Assured Cloud Computing Special Seminar: Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration

Winner 2016 NSA Best Scientific Cybersecurity Paper

Soo-Jin Moon, Carnegie Mellon University
February 22, 4:00 p.m., 2405 Siebel Center


Abstract: Recent studies have shown a range of co-residency side channels that can be used to extract private information from cloud clients. Unfortunately, addressing these side channels often requires detailed attack-specific fixes that require significant modifications to hardware, client virtual machines (VMs), or hypervisors. Furthermore, these solutions cannot be generalized to future side channels. Barring extreme solutions such as single tenancy, which sacrifices the multiplexing benefits of cloud computing, such side channels will continue to affect critical services. In this work, we present Nomad, a system that offers vector-agnostic defense against known and future side channels. Nomad envisions a provider-assisted VM migration service, applying the moving target defense philosophy to bound the information leakage due to side channels. In designing Nomad, we make four key contributions: (1) a formal model to capture information leakage via side channels in shared cloud deployments; (2) identifying provider-assisted VM migration as a robust defense for arbitrary side channels; (3) a scalable online VM migration heuristic that can handle large datacenter workloads; and (4) a practical implementation in OpenStack. We show that Nomad is scalable to large cloud deployments, achieves near-optimal information leakage subject to constraints on migration overhead, and imposes minimal performance degradation for typical cloud applications such as web services and Hadoop MapReduce.

Bio: Soo-Jin Moon is a third-year Ph.D. student in Electrical and Computer Engineering at Carnegie Mellon University, where she is part of CyLab and advised by Vyas Sekar. Her research interests are broadly in the space of network and systems security. Her work has been recognized with the NSA Best Scientific Cybersecurity Paper award (2016) and the CSAW Applied Security Research award (2015). Before joining CMU, she received a bachelor’s degree (2014) in Electrical Engineering from the University of Waterloo, Canada.