MIGRATE: Towards a Lightweight Moving-Target Defense Against Cloud Side-Channels

Azab, Mohamed; Eltoweissy, Mohamed

doi:10.1109/spw.2016.28

Cited by 27 publications

(13 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…To implement defenses that encompass a wider range of attacks, moving target defenses [14,16,36] are successful. Since orchestrators often manage a large number of nodes for a cluster, performing container migration on these nodes will be easier than migrating the entire VM as suggested by Atya et al [14].…”

Section: Defensesmentioning

confidence: 99%

Co-residency Attacks on Containers are Real

Shringarputale

McDaniel

Butler

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop

View full text Add to dashboard Cite

Public clouds are inherently multi-tenant: applications deployed by different parties (including malicious ones) may reside on the same physical machines and share various hardware resources. With the introduction of newer hypervisors, containerization frameworks like Docker, and managed/orchestrated clusters using systems like Kubernetes, cloud providers downplay the feasibility of co-tenant attacks by marketing a belief that applications do not operate on shared hardware. In this paper, we challenge the conventional wisdom that attackers cannot confirm co-residency with a victim application from inside state-of-the-art containers running on virtual machines. We analyze the degree of vulnerability present in containers running on various systems including within a broad range of commercially utilized orchestrators. Our results show that on commercial cloud environments including AWS and Azure, we can obtain over 90% success rates for co-residency detection using real-life workloads. Our investigation confirms that co-residency attacks are a significant concern on containers running on modern orchestration systems.

show abstract

Section: Defensesmentioning

confidence: 99%

Co-residency Attacks on Containers are Real

Shringarputale

McDaniel

Butler

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop

View full text Add to dashboard Cite

show abstract

“…Live migration was introduced as a solution (Azab and Eltoweissy, 2016a) but lead to more problems (Rakotondravony et al, 2017).…”

Section: Virtualisation-based Threats and Attacksmentioning

confidence: 99%

“…Barlev et al (2016) presented Starlight which monitors the behaviour of a running system and creates a customised security policy, a set of operating system execution rules that accurately defines the execution boundaries of the system. Azab and Eltoweissy (2016b) presented MIGRATE as a lightweight container management framework employing random, real-time MTD to mitigate side channel attacks on clouds. MIGRATE obfuscates the cloud containers execution behaviour by employing random live migration to eliminate attacker and victim co-residency on the same host.…”

Section: Mitigating Container-based Attacksmentioning

confidence: 99%

See 1 more Smart Citation

Resilient intrusion detection system for cloud containers

Abed

Azab

Clancy

et al. 2020

IJCNDS

Self Cite

View full text Add to dashboard Cite

The lightweight virtualisation and isolated execution offered by Linux containers qualify it to be the dominant virtualisation platform for cloud-based applications. The fact that Linux containers run on the same host while sharing the same kernel opens the door for new attacks. However, limited research has been conducted in the area of securing cloud containers. This paper presents a resilient intrusion detection and resolution system for cloud-based containers. The system relies on two main pillars, a real-time smart behaviour monitoring mechanism to detect maliciously behaving containers, and a moving-target defence approach that applies runtime container migration to quarantine such containers and to minimise attack dispersion. To avoid zero-day targeted attacks, the system also induces random live migrations between running containers to obfuscate its execution behaviour. Such obfuscation makes it harder for attackers to execute their targeted attacks. The system was tested by a big-data application using a container-based Apache Hadoop cluster to demonstrate the system's ability to automatically deploy,

show abstract

“…To defend against web bots, Vikram et al [31] prevented them from automating web resource access by randomizing HTML elements. To defend against side-channel attacks, Azab and Eltoweissy [32] migrated cloud tenants' applications between different hosts. To defend against jamming attacks, Marttinen et al [33] adopted an approach in which the source MAC address depends on the frame destination and only the receiver knows how to encode the source address.…”

Section: A Mtd Technologymentioning

confidence: 99%

Efficient Strategy Selection for Moving Target Defense Under Multiple Attacks

et al. 2019

View full text Add to dashboard Cite

In a real network environment, multiple types of attacks can occur. The more important the service or network, the more attacks it may suffer simultaneously. Moving target defense (MTD) technology is a revolutionary game-changing cyberspace technology that has found various applications in recent years. However, the existing strategies are targeted at defending against specific types of attacks and do not meet the security requirements for multiple attacks. Therefore, we propose a joint defense strategy based on the MTD that can select one or multiple mutant elements to defend against different types of attacks. In addition, we use the analytic hierarchy process (AHP) to quantify the factors affecting the attack and defense costs. After comprehensively analyzing the effects of the different MTD technologies against different attacks, we propose an efficient strategy selection algorithm based on joint defense. Finally, we conduct experiments to evaluate the selection of a joint defense strategy under multiple attacks. The experimental results demonstrate the feasibility and effectiveness of the proposed joint defense strategy selection approach. INDEX TERMS Moving target defense, efficient defensive strategy selection, multiple attack, joint defense, genetic algorithm.

show abstract

MIGRATE: Towards a Lightweight Moving-Target Defense Against Cloud Side-Channels

Cited by 27 publications

References 6 publications

Co-residency Attacks on Containers are Real

Co-residency Attacks on Containers are Real

Resilient intrusion detection system for cloud containers

Efficient Strategy Selection for Moving Target Defense Under Multiple Attacks

Contact Info

Product

Resources

About