Cherrypicking Virtual Machines in a Public Cloud

Categories: IT Security

How often do you pass over a bruised apple at the supermarket in favor of a nice, smooth, red one? We all know that although the apples in a bin are priced identically by weight, they vary in quality. So you can buy better apples at a given price through careful selection.

Resources in public clouds are sold on the same premise of uniform quality as apples. A virtual machine (VM) of a given type, for instance, is a fixed-sized bundle of resources—CPU, local storage, and so forth—that is rented to a tenant at a set hourly rate. Yet VMs, like apples, vary in quality. A VM’s performance depends on the CPU model in the machine on which it sits, the workloads of its neighbors (the VMs of other tenants), and a variety of other characteristics.

Is it possible, then, for a savvy shopper in a public cloud to throw bad fruit back into the bin? In other words, does careful selection enable a clever tenant to get higher-performing VMs for a given amount of money? The answer is yes.

In a paper recently presented at the Symposium on Cloud Computing (SOCC), academic colleagues at the University of Wisconsin, together with RSA Labs, have shown that it’s possible for a tenant to game public clouds to achieve better VM performance. Public clouds don’t allow tenants to select VMs freely like apples in a supermarket. But tenants can periodically shut down underperforming VMs and spin up new ones. In our experiments in a public cloud, exploiting this small degree of control yields performance gains of 5% for CPU-bound jobs and 34% for bandwidth-intensive jobs.
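A toy expected-cost model of the shut-down-and-relaunch strategy described above, added here as an illustration and not taken from the paper. The speed mix, the one-hour measurement window and the relaunch limit are constructed assumptions, so its output does not reproduce the 5% and 34% figures.

```python
"""Toy model: expected billed hours when a tenant relaunches slow VMs."""

# Constructed assumption: 60% of launches land on a full-speed host and
# 40% on a host that delivers 70% of that speed. Not data from the paper.
SPEED_MIX = [(0.6, 1.0), (0.4, 0.7)]


def expected_hours(work, mix, threshold, relaunches, probe=1.0):
    """Expected hours billed to finish `work` units of computation.

    Each new VM is measured for `probe` hours while doing real work.
    If its speed is below `threshold` and relaunches remain, it is shut
    down and replaced; otherwise it runs the job to completion.
    """
    total = 0.0
    for prob, speed in mix:
        keep = speed >= threshold or relaunches == 0
        if keep or speed * probe >= work:
            # Job finishes on this VM (kept, or done before the probe ends).
            total += prob * work / speed
        else:
            # Pay for the probe, keep the work it produced, then try again.
            rest = work - speed * probe
            total += prob * (probe + expected_hours(
                rest, mix, threshold, relaunches - 1, probe))
    return total


def speedup(work, mix, threshold, relaunches):
    """Baseline cost (keep the first VM) divided by cherrypicking cost."""
    baseline = expected_hours(work, mix, threshold, 0)
    picked = expected_hours(work, mix, threshold, relaunches)
    return baseline / picked


if __name__ == "__main__":
    for hours in (0.5, 10, 100):
        for tries in (1, 2, 5):
            gain = speedup(hours, SPEED_MIX, 1.0, tries)
            print(f"work={hours:>5} relaunches={tries} speedup={gain:.3f}")
```

In this model a job shorter than the measurement window gains nothing from relaunching, while long jobs amortize the billed probe hours and benefit from each extra retry.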

Essentially any public cloud with a simple pricing regime is likely to be vulnerable to such gaming by tenants. A natural follow-up question is what happens if cherrypicking by tenants becomes standard practice. The answer may be like the one at the supermarket: Avoid shopping for picked-over VMs on a Sunday evening.

The paper (© ACM) is here: “More for Your Money: Exploiting Performance Heterogeneity in Public Clouds.”

Dr. Ari Juels

Dr. Ari Juels is Chief Scientist and Director of RSA Laboratories, where he works to bring sparks of invention and insight from RSA's scientists and affiliates to the company as a whole. He joined RSA in 1996. Ari's dozens of research publications span a range of topics, including biometric security, RFID security and privacy, electronic voting, browser security, combinatorial optimization, and denial-of-service protection. Ari has served as the program chair or co-chair for a number of conferences and workshops, including Financial Cryptography in 2004, the DIMACS Workshop on Electronic Voting in 2004, the Industry Track of the ACM Conference on Computer and Communications Security in 2005, the ACM Workshop on Wireless Security (WiSe) in 2006, the IEEE International Workshop on Pervasive Computing Security (PerSec) in 2006, and the Security, Privacy, and Ethics track of WWW2006. He has been a frequent invited speaker at industry events, such as USENIX Security 2004 and CHES 2006. In 2004, MIT's Technology Review Magazine named Dr. Juels one of the world's top 100 technology innovators under the age of 35. Ari received his B.A. in Latin Literature and Mathematics from Amherst College in 1991 and his Ph.D. in Computer Science from U.C. Berkeley in 1996.