TY - GEN
T1 - A comprehensive study of co-residence threat in multi-tenant public PaaS clouds
AU - Zhang, Weijuan
AU - Jia, Xiaoqi
AU - Wang, Chang
AU - Zhang, Shengzhi
AU - Huang, Qingjia
AU - Wang, Mingsheng
AU - Liu, Peng
N1 - Publisher Copyright: © Springer International Publishing AG 2016.
PY - 2016
Y1 - 2016
AB - Public Platform-as-a-Service (PaaS) clouds are always multi-tenant. Applications from different tenants may reside on the same physical machine, which introduces the risk of sharing physical resources with a potentially malicious application. This gives the malicious application the chance to extract secret information of other tenants via side channels. Though large numbers of researchers focus on information extraction, there are few studies on the co-residence threat in public clouds, especially PaaS clouds. In this paper, we study in detail the co-residence threat of public PaaS clouds. First, we investigate the characteristics of different PaaS clouds and implement a memory-bus-based covert-channel detection method that works for various PaaS cloud platforms. Second, we study three popular PaaS clouds, Amazon Elastic Beanstalk, IBM Bluemix and OpenShift, to identify the co-residence threat in their placement policies. We evaluate several placement variables (e.g., application type, number of instances, time launched, data center region, etc.) to study their influence on achieving co-residence. The results show that all three PaaS clouds are vulnerable to the co-residence threat and that the application type plays an important role in achieving co-residence on container-based PaaS clouds. Finally, we present an efficient launch strategy to achieve co-residence with the victim on public PaaS clouds.
UR - http://www.scopus.com/inward/record.url?scp=85006007435&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85006007435&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-50011-9_28
DO - 10.1007/978-3-319-50011-9_28
M3 - Conference contribution
AN - SCOPUS:85006007435
SN - 9783319500102
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 361
EP - 375
BT - Information and Communications Security - 18th International Conference, ICICS 2016, Proceedings
A2 - Lam, Kwok-Yan
A2 - Qing, Sihan
A2 - Chi, Chi-Hung
PB - Springer Verlag
T2 - 18th International Conference on Information and Communications Security, ICICS 2016
Y2 - 29 November 2016 through 2 December 2016
ER -