1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan 430079, Hubei, China
2. School of Cyber Science and Engineering, Wuhan University, Wuhan 430079, Hubei, China
3. Alibaba Cloud Computing Co., Ltd., Hangzhou 311121, Zhejiang, China
Weijie Liu (born 1991), male, from Wuhan, Hubei; PhD candidate at Wuhan University; main research interests: virtualization security and image processing.
Li'na Wang (born 1964), female, from Yingkou, Liaoning; PhD; professor and doctoral supervisor at Wuhan University; main research interests: multimedia security, cloud computing security and trusted computing.
Danlei Wang (born 1992), male, from Wuhan, Hubei; master's student at Wuhan University; main research interests: machine learning and information content security.
Zhengguang Yin (尹正光, born 1989), male, from Ji'an, Jiangxi; master's degree; senior development engineer at Alibaba Cloud Computing Co., Ltd.; main research interests: cloud native and IaaS architecture.
Nan Fu (付楠, born 1993), female, from Jiujiang, Jiangxi; master's student at Wuhan University; main research interests: network security and cloud computing security.
Online publication date: 2018-11
Print publication date: 2018-11-25
Citation: Weijie LIU, Li'na WANG, Danlei WANG, et al. Virtual machine co-residency method on cloud computing platform [J]. Journal on Communications, 2018, 39(11): 116-128. DOI: 10.11959/j.issn.1000-436x.2018241.
Abstract: If an attacker wants to compromise a target virtual machine on a cloud platform, the malicious virtual machine must be co-resident with the target. Based on this observation, a virtual machine co-residency method is proposed. It constructs an adaptive covert channel in the cloud environment, combines a covert-channel-based co-residency detection scheme with an automatic virtual machine flooding strategy, and was evaluated on a well-known domestic commercial cloud platform. Experiments show that the adaptive covert channel achieves a transmission accuracy of 95% or higher, and that the proposed detection scheme is highly robust, with a false positive rate below 5‰. The method does not break the isolation of the cloud platform itself and is fairly general, but the potential threat is severe and calls for attention and countermeasures.