TY - GEN
T1 - DoS attacks on your memory in the cloud
AU - Zhang, Tianwei
AU - Zhang, Yinqian
AU - Lee, Ruby B.
N1 - Publisher Copyright:
© 2017 ACM.
PY - 2017/4/2
Y1 - 2017/4/2
N2 - In cloud computing, network Denial of Service (DoS) attacks are well studied and defenses have been implemented, but severe DoS attacks on a victim's working memory by a single hostile VM are not well understood. Memory DoS attacks are Denial of Service (or Degradation of Service) attacks caused by contention for hardware memory resources on a cloud server. Despite the strong memory isolation techniques for virtual machines (VMs) enforced by the software virtualization layer in cloud servers, the underlying hardware memory layers are still shared by the VMs and can be exploited by a clever attacker in a hostile VM co-located on the same server as the victim VM, denying the victim the working memory he needs. We first show quantitatively the severity of contention on different memory resources. We then show that a malicious cloud customer can mount low-cost attacks to cause severe performance degradation for a Hadoop distributed application, and 38× delay in response time for an E-commerce website in the Amazon EC2 cloud. Then, we design an effective, new defense against these memory DoS attacks, using a statistical metric to detect their existence and execution throttling to mitigate the attack damage. We achieve this by a novel re-purposing of existing hardware performance counters and duty cycle modulation for security, rather than for improving performance or power consumption. We implement a full prototype on the OpenStack cloud system. Our evaluations show that this defense system can effectively defeat memory DoS attacks with negligible performance overhead.
AB - In cloud computing, network Denial of Service (DoS) attacks are well studied and defenses have been implemented, but severe DoS attacks on a victim's working memory by a single hostile VM are not well understood. Memory DoS attacks are Denial of Service (or Degradation of Service) attacks caused by contention for hardware memory resources on a cloud server. Despite the strong memory isolation techniques for virtual machines (VMs) enforced by the software virtualization layer in cloud servers, the underlying hardware memory layers are still shared by the VMs and can be exploited by a clever attacker in a hostile VM co-located on the same server as the victim VM, denying the victim the working memory he needs. We first show quantitatively the severity of contention on different memory resources. We then show that a malicious cloud customer can mount low-cost attacks to cause severe performance degradation for a Hadoop distributed application, and 38× delay in response time for an E-commerce website in the Amazon EC2 cloud. Then, we design an effective, new defense against these memory DoS attacks, using a statistical metric to detect their existence and execution throttling to mitigate the attack damage. We achieve this by a novel re-purposing of existing hardware performance counters and duty cycle modulation for security, rather than for improving performance or power consumption. We implement a full prototype on the OpenStack cloud system. Our evaluations show that this defense system can effectively defeat memory DoS attacks with negligible performance overhead.
UR - http://www.scopus.com/inward/record.url?scp=85022023445&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85022023445&partnerID=8YFLogxK
U2 - 10.1145/3052973.3052978
DO - 10.1145/3052973.3052978
M3 - Conference contribution
AN - SCOPUS:85022023445
T3 - ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security
SP - 253
EP - 265
BT - ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security
PB - Association for Computing Machinery, Inc
T2 - 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017
Y2 - 2 April 2017 through 6 April 2017
ER -