DOI: 10.1145/3052973.3052978
Research article (Public Access)

DoS Attacks on Your Memory in Cloud

Published: 02 April 2017

ABSTRACT

In cloud computing, network Denial of Service (DoS) attacks are well studied and defenses have been implemented, but severe DoS attacks on a victim's working memory by a single hostile VM are not well understood. Memory DoS attacks are Denial of Service (or Degradation of Service) attacks caused by contention for hardware memory resources on a cloud server. Despite the strong memory isolation techniques for virtual machines (VMs) enforced by the software virtualization layer in cloud servers, the underlying hardware memory layers are still shared by the VMs and can be exploited by a clever attacker in a hostile VM co-located on the same server as the victim VM, denying the victim the working memory he needs. We first show quantitatively the severity of contention on different memory resources. We then show that a malicious cloud customer can mount low-cost attacks to cause severe performance degradation for a Hadoop distributed application, and 38X delay in response time for an E-commerce website in the Amazon EC2 cloud. Then, we design an effective, new defense against these memory DoS attacks, using a statistical metric to detect their existence and execution throttling to mitigate the attack damage. We achieve this by a novel re-purposing of existing hardware performance counters and duty cycle modulation for security, rather than for improving performance or power consumption. We implement a full prototype on the OpenStack cloud system. Our evaluations show that this defense system can effectively defeat memory DoS attacks with negligible performance overhead.


Published in

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017, 952 pages
ISBN: 9781450349444
DOI: 10.1145/3052973
Copyright © 2017 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article

Acceptance rates: ASIA CCS '17 paper acceptance rate 67 of 359 submissions (19%); overall acceptance rate 418 of 2,322 submissions (18%).
