1. Introduction
Today, cloud providers employ virtualization techniques that allow physical machines to be shared by multiple virtual machines (VMs) owned by different tenants. While resource sharing improves hardware utilization and service reliability, it may also open the door to side-channel or performance interference attacks by malicious tenants. For example, CPU cache-based attacks have been studied in cloud environments (Thomas, Eran, Hovav & Stefan, 2009; YinQian, Ari, Alina & Michael, 2011; Amittai, Sen, Bryan & Ramakrishna, 2010; Taesoo, Marcus & Gloria, 2012), which might be mitigated to a lesser degree when each core in new multi-core CPUs is used exclusively by a single VM (at the cost of reduced CPU utilization). On the other hand, I/O resources are mostly shared in virtualized environments, and I/O-based performance attacks remain a great threat, especially for data-intensive applications (Jeremy, Ganesh, & Beng-Hong, 2001; Paul et al., 2003; Ron & Howie, 2011). In this paper, we discuss the possibility of such attacks, focusing especially on the effects of disk I/O scheduling in a hypervisor on VM performance interference.
The premise of virtual I/O-based attacks is to deploy malicious VMs that are co-located with target VMs and aim to slow down their performance by over-utilizing the shared I/O resources. Previous work shows the feasibility of co-locating VMs on the same physical machines in a public cloud (Thomas, Eran, Hovav & Stefan, 2009). In this work, we demonstrate that a well-designed measurement framework can help study virtual I/O scheduling, and that such knowledge can potentially be applied to exploit the usage of the underlying I/O resources.
Extracting the I/O scheduling knowledge of the hypervisor is challenging. Generally, hypervisors can be divided into two classes: open-source ones (e.g., Xen) and closed-source ones (e.g., VMware ESX Server). For an open-source hypervisor, the available I/O schedulers are public knowledge, but which one is in use is unknown; thus we focus on classifying its scheduling algorithm. In detail, we use a gray-box analysis based on pattern matching of the generated I/O output to determine the scheduler type. For a closed-source hypervisor, we use a black-box analysis to classify the scheduling algorithm and obtain scheduling properties such as I/O throughput, I/O execution latency, read/write priority, etc.
With knowledge of the I/O scheduling algorithm, a malicious user can intentionally slow down co-located (co-resident) VMs by launching various attack workloads. The main feature of such an I/O performance attack is to deploy representative I/O workloads and manipulate the shared I/O queues to gain an unfair advantage. Note that space and time locality are the two major considerations in I/O schedulers. For example, some scheduling algorithms (e.g., Deadline (“Deadline I/O scheduler”) and CFQ (“Cfq I/O scheduler”)) merge I/O requests that are contiguous in logical block address (LBA) for better space locality, while other algorithms (e.g., AS (Sitaram & Peter, 2001)) use a time window to anticipatorily execute incoming I/O requests that are adjacent in LBA to previous I/O requests. Clearly, once the I/O scheduler is known, a malicious user would be able to carry out more effective attack workloads.