[Experiment Setup] Cloud Environment Setup

controlpro 2025. 2. 7. 04:58

0.  Introduction

[2025-02-04]

This is my first time searching for vulnerabilities in cloud environments, so I'm going to record all the procedures right now.

[2025-02-05]

Today, I tried to build experimental environments to test which metrics I can use. For example, I made two OpenStack cloud environments to test how network IPs are assigned.

 Remaining Questions [Update]

  • If two VMs have similar network IP ranges, does it mean that they are on the same server or host?
    • ... I don't know...?
  • How do I set up the experiment environment? What is my threat model?
  • If I am going to collect the network information, does it matter whether I collect it from inside or outside?
  • How can I judge that the attacker's instance is on the same host and server?

 

 

1.  Abstract

Here is the abstract of my research. I am going to conduct research on co-location strategies in cloud environments. I want to point something out to the reader: because this is my first time doing research in English, my English might seem odd to you. Please bear with me if you don't understand my article well.

 

Modern microarchitectures have been exploited by many kinds of attacks, such as Rowhammer, buffer overflow, and side channels. One of these attacks is the cache-based side-channel attack, which targets shared resources in a cloud environment by observing the victim's cache access pattern. The attack has one key prerequisite: the attacker's instance must be on the same server or host as the victim, which is called co-location. Only after that can the attacker exploit the shared resources by observing the victim's access pattern. In the IA & AI sec lab, which is my lab in Korea, I've conducted research on side-channel attacks and cache side-channel attacks, but I've never examined this assumption. I just assumed that the attacker's instance was already on the same server and host. But this leads to a logical error, since a real-world experiment in a cloud environment doesn't guarantee co-location that easily. Fortunately, I got the chance to visit the U.S. to conduct research with Dr. Chang at UCCS. From now on, I am going to do research on co-location strategies.

 

 

As I said, before launching the attack, the attacker must be on the same server and host as the victim. I think that prior research has three kinds of limitations.

 

  • First, most techniques involve deploying a large number of instances through the network to find the victim, which is resource-intensive and easily detectable.
  • Second, these approaches typically do not target a specific victim, but rather any instance on the same host. That means that many researchers have focused on how to detect any victim's instance on the same server.
  • Lastly, pinpointing a specific victim often requires a controlled experimental environment, making real-world application difficult.

My research aims to overcome these limitations and develop a more effective approach.
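
The first limitation says that mass instance deployment is easily detectable. The following is an added example, not from the original post, of a provider-side check for launch-and-discard churn per tenant. The log format, tenant and instance names, and all thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)       # assumed look-back window
MAX_LIFETIME = timedelta(minutes=5)  # assumed "launch, check, discard" lifetime
THRESHOLD = 5                        # assumed short-lived instances per window

def parse(line):
    # Assumed format: "<ISO time> <tenant> <instance> <launch|terminate>"
    ts, tenant, instance, action = line.split()
    return datetime.fromisoformat(ts), tenant, instance, action

def flag_churn(lines):
    """Return {tenant: first alert time} for tenants that terminate at least
    THRESHOLD short-lived instances within WINDOW."""
    launched = {}                # (tenant, instance) -> launch time
    recent = defaultdict(deque)  # tenant -> end times of short-lived instances
    alerts = {}
    for ts, tenant, instance, action in sorted(map(parse, lines)):
        if action == "launch":
            launched[(tenant, instance)] = ts
        elif action == "terminate":
            start = launched.pop((tenant, instance), None)
            if start is None or ts - start > MAX_LIFETIME:
                continue         # unknown or long-lived instance: not churn
            q = recent[tenant]
            q.append(ts)
            while ts - q[0] > WINDOW:
                q.popleft()      # drop events that fell out of the window
            if len(q) >= THRESHOLD and tenant not in alerts:
                alerts[tenant] = ts
    return alerts

def sample_events():
    """Constructed audit events: tenant-a runs one long-lived VM,
    tenant-b cycles six two-minute VMs, one every three minutes."""
    base = datetime(2025, 2, 5, 10, 0)
    lines = [f"{base.isoformat()} tenant-a web-1 launch",
             f"{(base + timedelta(hours=2)).isoformat()} tenant-a web-1 terminate"]
    for i in range(6):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} tenant-b probe-{i} launch")
        lines.append(f"{(t + timedelta(minutes=2)).isoformat()} tenant-b probe-{i} terminate")
    return lines

if __name__ == "__main__":
    for tenant, when in flag_churn(sample_events()).items():
        print(f"ALERT {tenant}: instance churn threshold reached at {when}")
```
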

 

1-1. Considerations

There are three key considerations for my study.

 

First, which cloud service should I target?

  • There are many options like AWS or Google Cloud, but for now, I’ll start with CloudLab, since it’s free, research-focused, and provides useful network information for attacks. After I finish detecting co-location in CloudLab, I will move on to the next step and test my co-location strategy in AWS environments.

Second, what metrics should I use for co-location?

  • I haven’t fully explored all possibilities yet, but I plan to analyze auto-scaling behavior, load balancing, and traffic patterns to identify co-location opportunities. To overcome the limitations I mentioned before, I need to target a specific victim, so I considered many features that I will try to feed into a deep learning model.
    • Network traffic information → IP assignment protocol, load balancing, etc.
    • Hardware information → TSC (Time Stamp Counter), cache access pattern, etc.
    • Application information → HTTP, HTTPS, other web services, etc.

Lastly, how can I improve performance?

  • This is something I still need to refine, but optimizing detection accuracy and reducing resource usage will be critical.

1-2.   Approach

Using a deep learning model is quite a simple way to classify whether the attacker's instance is co-located on the same server as the victim or not. In addition, when the model is trained on some features, I can interpret the classification result by analyzing the weights of the model. To figure out which features are most important,

Using Deep Learning Model to figure out co-location

  • Input Features: Timestamp, network traffic data, resource usage patterns.
  • Model Considerations: LSTM, CNN, Transformer for temporal and spatial feature learning.
  • Training and Validation: Data collection in cloud environments, adversarial evaluation for accuracy.
  • Analyzing the results to see which feature is most involved in classifying co-location.

2.  Related Work

https://dl.acm.org/doi/10.1145/3617232.3624867

 

Everywhere All at Once: Co-Location Attacks on Public Cloud FaaS | Proceedings of the 29th ACM International Conference on Archi


 

This paper tried to co-locate the attacker's instance with the victim's instance using the Time Stamp Counter. If the attacker's instance had the same time counter as the victim, they detected co-location. Then they tried to analyze Google's VM placement policy.

 

[2] conducted a measurement study of the co-residence threat in IaaS environments. In particular, the authors investigated Amazon EC2 from the perspectives of virtual machine placement, network management, and Virtual Private Cloud. ZMap was used to scan the specified ranges of IP addresses published by EC2 for several well-known ports to acquire a list of live hosts in EC2. Such scanning followed by several experiments revealed that VPC can prevent the co-residence threat. Finally, the authors presented a technique that achieves co-recovery in VPC and can detect live hosts from their domain names, IP addresses, and the mapping between public and private IP addresses.

 

3.  Experimental Setup

Now, let me show you my plan for building the experimental setup.

 

 
