New hypervisor (Xen) scheduler, Shuffling schedulers, to mitigate cross-VM side channel attacks in the cloud.

njuliuli/side_channel_defense

Abstract

Cloud computing relies on resource sharing to achieve high resource utilization and economies of scale. Meanwhile, contention on shared resources opens the door for co-located VMs to affect each other negatively, and even introduces vulnerabilities such as information leakage: via CPU-cache-based side channel attacks, an attacking virtual machine (VM) can extract cryptographic keys from a targeted VM.

To cost-effectively secure the cloud against these threats without sacrificing resource sharing, our paper (http://www.cs.gmu.edu/~sqchen/open-access/new-xen-scheduler-report.pdf) first investigates the factors that determine whether such attacks succeed. The investigation reveals that the root cause is the constant sharing pattern of hardware resources between VMs: a conventional scheduler keeps pairing the same vCPUs on the same cores, so an attacker shares a cache with its victim for long, predictable stretches of time. Based on this finding, we quantify the negative impact one VM can have on another VM on the same machine as a vulnerable probability, and propose lightweight, generic scheduler-based defenses called Shuffler schedulers, which bound the vulnerable probability of any VM. Our analysis and experimental results show that Shuffler schedulers reduce information leakage enough to mitigate cross-VM attacks, with little performance penalty and while preserving high resource utilization.

Scheduler Summary

Credit Scheduler

The default Xen Credit scheduler is described at https://wiki.xen.org/wiki/Credit_Scheduler.

./image/credit.png

The figure above demonstrates how vCPUs are queued and selected. In short,

  1. A local runq is maintained for each core.
  2. Runq selection: the local runq of the current core.
  3. vCPU selection: the vCPU at the head of that runq.

Local Shuffler (LS) Scheduler

./image/ls.png

The figure above demonstrates how vCPUs are queued and selected. In short,

  1. A local runq is maintained for each core.
  2. Runq selection: a randomly chosen core's runq.
  3. vCPU selection: a random vCPU from that runq.

Global Shuffler (GS) Scheduler

./image/gs.png

The figure above demonstrates how vCPUs are queued and selected. In short,

  1. A single global runq is shared by all cores.
  2. Runq selection: the global runq.
  3. vCPU selection: a random vCPU from the global runq.

Changes in Vulnerability to Cross-VM Side Channel Attacks

./image/credit_trace.png

Scheduling trace generated by the Credit scheduler. Among all potential victim/attacker VM pairs, VM-2 is always exposed to attack from VM-1.

./image/shuffler_trace.png

Scheduling trace generated by a Shuffler scheduler. Among all potential victim/attacker VM pairs, VM-2 is now exposed to attacks from VM-1, VM-3 and VM-4, but to each of them for much less time than it was exposed to VM-1 in the previous trace.

Code Summary

The directory “/xen” contains the source code of xen-4.6.0, cloned with “git clone -b RELEASE-4.6.0 git://xenbits.xen.org/xen.git”.

The file /xen/xen/common/sched_credit.c is modified to extend the Credit scheduler with the Shuffler defenses against side channel attacks. The different versions of the Shuffler schedulers can be selected by changing the value of “choose” in this file, in the function “csched_schedule”. A summary of how each scheduler behaves is given in lines 2101-2113 of this file:

// Li
// Option to switch between different versions of the improved scheduler;
// the versions differ mainly in how a vCPU is picked up and returned.
// A: which runq to pick the next vCPU from (local/random/global)
// B: in which order to pick the next vCPU from the given runq (ordered/random)
// C: which runq to return the current vCPU to (local/global)
// The combinations selected by each value of choose are:
//  choose=1: A-random, B-order, C-local
//        =2: A-local, B-random, C-local
//        =3: A-random, B-random, C-local
//        =4: A-global, B-order, C-global
//        =5: A-global, B-random, C-global
// LS in the paper uses choose=3, GS uses choose=5
int choose           = 5;

After setting the value of “choose”, Xen can be built and installed as normal; a good guide to compiling Xen from source is https://wiki.xenproject.org/wiki/Compiling_Xen_From_Source. Note that “choose” is a plain global in the hypervisor source rather than a boot parameter, so switching between scheduler variants means rebuilding and rebooting into the new hypervisor.
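As an added example that is not code from this repository or from the paper, the following C program models the five “choose” variants above plus the unmodified Credit behaviour (choose=0, added here) on two cores with one vCPU per VM, and measures for a victim VM how often one of its time slices on a core immediately follows a slice of a given attacker on the same core. That exposure fraction is this example's own stand-in for the paper's vulnerable probability, on the assumption that an attacker whose vCPU ran on a core just before the victim's gets to prime and probe the core-private caches; the initial placement of VM-1/VM-2 on core 0 and VM-3/VM-4 on core 1, the seeded PRNG and the empty-runq fallback are likewise assumptions of the example and not behaviour of sched_credit.c.

```c
/* Added example, not code from the repository or the paper: a tick-level model
 * of the policies in the "choose" table (choose=0 added here for stock Credit),
 * measuring how often a victim vCPU runs on a core right after an attacker did.
 * Initial placement, the PRNG, the empty-runq fallback and the exposure metric
 * are assumptions of this example, not behaviour of sched_credit.c. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define NCORES 2
#define NVCPUS 4          /* one vCPU per VM: VM-1..VM-4 are ids 0..3 */
#define IDLE  (-1)

enum pick  { LOCAL, RANDOM, GLOBAL };   /* A: which runq to pick from */
enum order { HEAD, RND };               /* B: which vCPU in that runq */
enum ret   { RET_LOCAL, RET_GLOBAL };   /* C: where the current vCPU goes back */
struct policy { enum pick a; enum order b; enum ret c; };

static const struct policy policies[6] = {
    {LOCAL,  HEAD, RET_LOCAL},  /* 0: unmodified Credit */
    {RANDOM, HEAD, RET_LOCAL},  /* 1 */
    {LOCAL,  RND,  RET_LOCAL},  /* 2 */
    {RANDOM, RND,  RET_LOCAL},  /* 3: LS */
    {GLOBAL, HEAD, RET_GLOBAL}, /* 4 */
    {GLOBAL, RND,  RET_GLOBAL}, /* 5: GS */
};

struct runq { int v[NVCPUS]; int n; };

static uint32_t rng_state;
static uint32_t xorshift32(void) {      /* seeded PRNG so runs are reproducible */
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}
static void push(struct runq *q, int v) { q->v[q->n++] = v; }
static int take(struct runq *q, int i) {  /* remove entry i, preserving order */
    int v = q->v[i];
    memmove(&q->v[i], &q->v[i + 1], (size_t)(q->n - i - 1) * sizeof q->v[0]);
    q->n--;
    return v;
}

/* Simulate `ticks` rounds under policy `choose`; return the fraction of the
 * victim's time slices that were immediately preceded on the same core by a
 * slice of the attacker (this example's stand-in for vulnerable probability). */
double exposure(int choose, int victim, int attacker, int ticks, uint32_t seed)
{
    struct policy p = policies[choose];
    struct runq local[NCORES], global;
    int running[NCORES], prev[NCORES];
    long victim_slices = 0, attacked_slices = 0;

    rng_state = seed ? seed : 1;
    memset(local, 0, sizeof local);
    global.n = 0;
    for (int c = 0; c < NCORES; c++) running[c] = prev[c] = IDLE;
    /* Assumed initial placement: VM-1,VM-2 queued on core 0 and VM-3,VM-4 on
     * core 1 for the local-runq variants; everything in the global runq for GS. */
    for (int v = 0; v < NVCPUS; v++)
        push(p.c == RET_GLOBAL ? &global : &local[v * NCORES / NVCPUS], v);

    for (int t = 0; t < ticks; t++) {
        for (int c = 0; c < NCORES; c++) {          /* C: return current vCPUs */
            prev[c] = running[c];
            if (running[c] != IDLE)
                push(p.c == RET_GLOBAL ? &global : &local[c], running[c]);
            running[c] = IDLE;
        }
        for (int c = 0; c < NCORES; c++) {          /* A then B: pick next vCPU */
            struct runq *q = p.a == GLOBAL ? &global
                           : p.a == RANDOM ? &local[xorshift32() % NCORES]
                           : &local[c];
            for (int k = 0; q->n == 0 && k < NCORES; k++)
                q = &local[k];                      /* chosen runq empty: fall back */
            if (q->n == 0) continue;                /* nothing runnable: stay idle */
            int idx = p.b == RND ? (int)(xorshift32() % (uint32_t)q->n) : 0;
            running[c] = take(q, idx);
            if (t > 0 && running[c] == victim) {
                victim_slices++;
                if (prev[c] == attacker) attacked_slices++;
            }
        }
    }
    return victim_slices ? (double)attacked_slices / (double)victim_slices : 0.0;
}

int main(void)
{
    static const char *name[6] = {"Credit", "choose=1", "choose=2",
                                  "LS (choose=3)", "choose=4", "GS (choose=5)"};
    puts("victim VM-2: fraction of its slices preceded on the same core by each attacker");
    for (int ch = 0; ch < 6; ch++) {
        printf("%-14s", name[ch]);
        for (int a = 0; a < NVCPUS; a++)
            if (a != 1) printf("  VM-%d: %.2f", a + 1, exposure(ch, 1, a, 20000, 12345));
        putchar('\n');
    }
    return 0;
}
```

Compile with cc -std=c99 and run. In the Credit row VM-2 is preceded by VM-1 in every one of its slices and never by VM-3 or VM-4, reproducing the fixed pattern of the first trace above; under LS and GS the exposure is spread over all three other VMs at roughly a quarter each, matching the second trace. The intermediate rows show why both randomisations matter in this model: choose=2 (random order, local runq) halves VM-2's exposure to VM-1 but never exposes it to VM-3 or VM-4, because no vCPU ever leaves its core, and choose=4 (global runq, ordered pick) still settles into a fixed pairing, because picking from the head of a FIFO is deterministic.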
