Secure virtual machine placement in cloud data centers

Abstract

Abstract Due to an increasing number of avenues for conducting cross-VM side-channel attacks, the security of multi-tenant public IaaS cloud environments is a growing concern. These attacks allow an adversary to steal private information from a target user whose VM instance is co-located with that of the adversary. In this paper, we focus on secure VM placement algorithms which a cloud provider can use for the automatic enforcement of security against such co-location based attacks. To do so, we first establish a metric for evaluating and quantifying co-location security of multi-tenant public IaaS clouds, and then propose a novel VM placement algorithm called “Previously Co-Located Users First” which aims to reduce the probability of malicious VM co-location. Thereafter, we perform a theoretical and empirical analysis of our proposed algorithm to evaluate its efficiency and security. Our results, obtained using real-world cloud traces containing millions of VM requests and thousands of actual users, indicate that the proposed algorithm provides a significant increase in the cloud’s co-location resistance with little compromise in resource utilization, compared to existing approaches. We also explore the potential for cloud providers to leverage passive cache monitoring techniques as an additional security measure in order to automatically improve the co-location resistance provided by general VM placement algorithms.