Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Dynamically provisioning isolation in hierarchical architectures

: Falzon, Kevin; Bodden, Eric


Lopez, J.:
Information security. 18th international conference, ISC 2015 : Trondheim, Norway, September 9-11, 2015; Proceedings
Cham: Springer International Publishing, 2015 (Lecture Notes in Computer Science 9290)
ISBN: 978-3-319-23317-8 (Print)
ISBN: 978-3-319-23318-5 (Online)
Information Security Conference (ISC) <18, 2015, Trondheim>
Fraunhofer SIT ()
side channels; covert channels; migration; isolation

Physical isolation provides tenants in a cloud with strong security guarantees, yet dedicating entire machines to tenants would go against cloud computings tenet of consolidation. A fine-grained isolation model allowing tenants to request fractions of dedicated hardware can provide similar guarantees at a lower cost. In this work, we investigate the dynamic provisioning of isolation at various levels of a systems architecture, primarily at the core, cache, and machine level, as well as their virtualised equivalents. We evaluate recent technological developments, including post-copy VM migration and OS containers, and show how they assist in improving reconfiguration times and utilisation. We incorporate these concepts into a unified framework, dubbed SafeHaven, and apply it to two case studies, showing its efficacy both in a reactive, as well as an anticipatory role. Specifically, we describe its use in detecting and foiling a system-wide covert channel in a matter of seconds, and in implementing a multi-level moving target defence policy.