
A Placement Vulnerability Study in Multi-tenant Public Clouds (1507.03114v1)

Published 11 Jul 2015 in cs.CR

Abstract: Public infrastructure-as-a-service clouds, such as Amazon EC2, Google Compute Engine (GCE) and Microsoft Azure allow clients to run virtual machines (VMs) on shared physical infrastructure. This practice of multi-tenancy brings economies of scale, but also introduces the risk of sharing a physical server with an arbitrary and potentially malicious VM. Past works have demonstrated how to place a VM alongside a target victim (co-location) in early-generation clouds and how to extract secret information via side- channels. Although there have been numerous works on side-channel attacks, there have been no studies on placement vulnerabilities in public clouds since the adoption of stronger isolation technologies such as Virtual Private Clouds (VPCs). We investigate this problem of placement vulnerabilities and quantitatively evaluate three popular public clouds for their susceptibility to co-location attacks. We find that adoption of new technologies (e.g., VPC) makes many prior attacks, such as cloud cartography, ineffective. We find new ways to reliably test for co-location across Amazon EC2, Google GCE, and Microsoft Azure. We also found ways to detect co-location with victim web servers in a multi-tiered cloud application located behind a load balancer. We use our new co-residence tests and multiple customer accounts to launch VM instances under different strategies that seek to maximize the likelihood of co-residency. We find that it is much easier (10x higher success rate) and cheaper (up to $114 less) to achieve co-location in these three clouds when compared to a secure reference placement policy.

Citations (177)

Summary

  • The paper shows that placement vulnerabilities let an attacker co-locate a VM with a target at up to 10× the success rate, and at lower cost, than a secure reference placement policy would allow.
  • It introduces co-residency tests built on covert channels over shared hardware resources (notably the memory bus) that work reliably across the three major IaaS clouds, including against web servers behind a load balancer.
  • The study underscores the need for co-location-aware placement algorithms and stronger isolation in platforms like EC2, GCE, and Azure.

Overview of Co-location Attacks in Public Clouds

The paper "A Placement Vulnerability Study in Multi-tenant Public Clouds" by Varadarajan et al. examines the placement algorithms of three popular infrastructure-as-a-service (IaaS) providers, Amazon EC2, Google Compute Engine (GCE), and Microsoft Azure, for exploitable weaknesses. Despite newer isolation technologies such as Virtual Private Clouds (VPCs), the authors find that an attacker can still arrange for a virtual machine (VM) to share a physical host with a victim, which is the precondition for cross-VM side-channel and resource-contention attacks.

Key Findings

The authors investigate the feasibility of co-location attacks, in which an adversary tries to place a VM on the same physical server as a target victim. Because VPCs and related changes have made earlier co-location inference methods such as cloud cartography (which mapped internal IP addresses to physical placement) ineffective, they develop new co-residency tests that work on current public clouds.

Through extensive experimentation, involving 190 runs per cloud provider, the paper demonstrates that co-location can be achieved with a high success rate in all three clouds. Compared with a hypothetical secure reference placement policy designed to frustrate such attacks, co-location was up to 10× more likely to succeed and up to $114 cheaper, so the placement policies in use provide little practical protection.

Implications

The implications are significant both in practice and in principle. In practice, the findings reveal ongoing weaknesses in public cloud placement policies that a malicious tenant can exploit to reach a co-located victim VM and then attack its confidentiality (via side channels) or its availability (via contention for shared resources). In principle, they highlight the need for placement algorithms that balance utilisation and cost against the security of multi-tenant environments.

The paper introduces co-residency detection techniques based on covert channels over shared hardware resources, in particular the memory bus: one VM generates contention on the shared resource while the other measures the resulting slowdown. Because the channel depends only on hardware that every VM on a host shares, the tests work across heterogeneous cloud environments and detect co-residency with high confidence, giving researchers and cloud providers a practical tool for studying VM placement risks.
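The memory-bus test described above can be sketched in a few dozen lines. The block below is an added illustration written for this page, not the authors' code: a sender process issues lock-prefixed read-modify-write instructions on an 8-byte word that straddles a cache-line boundary (a split lock, which on x86 serialises the shared memory bus rather than only the local cache line), while a receiver times cache-missing reads before and during that load and flags co-residency when the slowdown exceeds a threshold. It assumes x86-64, GCC or Clang atomic builtins, 64-byte cache lines and a POSIX system; two processes on one machine stand in for the two VMs, and the 1.5× ratio, the 64 MiB probe buffer and the pass counts are illustrative values to be calibrated on the target hardware.

```c
/* Memory-bus contention co-residency probe. Added illustration, not code from
 * the paper. The sender issues locked read-modify-write instructions on an
 * 8-byte word that straddles a cache-line boundary (a split lock); on x86 the
 * CPU cannot satisfy such a lock from its own cache and instead serialises the
 * shared memory bus, which every VM on the host observes as slower DRAM reads.
 * The receiver times cache-missing reads with and without the sender active
 * and applies a ratio threshold. A forked child stands in for the second VM.
 * Assumptions: x86-64, GCC/Clang atomic builtins, 64-byte cache lines, POSIX;
 * CO_RESIDENT_RATIO is an illustrative threshold, not a value from the paper. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define CACHE_LINE 64
#define PROBE_BYTES (64u << 20)   /* 64 MiB: larger than any LLC, so strided reads miss to DRAM */
#define CO_RESIDENT_RATIO 1.5     /* assumed decision threshold; calibrate per host */

/* Does the n-byte object at p cross a cache-line boundary? */
int straddles_line(const void *p, size_t n) {
    uintptr_t a = (uintptr_t)p;
    return (a / CACHE_LINE) != ((a + n - 1) / CACHE_LINE);
}

/* Choose an 8-byte word inside buf (at least 2*CACHE_LINE bytes) whose bytes
 * sit 4 before and 4 after a line boundary, so every locked op on it is a
 * split lock. Works for any alignment of buf. */
uint64_t *split_lock_target(void *buf) {
    uintptr_t boundary = ((uintptr_t)buf + 4 + CACHE_LINE - 1) & ~(uintptr_t)(CACHE_LINE - 1);
    return (uint64_t *)(boundary - 4);
}

/* Sender: hammer the split-lock word with lock-prefixed adds while *on is set.
 * __atomic_fetch_add on a uint64_t compiles to `lock xadd`/`lock add` on x86-64. */
void run_sender(const volatile int *on, uint64_t *target) {
    while (*on)
        __atomic_fetch_add(target, 1, __ATOMIC_SEQ_CST);
}

/* Receiver: average nanoseconds per read, touching one byte per cache line.
 * Returns -1.0 on bad arguments. */
double measure_read_ns(const volatile uint8_t *buf, size_t bytes, int passes) {
    struct timespec t0, t1;
    uint64_t sink = 0, reads = 0;
    if (bytes == 0 || passes <= 0) return -1.0;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (int p = 0; p < passes; p++)
        for (size_t i = 0; i < bytes; i += CACHE_LINE, reads++)
            sink += buf[i];                /* volatile read: cannot be optimised away */
    clock_gettime(CLOCK_MONOTONIC, &t1);
    (void)sink;
    double ns = (double)(t1.tv_sec - t0.tv_sec) * 1e9 + (double)(t1.tv_nsec - t0.tv_nsec);
    return ns / (double)reads;
}

/* Decision rule: reads under contention must be at least `ratio` times slower
 * than the quiet baseline before we claim the sender shares our host. */
int co_resident(double quiet_ns, double contended_ns, double ratio) {
    return quiet_ns > 0 && contended_ns / quiet_ns >= ratio;
}

int main(void) {
    uint8_t *probe = malloc(PROBE_BYTES);
    /* One shared page: run flag at offset 0, split-lock word at offsets 124..131. */
    volatile int *shared = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                                MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (!probe || shared == MAP_FAILED) return 1;
    memset(probe, 1, PROBE_BYTES);         /* fault pages in before timing */
    uint64_t *target = split_lock_target((uint8_t *)shared + CACHE_LINE);

    double quiet = measure_read_ns(probe, PROBE_BYTES, 4);

    *shared = 1;
    pid_t pid = fork();
    if (pid < 0) return 1;
    if (pid == 0) { run_sender(shared, target); _exit(0); }   /* the "other VM" */
    double noisy = measure_read_ns(probe, PROBE_BYTES, 4);
    *shared = 0;
    waitpid(pid, NULL, 0);

    printf("quiet %.2f ns/read, with split-lock sender %.2f ns/read, ratio %.2f: %s\n",
           quiet, noisy, noisy / quiet,
           co_resident(quiet, noisy, CO_RESIDENT_RATIO) ? "co-resident" : "no contention signal");
    free(probe);
    return 0;
}
```

Build with `cc -O2 probe.c -o probe` and run it on an otherwise idle machine to see the quiet and contended read times side by side. Expect the signal to be weak or absent on recent hosts: Linux since 5.7 ships `split_lock_detect` (default `warn`, which throttles the offending task; `fatal` kills it with SIGBUS), and hypervisors with bus-lock detection can trap or rate-limit the sender, so a failed probe is not evidence that two VMs are on different hosts. The web-server variant mentioned in the abstract follows the same pattern with the roles adjusted: the attacker's VM plays sender and the victim's HTTP response times serve as the receiver, so nothing needs to run on the victim.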

Future Directions

Future work in this area could focus on further reverse-engineering the placement algorithms used by cloud providers and on developing strategies that mitigate co-location attacks. Stronger isolation technologies and co-location-aware placement policies could significantly reduce the success rate of such attacks.

Moreover, expanding research to include other cloud services such as Platform-as-a-Service (PaaS) and examining specific attacks on different workloads could offer deeper insights into the security dynamics of cloud computing. Continued exploration into the integration of machine learning techniques for real-time anomaly detection and prevention of co-location attempts would also be beneficial.

In summary, this paper provides a methodical investigation into placement vulnerabilities in public clouds, demonstrating how such threats persist despite advances in isolation technologies. The findings serve as a pivotal reference point for both academic researchers and industry practitioners aiming to fortify the security of cloud computing infrastructures.