Abstract
Third-party cloud computing, Amazon's Elastic Compute Cloud (EC2) for instance, provides Infrastructure as a Service (IaaS) solutions that pack multiple customer virtual machines (VMs) onto the same physical server using hardware virtualization technology. Xen, which is widely used for virtualization, charges VMs by wall-clock time rather than by resources actually consumed. Under this model, manipulation of a scheduler vulnerability may allow theft of service at the expense of other customers.
Recent research has shown that an attacker's VM can consume more CPU time than its fair share on Amazon EC2 because the accounting resolution of the default Credit Scheduler in Xen 3.x was rather coarse. Although considerable changes have been made to the Xen 4.x Credit Scheduler to improve its resistance to such stealing attacks, by analyzing the source code thoroughly we have found an alternative attack, called Time-Stealer, which can stealthily obtain up to 96.6% of CPU cycles under some circumstances on the XenServer 6.0.2 platform. Detection methods based on benchmarks as well as a series of countermeasures are proposed, and experimental results demonstrate the effectiveness of these defense techniques.
Copyright information
© 2013 Springer International Publishing Switzerland
About this paper
Cite this paper
Rong, H., Xian, M., Wang, H., Shi, J. (2013). Time-Stealer: A Stealthy Threat for Virtualization Scheduler and Its Countermeasures. In: Qing, S., Zhou, J., Liu, D. (eds) Information and Communications Security. ICICS 2013. Lecture Notes in Computer Science, vol 8233. Springer, Cham. https://doi.org/10.1007/978-3-319-02726-5_8
DOI: https://doi.org/10.1007/978-3-319-02726-5_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-02725-8
Online ISBN: 978-3-319-02726-5