Nomad: Mitigating arbitrary cloud side channels via provider-assisted migration

Publication, Conference
Moon, SJ; Sekar, V; Reiter, MK
Published in: Proceedings of the ACM Conference on Computer and Communications Security
October 12, 2015

Recent studies have shown a range of co-residency side channels that can be used to extract private information from cloud clients. Unfortunately, addressing these side channels often requires detailed attack-specific fixes that demand significant modifications to hardware, client virtual machines (VMs), or hypervisors. Furthermore, these solutions cannot be generalized to future side channels. Barring extreme solutions such as single tenancy, which sacrifices the multiplexing benefits of cloud computing, such side channels will continue to affect critical services. In this work, we present Nomad, a system that offers vector-agnostic defense against known and future side channels. Nomad envisions a provider-assisted VM migration service, applying the moving target defense philosophy to bound the information leakage due to side channels. In designing Nomad, we make four key contributions: (1) a formal model to capture information leakage via side channels in shared cloud deployments; (2) identifying provider-assisted VM migration as a robust defense for arbitrary side channels; (3) a scalable online VM migration heuristic that can handle large datacenter workloads; and (4) a practical implementation in OpenStack. We show that Nomad is scalable to large cloud deployments, achieves near-optimal information leakage subject to constraints on migration overhead, and imposes minimal performance degradation for typical cloud applications such as web services and Hadoop MapReduce.

Duke Scholars

Published In

Proceedings of the ACM Conference on Computer and Communications Security

DOI

10.1145/2810103.2813706
ISSN

1543-7221

Publication Date

October 12, 2015

Volume

2015-October

Start / End Page

1595 / 1606

Citation

APA: Moon, S. J., Sekar, V., & Reiter, M. K. (2015). Nomad: Mitigating arbitrary cloud side channels via provider-assisted migration. In Proceedings of the ACM Conference on Computer and Communications Security (Vol. 2015-October, pp. 1595–1606). https://doi.org/10.1145/2810103.2813706

Chicago: Moon, S. J., V. Sekar, and M. K. Reiter. “Nomad: Mitigating arbitrary cloud side channels via provider-assisted migration.” In Proceedings of the ACM Conference on Computer and Communications Security, 2015-October:1595–1606, 2015. https://doi.org/10.1145/2810103.2813706.

ICMJE: Moon SJ, Sekar V, Reiter MK. Nomad: Mitigating arbitrary cloud side channels via provider-assisted migration. In: Proceedings of the ACM Conference on Computer and Communications Security. 2015. p. 1595–606.

MLA: Moon, S. J., et al. “Nomad: Mitigating arbitrary cloud side channels via provider-assisted migration.” Proceedings of the ACM Conference on Computer and Communications Security, vol. 2015-October, 2015, pp. 1595–606. Scopus, doi:10.1145/2810103.2813706.

NLM: Moon SJ, Sekar V, Reiter MK. Nomad: Mitigating arbitrary cloud side channels via provider-assisted migration. Proceedings of the ACM Conference on Computer and Communications Security. 2015. p. 1595–1606.