Speaking of multiple VMs running on a hypervisor: “Herein lies the unseen danger: an attacker can target an unsecured VM, and once that VM is compromised, the attack can move on to compromise the hypervisor,” said US Army Research Lab engineer Dr. Charles Kamhoua. “At that point, the utility of a shared resource of the hypervisor has tipped toward the attacker because once the hypervisor is compromised, all other virtual machines on that hypervisor are easy prey for the attacker – the negative externality manifests as the (in)security of one virtual machine affecting the security of all other co-located virtual machines.”
According to the Army, because of the unique structure of the competing interests in the cloud, the researchers evaluated the situation using game theory and came to a non-intuitive conclusion.
They created an algorithm that, by assigning VMs to hypervisors according to game-theoretically-derived guidelines, makes the attacker indifferent as to which hypervisor to attack.
“The importance of attaining this outcome is this: in cybersecurity, attacker indifference makes a big difference,” Kamhoua said. “By compelling the attacker to be inattentive to any single target, the research team made a novel contribution to cloud security. A quantitative approach to cloud computing security using game theory captures the strategic view of attackers and gains a precise characterisation of the cyber threats facing the cloud”.
The work has been patented (9832220 ‘Security method for allocation of virtual machines in a cloud computing network’) and is presented as ‘Risk and benefit: Game-theoretical analysis and algorithm for virtual machine security management in the cloud’, a chapter in the book ‘Assured cloud computing’ published by Wiley-IEEE.
The US Army worked with the University of Florida, the Caesar Group and Syracuse University.
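To make the idea of attacker indifference concrete, here is an added illustration that is not the patented algorithm and not code from the researchers. It assumes a simple payoff model (attacker gain for a hypervisor = escape probability × chance that any co-located VM falls × total asset value on that host); the fleet, the probabilities and all function names are constructed for the example.

```python
from itertools import product
from math import prod

# Constructed fleet (not from the article): name, P(VM is compromised), asset value.
VMS = [("web", 0.30, 2), ("db", 0.05, 10), ("hr", 0.05, 8),
       ("dev", 0.40, 1), ("ci", 0.20, 4), ("mail", 0.10, 6)]
ESCAPE = 0.5  # assumed P(hypervisor falls | one of its VMs is compromised)


def attacker_gain(vms):
    """Expected attacker payoff for one hypervisor under the assumed model."""
    if not vms:
        return 0.0
    p_foothold = 1 - prod(1 - p for _, p, _ in vms)  # any co-located VM falls
    return ESCAPE * p_foothold * sum(value for _, _, value in vms)


def gains(placement):
    return [attacker_gain(host) for host in placement]


def spread(placement):
    """0 means the attacker is exactly indifferent between hypervisors."""
    g = gains(placement)
    return max(g) - min(g)


def round_robin(vms, n_hosts):
    """Security-unaware baseline: deal VMs out in arrival order."""
    return [vms[i::n_hosts] for i in range(n_hosts)]


def most_indifferent(vms, n_hosts):
    """Exhaustive search (fine for small fleets) for the placement with the
    smallest spread; ties go to the lower worst-case gain."""
    best, best_key = None, None
    for assignment in product(range(n_hosts), repeat=len(vms)):
        placement = [[vm for vm, h in zip(vms, assignment) if h == host]
                     for host in range(n_hosts)]
        key = (spread(placement), max(gains(placement)))
        if best_key is None or key < best_key:
            best, best_key = placement, key
    return best


if __name__ == "__main__":
    for label, plan in (("round robin", round_robin(VMS, 2)),
                        ("indifferent", most_indifferent(VMS, 2))):
        names = [[name for name, _, _ in host] for host in plan]
        print(f"{label}: {names} gains={[round(g, 3) for g in gains(plan)]}")
```

Under this model the baseline leaves one hypervisor clearly more attractive than the other, while the searched placement brings the two expected gains close together, so neither host stands out as the better target.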