research article a security-awareness virtual machine...

Research ArticleA Security-Awareness Virtual Machine Management SchemeBased on Chinese Wall Policy in Cloud Computing

Si Yu12 Xiaolin Gui12 Jiancai Lin12 Feng Tian12 Jianqiang Zhao123 and Min Dai12

1 School of Electronics and Information Engineering Xirsquoan Jiaotong University Xirsquoan 710049 China2 Shaanxi Province Key Laboratory of Computer Network Xirsquoan Jiaotong University Xirsquoan 710049 China3 Xirsquoan Politics Institute Xirsquoan 710049 China

Correspondence should be addressed to Xiaolin Gui xlguimailxjtueducn

Received 17 August 2013 Accepted 26 November 2013 Published 5 February 2014

Academic Editors A Rosa and A Tsymbal

Copyright copy 2014 Si Yu et al This is an open access article distributed under the Creative Commons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Cloud computing gets increasing attention for its capacity to leverage developers from infrastructure management tasks Howeverrecent works reveal that side channel attacks can lead to privacy leakage in the cloud Enhancing isolation between users is aneffective solution to eliminate the attack In this paper to eliminate side channel attacks we investigate the isolation enhancementscheme from the aspect of virtual machine (VM) management The security-awareness VMs management scheme (SVMS) a VMsisolation enhancement scheme to defend against side channel attacks is proposed First we use the aggressive conflict of interestrelation (ACIR) and aggressive in ally with relation (AIAR) to describe user constraint relations Second based on the Chinesewall policy we put forward four isolation rules Third the VMs placement and migration algorithms are designed to enforce VMsisolation between the conflict users Finally based on the normal distribution we conduct a series of experiments to evaluate SVMSThe experimental results show that SVMS is efficient in guaranteeing isolation between VMs owned by conflict users while theresource utilization rate decreases but not by much

1 Introduction

With the promotion and development of cloud comput-ing virtualization technology gets increasing attention byacademia and industry There is a broad consensus that vir-tualization technology improves the security and reliabilityof cloud computing This is mainly because of the seeminglystrong isolation which prevents the guest VMs located inthe same host from interfering with each other Howeversuch logical isolation may not be sufficient [1] Using theside channel attacks (SCA) which is firstly introduced byKocher [2] malicious users can circumvent the isolationmechanism and extract private information from otherusers by analyzing responses of third party shared resources[3ndash5]

According to whether the attacker and victim residein the same host we can divide SCA into interhost SCAand intrahost SCA In the scenario of intrahost SCA the

attacker resides in the samehostwith victimUsing the sharedresource in the host such as data cache and instruction cacheattackers can steal the private information from the victimVMs [6ndash8] In the scenario of interhost SCA attacker andvictim are not coresident This kind of SCA is always imple-mented based on the network traffic withwhich attackers cansteal private information from the VMs located in differenthosts [9 10] In this paper we focus on the intrahost SCAIn the following SCA refers in particular to the intrahostSCA

To eliminate SCA a variety of approaches to enhanceisolation have been proposed in the cloud We categorizethem into two types which are the approaches focused onisolating the running of VMs (see eg [11ndash14]) and theapproaches focused on isolating the shared resources (seeeg [15ndash17])The first type of approach achieves the isolationby preventing the conflict VMs from running simultaneouslyThe second type of approach prohibits the sharing of shared

Hindawi Publishing Corporatione Scientific World JournalVolume 2014 Article ID 805923 12 pageshttpdxdoiorg1011552014805923

2 The Scientific World Journal

resources These approaches do represent major progresswhile to the best of our knowledge they are still limited inseveral aspects

(i) By using the first type of approach the schedule oflegitimate VMs may be affected which may lead toVMs running failure For example oil-A and oil-B are two coresident VMs and they are in conflictwith each other So in the system with such accesscontrolmechanism before the shutdown of oil-A oil-B cannot be granted to start up If the oil-A is long-time running oil-B cannot be scheduled in a longtime

(ii) When using the second type of approach the moni-toring system and mediation mechanism are neededwhich should probe all resource requests made byeachVM andmake decisions onwhether to authorizethe requests quickly [12] So the software systemis very sophisticated For example in a SELinuxstrict policy there are about 30 000 policy statementsOn the other hand a prohibitively large number ofoperating system hooks (in the order of hundreds)are needed which makes the MAC policies for thesesystems depend on details of the particular systemand the enforcement across a distributed systemdifficult

In this paper we investigate the isolation issue from theperspective of VMs management including VMs placementand VMs migration The security-awareness VMs manage-ment scheme (SVMS) based on Chinese wall policy is pro-posed Compared with existing isolation enhancing schemesthe main contributions of this work are listed as follows

(i) We calculate the aggressive conflict of interest relation(ACIR) for the users according to the VMs traces Onthe other hand by introducing the aggressive in allywith relation (AIAR) we can restrain the placementbehavior for the new users who do not have VMstraces

(ii) Based on the Chinese wall policy we put forward theisolation rules In these rules we define whether toauthorize the request of placing VMs to host Andwe prove that these rules meet the simple-securityproperty and lowast-security property

(iii) According to the isolation rules we design theVMs placement and migration solution calculationalgorithm which places and migrates the VMs tothe proper hosts to guarantee the isolation betweenconflict users

(iv) We conduct a series of simulated experiments toevaluate the efficacy of SVMS In the experimentswe use the normal distribution to simulate the usersrsquobehavior including theVMs traces andVMs requestsand introduce the index of isolation degree andresource utilization rate

The remainder of this paper is organized as followsSection 2 reviews the related work Section 3 demonstrates

the brief introduction to SCA in the cloud and Chinese wallsecurity In Section 4 we present the overview design ofSVMS The implementation details of SVMS are presentedin Section 5 In Section 6 we illustrate our experimentsand analyze the experimental results Section 7 provides theconclusions

2 Related Work

21 Studies on Enhancing Isolation Studies on enhancingisolation in the virtualized computing environment can becategorized into two types the access control approaches andthe resource isolation approaches

Access Control Approaches Sailer et al [11] presented thesHype hypervisor security architecture which enforced isola-tion at the granularity of a virtual machineMcCune et al [12]introduced a Shamon approach for MAC enforcement acrossdistributed systems that completeMAC referencemonitoringfrom two software layers Jaeger et al [13] evaluated theability of four policy models to express risk flow policiesand examined how such policies would be enforced in VMsystems to assess the possible risk of information leakagedue to a combination of overt channels and covert channelsCheng et al [14] proposed the prioritized Chinese wall modelto reduce the risk of covert flows in VM system and enforcedthe policy in sHypeXen system The above works focus onprohibiting the simultaneous running of conflict VMs byspecific access control policies

Resource Isolation Approaches Raj et al [15] proposed tworesource management approaches to provide security iso-lation in the shared cloud infrastructure which are cachehierarchy aware core assignment and page coloring basedcache partitioning Yasusi et al [16] proposed two methodsto achieve resource isolation among virtual networks whichwas per-slice shaping and per-link policing Jin et al [17]proposed a cache partitioningmechanism in the cloud whichconfined the L2 cache usage of each VM running on thesame host by modifying the page allocation algorithm in theVMM The above works focus on prohibiting the sharing ofshared resource to provide strong isolation in the virtualizedcomputing environment

22 Studies on VM Placement Speitkamp and Bichler [18]presented decision models to optimally allocate sourceservers to physical target servers and a heuristic to addresslarge-scale server consolidation projects Wang et al [19]formulated the VM consolidation into a stochastic binpacking program and proposed an online packing algorithmKim et al [20] placed virtual machines with matching algo-rithm into servers based on measured traffic distribution ofVMs which could reduce oversubscription and increase linkutilization Breitgand and Epstein [21] improved the perfor-mance of work in [19] which abstracted oversubscriptionfactors as overflow probability Fang et al [22] presentedan approach named VMPlanner to optimize both virtualmachine placement and traffic flow routing so as to turn off

The Scientific World Journal 3

Server cluster

Accessing matrix

Host

VM VM

VMM

User behavior analyzing

Constraint relations

ACIR (with traces)

AIAR (no traces)

VMs running traces

Isolation rules

VMs placement determining

Users interface

Requirements

VMsplacementsolution

Agent

Users

Host

Host

Host

Host

Host

VMsmigrationsolution

middot middot middot

Figure 1 Overview of the architecture design for SVMS

as many unneeded network elements as possible for powersaving

In the field of VMs placement there are lots of outstand-ing achievements andwe only list some significant ones Andwe can discover that the existing works focus on optimizingallocation of resources Although they are different from ourwork they provide us with a good reference And this paperrepresents a significant extension to our prior work [23]

3 Background SCA and the ChineseWall Policy

In this section we briefly introduce (1) SCA in the cloud and(2) the Chinese wall policy

31 SCA in the Cloud In the cloud to maximize efficiencymultiple VMs owned by different users may be simultane-ously assigned to execute on the same physical host So it ispossible for the attackers to use SCA to penetrate the isolationbetween coresident VMs and extract private information

According to the Trusted Computer Security EvaluationCriteria (TCSEC) a side channel attack is any attack basedon information gained from the physical environment asopposed to brute force or theoretical weaknesses [24] Forexample timing information power consumption or elec-tromagnetic leaks can bring extra information Commonlyin the cloud SCA consists of two major steps placementand extraction [4] In the first step the attackers shouldtry to locate their VMs in the same host with the VMsof victim According to [4] the attackers can achieve thiswith considerable possibility in the Amazon EC2 In thesecond step the attackers first probe the usage of sharedresourceThen based on the relationship between the sharedresource usage and private information the attackers designthe leakagemodel to extract the private information from theprobed usage samples

In the cloud researchers have investigated how to useSCA to steal information from other users For exampleZhang et al [5] used the L2 cache based side channelanalysis as a defensive detection tool to exploit the maliciouscoresident VM Zhang et al [25] used the L1 instructioncache as side channel to extract the decryption key fromthe coresidency VM Okamura and Oyama [6] developedCCCV which created a side channel and communicated datasecretly using CPU loads between the Xen VMs Xu et al [7]quantified the L2 cache cross-VM side channel with the bitrates and assessed their ability to do harm

32 Chinese Wall Policy Chinese wall policy is firstly pro-posed by Brewer and Nash [26] which is also called BN Chi-nese wall policy It has a three hierarchy architecture includ-ing lowest level intermediate level and highest level Thelowest level consists of individual objects The intermediatelevel consists of the company datasets which contain objectsrelated to a single company The highest level consists ofconflict of interests which contains the datasets of companiesin competition

According to the definition of Brewer and Nash Chinesewall policy has the following two properties [26]

(i) Simple-security property An object O can be read ifthe subject has accessed a prior object O1015840 belongingto the same dataset or the objects conflict of interestset is new

(ii) lowast-security property Simple-security property shouldbe fulfilled for the target O and the writer has onlyread data from the company dataset of O

Since the Chinese wall policy takes advantage of themandatory enforcement and independent choice of users ithas been applied in many fields For example various accesscontrol models are proposed based on Chinese wall policywhich can be implemented in the cloud effectively [27 28]


Furthermore Chinese wall policy is also applied in the fieldof delegation [29]

In this paper we focus on the variety of BN Chinesewall policy the aggressive Chinese wall policy which wasproposed by Lin [30] Andwewill use the notations presentedin [30] such as ACIR and AIAR to illustrate the constraintrelations for users

4 Design of SVMS

In this section we provide a high-level overview of thearchitecture for SVMS As shown in Figure 1 SVMS consistsof three major components which are behavior samplingconstraint relations analyzing and placement determining

(1) Behavior sampling In each host we deploy the agentto record the behavior of VMs thus obtaining theVMs traces

(2) Constraint relations analyzing In this component weanalyze the constraint relations For the users whohave VMs traces we calculate the ACIR For thenew users who do not have VMs traces we calculatethe AIAR Then combining the isolation rules andconstraint relations we can get the access matrixwhich records the maps between VMs and hostsand provides feedback for the dynamical update forconstraint relations

(3) Placement determining According to the constraintrelations and accessmatrix this component calculatesthe VMs placement solutions On the other handwhen the ACIR of users changes this component alsoprovides the VMs migration solutions to guaranteethe isolation between conflict users

5 Implementation of SVMS

In this section we describe the implementation details ofSVMS First we present the ACIR computation processSecond based on the Chinese wall policy we put forwardthe isolation rules Third we propose the VMs placementsolution and migration calculated algorithm

51 Computing the ACIR In the BN Chinese wall policyconflict of interest (CIR) is an equivalence relation Howeverin the scenario of this paper CIR is a binary relation whichis reflexive symmetric and not transitive For example oil-A oil-B and bank-C are three VMs where oil-A and oil-Bare prohibited to reside in the same host oil-B and bank-Care also prohibited to reside in the same host However wecannot deduce that oil-A and bank-C are prohibited in thesame host So based on the work of Lin [30] we use the ACIRto describe the CIR for users

Definition 1 Aggressive Conflict of Interest Relation (ACIR)If user ui is aggressive conflict with user uj denoted as uiACIR uj then the VMs owned by ui are prohibited to residein the same host with the VMs owned by uj and ACIR(ui) iscalled as the ACIR set for ui

Table 1 Example of information

ID User Time domain Supportid119894

119906119895

td119896

120590119897

According to the previous analysis we compute the ACIRfor users according to the VMs traces To formulate the VMstraces we define a specific time period as a placement cycleAnd the placement cycle is divided into several time domainswith the same time spanThenwe define the number of activeVMs in different time domains as VMs traces for differentusers

Based on the work of Pawlak [29] we put forward thefollowing steps to compute ACIR sets according to the VMstraces

Step 1 Forming the information table (IT) IT contains threemajor attributes user (uj) time domain (119905119889k) andVMs tracesvalue (120590l equals to the support factor defined in [29]) asshown in Table 1

Step 2 Computing the strength factor and certainty factor foreach record in IT For the record id

119894 119906119895 td119896 120590119897 the strength

factor and certainty factor are defined in (1) Consider

strength119894=

120590119897

120590 (IT)

certainty119894= strength

119894lowast

120590 (IT)120590 (119906119895)

(1)

where120590(IT) refers to the summary of support factor for all therecords in IT 120590(119906

119895) refers to the summary of support factor

for user 119906119895in IT

Step 3 Computing the active time domains For each recordin IT if the certainty factor is larger than the threshold (eg02) we consider that the user is active in this time domainThe denotation ldquouj rarr tdkrdquo is used to represent that user uj isactive in time domain tdk So for any user uj the active timedomain is T

119895= td119896| 119906119895rarr td119896

Step 4 Forming the similarity matrix S119904119894119895 where 119904

119894119895refers

to the similarity between ui and uj Consider

119904119894119895=

0 119894 = 119895 or 10038161003816100381610038161003816T119895

10038161003816100381610038161003816= 0

10038161003816100381610038161003816T119894cap T119895

1003816100381610038161003816100381610038161003816100381610038161003816T119895

10038161003816100381610038161003816

otherwise(2)

where |T119895| refers to the cardinality of T

119895

Step 5 Obtaining the ACIR sets If sij is larger than 0 then uiACIR uj which means uj isin ACIR(ui) Finally we can get theACIR sets for the users who have VMs traces

52 The Isolation Rules and AIAR For the users who havethe VMs traces using the previous steps we can easily obtaintheir ACIR sets However for the new users who do not have


VMs traces we cannot compute the ACIR sets for them byusing these steps To solve this problem we introduce theAIAR For the new users their VMs could only be placed tothe hosts which are occupied by the users in their AIAR setsIn this section we first define AIAR Then we propose theisolation rules

Definition 2 Aggressive In Ally with Relation (AIAR) If userui is aggressive in ally with uj denoted as ui AIAR uj thenthe VMs owned by ui are permitted to reside in the same hostwith the VMs owned by uj and AIAR(ui) is called the AIARset for ui

AIAR is an equivalence relation which is reflexive sym-metric and transitive And we will present how to computeAIAR in the isolation rules Consider

119886119894119895=

minus1 against0 neutral1 favorable

(3)

In this paper we define the access matrix Aaij as a two-dimensional matrix A H times U rarr minus1 0 1 The notationsldquo1rdquo ldquo0rdquo and ldquominus1rdquo mean that the VM is favorable neutral andagainst to be placed to the host respectively as shown in (3)If the VM placement request to hi from uj(119877(119894 119895)) is rejectedthen the entry aij is assigned to ldquominus1rdquo if 119877(119894 119895) is granted thenaij is assigned to ldquo1rdquo and if 119877(119894 119895) is not determined than aijis assigned to ldquo0rdquo

Based on the access matrix we put forward the isolationrules

Rule 1 Initially for all i and j aij = 0Initially each requestR(i j) is neutral In other words any

VMs are neutral to be placed to any hosts initially

Rule 2 aij = 0 rArr 119877(119894 119895) is granted and 119886119894119895= 1 and forall119897 = 119895 ul isin

AIAR(uj) ail = 1 and forall119897 = 119895 ul isin ACIR(uj) ail = minus1 and updateAIAR(uj) according to Rule 5

In this rule we define the placement behavior when ujis neutral to place VMs to hi When the access permissionis neutral we authorize that user uj can place VMs to thehost Moreover the users in AIAR(uj) are also authorized toplace VMs to the host However the users inACIR(uj) are notallowed to place VMs to the host

This rule applies especially for new users whose ACIRand AIAR are empty initially In this scenario the first accessrequest sent by new users is always granted Then the AIARis initialed with which the behavior of new users is restrainedin the placement cycle

Rule 3 aij = 1 rArr 119877(119894 119895) is granted andforall119897 = 119895 119906119897isin ACIR(uj)

ail = minus1 and forall119897 = j ul isin AIAR(uj) ail = 1 and update AIAR(uj)according to Rule 5

The placement behavior when uj are favorable to place hisVMs to hi is defined in this rule If uj is granted to access hi orhas accessed hi we authorize this request and grant the users

in AIAR(uj) to access hi However the users in ACIR(uj) arerejected to access this host

Rule 4 119886119894119895= minus1 rArr 119877(119894 119895) is denied

If uj is against to access hi we denied his requests to placeVMs to hi

Rule 5 R(i j) is granted and AICR(uj) ==NULLrArr foralll = j ail =1 AIAR(uj) = 119897 cup AIAR(ul) cup AIAR(uj)

In this rule we update AIAR for new users dynamicallyIf uj is authorized to access hi then AIAR(uj) should beexpanded by adding two kinds of users including (1) the userul who is granted to access hi and (2) the users in AIAR(ul)

We put forward the above five rules based on Chinesewall policy According to our scenario we use the accesspermission to substitute for read and write permission If theobject has the access permission then he has the read andwrite permission And we can prove that the rules meet thesimple-security property and lowast-security property which willbe detailed in the appendix

53 The VMs Placement and Migration Solutions In thissection based on the constraint relations and isolationrules we propose the VMs placement solution calculatedalgorithm to get the placement solutions And we proposethe VMs migration solution calculated algorithm to obtainthe migration solutions when changing the ACIR of users

531The VMs Placement Solution Calculated Algorithm Thebasic idea of this algorithm is as follows First accordingto user type (new user or not) and the isolation rules weobtain the candidate hosts which the user can access Thenwe determine whether the available space of candidate hostsis able to meet the needs of user If the available space is notenough we add new hosts to the candidate hosts Finally weplace the VMs to the candidate hosts and update the accessmatrix and constraint relations (AIAR for new users)

The detailed processes of this algorithm are shown inAlgorithm 1

Regarding the input parameters for this algorithm idrefers to the user identity ur refers to the counts of requestedVMs 119860 refers to the access matrix with m rows and ncolumns acir refers to the ACIR set for all the users in thesystem Finally we output the updated access matrix

In this algorithm we introduce the following functionsupdate() adds a new column to the access matrix when usernew is joined in firstFitHost() is designed for the new userwhich gets the first available host and returns the identityof this host getAiar() initials the AIAR set for new usergetCandHost() returns the available hosts which the user hasthe access permission to according to his constraint relationsThere are two callingmode for getCandHost()Thefirstmodeis designed for the new user which should input the AIAR setand access matrix The second mode is designed for the userwho has VMs traces which should input id ACIR set andaccess matrix addNewHosts() is used to add new hosts to thecandidate hosts when the space cannot meet the user requestgetSolution() deploys the VMs to the candidate hosts


input id ur 119860 aciroutput 119860

(1) IF(aiar==NULL)(2) 119860[119898 119899 + 1] = update(119860[119898 119899])(3) 119886 (lowast 119899 + 1) = 0(4) ℎ

119909= firstFitHost(id 119860)

(5) aiar = getAiar(id ℎ119909)

(6) cHosts = getCandHosts(aiar 119860)(7) ELSE(8) IF(newUser (id))(9) cHosts = getCandHosts(aiar 119860)(10) ELSE(11) cHosts = getCandHosts(id acir 119860)(12) ENDIF(13) ENDIF(14) IF(cHostssize lt ur)(15) addNewHosts(cHosts (ur-cHostssize)ℎ119900119904119905119878119894119911119890 + 1)(16) ENDIF(17) placeSolution = getSolution(id ur cHosts)(18) update(119860 aiar)

Algorithm 1 VMs placement solution calculated algorithm

input 119860 aciroutput 119860

(1) FOR(ℎ[]119860[][])(2) FOR(119906ℎ[])(3) coVMs[]= getCoVMs(119906)(4) acirU[]= acir(119906)(5) confVMs[]= sameElem(cVMs confU)(6) IF(confVMs = NULL)(7) 119899119880 = hsdotnum(119906)(8) nConf = hsdotnum(confVMs)(9) IF(119899119880 gt nConfsum())(10) cHosts = getCandHosts(119906 acir 119860)(11) getSolution(119906 119899119880 cHosts)(12) update(119860)(13) ELSE(14) FOR(119899119888 nConfuser)(15) cHosts = getCandHosts(119899119888 acir 119860)(16) getSolution(119899119888 nConfnum(119899119888) cHosts)(17) update(119860)(18) ENDFOR(19) ENDIF(20) ENDIF(21) ENFFOR(22) ENDFOR

Algorithm 2 VMs migration solution calculated algorithm

532 The VMs Migration Solution Calculated Algorithm Inthe scenario ofmultiplacement cycles ACIR changeswith thechange of VMs traces So the VMs owned by conflict usersmay be placed in the same host when changing the ACIR Tosolve this problem we use VMs migration to guarantee theisolation between conflict users

The detailed processes for this algorithm are shown inAlgorithm 2

In this algorithm we first look for the host where theVMs owned by conflict users reside Then we calculatethe minimum number of VMs which should be migratedto remove the conflict Finally we obtain the candidatedestination hosts for the migrated VMs

In this algorithm h[i] records the identity of users whoseVMs locate in host hi where u refers to the user identitycoVMs[] records the users whose VMs are colocated with


user u and acirU[] records the ACIR of u confVM[] refersto the union of coVMs[] and acirU[] which is calculated bysameElem() nU is an integer which refers to the number ofVMs of u located in hi nConf is a structure which records nUfor each user in confVM[] and the user identity The abovetwo variables can be obtained by num()

6 Experiments

Theoverall evaluation of SVMS comprised of (1) experimentsto evaluate the feasibility of ACIR set calculation and (2)

experiments to evaluate the performance of SVMS with theindex of isolation degree and resource utilization

61 Feasibility of ACIR Calculation In this experiment wemainly focus on evaluating the feasibility of calculating ACIRfor different usersExperimental Data Preparation In the simulated experimentwe set one day as a placement cycle which was divided into8 time domains with the same time span 80 users weresimulated and they were divided into 8 groups (groupi i =1sim8) Each group consisted of 10 users

The normal distribution 119883 sim 119873(120583 120590) was used to simu-late the VMs traces for different users where the cumulativeprobability in the range of [119909 minus 05 119909 + 05] was used asthe probability that VMs were active in time domain tdiBy converting the normal distribution to standard normaldistribution119884 = (119883minus120583)120590 we could calculate the probabilityas (4) Consider

119901 (td119894) = Φ[

td119894+ 05 minus 120583

120590] minus Φ[

td119894minus 05 minus 120583

120590] (4)

To obtain the probabilities two key parameters shouldbe set which were the expectation 120583 and standard deviation120590 For the users in groupi we set the expectation as tdiThe standard deviation was simulated randomly generatedfrom a specific range [120590min 120590max] Using 120590max we could statethat the probability for each group was similar with eachother Using 120590min we could state that the probability for thespecific groupwas close to 1 and the probabilities for the othergroups were close to 0 According to the 3120590 principle 3120590accounted for about 9973 So when 3120590-(minus3120590) equaled to 1we could insure that about 9973 of the total VMs wouldbe active in one time domain In this case 120590 equaled to 013According to the theoretical calculation we could observethat when assigning 3 to 120590max the probability for each timedomain was the most similar Therefore in the experimentwe randomly generated 120590 in the range [013 3] In Figure 2we demonstrated some significant results when 120583 wasequal to 5

We used the random integer to describe the total numberof VMs (120578i) owned by user ui where the range is [1 50] Sothe number of active VMs owned by ui in time domain tdjwas lfloor120578

119894lowast 119901(td

119895)rfloor

Finally we could simulate the VMs traces for the users inone placement cycle And the ACIR set for each user could becalculated In the experiment we repeated the process for 100times In the repeated processes the expectation of users was

00

02

04

06

08

10

12

1 2 3 4 5 6 7 8

Prob

abili

ty

Time domain

120583 = 5 120590 = 013

120583 = 5 120590 = 3

Figure 2 The cumulative probabilities for different time domains

constant while the standard deviation and total number ofVMs owned by users were randomly generated for each time

To quantify the aggressive conflict relations betweenusers we defined the average conflict times

Definition 3 Average Conflict Times (act) If user uk (uk isin

groupi) was aggressive conflict with ckj users in groupj thenaverage conflict times between groupi and groupj (actij) aredefined as (5) Consider

act119894119895=

1

119898sum119906119896isingroup119894

119888119896119895 (5)

Since the user is not aggressive conflictedwith himself soif i = jm = |groupi|minus1 if i = jm = |groupi|

Finally the experimental results for average conflict timeswere shown in Figure 3

Taking group1as an example from Figure 3 we could

easily observe that the act11 was about 60 act12 was about 50act13was about 25 and act

1x (x gt 3) was 0 For other groupswe could observe the similar experimental results where thevalue of actij decreased with the increase of distance betweengroupi and groupj In other words the regular in conflicttimes was consistent with the behavior of users (VMs traces)

Brief Summary In the experiment based on normal distri-bution we generated the simulated VMs traces Consideringthe diversity of usersrsquo behavior we divided the users intodifferent groups The users in the same group had the sameexpectation while the standard deviation was randomlygenerated According to the experimental results we coulddraw the following conclusions (1) the more the similaritybetween VMs traces for different users the larger the conflictprobability between the users would be and (2) accordingto the VMs traces we could obtain the ACIR set for userseffectively by using the conflict analysis approach

62 Evaluating the Isolation and Resource UtilizationThrough the theoretical proof we could know that ourproposed isolation rules met both simple-security propertyand lowast-security property In this section we aimed to evaluate


1 2 3 4 5 6 7 8

12

34

56

78

0

20

40

60

80

100

User group

User group

Aver

age c

onfli

ct ti

mes

Figure 3 The average conflict times between different user groups

the possibility for the VMs owned by different users to belocated in the same host

In the experiments we used the index of isolation degreeand resource utilization rate to evaluate the performance ofSVMS compared with the existing resource-awareness VMplacement schemes (RVMPS) A variety of RVMPS specific todifferent scenarios were proposed (see eg [18ndash22]) In ourexperiments we considered that the basic idea for RVMPSwas to use the fewest resources to meet the VMs needs ofusers

Definition 4 Coresidency Times (ct) If there are c hostsin which the VMs owned by ui and uj reside then thecoresidency times between ui and uj are c where i = j whichis denoted as ctij = c

Definition 5 Isolation Degree (120580) For any user ui and uj i =

j if uj isin ACIR(ui) and ctij = c then the isolation degree forthe system is defined as (6)

120580 =1

1 + 05 lowast sum119894ct119894119895

(6)

According to Definition 5 if VMs owned by conflictusers were not placed in the same host which meant thatsum ct119894119895

= 0 then the isolation degree was 1 In this case theefficacy of isolation was optimal On the contrary a largervalue of ct for conflict users referred to a smaller value of 120580which meant that the isolation of the placement solution wasinefficient

Definition 6 Resource Utilization Rate (rur) The maximumnumber of VMs which simultaneously run in host hk wasak and the real number of VMs run in this host was bkthen the resource utilization rate for this host was bkak Forthe system the resource utilization rate was defined as (7)Consider

rur =sum119896119887119896

sum119896119886119896

(7)

In this section we used the same approach to generatethe VMs requests for different users where the number ofrequested VMs for user ui in time domain 119905119889j was rij =lfloor119901(td119895) lowast 120578119894rfloor And we considered the case of one placement

cycle and the case of multiplacement cycles

621 The Case of One Placement Cycle In the case of oneplacement cycle the VMs traces would not be recounted SoACIR for users would not change In this case we consideredtwo scenarios including (1)no newuser joined in and (2) onenew user joined in to evaluate the performance of SVMS andthe impact of new user Using the repeated tests we obtainedthe isolation degree and resource utilization rate(1) The Scenario of No New Users Joined In In the scenarioof no new users joined in using the above approaches togenerate the test data we compared SVMS with RVMPS theexperimental results are shown in Figures 4 and 5

In Figure 4 we demonstrated the experimental results ofisolation degree in the scenario of no new users joined inThe black vertical on the left side referred to the coordinatesfor the ldquoSVMSrdquo curve And the red vertical on the right sidereferred to the coordinates for the ldquoRVMPSrdquo curve From thisfigure we could easily observe that the isolation degree waskept as 1 in the repeated 10 tests which meant that SVMScould guarantee that VMs owned by conflict users would notbe placed to the same host However the isolation degree ofRVMPS was very small which was about 0002 to 0004 inthe repeated tests The small value of isolation degree meantthat coresidency times for conflict users were about 500 to1000 Generally coresidency times for conflict users wererelated with the number of VMs owned by the conflict usersand scheduling order of users Due to the limited space wewill not investigate these factors here Overall in the sameexperimental settings comparedwith SVMS andRVMPS wecould conclude that the VMs owned by conflict users wouldbe placed to the same host with high probability when theconflict relations were not considered which could introducethe vulnerability of side channel attacks

In Figure 5 we demonstrated the resource utilization ratefor SVMS and RVMPS From this figure we could observethat rur was all close to 100 by using RVMPS which meantthat all the hosts could run at full load While by usingSVMS rur was less than the resource utilization rate ofRVMPS which was about 92 to 96 The experimentalresults indicated that SVMS made a trade-off between theisolation and resource utilization In other words by usingSVMS we guaranteed the isolation between conflict users byusing more physical resources(2) The Scenario of NewUser Joined In In this experiment weconsidered new users joined in and evaluated the impact ofnew users Implicitly we considered only one new user sincethe placement behavior of new users was determined by theirAIAR sets and had nothing to do with ACIR sets of otherusers In this scenario for the new user we did not need togenerate his VMs traces and we used 119903

119899119895= lfloor119901(td

119895) lowast 120578119894rfloor to

refer to the number of requested VMs in time domain 119905119889j


0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS

Figure 4 Isolation degrees when no new users joined in

080

084

088

092

096

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

rate

Experiment numbers

SVMSRVMPS

Figure 5 Resource utilizations when no new users joined in

For other users we used the same approach to generate thetest data

Using the same experimental steps we could obtainthe experimental results for isolation degree and resourceutilization rate as shown in Figures 6 and 7

In Figure 6 the black vertical on the left side referred tothe coordinates for the ldquoSVMSrdquo curve And the red verticalon the right side referred to the coordinates for the ldquoRVMPSrdquocurve As shown in Figure 6 the experimental results forisolation degree were similar with the experimental resultsshown in Figure 4 regardless of SVMS or RVMPS whereid for SVMS was 1 and id for RVMPS was about 0002 to0004 Although only one new user was considered we couldconclude that new users had no impact on the isolationbetween the conflict users

In Figure 7 we demonstrated the results of resourceutilization rate when a new user joined in Comparing theresults shown in Figures 7 and 5 we could observe that thenew user had no impact on rur when using RVMPS to getthe placement solutions for the rur was close to 1 with thesetwo schemes However using SVMSmade a difference on rurfrom using RVMPS First the value of rur was smaller Byusing SVMS the smallest rur was about 83 and the averagerur was about 90 Second the variance of rur was larger

0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS

Figure 6 Isolation degrees when one new user joined in

080

084

088

092

096

100

Reso

urce

util

izat

ion

Experiment numbers

SVMSRVMPS

1 2 3 4 5 6 7 8 9 10


The difference between the largest rur and smallest rur wasabout 12Thereweremainly two reasons First in SVMSweused the AIAR to restrain the target location of VMs ownedby new users which would reduce the range of availablecandidate hostsThenwe startedmore new hosts resulting inmore resource wastes Second the AIAR set was initialed anddynamically updated according to the first fit host while thefirst fit host was chosen randomly and the VMs requests ofnew users were also generated randomly As a result the valueof rur in repeated tests would fluctuate with the deploymentsituation of the first fit host and the VMs requests

622 The Case of Multiplacement Cycles To investigate theperformance of SVMS in isolation and resource utiliza-tion we only considered one placement cycle previouslyAs analyzed above in this case AIAR of users did notchange However the cloud is dynamic VMs traces wouldchange at any time which brought about the change to theACIR sets When ACIR of users changed in SVMS weused the VMs migration to guarantee the isolation betweenconflict users In this section we mainly investigated theimpact of VMs migration on system performance And theindexes of migration ratio and resource utilization wereused


In this experiment we used the same approaches togenerate the test data for the users who had VMs traces Forthe new users we defined a random function ranControl()rarr0 1 ranControl randomly returned ldquo0rdquo and ldquo1rdquo If ldquo0rdquo wasreturned no new users joined in during the tests And if ldquo1rdquowas returned one new user joined in And we used the sameapproaches in Section 621 to generate the test data for thenew user

Definition 7 Migration Ratio (mr) In the cloud mr wasdefined as the proportion of migrated VMs in all the VMswhich is denoted as (8) Consider

mr =120578119898

120578alllowast 100 (8)

where 120578m referred to the number of migrated VMs and 120578allreferred to the number of all VMs in the cloud

In this experiment we designed the following steps(1) Generating the VMs traces and calculating the ACIRsets (2) Generating the VMs requests and using SVMS andRVMPS to obtain the placement solutions (3) Recountingthe VMs traces after the VMs placement and recalculatingthe ACIR sets for all the users (4) Using the VMs migrationsolution calculated algorithm to get the migration solutionsto guarantee the isolation between conflict users

Finally we could obtain the experimental results as shownin Figures 8 and 9

In Figure 8 we demonstrated the results of migrationratios As shown in this figure the migration ratios wereabout 13 in the repeated tests which meant that we shouldmigrate about 13 VMs to guarantee the isolation In ouropinion themigration ratios were a bit largeWe believed thiswas mainly because the requested VMs were independent onthe history VMs traces Then the update VMs traces wouldbe very different from the history VMs traces which resultedin the big difference in the ACIR of users

We compared the resource utilization rate before andafter the VMs migration by using SVMS in Figure 9 Asshown in this figure the resource utilization rate fluctuatedaround 90 before the migrationWhile after migration rurfluctuated around 86 which decreased a bit compared withthe results before migration Through this experiment wecould draw the conclusion that to adapt the changed ACIRmore physical resources were needed

Brief Summary In this section we mainly focused onevaluating SVMS First we considered the isolation andresource utilizations in the case of one placement cyclewhere the ACIR sets did not change Then we consideredthe case of multiplacement cycles where the ACIR setschanged By analyzing the experimental results we coulddraw the following conclusions (1) SVMS could guaranteethe isolation between the conflict users effectively In ourrepeated tests the probability of VMs owned by conflict usersbeing located in the same host was 0 (2) The joining in ofthe new user had no impact on the isolation However theresource utilization rate would decrease (3) To guarantee

000

010

020

030

040

1 2 3 4 5 6 7 8 9 10

Mig

ratio

n ra

tio

Experiment numbers

Migration ratio

Figure 8 Migration ratios

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

Experiment numbers

Rur before migrationRur after migration

Figure 9 Resource utilization rate

the isolation after the change of ACIR we should migrate aportion of VMs and start more hosts

7 Conclusions

We proposed a security VMs management scheme (SVMS)for eliminating the SCA in the cloud The major insights arethat the sophisticated decision making system and specificmonitoring systems are not required In SVMS we only needthe agent system to collect the VMs traces for analyzingthe constraint relations and we can insure that the VMsowned by conflict users are placed to the different hostsWe should notice that SVMS makes a trade-off betweenthe security and resource utilization rates which means thatSVMS needs more resources compared with other resource-awareness placement schemes

The work in this paper is very preliminary but demon-strates that it is feasible to reduce the vulnerability by VMsplacement and migration And we believe that there are stillsome limitations and challenges that remain to be solvedFirst in the current solution we consider that the usersshould be isolated from each other according to their VMstraces which is too strict for eliminating the SCA in someways So more efficient approaches for conflict analysis areneeded even though we believe that SVMS has a flexible


frameworkwhich can adapt to different approaches for calcu-lating the conflict relations of users Second according to theexperimental results the cost of VMs migration is large Soit is necessary to design a more efficient migration approachWe believe the VCG mechanism in game theory would be agood tool for solving this problem Third we would like toexamine the trade-offs between security (isolation) resourceutilization rate and performance degradation Thereforewe can propose the security solutions which can meet theindividual needs of usersThe issues mentioned above are leftas future works

Appendix

TheoremA1 The isolation rules meet the lowast-security propertyuser u can assess host h then no host ℎ1015840 which is accessed by uis aggressive conflict with h

Proof We use the method of proof by contradiction For anytwo different users uj and uk satisfy the condition that uk isin

ACIR(uj) and 119886(119894 119895) = 1 and 119877(119894 119896) is grantedIn this scenario 119886(119894 119896)may be assigned to ldquo0rdquo or ldquo1rdquo

(1) If 119886(119894 119896) = 0 according to Rule 2 when 119877(119894 119896) isgranted we can obtain that 119886(119894 119896) = 1 and 119886(119894 119895) =minus1 which means that 119877(119894 119895) will be rejected Theconclusion contradicts the condition


Combining the two cases we can conclude that if u isgranted to access ℎ1015840 which is aggressive conflict with h then ucannot access hThe conclusion contradicts the condition Sothe condition does not hold So our proposed isolation rulesmeet lowast-security property

Corollary A2 The isolation rules meet the simple-securityproperty

Proof According to the definition of lowast-security property ifthe rules meet lowast-security property they should meet simple-security property

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This work was supported in part by NSFC under Grant61172090 National Science and Technology Major Projectunder Grant 2012ZX03002001 PhD Programs Founda-tion of Ministry of Education of China under Grant20120201110013 and Scientific and Technological Project inShaanxi Province under Grant 2012K06-30

References

[1] N Sonehara I Echizen and SWohlgemuth ldquoIsolation in cloudcomputing and privacy-enhancing technologies suitability ofprivacy-enhancing technologies for separating data usage inbusiness processesrdquo Business and Information Systems Engineer-ing vol 3 no 3 pp 155ndash162 2011

[2] P C Kocher ldquoTiming attacks on implementations of Diffie-Hellman RSA DSS and other systemsrdquo in Advances in Cryp-tology (CRYPTO rsquo96) vol 1109 of Lecture Notes in ComputerScience pp 104ndash113 1996

[3] S K Gorantla S Kadloor N Kiyavash T P Coleman I SMoskowitz andM H Kang ldquoCharacterizing the efficacy of thenrl network pump in mitigating covert timing channelsrdquo IEEETransactions on Information Forensics and Security vol 7 no 1pp 64ndash75 2012

[4] T Ristenpart E Tromer H Shacham and S Savage ldquoHey youget off ofmy cloud exploring information leakage in third-partycompute cloudsrdquo in Proceedings of the 16th ACM Conference onComputer and Communications Security (CCS rsquo09) pp 199ndash212Chicago Ill USA November 2009

[5] Y Q Zhang A Juels A Oprea andM K Reiter ldquoHomeAloneco-residency detection in the cloud via side-channel analysisrdquoin Proceedings of the IEEE Symposium on Security and Privacy(SP rsquo11) pp 313ndash328 Berkeley Calif USA May 2011

[6] K Okamura and Y Oyama ldquoLoad-based covert channelsbetween Xen virtual machinesrdquo in Proceedings of the 25thAnnual ACM Symposium on Applied Computing (SAC rsquo10) pp173ndash180 Sierre Switzerland March 2010

[7] Y J Xu M Bailey F Jahanian K Joshi M Hiltunen and RSchlichting ldquoAn exploration of L2 cache covert channels in vir-tualized environmentsrdquo in Proceedings of the ACM Conferenceon Computer and Communications Security pp 29ndash39 ChicagoIll USA October 2011

[8] S Yu X L Gui J C Lin J F Wang and X J Zhang ldquoDetectingVMsCo-residency in the cloud using cache-based side channelattacksrdquo Electronics and Electrical Engineering vol 19 no 5 pp73ndash78 2013

[9] Z Ling J Z Luo Y Zhang M Yang X W Fu and W Yu ldquoAnovel network delay based side-channel attack modeling anddefenserdquo in Proceedings of the IEEE International Conference onComputer Communications (IEEE INFOCOM rsquo12) pp 2390ndash2398 Orlando Fla USA 2012

[10] Y L Zhang M Li K Bai M Yu and W Y Zang ldquoIncen-tive compatible moving target defense against VM-colocationsattacks in cloudsrdquo in IFIP Advances in Information and Commu-nication Technology pp 388ndash399 Heraklion Greece 2012

[11] R Sailer T Jaeger E Valdez et al ldquoBuilding a MAC-basedsecurity architecture for the Xen open-source hypervisorrdquo inProceedings of the 21st Annual Computer Security ApplicationsConference (ACSAC rsquo05) pp 276ndash285 Tucson Ariz USADecember 2005

[12] J M McCune T Jaeger S Berger R Caceres and R SailerldquoShamon a system for distributedmandatory access controlrdquo inProceedings of the 22nd Annual Computer Security ApplicationsConference (ACSAC rsquo06) pp 23ndash32 Miami Beach Fla USADecember 2006

[13] T Jaeger R Sailer and Y Sreenivasan ldquoManaging the riskof covert information flows in virtual machine systemsrdquo inProceedings of the 12th ACM Symposium on Access ControlModels and Technologies (SACMAT rsquo07) pp 81ndash90 SophiaAntipolis France June 2007


[14] G Cheng H Jin D Zou A K Ohoussou and F ZhaoldquoA prioritized chinese wall model for managing the covertinformation flows in virtual machine systemsrdquo in Proceedingsof the 9th International Conference for YoungComputer Scientists(ICYCS rsquo08) pp 1481ndash1487 Zhangjiajie China November 2008

[15] H Raj R Nathuji A Singh and P England ldquoResource man-agement for isolation enhanced cloud servicesrdquo in Proceedingsof the ACM Computer and Communications Security (CCS rsquo09)pp 77ndash84 Chicago Ill USA November 2009

[16] K Yasusi S Kei and N Akihiro ldquoNetwork-resource isolationfor virtualization nodesrdquo IEICE Transactions on Communica-tions vol 96 no 1 pp 20ndash30 2013

[17] X Jin H Chen X Wang et al ldquoA simple cache partitioningapproach in a virtualized environmentrdquo in Proceedings of theIEEE International Symposium on Parallel and DistributedProcessing with Applications (ISPA rsquo09) pp 519ndash524 PiscatawayNJ USA August 2009

[18] B Speitkamp and M Bichler ldquoA mathematical programmingapproach for server consolidation problems in virtualized datacentersrdquo IEEE Transactions on Services Computing vol 3 no 4pp 266ndash278 2010

[19] M Wang X Meng and L Zhang ldquoConsolidating virtualmachines with dynamic bandwidth demand in data centersrdquoin Proceedings of the 30th IEEE International Conference onComputer Communications (IEEE INFOCOM rsquo11) pp 2861ndash2865 Shanghai China April 2011

[20] G KimH Park J Yu andW Lee ldquoVirtualmachines placementfor network isolation in cloudsrdquo in Proceedings of the ACMResearch in Applied Computation Symposium pp 243ndash248 SanAntonio Tex USA 2012

[21] D Breitgand and A Epstein ldquoImproving consolidation ofvirtual machines with risk-aware bandwidth oversubscriptionin compute cloudsrdquo in Proceedings of the IEEE InternationalConference on Computer Communications (IEEE INFOCOMrsquo12) Orlando Fla USA 2012

[22] W W Fang X M Liang S X Li L Chiaraviglio and NX Xiong ldquoVMPlanner optimizing virtual machine placementand traffic flow routing to reduce network power costs in clouddata centersrdquo Computer Networks vol 57 no 1 pp 179ndash1962013

[23] S Yu X L Gui F Tian P Yang and J Q Zhao ldquoA security-awareness virtual machine placement scheme in the cloudrdquo inProceedings of the 15th IEEE International Conference on HighPerformance Computing and Communications pp 1078ndash1083Zhangjiajie China 2013

[24] L M Vaquero L Rodero-Merino and D Moran ldquoLocking thesky a survey on IaaS cloud securityrdquo Computing vol 91 no 1pp 93ndash118 2011

[25] YQ Zhang A JuelsM K Reiter andT Ristenpart ldquoCross-VMside channels and their use to extract private keysrdquo in Proceed-ings of the ACM Conference on Computer and CommunicationsSecurity pp 305ndash316 Raleigh NC USA 2012

[26] D F C Brewer and M J Nash ldquoThe Chinese wall securitypolicyrdquo in IEEE Symposium on Security and Privacy pp 206ndash214 Oakland Calif USA 1989

[27] T-H Tsai Y-C Chen H-C Huang P-M Huang and K-S Chou ldquoA practical Chinese wall security model in cloudcomputingrdquo in Proceedings of the 13th Asia-Pacific NetworkOperations and Management Symposium Managing CloudsSmart Networks and Services (APNOMS rsquo11) pp 1ndash4 TaipeiTaiwan September 2011

[28] D Q Zou L Shi and H Jin ldquoDVM-MAC a mandatory accesscontrol system in distributed virtual computing environmentrdquoin Proceedings of the 15th International Conference on Paralleland Distributed Systems (ICPADS rsquo09) pp 556ndash563 ShenzhenChina December 2009

[29] Z Pawlak ldquoSome remarks on conflict analysisrdquo EuropeanJournal of Operational Research vol 166 no 3 pp 649ndash6542005

[30] T Y Lin ldquoChinese wall security policymdashan aggressive modelrdquoin Proceedings of the 5th Annual Computer Security Applicationpp 282ndash289 Tucson Ariz USA December 1989

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Distributed Sensor Networks


Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014


ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014


Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications


Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia


Biomedical Imaging


ArtificialNeural Systems

Advances in


RoboticsJournal of



Computational Intelligence and Neuroscience

Industrial EngineeringJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in



resources These approaches do represent major progresswhile to the best of our knowledge they are still limited inseveral aspects

(i) By using the first type of approach the schedule oflegitimate VMs may be affected which may lead toVMs running failure For example oil-A and oil-B are two coresident VMs and they are in conflictwith each other So in the system with such accesscontrolmechanism before the shutdown of oil-A oil-B cannot be granted to start up If the oil-A is long-time running oil-B cannot be scheduled in a longtime

(ii) When using the second type of approach the moni-toring system and mediation mechanism are neededwhich should probe all resource requests made byeachVM andmake decisions onwhether to authorizethe requests quickly [12] So the software systemis very sophisticated For example in a SELinuxstrict policy there are about 30 000 policy statementsOn the other hand a prohibitively large number ofoperating system hooks (in the order of hundreds)are needed which makes the MAC policies for thesesystems depend on details of the particular systemand the enforcement across a distributed systemdifficult

In this paper we investigate the isolation issue from theperspective of VMs management including VMs placementand VMs migration The security-awareness VMs manage-ment scheme (SVMS) based on Chinese wall policy is pro-posed Compared with existing isolation enhancing schemesthe main contributions of this work are listed as follows

(i) We calculate the aggressive conflict of interest relation(ACIR) for the users according to the VMs traces Onthe other hand by introducing the aggressive in allywith relation (AIAR) we can restrain the placementbehavior for the new users who do not have VMstraces

(ii) Based on the Chinese wall policy we put forward theisolation rules In these rules we define whether toauthorize the request of placing VMs to host Andwe prove that these rules meet the simple-securityproperty and lowast-security property

(iii) According to the isolation rules we design theVMs placement and migration solution calculationalgorithm which places and migrates the VMs tothe proper hosts to guarantee the isolation betweenconflict users

(iv) We conduct a series of simulated experiments toevaluate the efficacy of SVMS In the experimentswe use the normal distribution to simulate the usersrsquobehavior including theVMs traces andVMs requestsand introduce the index of isolation degree andresource utilization rate

The remainder of this paper is organized as followsSection 2 reviews the related work Section 3 demonstrates

the brief introduction to SCA in the cloud and Chinese wallsecurity In Section 4 we present the overview design ofSVMS The implementation details of SVMS are presentedin Section 5 In Section 6 we illustrate our experimentsand analyze the experimental results Section 7 provides theconclusions

2 Related Work

21 Studies on Enhancing Isolation Studies on enhancingisolation in the virtualized computing environment can becategorized into two types the access control approaches andthe resource isolation approaches

Access Control Approaches Sailer et al [11] presented thesHype hypervisor security architecture which enforced isola-tion at the granularity of a virtual machineMcCune et al [12]introduced a Shamon approach for MAC enforcement acrossdistributed systems that completeMAC referencemonitoringfrom two software layers Jaeger et al [13] evaluated theability of four policy models to express risk flow policiesand examined how such policies would be enforced in VMsystems to assess the possible risk of information leakagedue to a combination of overt channels and covert channelsCheng et al [14] proposed the prioritized Chinese wall modelto reduce the risk of covert flows in VM system and enforcedthe policy in sHypeXen system The above works focus onprohibiting the simultaneous running of conflict VMs byspecific access control policies

Resource Isolation Approaches Raj et al [15] proposed tworesource management approaches to provide security iso-lation in the shared cloud infrastructure which are cachehierarchy aware core assignment and page coloring basedcache partitioning Yasusi et al [16] proposed two methodsto achieve resource isolation among virtual networks whichwas per-slice shaping and per-link policing Jin et al [17]proposed a cache partitioningmechanism in the cloud whichconfined the L2 cache usage of each VM running on thesame host by modifying the page allocation algorithm in theVMM The above works focus on prohibiting the sharing ofshared resource to provide strong isolation in the virtualizedcomputing environment

22 Studies on VM Placement Speitkamp and Bichler [18]presented decision models to optimally allocate sourceservers to physical target servers and a heuristic to addresslarge-scale server consolidation projects Wang et al [19]formulated the VM consolidation into a stochastic binpacking program and proposed an online packing algorithmKim et al [20] placed virtual machines with matching algo-rithm into servers based on measured traffic distribution ofVMs which could reduce oversubscription and increase linkutilization Breitgand and Epstein [21] improved the perfor-mance of work in [19] which abstracted oversubscriptionfactors as overflow probability Fang et al [22] presentedan approach named VMPlanner to optimize both virtualmachine placement and traffic flow routing so as to turn off


Server cluster

Accessing matrix

Host

VM VM

VMM



ACIR (with traces)

AIAR (no traces)

VMs running traces

Isolation rules


Users interface

Requirements


Agent

Users

Host

Host

Host

Host

Host



















4 Design of SVMS











119906119895

td119896

120590119897





119894 119906119895 td119896 120590119897 the strength


strength119894=

120590119897

120590 (IT)


119894lowast

120590 (IT)120590 (119906119895)

(1)





119895= td119896| 119906119895rarr td119896


119894119895refers


119904119894119895=

0 119894 = 119895 or 10038161003816100381610038161003816T119895

10038161003816100381610038161003816= 0

10038161003816100381610038161003816T119894cap T119895

1003816100381610038161003816100381610038161003816100381610038161003816T119895

10038161003816100381610038161003816

otherwise(2)


119895







119886119894119895=


(3)







































6 Experiments





119901 (td119894) = Φ[

td119894+ 05 minus 120583

120590] minus Φ[


120590] (4)



119894lowast 119901(td

119895)rfloor


00

02

04

06

08

10

12

1 2 3 4 5 6 7 8

Prob

abili

ty

Time domain

120583 = 5 120590 = 013

120583 = 5 120590 = 3






act119894119895=

1

119898sum119906119896isingroup119894

119888119896119895 (5)









1 2 3 4 5 6 7 8

12

34

56

78

0

20

40

60

80

100

User group

User group

Aver

age c

onfli

ct ti

mes







120580 =1

1 + 05 lowast sum119894ct119894119895

(6)




rur =sum119896119887119896

sum119896119886119896

(7)






119899119895= lfloor119901(td

119895) lowast 120578119894rfloor to



0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

rate

Experiment numbers

SVMSRVMPS






0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

Reso

urce

util

izat

ion

Experiment numbers

SVMSRVMPS

1 2 3 4 5 6 7 8 9 10







mr =120578119898

120578alllowast 100 (8)







000

010

020

030

040

1 2 3 4 5 6 7 8 9 10

Mig

ratio

n ra

tio

Experiment numbers

Migration ratio


040

060

080

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

Experiment numbers




7 Conclusions





Appendix











Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




Server cluster

Accessing matrix

Host

VM VM

VMM



ACIR (with traces)

AIAR (no traces)

VMs running traces

Isolation rules


Users interface

Requirements


Agent

Users

Host

Host

Host

Host

Host



















4 Design of SVMS











119906119895

td119896

120590119897





119894 119906119895 td119896 120590119897 the strength


strength119894=

120590119897

120590 (IT)


119894lowast

120590 (IT)120590 (119906119895)

(1)





119895= td119896| 119906119895rarr td119896


119894119895refers


119904119894119895=

0 119894 = 119895 or 10038161003816100381610038161003816T119895

10038161003816100381610038161003816= 0

10038161003816100381610038161003816T119894cap T119895

1003816100381610038161003816100381610038161003816100381610038161003816T119895

10038161003816100381610038161003816

otherwise(2)


119895







119886119894119895=


(3)







































6 Experiments





119901 (td119894) = Φ[

td119894+ 05 minus 120583

120590] minus Φ[


120590] (4)



119894lowast 119901(td

119895)rfloor


00

02

04

06

08

10

12

1 2 3 4 5 6 7 8

Prob

abili

ty

Time domain

120583 = 5 120590 = 013

120583 = 5 120590 = 3






act119894119895=

1

119898sum119906119896isingroup119894

119888119896119895 (5)









1 2 3 4 5 6 7 8

12

34

56

78

0

20

40

60

80

100

User group

User group

Aver

age c

onfli

ct ti

mes







120580 =1

1 + 05 lowast sum119894ct119894119895

(6)




rur =sum119896119887119896

sum119896119886119896

(7)






119899119895= lfloor119901(td

119895) lowast 120578119894rfloor to



0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

rate

Experiment numbers

SVMSRVMPS






0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

Reso

urce

util

izat

ion

Experiment numbers

SVMSRVMPS

1 2 3 4 5 6 7 8 9 10







mr =120578119898

120578alllowast 100 (8)







000

010

020

030

040

1 2 3 4 5 6 7 8 9 10

Mig

ratio

n ra

tio

Experiment numbers

Migration ratio


040

060

080

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

Experiment numbers




7 Conclusions





Appendix











Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in






4 Design of SVMS











119906119895

td119896

120590119897





119894 119906119895 td119896 120590119897 the strength


strength119894=

120590119897

120590 (IT)


119894lowast

120590 (IT)120590 (119906119895)

(1)





119895= td119896| 119906119895rarr td119896


119894119895refers


119904119894119895=

0 119894 = 119895 or 10038161003816100381610038161003816T119895

10038161003816100381610038161003816= 0

10038161003816100381610038161003816T119894cap T119895

1003816100381610038161003816100381610038161003816100381610038161003816T119895

10038161003816100381610038161003816

otherwise(2)


119895







119886119894119895=


(3)







































6 Experiments





119901 (td119894) = Φ[

td119894+ 05 minus 120583

120590] minus Φ[


120590] (4)



119894lowast 119901(td

119895)rfloor


00

02

04

06

08

10

12

1 2 3 4 5 6 7 8

Prob

abili

ty

Time domain

120583 = 5 120590 = 013

120583 = 5 120590 = 3






act119894119895=

1

119898sum119906119896isingroup119894

119888119896119895 (5)









1 2 3 4 5 6 7 8

12

34

56

78

0

20

40

60

80

100

User group

User group

Aver

age c

onfli

ct ti

mes







120580 =1

1 + 05 lowast sum119894ct119894119895

(6)




rur =sum119896119887119896

sum119896119886119896

(7)






119899119895= lfloor119901(td

119895) lowast 120578119894rfloor to



0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

rate

Experiment numbers

SVMSRVMPS






0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

Reso

urce

util

izat

ion

Experiment numbers

SVMSRVMPS

1 2 3 4 5 6 7 8 9 10







mr =120578119898

120578alllowast 100 (8)







000

010

020

030

040

1 2 3 4 5 6 7 8 9 10

Mig

ratio

n ra

tio

Experiment numbers

Migration ratio


040

060

080

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

Experiment numbers




7 Conclusions





Appendix











Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in







119886119894119895=


(3)







































6 Experiments





119901 (td119894) = Φ[

td119894+ 05 minus 120583

120590] minus Φ[


120590] (4)



119894lowast 119901(td

119895)rfloor


00

02

04

06

08

10

12

1 2 3 4 5 6 7 8

Prob

abili

ty

Time domain

120583 = 5 120590 = 013

120583 = 5 120590 = 3






act119894119895=

1

119898sum119906119896isingroup119894

119888119896119895 (5)









1 2 3 4 5 6 7 8

12

34

56

78

0

20

40

60

80

100

User group

User group

Aver

age c

onfli

ct ti

mes







120580 =1

1 + 05 lowast sum119894ct119894119895

(6)




rur =sum119896119887119896

sum119896119886119896

(7)






119899119895= lfloor119901(td

119895) lowast 120578119894rfloor to



0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

rate

Experiment numbers

SVMSRVMPS






0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

Reso

urce

util

izat

ion

Experiment numbers

SVMSRVMPS

1 2 3 4 5 6 7 8 9 10







mr =120578119898

120578alllowast 100 (8)







000

010

020

030

040

1 2 3 4 5 6 7 8 9 10

Mig

ratio

n ra

tio

Experiment numbers

Migration ratio


040

060

080

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

Experiment numbers




7 Conclusions





Appendix











Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in



















6 Experiments





119901 (td119894) = Φ[

td119894+ 05 minus 120583

120590] minus Φ[


120590] (4)



119894lowast 119901(td

119895)rfloor


00

02

04

06

08

10

12

1 2 3 4 5 6 7 8

Prob

abili

ty

Time domain

120583 = 5 120590 = 013

120583 = 5 120590 = 3






act119894119895=

1

119898sum119906119896isingroup119894

119888119896119895 (5)









1 2 3 4 5 6 7 8

12

34

56

78

0

20

40

60

80

100

User group

User group

Aver

age c

onfli

ct ti

mes







120580 =1

1 + 05 lowast sum119894ct119894119895

(6)




rur =sum119896119887119896

sum119896119886119896

(7)






119899119895= lfloor119901(td

119895) lowast 120578119894rfloor to



0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

rate

Experiment numbers

SVMSRVMPS






0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

Reso

urce

util

izat

ion

Experiment numbers

SVMSRVMPS

1 2 3 4 5 6 7 8 9 10







mr =120578119898

120578alllowast 100 (8)







000

010

020

030

040

1 2 3 4 5 6 7 8 9 10

Mig

ratio

n ra

tio

Experiment numbers

Migration ratio


040

060

080

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

Experiment numbers




7 Conclusions





Appendix











Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




1 2 3 4 5 6 7 8

12

34

56

78

0

20

40

60

80

100

User group

User group

Aver

age c

onfli

ct ti

mes







120580 =1

1 + 05 lowast sum119894ct119894119895

(6)




rur =sum119896119887119896

sum119896119886119896

(7)






119899119895= lfloor119901(td

119895) lowast 120578119894rfloor to



0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

rate

Experiment numbers

SVMSRVMPS






0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

Reso

urce

util

izat

ion

Experiment numbers

SVMSRVMPS

1 2 3 4 5 6 7 8 9 10







mr =120578119898

120578alllowast 100 (8)







000

010

020

030

040

1 2 3 4 5 6 7 8 9 10

Mig

ratio

n ra

tio

Experiment numbers

Migration ratio


040

060

080

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

Experiment numbers




7 Conclusions





Appendix











Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

rate

Experiment numbers

SVMSRVMPS






0

0002

0004

0006

0008

001

000

020

040

060

080

100

1 2 3 4 5 6 7 8 9 10

Isol

atio

n de

gree

Experiment numbers

SVMSRVMPS


080

084

088

092

096

100

Reso

urce

util

izat

ion

Experiment numbers

SVMSRVMPS

1 2 3 4 5 6 7 8 9 10







mr =120578119898

120578alllowast 100 (8)







000

010

020

030

040

1 2 3 4 5 6 7 8 9 10

Mig

ratio

n ra

tio

Experiment numbers

Migration ratio


040

060

080

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

Experiment numbers




7 Conclusions





Appendix











Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in






mr =120578119898

120578alllowast 100 (8)







000

010

020

030

040

1 2 3 4 5 6 7 8 9 10

Mig

ratio

n ra

tio

Experiment numbers

Migration ratio


040

060

080

100

1 2 3 4 5 6 7 8 9 10

Reso

urce

util

izat

ion

Experiment numbers




7 Conclusions





Appendix











Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in





Appendix











Acknowledgments


References







































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




























Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in



research article a security-awareness virtual machine...

Documents