
Research On Cloud Platform Security For Co-Resident Threat

Posted on: 2018-10-10  Degree: Master  Type: Thesis
Country: China  Candidate: N Fu  Full Text: PDF
GTID: 2428330515997934  Subject: Information security
Abstract/Summary:
Cloud computing has gone from a concept to a widely used service in a few years. At present, domestic and foreign commercial cloud computing businesses have entered an important period of vigorous development. The cloud computing model not only has the advantages of economies of scale, dynamic configuration and low capital expenditure, but also brings some new security risks. Multi-tenant dynamic aggregation and border generalization make it inherently difficult for a cloud computing platform to resist the security threats brought by shared computing resources. Among them, the virtual machine co-resident threat, which arises when a malicious virtual machine and the target virtual machine are hosted on the same physical machine, is clearly an important one. Because of virtual isolation combined with physical coexistence, the cloud platform allows virtual machines to share the majority of the physical host's resources, so the threat is difficult to avoid. It mainly includes resource interference, denial of service, covert/side channels, virtual machine hopping, virtual machine escape and the migration gap. Malicious virtual machine co-residency may damage the confidentiality and availability of data in the cloud platform, leading to serious security problems and great harm to large cloud tenants and ordinary cloud users. An attacker who intends to attack a cloud computing platform must first achieve co-residency between the malicious virtual machine and the target virtual machine. In this paper, we adopt a virtual machine co-resident detection mechanism based on a covert channel, which is tested by experiments on the well-known cloud platform service provider Alibaba Cloud. Secondly, this paper studies the architecture of existing cloud computing platforms in depth and proposes an automated virtual machine flooding method based on posterior probability. Finally, combining the proposed virtual machine flooding method and the co-resident detection program, we try to figure out the internal cloud infrastructure of Alibaba Cloud and to achieve co-resident virtual machines on it. Our co-resident detection scheme fully considers the specific cloud environment, achieving a low false positive rate and easy deployment without destroying the isolation barrier of the cloud platform. As our virtual machine flooding method is a typical malicious behavior on a cloud platform, it is urgent for the major cloud service providers to pay attention to it. This paper builds the foundation for subsequent co-resident attack research and has a positive effect on the security research of existing commercial cloud platforms.
Keywords/Search Tags: cloud security, co-resident threat, covert channel, VM flooding