基于操作系统多样性的虚拟机安全部署策略

doi:10.11959/j.issn.2096-109x.2017.00201

Abstract

Abstract:

The resource-sharing model for cloud computing raises many security issues,such as co-resident of virtual machines,while greatly improving resource utilization.In particular,when a user adopts a single operating system,an attacker can steal privacy and data by compromising the user's entire virtual machine at a smaller cost.In view of this security threat,a strategy for the security deployment of virtual machine based on operating system diversity was presented.This method firstly recommended an operating system configuration options for users applying for virtual machines with the highest degree in diversity,and then through the secure deployment strategy,maximized the effect of diversity,thus making the attacker pay more cost.The experimental results show that compared with the method of single operating system,this method can reduce the attack efficiency by 33.46% at least.

Key words: virtual machine, co-resident attack, operating system, diversity, cloud security

CLC Number:

TP302

Miao ZHANG,Xin-sheng JI,Jian-jian AI,Wen-yan LIU,Hong-chao HU,Shu-min HUO. Secure deployment strategy of virtual machines based on operating system diversity[J]. Chinese Journal of Network and Information Security, 2017, 3(10): 35-43.

Figures/Tables 5

References 18

[1]	RISTENPART T , TROMER E , SHACHAM H ,et al. Hey,you,get off of my cloud:exploring information leakage in third-party compute clouds[C]// ACM Conference on Computer and Communications Security. 2009.
[2]	APECECHEA G I , INCI M S , EISENBARTH T ,et al. Fine grain cross-VM attacks on Xen and VMware are possible![J]. Ecewp.ece.wpi.edu, 2014
[3]	OSVIK D A , SHAMIR A , TROMER E . Cache attacks and countermeasures:the case of AES[J]. Lecture Notes in Computer Science, 2006,(2005): 1-20.
[4]	YAROM Y , FALKNER K . FLUSH+RELOAD:a high resolution,low noise,L3 cache side-channel attack[C]// Usenix Conference on Security Symposium. 2014: 719-732.
[5]	ZHANG Y , REITER M K . Düppel:retrofitting commodity operating systems to mitigate cache side channels in the cloud[C]// ACM Sigsac Conference on Computer ＆ Communications Security. 2013.
[6]	WANG Z , LEE R B . A novel cache architecture with enhanced performance and security[C]// IEEE/ACM International Symposium on Microarchitecture. 2008.
[7]	MOON S J , SEKAR V , REITER M K . Nomad:mitigating arbitrary cloud side channels via provider-assisted migration[C]// The 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015: 1595-1606.
[8]	AVIZIENIS A , CHEN L . On the implementation of N-version programming for software fault tolerance during program execution[J]. Proc of the Compsac, 1977,6(1): 25-37.
[9]	FORREST S , SOMAYAJI A , ACKLEY D . Building diverse computer systems[C]// The Workshop on Hot Topics in Operating Systems. 1997: 67-72.
[10]	HOFMEYR S A , FORREST S . Architecture for an artificial immune system[J]. Evolutionary Computation, 2000,8(4): 443-473.
[11]	GASHI I , POPOV P , STRIGINI L . Fault tolerance via diversity for off-the-shelf products:a study with SQL database servers[J]. IEEE Transactions on Dependable and Secure Computing, 2007,4(4): 280-294.
[12]	NEWELL A , OBENSHAIN D , TANTILLO T ,et al. Increasing network resiliency by optimally assigning diverse variants to routing nodes[C]// IEEE/IFIP International Conference on Dependable Systems and Networks. 2013.
[13]	GARCIA M , BESSANI A , GASHI I ,et al. Analysis of operating system diversity for intrusion tolerance[J]. Software-practice ＆Experience, 2014,44(6): 735-770.
[14]	BATES A , MOOD B , PLETCHER J ,et al. Detecting co-residency with active traffic analysis techniques[C]// The 2012 ACM Workshop on Cloud Computing Security Workshop. 2012
[15]	ZHANG Y , JUELS A , OPREA A ,et al. HomeAlone:co-residency detection in the cloud via side-channel analysis[C]// IEEE Symposium on Security and Privacy. 2011.
[16]	ZHANG Y , JUELS A , REITER M K ,et al. Cross-VM side channels and their use to extract private keys[C]// ACM Conference on Computer and Communications Security. 2012
[17]	LEINSTER T , COBBOLD C A . Measuring diversity:the importance of species similarity[J]. Ecology, 2012,93(3):477.
[18]	HAN Y , CHAN J , ALPCAN T ,et al. Using virtual machine allocation policies to defend against co-resident attacks in cloud computing[J]. IEEE Transactions on Dependable ＆ Secure Computing, 2017,14(1): 95-108.

Metrics

Recommended 0

No Suggested Reading articles found!

OS	OS共同漏洞
OS	Windows 7	Windows 8	Windows 10	Ubuntu	Fedora	OS X
Windows 7	374	142	219	0	0	0
Windows 8	142	154	55	0	0	0
Windows 10	219	55	316	0	0	0
Ubuntu	0	0	0	583	58	31
Fedora	0	0	0	58	306	2
OS X	0	0	0	31	2	841

实验	操作系统
实验	Windows 7	Windows 8	Windows 10	Ubuntu	Fedora	OS X	多样性度量
1	1	5	4	—	—	—	1.573 1
2	—	—	—	3	3	4	2.653 4
3	4	—	—	—	3	3	2.963 1
4	—	4	—	—	3	3	2.963 1
5	1	3	2	4	—	—	2.546 2
6	3	—	—	2	2	3	3.629 5
7	2	2	—	3	—	3	3.141 5
8	2	2	—	—	3	3	3.217 0

Secure deployment strategy of virtual machines based on operating system diversity

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 18

Related Articles 12

Metrics

Recommended 0

[1]	Genlin XIE, Guozhen CHENG, Yawen WANG, Qingfeng WANG. Software diversity evaluating method based on gadget feature analysis [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 161-173.
[2]	Benwei HE, Yunfei GUO, Yawen WANG, Qingfeng WANG, Hongchao HU. Software diversification method based on binary rewriting [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 94-103.
[3]	Zichi WANG, Guorui FENG, Xinpeng ZHANG. Steganography in NFT images [J]. Chinese Journal of Network and Information Security, 2022, 8(3): 18-28.
[4]	Wei ZENG, Hongchao HU, Lingshu LI, Shumin HUO. Dynamic heterogeneous scheduling method based on Stackelberg game model in container cloud [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 95-104.
[5]	Jinglei TAN, Hongqi ZHANG, Cheng LEI, Xiaohu LIU, Shuo WANG. Research progress on moving target defense for SDN [J]. Chinese Journal of Network and Information Security, 2018, 4(7): 1-12.
[6]	Wei WANG, Xingshu CHEN, Xiao LAN, Xin JIN. VMI-based virtual machine remote attestation scheme [J]. Chinese Journal of Network and Information Security, 2018, 4(12): 32-43.
[7]	Jianbiao ZHANG,Yuanxi ZHU,Jun HU,Xiao WANG. Scheme of virtual machine trusted migration in cloud environment [J]. Chinese Journal of Network and Information Security, 2018, 4(1): 6-14.
[8]	Shuo ZHAO,Xin-sheng JI,Guo-zhen CHENG,Yu-xing MAO. Research on dynamic migration of critical virtual machines for multi-tenancy [J]. Chinese Journal of Network and Information Security, 2017, 3(8): 8-17.
[9]	Jiang-yong SHI,Yue-xiang YANG,Wen-hua LI,Sen WANG. Research on SDN-based cloud security application [J]. Chinese Journal of Network and Information Security, 2017, 3(5): 10-25.
[10]	Peng XU,Hai JIN. Research on the searchable encryption [J]. Chinese Journal of Network and Information Security, 2016, 2(10): 8-16.
[11]	Yu-tao LIU,Hai-bo CHEN. Virtualization security:the good,the bad and the ugly [J]. Chinese Journal of Network and Information Security, 2016, 2(10): 17-28.
[12]	Wei-qi DAI,De-qing ZOU,Hai JIN,Yan XIA. Research on consistency protection mechanism for secure states of virtual domain in cloud environment [J]. Chinese Journal of Network and Information Security, 2016, 2(10): 48-57.