Abstract

The Linux container mechanism is steadily gaining ground in the virtualization landscape as a lightweight and efficient alternative to hypervisor-based virtual machines (VMs). Lightweight virtualization brings convenience and speed, but sharing the host kernel also means that isolation is incomplete, so containers are more exposed to co-resident attacks, which can cause information leakage. Previous work mainly eliminates co-resident attacks by fixing the hardware or the guest operating system, but such fixes do not generalize to future co-resident attacks. The threat can also be mitigated by reducing the probability of co-residency through appropriate deployment of containers. In this paper, we present SecCDS, a Secure Container Deployment Strategy based on a genetic algorithm (GA) that defends against co-resident attacks in container clouds. SecCDS detects co-residency in the cloud in real time and applies a deployment strategy that migrates containers to separate high-risk tenants. In designing SecCDS, we (1) present a formal model and metrics that describe the deployment and co-residency of container clouds; (2) develop a dynamic GA-based container deployment strategy as a robust defense against arbitrary co-residency; and (3) implement and test the strategy and demonstrate its effectiveness. The results show that SecCDS reduces co-residency by 50% compared with existing strategies, and that it scales to large cloud deployments and adapts to different security-level requirements.
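The abstract describes three ingredients: a formal model of deployment, a co-residency metric, and a GA that searches for placements which separate risky tenants under cluster constraints. The block below is an added, constructed illustration of that shape and is not the paper's own model, metric or code. Its assumptions are: a cloud of `n_hosts` identical hosts with a fixed container `capacity` each; a deployment is a list mapping container index to host; the co-residency score is the risk-weighted number of distinct tenant pairs sharing a host (all weights 1 when no `risk` table is given); and the GA uses tournament selection, uniform crossover, single-container mutation, a capacity-repair step and elitism. The tenant/host sizes in the demo are made up.

```python
"""Toy GA container placement that minimises cross-tenant co-residency.

Constructed example: the model, metric and GA operators are assumptions made
for this illustration, not the SecCDS paper's formal model or implementation.
"""
import random
from collections import defaultdict
from itertools import combinations

# Model (assumed): containers[c] is the tenant that owns container c;
# deployment[c] is the host index on which container c runs.


def co_residency(containers, deployment, risk=None):
    """Risk-weighted count of distinct tenant pairs that share a host, summed
    over all hosts. With risk=None every pair weighs 1, so the score is the
    plain number of co-resident tenant pairs in the cloud."""
    risk = risk or {}
    tenants_on = defaultdict(set)
    for c, host in enumerate(deployment):
        tenants_on[host].add(containers[c])
    score = 0
    for tenants in tenants_on.values():
        for a, b in combinations(sorted(tenants), 2):
            score += risk.get(a, 1) * risk.get(b, 1)
    return score


def overloaded(deployment, n_hosts, capacity):
    """Hosts whose container count exceeds the per-host capacity."""
    load = [0] * n_hosts
    for h in deployment:
        load[h] += 1
    return [h for h in range(n_hosts) if load[h] > capacity]


def repair(deployment, n_hosts, capacity, rng):
    """Move containers off overloaded hosts onto the least-loaded host until
    every host fits. Requires len(deployment) <= n_hosts * capacity."""
    dep = list(deployment)
    load = [0] * n_hosts
    for h in dep:
        load[h] += 1
    for h in range(n_hosts):
        while load[h] > capacity:
            c = rng.choice([i for i, x in enumerate(dep) if x == h])
            target = min(range(n_hosts), key=lambda t: load[t])
            dep[c] = target
            load[h] -= 1
            load[target] += 1
    return dep


def round_robin_deploy(n_containers, n_hosts):
    """Naive baseline: container c goes to host c mod n_hosts."""
    return [c % n_hosts for c in range(n_containers)]


def migration_plan(old, new):
    """(container, from_host, to_host) for every container whose host changed."""
    return [(c, a, b) for c, (a, b) in enumerate(zip(old, new)) if a != b]


def ga_deploy(containers, n_hosts, capacity, risk=None, pop_size=40,
              generations=80, mutation_rate=0.2, seed=1):
    """Search for a feasible deployment with low co-residency score."""
    assert len(containers) <= n_hosts * capacity, "cluster too small"
    rng = random.Random(seed)
    n = len(containers)

    def fitness(dep):            # lower is better
        return co_residency(containers, dep, risk)

    def random_individual():
        return repair([rng.randrange(n_hosts) for _ in range(n)],
                      n_hosts, capacity, rng)

    def tournament(pop):         # binary tournament selection
        a, b = rng.sample(pop, 2)
        return a if fitness(a) <= fitness(b) else b

    def crossover(p1, p2):       # uniform crossover, gene = host of one container
        return [rng.choice(pair) for pair in zip(p1, p2)]

    def mutate(dep):             # occasionally re-home a single container
        dep = list(dep)
        if rng.random() < mutation_rate:
            dep[rng.randrange(n)] = rng.randrange(n_hosts)
        return dep

    population = [random_individual() for _ in range(pop_size)]
    best = min(population, key=fitness)
    for _ in range(generations):
        next_pop = [best]        # elitism keeps the best placement alive
        while len(next_pop) < pop_size:
            child = crossover(tournament(population), tournament(population))
            next_pop.append(repair(mutate(child), n_hosts, capacity, rng))
        population = next_pop
        best = min(population, key=fitness)
    return best


if __name__ == "__main__":
    # Constructed demo: 6 tenants with 2 containers each, 4 hosts of capacity 3.
    tenants = [c // 2 for c in range(12)]
    baseline = round_robin_deploy(12, 4)
    best = ga_deploy(tenants, 4, 3)
    print("round-robin score:", co_residency(tenants, baseline))
    print("GA score:         ", co_residency(tenants, best))
    print("migrations needed:", migration_plan(baseline, best))
```

Because the score is a sum over hosts, a placement that co-locates a tenant's own containers and only one other tenant per host scores far lower than a spread-out round-robin layout, which is the effect the abstract attributes to the deployment strategy; the `risk` table lets high-risk tenant pairs dominate the score so the search separates them first.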
