MIGRATE: Towards a Lightweight Moving-Target Defense Against Cloud Side-Channels
Authors: M. Azab, M. Eltoweissy
Venue: 2016 IEEE Security and Privacy Workshops (SPW)
Published: 2016-05-22
DOI: 10.1109/SPW.2016.28 (https://doi.org/10.1109/SPW.2016.28)
Citation count: 28 (Semantic Scholar)
Recent research has demonstrated the severity of co-residency side-channel attacks on computing clouds. Malicious tenants have successfully used these attacks to extract sensitive private information from selected neighboring tenants. Existing solutions are customized for specific variants of these attacks and often require significant modifications to the hardware, client virtual machines (VMs), or hypervisors. These solutions are not generic and will not succeed against mutating versions of these attacks. Except for impractical, resource-inefficient, and costly single-tenant solutions, co-residency will always be an issue for cloud service providers. In this paper, inspired by the camouflaging process of sea chameleons evading predators, we present MIGRATE. MIGRATE is a container management framework that employs resource-efficient, scalable, real-time moving-target defense to obfuscate container execution behavior, complicating the attacker's task of locating their targets. MIGRATE offers a generic defense against side-channel attacks and employs efficient real-time probabilistic random migrations of cloud tenants' applications, contained in Linux containers, between different hosts to minimize the probability of attacker-victim co-residency on the same host. Eliminating stable co-residency eliminates most of the side-channel attacks that face such a platform. The current implementation of MIGRATE was tested on VMware vSphere Cloud; results showed that it can induce high-frequency migrations with almost no effect on the enclosed applications, making it suitable for mission-critical applications and as a mitigation against fast side-channel attacks.