| Many applications that are in day-to-day use by customers over the Internet are hosted in the public clouds. Public infrastructure-as-a-service clouds, such as Amazon EC2, Google Compute Engine and Microsoft Azure allow clients to run virtual machines (VMs) on shared physical infrastructure. This practice of multi-tenancy improves efficiency by multiplexing resources among disparate customers at low costs. Unfortunately, it also introduces the risk of sharing a physical server to run both sensitive customer applications and VMs that may belong to an arbitrary and potentially malicious users. Such a scenario uniquely arises because of multi-tenancy and the openness of public clouds.;The current management infrastructure of these public clouds is driven towards improving performance and efficiency and the security of these systems often takes the back seat in this drive forward. As a result it is unclear what the degree of isolation that these clouds provide against malicious users. In this dissertation, we focus on one of the main security threats to public clouds, cross-VM attacks, and evaluate how state-of-the-art cloud infrastructure fares against these attacks. The thesis of this dissertation is that, " the practice of multi-tenancy in public clouds demands stronger isolation between VMs in the presence of malicious users.";Any cross-VM attack involves two steps: placing an adversary controlled VM on the same host as one of the victim VMs, and then breaching the isolation boundary to either steal sensitive victim information or affect its performance for greed or vandalism. In the first part, we show the lack of stronger isolation in public clouds with two findings. 1. VM placement is practical in three popular public clouds, 2. how a greedy users can exploit lack isolation at the hypervisor for their own performance gains.;In the second part, we venture to improve isolation between VMs in the hypervisor. A straightforward solution is hard isolation that strictly partitions hardware resources between VMs. However, this comes at the cost of reduced efficiency. We investigate the principle of soft isolation: reduce the risk of sharing through better scheduling. We demonstrate this design principle by using it to defend against cross-VM attacks. |
