGARCH Comput Archit News 38(3):350–361
  36. Kim G, Park H, Yu J, Lee W (2012) Virtual machines placement for network isolation in clouds. In: Proceedings of the 2012 ACM research in applied computation symposium, RACS'12. ACM, New York, NY, USA, pp 243–248
  37. Kortchinsky K (2009) Hacking 3D (and breaking out of VMware). Black Hat USA
  38. Lacour S, Perez C, Priol T (2004) A network topology description model for grid application deployment. In: Proceedings of the 5th IEEE/ACM international workshop on grid computing, GRID'04. IEEE Computer Society, Washington, DC, USA, pp 61–68
  39. Landau A, Hadas D, Ben-Yehuda M (2010) Plugging the hypervisor abstraction leaks caused by virtual networking. In: Proceedings of the 3rd annual Haifa experimental systems conference, SYSTOR'10. ACM, New York, NY, USA, pp 16:1–16:9
  40. Li J, Qiu M, Niu J, Gao W, Zong Z, Qin X (2010) Feedback dynamic algorithms for preemptable job scheduling in cloud systems. In: Proceedings of the 2010 IEEE/WIC/ACM international conference on web intelligence and intelligent agent technology, vol 01, WI-IAT'10. IEEE Computer Society, Washington, DC, USA, pp 561–564
  41. Macdonell C, Lu P (2007) Pragmatics of virtual machines for high-performance computing: a quantitative study of basic overheads. In: High performance computing and simulation conference
  42. Marshall A, Howard M, Bugher G, Harden B, Kaufman C, Rues M, Bertocci V (2010) Security best practices for developing Windows Azure applications. Microsoft Corp
  43. McKeown N, Anderson T, Balakrishnan H, Parulkar G, Peterson L, Rexford J, Shenker S, Turner J (2008) OpenFlow: enabling innovation in campus networks. SIGCOMM Comput Commun Rev 38(2):69–74
  44. Meng X, Pappas V, Zhang L (2010) Improving the scalability of data center networks with traffic-aware virtual machine placement. In: Proceedings of the 29th conference on information communications, INFOCOM'10. IEEE Press, Piscataway, NJ, USA, pp 1154–1162
  45. Merkel A, Stoess J, Bellosa F (2010) Resource-conscious scheduling for energy efficiency on multicore processors. In: Proceedings of the 5th European conference on computer systems, EuroSys'10. ACM, New York, NY, USA, pp 153–166
  46. Mills K, Filliben J, Dabrowski C (2011) Comparing VM-placement algorithms for on-demand clouds. In: Proceedings of the 2011 IEEE conference CloudCom
  47. Mirkovic J, Faber T, Hsieh P, Malaiyandisamy G, Malaviya R (2010) DADL: distributed application description language. USC/ISI Technical Report # ISI-TR-664
  48. Moscibroda T, Mutlu O (2007) Memory performance attacks: denial of memory service in multi-core systems. In: Proceedings of the 16th USENIX security symposium, SS'07. USENIX Association, Berkeley, CA, USA, pp 18:1–18:18
  49. Murakami J (2008) A hypervisor IPS based on hardware assisted virtualization technology. Black Hat USA
  50. Nathani A, Chaudhary S, Somani G (2012) Policy based resource allocation in IaaS cloud. Future Gener Comput Syst 28(1):94–103
  51. Nguyen Van H, Dang Tran F, Menaud J-M (2009) Autonomic virtual resource management for service hosting platforms. In: Proceedings of the 2009 ICSE workshop on software engineering challenges of cloud computing, CLOUD'09. IEEE Computer Society, Washington, DC, USA, pp 1–8
  52. Okamura K, Oyama Y (2010) Load-based covert channels between Xen virtual machines. In: Proceedings of the 2010 ACM symposium on applied computing, SAC'10. ACM, New York, NY, USA, pp 173–180
  53. Onoue K, Matsuoka N, Tanaka J (2012) Host-based multi-tenant technology for scalable data center networks. In: Proceedings of the eighth ACM/IEEE symposium on architectures for networking and communications systems, ANCS'12. ACM, New York, NY, USA, pp 87–98
  54. Osvik DA, Shamir A, Tromer E (2006) Cache attacks and countermeasures: the case of AES. In: Proceedings of the 2006 cryptographers' track at the RSA conference on topics in cryptology, CT-RSA'06. Springer, Berlin, pp 1–20
  55. Open Virtualization Format Specification, version 1.0.0d. Distributed Management Task Force, Inc. (DMTF)
  56. Page D (2005) Partitioned cache architecture as a side-channel defence mechanism. Technical report 2005/280, IACR Cryptology ePrint archive
  57. Percival C (2005) Cache missing for fun and profit. BSDCan
  58. Pu X, Liu L, Mei Y, Sivathanu S, Koh Y, Pu C (2010) Understanding performance interference of I/O workload in virtualized cloud environments. In: 2010 IEEE 3rd international conference on cloud computing (CLOUD), pp 51–58
  59. Raj H, Nathuji R, Singh A (2009) Resource management for isolation enhanced cloud services. In: CCSW'09, proceedings of the 2009 ACM workshop on cloud computing security, p 77
  60. Ristenpart T, Tromer E, Shacham H, Savage S (2009) Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM conference on computer and communications security, CCS'09. ACM, New York, NY, USA, pp 199–212
  61. Rodero-Merino L, Vaquero LM, Caron E, Muresan A, Desprez F (2012) Building safe PaaS clouds: a survey on security in multitenant software platforms. Comput Secur 31(1):96–108
  62. Schad J, Dittrich J, Quiané-Ruiz J-A (2010) Runtime measurements in the cloud: observing, analyzing, and reducing variance. Proc VLDB Endow 3(1–2):460–471
  63. Shieh A, Kandula S, Greenberg A, Kim C (2010) Seawall: performance isolation for cloud datacenter networks. In: Proceedings of the 2nd USENIX conference on hot topics in cloud computing, HotCloud'10. USENIX Association, Berkeley, CA, USA, p 1
  64. Simarro JLL, Moreno-Vozmediano R, Montero RS, Llorente IM (2011) Dynamic placement of virtual machines for cost optimization in multi-cloud environments. In: International conference on high performance computing and simulation (HPCS), pp 1–7
  65. Sotomayor B, Keahey K, Foster I (2008) Combining batch execution and leasing using virtual machines. In: Proceedings of the 17th international symposium on high performance distributed computing, HPDC'08. ACM, New York, NY, USA, pp 87–96
  66. Sotomayor B, Montero RS, Llorente IM, Foster I (2009) Virtual infrastructure management in private and hybrid clouds. IEEE Internet Comput 13(5):14–22
  67. Srikantaiah S, Kansal A, Zhao F (2008) Energy aware consolidation for cloud computing. In: Proceedings of the 2008 conference on power aware computing and systems, HotPower'08. USENIX Association, Berkeley, CA, USA, p 10
  68. Stabler G, Rosen A, Goasguen S, Wang K-C (2012) Elastic IP and security groups implementation using OpenFlow. In: Proceedings of the 6th international workshop on virtualization technologies in distributed computing date, VTDC'12. ACM, New York, NY, USA, pp 53–60
  69. Stillwell M, Schanzenbach D, Vivien F, Casanova H (2009) Resource allocation using virtual clusters. In: Proceedings of the 2009 9th IEEE/ACM international symposium on cluster computing and the grid, CCGRID'09. IEEE Computer Society, Washington, DC, USA, pp 260–267
  70. Sundararaj AI, Dinda PA (2004) Towards virtual networks for virtual machine grid computing. In: Proceedings of the 3rd conference on virtual machine research and technology symposium, vol 3, VM'04. USENIX Association, Berkeley, CA, USA, pp 14–14
  71. Szefer J, Keller E, Lee R (2011) Eliminating the hypervisor attack surface for a more secure cloud. In: ACM conference on computer and communications security
  72. Taesoo K, Peinado M, Mainar-Ruiz G (2012) System-level protection against cache-based side channel attacks in the cloud. In: Proceedings of the 21st USENIX security symposium, USENIX Security'12. USENIX Association, Berkeley, CA, USA, pp 1–16
  73. Tickoo O, Iyer R, Illikkal R, Newell D (2010) Modeling virtual machine performance: challenges and approaches. SIGMETRICS Perform Eval Rev 37(3):55–60
  74. Tordsson J, Montero RS, Moreno-Vozmediano R, Llorente IM (2012) Cloud brokering mechanisms for optimized placement of virtual machines across multiple providers. Future Gener Comput Syst 28(2):358–367
  75. Tsugawa M, Fortes JAB (2006) A virtual network (ViNe) architecture for grid computing. In: Proceedings of the 20th international conference on parallel and distributed processing, IPDPS'06. IEEE Computer Society, Washington, DC, USA, pp 148–148
  76. Varadarajan V, Kooburat T, Farley B, Ristenpart T, Swift MM (2012) Resource-freeing attacks: improve your cloud performance (at your neighbor's expense). In: Proceedings of the 2012 ACM conference on computer and communications security, CCS'12. ACM, New York, NY, USA, pp 281–292
  77. Verghese B, Gupta A, Rosenblum M (1998) Performance isolation: sharing and isolation in shared-memory multiprocessors. SIGOPS Oper Syst Rev 32(5):181–192
  78. Wang G, Ng T (2010) The impact of virtualization on network performance of Amazon EC2 data center. In: 2010 Proceedings IEEE INFOCOM, pp 1–9
  79. Wang M, Meng X, Zhang L (2011) Consolidating virtual machines with dynamic bandwidth demand in data centers. In: 2011 Proceedings IEEE INFOCOM, pp 71–75
  80. Wojtczuk R (2008) Subverting the Xen hypervisor. Black Hat USA
  81. Wu Z, Xu Z, Wang H (2012) Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: 21st USENIX security symposium (Security'12)
  82. Xia L, Cui Z, Lange JR, Tang Y, Dinda PA, Bridges PG (2012) VNET/P: bridging the cloud and high performance computing through fast overlay networking. In: Proceedings of the 21st international symposium on high-performance parallel and distributed computing, HPDC'12. ACM, New York, NY, USA, pp 259–270
  83. Xu Y, Bailey M, Jahanian F, Joshi K, Hiltunen M, Schlichting R (2011) An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM workshop on cloud computing security workshop, CCSW'11. ACM, New York, NY, USA, pp 29–40
  84. Zhang Y, Juels A, Oprea A, Reiter M (2011) HomeAlone: co-residency detection in the cloud via side-channel analysis. In: IEEE symposium on security and privacy (SP), pp 313–328
  85. Zhang Y, Juels A, Reiter MK, Ristenpart T (2012) Cross-VM side channels and their use to extract private keys. In: Proceedings of the 2012 ACM conference on computer and communications security, CCS'12. ACM, New York, NY, USA, pp 305–316
  86. Zhuravlev S, Blagodurov S, Fedorova A (2010) Addressing shared resource contention in multicore processors via scheduling. SIGARCH Comput Archit News 38(1):129–142

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Eddy Caron (1)
  • Frédéric Desprez (2)
  • Jonathan Rouzaud-Cornabas (3)
  1. ENS, LIP - UMR CNRS - ENS Lyon - INRIA - UCBL, Lyon, France
  2. INRIA, LIP - UMR CNRS - ENS Lyon - INRIA - UCBL, Lyon, France
  3. CNRS, IN2P3 Computing Center, Lyon-Villeurbanne, France