Abstract
Virtualization is now widely used in modern datacenters. Thanks to mature software stacks and the widespread availability of platforms all over the world, the Cloud is now available for many applications of different kinds. Security and performance are the main goals users want to achieve when porting applications over IaaS or PaaS platforms. Security has been proven to be sometimes difficult to obtain [3, 60, 85], and several issues have been raised in public Clouds and public domain virtualization software stacks. Several different kinds of attacks and security issues can be observed that may lower the impact of Clouds. On the performance side, the expectations are higher than what can actually be obtained on today’s public Clouds. Shared nodes lead to performance degradation that is not appropriate for high performance applications. Isolation is therefore a critical issue for both security and performance concerns.
Notes
- 1. HyperThreading in Intel processors.
- 2. HyperTransport for AMD and QPI for Intel.
- 3. Each scenario has been launched 10 times; the results presented here are the average of these executions.
- 4. The ebtables program is a filtering tool for a Linux-based bridging firewall. http://ebtables.sourceforge.net/
- 5.
- 6.
- 7. The completion time of the MapReduce workload is the sum of the execution times of three hadoop blast workloads.
References
Afoulki Z, Bousquet A, Briffaut J, Rouzaud-Cornabas J, Toinard C (2012) MAC protection of the openNebula cloud environment. In: International conference on high performance computing and simulation (HPCS), pp 85–90
Al-Fares M, Loukissas A, Vahdat A (2008) A scalable, commodity data center network architecture. SIGCOMM Comput Commun Rev 38(4):63–74
Ali Q, Kiriansky V, Simons J, Zaroo P (2012) Performance evaluation of HPC benchmarks on VMware’s ESXi server. In: Proceedings of the 2011 international conference on parallel processing, Euro-Par’11. Springer, Berlin, pp 213–222
Andreozzi S, Burke S, Ehm F, Field L, Galang G, Konya B, Litmaath M, Millar P, Navarro J (2009) GLUE Specification v. 2.0
Ballani H, Costa P, Karagiannis T, Rowstron A (2011) Towards predictable datacenter networks. SIGCOMM Comput Commun Rev 41(4):242–253
Barabash K, Cohen R, Hadas D, Jain V, Recio R, Rochwerger B (2011) A case for overlays in DCN virtualization. In: Proceedings of the 3rd workshop on data center—converged and virtual ethernet switching, DC-CaVES’11, ITCP, pp 30–37
Barham P, Dragovic B, Fraser K, Hand S, Harris T, Ho A, Neugebauer R, Pratt I, Warfield A (2003) Xen and the art of virtualization. SIGOPS Oper Syst Rev 37(5):164–177
Barker SK, Shenoy P (2010) Empirical evaluation of latency-sensitive application performance in the cloud. In: Proceedings of the first annual ACM SIGMM conference on multimedia systems, MMSys’10. ACM, New York, NY, USA, pp 35–46
Bates A, Mood B, Pletcher J, Pruse H, Valafar M, Butler K (2012) Detecting co-residency with active traffic analysis techniques. In: Proceedings of the 2012 ACM workshop on cloud computing security workshop, CCSW’12. ACM, New York, NY, USA, pp 1–12
Bhadauria M, McKee SA (2010) An approach to resource-aware co-scheduling for CMPs. In: Proceedings of the 24th ACM international conference on supercomputing, ICS’10. ACM, New York, NY, USA, pp 189–199
Biran O, Corradi A, Fanelli M, Foschini L, Nus A, Raz D, Silvera E (2012) A stable network-aware VM placement for cloud systems. In: Proceedings of the 2012 12th IEEE/ACM international symposium on cluster, cloud and grid computing (ccgrid 2012), CCGRID’12. IEEE Computer Society, Washington, DC, USA, pp 498–506
Bleikertz S, Groß T (2011) A virtualization assurance language for isolation and deployment. IEEE Policy, VALID
Brandtzaeg E, Mohagheghi P, Mosser S (2012) Towards a domain-specific language to deploy applications in the clouds. In: CLOUD COMPUTING 2012, the third international conference on cloud computing, GRIDs, and virtualization, pp 213–218
Breitgand D, Epstein A (2012) Improving consolidation of virtual machines with risk-aware bandwidth oversubscription in compute clouds. In: Proceedings on IEEE INFOCOM, pp 2861–2865
Broquedis F, Clet-Ortega J, Moreaud S, Furmento N, Goglin B, Mercier G, Thibault S, Namyst R (2010) hwloc: a generic framework for managing hardware affinities in HPC applications. In: 18th Euromicro international conference on parallel, distributed and network-based processing (PDP), pp 180–186
Cappello F, Caron E, Dayde M, Desprez F, Jegou Y, Primet P, Jeannot E, Lanteri S, Leduc J, Melab N, Mornet G, Namyst R, Quetier B, Richard O (2005) Grid’5000: a large scale and highly reconfigurable grid experimental testbed. In: Proceedings of the 6th IEEE/ACM international workshop on grid computing, GRID’05. IEEE Computer Society, Washington, DC, USA, pp 99–106
Clemente P, Rouzaud-Cornabas J, Toinard C (2010) From a generic framework for expressing integrity properties to a dynamic MAC enforcement for operating systems. In: Gavrilova M, Tan C, Moreno E (eds) Transactions on computational science XI, vol 6480 of Lecture Notes in Computer Science. Springer, Berlin, pp 131–161
Fan P, Chen Z, Wang J, Zheng Z, Lyu MR (2012) Topology-aware deployment of scientific applications in cloud computing. In: 2012 IEEE fifth international conference on cloud computing, pp 319–326
Fedorova A, Seltzer M, Smith MD (2007) Improving performance isolation on chip multiprocessors via an operating system scheduler. In: Proceedings of the 16th international conference on parallel architecture and compilation techniques, PACT’07. IEEE Computer Society, Washington, DC, USA, pp 25–38
Feller E, Rilling L, Morin C (2011) Energy-aware ant colony based workload placement in clouds. In: The 12th IEEE/ACM international conference on grid computing (GRID-2011), Lyon, France
Feller E, Rilling L, Morin C, Lottiaux R, Leprince D (2010) Snooze: a scalable, fault-tolerant and distributed consolidation manager for large-scale clusters. In: Green computing and communications (GreenCom), 2010 IEEE/ACM Int’l conference on & Int’l conference on cyber, physical and social computing (CPSCom), pp 125–132
Galán F, Sampaio A, Rodero-Merino L, Loy I, Gil V, Vaquero LM (2009) Service specification in cloud environments based on extensions to open standards. In: Proceedings of the fourth international ICST Conference on cOMmunication System softWAre and middlewaRE, COMSWARE’09, vol 19. ACM, New York, NY, USA, pp 1–19, 12
Ganguly A, Agrawal A, Boykin P, Figueiredo R (2006) IP over P2P: enabling self-configuring virtual IP networks for grid computing. In: 20th International conference on parallel and distributed processing symposium, IPDPS 2006, p 10
Goglin B, Moreaud S (2011) Dodging non-uniform I/O access in hierarchical collective operations for multicore clusters. In: CASS, the 1st workshop on communication architecture for scalable systems, held in conjunction with IPDPS 2011. IEEE Computer Society Press, Anchorage, AK
Gonçalves G, Endo P, Santos M, Sadok D, Kelner J, Melander B, Mangs J (2011) CloudML: an integrated language for resource, service and request description for D-clouds. In: 2011 IEEE third international conference on cloud computing technology and science (CloudCom). IEEE, pp 399–406
Greenberg A, Hamilton JR, Jain N, Kandula S, Kim C, Lahiri P, Maltz DA, Patel P, Sengupta S (2009) VL2: a scalable and flexible data center network. SIGCOMM Comput Commun Rev 39(4):51–62
Gude N, Koponen T, Pettit J, Pfaff B, Casado M, McKeown N, Shenker S (2008) NOX: towards an operating system for networks. SIGCOMM Comput Commun Rev 38(3):105–110
Gulati A, Merchant A, Varman PJ (2010) mClock: handling throughput variability for hypervisor IO scheduling. In: Proceedings of the 9th USENIX conference on operating systems design and implementation, OSDI’10. USENIX Association Berkeley, CA, USA, pp 1–7
Harnik D, Pinkas B, Shulman-Peleg A (2010) Side channels in cloud services: deduplication in cloud storage. IEEE Secur Priv 8(6):40–47
Hayashi Y, Itsumi H, Yamamoto M (2011) Improving fairness of quantized congestion notification for data center ethernet networks. In: Proceedings of the 2011 31st international conference on distributed computing systems workshops, ICDCSW’11. IEEE Computer Society, Washington, DC, USA, pp 20–25
Hicks B, Rueda S, King D, Moyer T, Schiffman J, Sreenivasan Y, McDaniel P, Jaeger T (2010) An architecture for enforcing end-to-end access control over web applications. In: Proceedings of the 15th ACM symposium on access control models and technologies, SACMAT’10. ACM, New York, NY, USA, pp 163–172
Huber N, von Quast M, Hauck M, Kounev S (2011) Evaluating and modeling virtualization performance overhead for cloud environments. In: Proceedings of the 1st international conference on cloud computing and services science (CLOSER 2011), Noordwijkerhout, The Netherlands, 7–9 May. SciTePress, pp 563–573. Acceptance rate: 18/164 = 10.9 %, Best Paper Award
Jayasinghe D, Pu C, Eilam T, Steinder M, Whally I, Snible E (2011) Improving performance and availability of services hosted on IaaS clouds with structural constraint-aware virtual machine placement. In: IEEE international conference on services computing (SCC), pp 72–79
Jiang X, Xu D (2004) VIOLIN: virtual internetworking on overlay infrastructure. In: Proceedings of the second international conference on parallel and distributed processing and applications, ISPA’04. Springer, Berlin, pp 937–946
Keller E, Szefer J, Rexford J, Lee RB (2010) NoHype: virtualized cloud infrastructure without the virtualization. SIGARCH Comput Archit News 38(3):350–361
Kim G, Park H, Yu J, Lee W (2012) Virtual machines placement for network isolation in clouds. In: Proceedings of the 2012 ACM research in applied computation symposium, RACS’12, New York, NY, USA, pp 243–248
Kortchinsky K (2009) Hacking 3D (and Breaking out of VMWare). BlackHat USA
Lacour S, Perez C, Priol T (2004) A network topology description model for grid application deployment. In: Proceedings of the 5th IEEE/ACM international workshop on grid computing, GRID ’04. IEEE Computer Society, Washington, DC, USA, pp 61–68
Landau A, Hadas D, Ben-Yehuda M (2010) Plugging the hypervisor abstraction leaks caused by virtual networking. In: Proceedings of the 3rd annual Haifa experimental systems conference, SYSTOR’10. ACM, New York, NY, USA, pp 16:1–16:9
Li J, Qiu M, Niu J, Gao W, Zong Z, Qin X (2010) Feedback dynamic algorithms for preemptable job scheduling in cloud systems. In: Proceedings of the 2010 IEEE/WIC/ACM international conference on web intelligence and intelligent agent technology, vol 01, WI-IAT’10. IEEE Computer Society, Washington, DC, USA, pp 561–564
Macdonell C, Lu P (2007) Pragmatics of virtual machines for high-performance computing: a quantitative study of basic overheads. In: High performance computing and simulation conference
Marshall A, Howard M, Bugher G, Harden B, Kaufman C, Rues M, Bertocci V (2010) Security best practices for developing windows azure applications. Microsoft Corp
McKeown N, Anderson T, Balakrishnan H, Parulkar G, Peterson L, Rexford J, Shenker S, Turner J (2008) OpenFlow: enabling innovation in campus networks. SIGCOMM Comput Commun Rev 38(2):69–74
Meng X, Pappas V, Zhang L (2010) Improving the scalability of data center networks with traffic-aware virtual machine placement. In: Proceedings of the 29th conference on information communications, INFOCOM’10. IEEE Press, Piscataway, NJ, USA, pp 1154–1162
Merkel A, Stoess J, Bellosa F (2010) Resource-conscious scheduling for energy efficiency on multicore processors. In: Proceedings of the 5th European conference on computer systems, EuroSys’10. ACM, New York, NY, USA, pp 153–166
Mills K, Filliben J, Dabrowski C (2011) Comparing VM-placement algorithms for on-demand clouds. In: Proceedings of the 2011 IEEE conference cloudCom
Mirkovic J, Faber T, Hsieh P, Malaiyandisamy G, Malaviya R (2010) DADL: distributed application description language. USC/ISI Technical Report # ISI-TR-664
Moscibroda T, Mutlu O (2007) Memory performance attacks: Denial of memory service in multi-core systems. In: Proceedings of 16th USENIX security symposium on USENIX security symposium, SS’07. USENIX Association, Berkeley, CA, USA, pp 18:1–18:18
Murakami J (2008) A hypervisor IPS based on hardware assisted virtualization technology. Black Hat USA
Nathani A, Chaudhary S, Somani G (2012) Policy based resource allocation in IaaS cloud. Future Gener Comput Sys 28(1):94–103
Nguyen Van H, Dang Tran F, Menaud J-M (2009) Autonomic virtual resource management for service hosting platforms. In: Proceedings of the 2009 ICSE workshop on software engineering challenges of cloud computing, CLOUD ’09. IEEE Computer Society, Washington, DC, USA, pp 1–8
Okamura K, Oyama Y (2010) Load-based covert channels between xen virtual machines. In: Proceedings of the 2010 ACM symposium on applied computing, SAC’10, ACM, New York, NY, USA, pp 173–180
Onoue K, Matsuoka N, Tanaka J (2012) Host-based multi-tenant technology for scalable data center networks. In: Proceedings of the eighth ACM/IEEE symposium on Architectures for networking and communications systems, ANCS’12. ACM, New York, NY, USA. pp 87–98
Osvik DA, Shamir A, Tromer E (2006) Cache attacks and countermeasures: the case of AES. In: Proceedings of the 2006 the cryptographers’ track at the RSA conference on topics in cryptology, CT-RSA’06. Springer, Berlin, pp 1–20
Open Virtualization Format Specification. Version: 1.0.0d. Distributed Management Task Force, Inc. (DMTF).
Page D (2005) Partitioned cache architecture as a side-channel defence mechanism. In: Technical report 2005/280, IACR eprint archive. Cryptography ePrint archive
Percival C (2005) Cache missing for fun and profit, BSDCan
Pu X, Liu L, Mei Y, Sivathanu S, Koh Y, Pu C (2010) Understanding performance interference of I/O workload in virtualized cloud environments. In: 2010 IEEE 3rd international conference on cloud computing (CLOUD), pp 51–58
Raj H, Nathuji R, Singh A (2009) Resource management for isolation enhanced cloud services. In: CCSW’09 proceedings of the 2009 ACM workshop on cloud computing security, p 77
Ristenpart T, Tromer E, Shacham H, Savage S (2009) Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM conference on computer and communications security, CCS’09, New York, NY, USA, pp 199–212
Rodero-Merino L, Vaquero LM, Caron E, Muresan A, Desprez F (2012) Building safe PaaS clouds: A survey on security in multitenant software platforms. Comput Secur 31(1):96–108
Schad J, Dittrich J, Quiané-Ruiz J-A (2010) Runtime measurements in the cloud: observing, analyzing, and reducing variance. Proc VLDB Endow 3(1–2):460–471
Shieh A, Kandula S, Greenberg A, Kim C (2010) Seawall: performance isolation for cloud datacenter networks. In: Proceedings of the 2nd USENIX conference on hot topics in cloud computing, HotCloud’10, Berkeley, CA, USA, p 1
Simarro JLL, Moreno-Vozmediano R, Montero RS, Llorente IM (2011) Dynamic placement of virtual machines for cost optimization in multi-cloud environments. In: International conference on high performance computing and simulation (HPCS), pp 1–7
Sotomayor B, Keahey K, Foster I (2008) Combining batch execution and leasing using virtual machines. In: Proceedings of the 17th international symposium on high performance distributed computing, HPDC’08, New York, NY, USA, pp 87–96
Sotomayor B, Montero RS, Llorente IM, Foster I (2009) Virtual infrastructure management in private and hybrid clouds. IEEE Intern Comput 13(5):14–22
Srikantaiah S, Kansal A, Zhao F (2008) Energy aware consolidation for cloud computing. In: Proceedings of the 2008 conference on power aware computing and systems, HotPower’08. USENIX Association, Berkeley, CA, USA, p 10
Stabler G, Rosen A, Goasguen S, Wang K-C (2012) Elastic IP and security groups implementation using openFlow. In: Proceedings of the 6th international workshop on virtualization technologies in distributed computing date, VTDC’12. ACM, New York, NY, USA, pp 53–60
Stillwell M, Schanzenbach D, Vivien F, Casanova H (2009) Resource allocation using virtual clusters. In: Proceedings of the 2009 9th IEEE/ACM international symposium on cluster computing and the grid, CCGRID ’09. IEEE Computer Society, Washington, DC, USA, pp 260–267
Sundararaj AI, Dinda PA (2004) Towards virtual networks for virtual machine grid computing. In: Proceedings of the 3rd conference on virtual machine research and technology symposium, vol 3, VM’04. USENIX Association, Berkeley, CA, USA, pp 14–14
Szefer J, Keller E, Lee R (2011) Eliminating the hypervisor attack surface for a more secure cloud. In: ACM conference on computer and communications security
Taesoo K, Peinado M, Mainar-Ruiz G (2012) System-level protection against cache-based side channel attacks in the cloud. In: Proceedings of the 21st Usenix Security symposium, USENIX Security’12. USENIX Association, Berkeley, CA, USA, pp 1–16
Tickoo O, Iyer R, Illikkal R, Newell D (2010) Modeling virtual machine performance: challenges and approaches. SIGMETRICS Perform Eval Rev 37(3):55–60
Tordsson J, Montero RS, Moreno-Vozmediano R, Llorente IM (2012) Cloud brokering mechanisms for optimized placement of virtual machines across multiple providers. Futur Gener Comput Sys 28(2):358–367
Tsugawa M, Fortes JAB (2006) A virtual network (ViNe) architecture for grid computing. In: Proceedings of the 20th international conference on Parallel and distributed processing, IPDPS’06. IEEE Computer Society, Washington, DC, USA, pp 148–148
Varadarajan V, Kooburat T, Farley B, Ristenpart T, Swift MM (2012) Resource-freeing attacks: improve your cloud performance (at your neighbor’s expense). In: Proceedings of the 2012 ACM conference on computer and communications security, CCS’12. ACM, New York, NY, USA, pp 281–292
Verghese B, Gupta A, Rosenblum M (1998) Performance isolation: sharing and isolation in shared-memory multiprocessors. SIGOPS Oper Syst Rev 32(5):181–192
Wang G, Ng T (2010) The impact of virtualization on network performance of amazon EC2 data center. In 2010 Proceedings IEEE INFOCOM, pp 1–9
Wang M, Meng X, Zhang L (2011) Consolidating virtual machines with dynamic bandwidth demand in data centers. In: 2011 proceedings on IEEE INFOCOM, pp 71–75
Wojtczuk R (2008) Subverting the Xen hypervisor. Black Hat USA
Wu Z, Xu Z, Wang H (2012) Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: the 21st USENIX security symposium (Security’12)
Xia L, Cui Z, Lange JR, Tang Y, Dinda PA, Bridges PG (2012) VNET/P: Bridging the cloud and high performance computing through fast overlay networking. In: Proceedings of the 21st international symposium on high-performance parallel and distributed computing, HPDC’12. ACM, New York, NY, USA, pp 259–270
Xu Y, Bailey M, Jahanian F, Joshi K, Hiltunen M, Schlichting R (2011) An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM workshop on cloud computing security workshop, CCSW’11. ACM, New York, NY, USA, pp 29–40
Zhang Y, Juels A, Oprea A, Reiter M (2011) HomeAlone: Co-residency Detection in the Cloud via Side-Channel Analysis. In: IEEE symposium on security and privacy (SP), pp 313–328
Zhang Y, Juels A, Reiter MK, Ristenpart T (2012) Cross-VM side channels and their use to extract private keys. In: Proceedings of the 2012 ACM conference on computer and communications security, CCS’12. ACM, New York, NY, USA, pp 305–316
Zhuravlev S, Blagodurov S, Fedorova A (2010) Addressing shared resource contention in multicore processors via scheduling. SIGARCH Comput Archit News 38(1):129–142
© 2014 Springer-Verlag Berlin Heidelberg
Caron, E., Desprez, F., Rouzaud-Cornabas, J. (2014). Smart Resource Allocation to Improve Cloud Security. In: Nepal, S., Pathan, M. (eds) Security, Privacy and Trust in Cloud Systems. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38586-5_4
DOI: https://doi.org/10.1007/978-3-642-38586-5_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38585-8
Online ISBN: 978-3-642-38586-5
eBook Packages: Engineering (R0)