Resource-freeing attacks

Varadarajan, Venkatanathan; Kooburat, Thawan; Farley, Benjamin; Ristenpart, Thomas; Swift, Michael M.

doi:10.1145/2382196.2382228

Cited by 135 publications

(7 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The authors implement a prototype on top of the Xen hypervisor, adding about 14 % of overhead for each context switch and interrupt. Validation is done by checking the accuracy of accounting under resource interference- [52] and escape- [53] controlled attacks. Although they provide results within 2 % of the ground truth in such scenarios, there is no guarantee that measurements coming from SMM are not tampered with during control switch to enclave entry points.…”

Section: Related Workmentioning

confidence: 99%

SGX-Aware Container Orchestration for Heterogeneous Clusters

Vaucher

Pires

Felber

et al. 2018

2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS)

View full text Add to dashboard Cite

Containers are becoming the de facto standard to package and deploy applications and micro-services in the cloud. Several cloud providers (e.g., Amazon, Google, Microsoft) begin to offer native support on their infrastructure by integrating container orchestration tools within their cloud offering. At the same time, the security guarantees that containers offer to applications remain questionable. Customers still need to trust their cloud provider with respect to data and code integrity. The recent introduction by Intel of Software Guard Extensions (SGX) into the mass market offers an alternative to developers, who can now execute their code in a hardware-secured environment without trusting the cloud provider.This paper provides insights regarding the support of SGX inside Kubernetes, an industry-standard container orchestrator. We present our contributions across the whole stack supporting execution of SGX-enabled containers. We provide details regarding the architecture of the scheduler and its monitoring framework, the underlying operating system support and the required kernel driver extensions. We evaluate our complete implementation on a private cluster using the real-world Google Borg traces. Our experiments highlight the performance tradeoffs that will be encountered when deploying SGX-enabled microservices in the cloud.

show abstract

Section: Related Workmentioning

confidence: 99%

SGX-Aware Container Orchestration for Heterogeneous Clusters

Vaucher

Pires

Felber

et al. 2018

2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS)

View full text Add to dashboard Cite

show abstract

“…Ristenpart et al [2009] show that it is possible to (i) map the internal Cloud infrastructure, (ii) identify where a particular target VM is likely to reside, (iii) instantiate new VMs until one is placed co-resident with the target. Another attack, called resource-freeing attacks, modifies the workload of a victim VM in a way that it frees up resources for the benefit of the attacker's VM [Varadarajan et al 2012].…”

Section: Existing Attacksmentioning

confidence: 99%

Evolution of Attacks, Threat Models, and Solutions for Virtualized Systems

Sgandurra

Lupu

2016

ACM Comput. Surv.

View full text Add to dashboard Cite

Virtualization technology enables Cloud providers to efficiently use their computing services and resources. Even if the benefits in terms of performance, maintenance, and cost are evident, virtualization has also been exploited by attackers to devise new ways to compromise a system. To address these problems, research security solutions have considerably evolved over the years to cope with new attacks and threat models. In this work we review the protection strategies proposed in the literature and show how some of the solutions have been invalidated by new attacks, or threat models, that were previously not considered. The goal is to show the evolution of the threats, and of the related security and trust assumptions, in virtualized systems which have given rise to complex threat models and the corresponding sophistication of protection strategies to deal with such attacks. We also categorize threat models, security and trust assumptions, and attacks against a virtualized system at the different layers, in particular hardware, virtualization, OS, application.

show abstract

“…Bugiel et al [36] investigate the security of the Amazon Image ecosystem. Bates et al [37][38][39][40] investigated the impact of resource sharing among multiple virtual instances, especially targeting a shared network interface card (NIC). Bowers et al [41,42] consider file duplication for fault-tolerance and local distribution of file storing in clouds.…”

Section: Cloud Identificationmentioning

confidence: 99%

The role and security of firewalls in cyber-physical cloud computing

Ullrich

Cropper

Frühwirt

et al. 2016

EURASIP J. on Info. Security

View full text Add to dashboard Cite

Clouds are here to stay, and the same holds for cyber-physical systems-not to forget their combination. In light of these changing paradigms, it is of utter importance to reconsider security as both introduce new challenges. Overcoming the concept of zoned networks, clouds make former internal traffic traveling the Internet. Cyber-physical systems include physical parts into computing and make them potential targets for cyber attacks-a dare as a high number of physical parts have originally been developed to be stand-alone. Cyber-physical cloud computing reinforces the need for a thoughtful security concept. Firewalls are among the basic building blocks in network security and are offered by various cloud providers; however, the question on their quality of protection arises. In this paper, we assess firewall offers of five major cloud providers with respect to cyber-physical system integration. Therefore, we study their default configuration, configuration capabilities, documentation, and filtering behavior. We developed an extendible firewall monitoring tool that enables customers to probe their provider's filtering behavioran information of interest for risk management or further security consideration. Re-assessing filtering behavior, we found that all offered firewalls have evolved over a time period of more than a year: Configuration possibilities have been enhanced, more illegitimate packets are filtered now, and stateful behavior was discovered at a certain provider.

show abstract

Resource-freeing attacks

Cited by 135 publications

References 23 publications

SGX-Aware Container Orchestration for Heterogeneous Clusters

SGX-Aware Container Orchestration for Heterogeneous Clusters

Evolution of Attacks, Threat Models, and Solutions for Virtualized Systems

The role and security of firewalls in cyber-physical cloud computing

Contact Info

Product

Resources

About