Dynamically provisioning isolation in hierarchical architectures

Author: Falzon, Kevin; Bodden, Eric
Type: Conference Paper
Abstract: Physical isolation provides tenants in a cloud with strong security guarantees, yet dedicating entire machines to tenants would go against cloud computing's tenet of consolidation. A fine-grained isolation model allowing tenants to request fractions of dedicated hardware can provide similar guarantees at a lower cost. In this work, we investigate the dynamic provisioning of isolation at various levels of a system's architecture, primarily at the core, cache, and machine level, as well as their virtualised equivalents. We evaluate recent technological developments, including post-copy VM migration and OS containers, and show how they assist in improving reconfiguration times and utilisation. We incorporate these concepts into a unified framework, dubbed SafeHaven, and apply it to two case studies, showing its efficacy both in a reactive, as well as an anticipatory role. Specifically, we describe its use in detecting and foiling a system-wide covert channel in a matter of seconds, and in implementing a multi-level moving target defence policy.
Conference: Information Security Conference (ISC) <18, 2015, Trondheim>
Reference: Lopez, J.: Information security. 18th international conference, ISC 2015: Trondheim, Norway, September 9-11, 2015; Proceedings. Cham: Springer International Publishing, 2015. (Lecture Notes in Computer Science 9290), pp. 83-101
Identifier: ISBN: 9783319233178 (Print); 9783319233185 (Online)