Received 10 April 2024, accepted 10 May 2024, date of publication 24 May 2024, date of current version 3 June 2024.

Digital Object Identifier 10.1109/ACCESS.2024.3404949

Interdependency Attack-Aware Secure and Performant Virtual Machine Allocation Policies With Low Attack Efficiency and Coverage

BERNARD OUSMANE SANE (1,2) (Member, IEEE), MANDICOU BA (1,3), DOUDOU FALL (2), YUZO TAENAKA (2) (Member, IEEE), IBRAHIMA NIANG (1), AND YOUKI KADOBAYASHI (2) (Member, IEEE)
(1) Laboratoire d'Informatique de Dakar (LID), Faculty of Science and Technology, University Cheikh Anta Diop of Dakar, Dakar 630-0101, Senegal
(2) Laboratory for Cyber Resilience, Nara Institute of Science and Technology, Ikoma, Nara 630-0192, Japan
(3) Ecole Supérieure Polytechnique, Faculty of Science and Technology, University Cheikh Anta Diop of Dakar, Dakar 630-0101, Senegal
Corresponding author: Bernard Ousmane Sane ([email protected])
This work was supported in part by Industrial Cyber Security Center of Excellence (ICSCoE) Core Human Resources Development
Program, and in part by Japan Society for the Promotion of Science (JSPS) KAKENHI under Grant JP24K03045.

ABSTRACT Cloud computing has completely changed IT (information technology) by providing IT
resources as services on the internet. However, certain types of attacks, such as interdependency attacks,
impede its wide adoption. With the latter, an attacker who succeeds in compromising the VM of a user can
traverse the hypervisor to launch an attack on the VM(s) of other users on the same hypervisor. Unfortunately,
we note a lack of secure and performant allocation policies against this problem. Existing policies focus
on security but ignore other factors, including workload balance and energy consumption, which are vital
for commercial cloud platforms. In this context, we propose different allocation policies for choosing
the datacenter server to which we allocate a new virtual machine. These policies aim to minimize the
interdependence of different users’ VMs while keeping the system performant regarding workload balance
and/or power consumption. By default, our allocation policies treat all legitimate users as attackers and host
their virtual machines according to their efficiency and coverage. We first design a secure and balanced
solution that increases workload balance to prevent the servers from being overused. Afterward, we propose
an algorithm that addresses security, power consumption, and workload balance objectives simultaneously.
Based on our simulation results, our solutions perform better than existing algorithms regarding security,
workload balance, and power consumption. The balanced solution reduces the chance of an attacker to zero
and increases workload balance linearly. In other words, the workload balance is between [5, 35], and it
utilizes slightly more hosts than existing proposals, with gains between [2, 8]. Although our final proposal
is less secure than previous algorithms, it performs better, so it has a good workload balance ([5, 30]) and
consumes less energy.

INDEX TERMS Virtual machine allocation, interdependency attack, security, workload balance, power
consumption, hypervisor.

The associate editor coordinating the review of this manuscript and approving it for publication was Nitin Gupta.
2024 The Authors. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/
VOLUME 12, 2024

I. INTRODUCTION
Cloud computing is one of the most remarkable advances in IT in the last two decades. It offers resource consumption on demand, a flexible environment, and ease of use. These facilities make it widely adopted by customers. However, in cloud computing, the hypervisor allows multiple virtual machines (VMs) of different users to run simultaneously on the same physical server. Ideally, each of these users' virtual machines should operate in isolation to maintain optimal security conditions. Unfortunately, perfect logical isolation has not been achieved in practice, leaving attackers with the possibility of launching attacks such as interdependency attacks [1], [2], [3], [4], [5], [6], [7]. With the interdependency attack, a malicious user who has compromised the VM(s) of a user i can traverse the hypervisor to launch an attack on the VMs of another user j ≠ i on the same hypervisor.

Hence, to tackle this issue, most of the proposals tried to satisfy security and/or performance constraints by using optimization methods such as heuristic algorithms [8], [9], [10], game theory approaches [3], [11], [12], [13], and multi-objective optimization [14], [15], [16], since the problem is NP-hard [14]. However, we note the absence of a secure and performant virtual machine allocation technique against the interdependency problem. For instance, in [16], the authors proposed a secure solution against the interdependency attack that minimizes both the attacker's efficiency and coverage, which respectively represent the probability of success of the attacker and the probability that the virtual machine of a legitimate user will be compromised. Nevertheless, this solution overlooked essential performance constraints related to minimizing power consumption and maximizing workload balance in the datacenter. These two performance constraints are very important for commercial cloud platforms. The first one motivates a provider to allocate a lot of VMs to fewer servers to reduce the cost of energy consumption and the emission of carbon dioxide (CO2). Significant energy consumption leads to high energy costs among providers. On the other hand, maximizing the workload balance spreads users' virtual machines among the servers to prevent the hosts from being over-utilized. To accommodate these two performance constraints essential for commercial cloud platforms, we propose extending [16]. We address the interdependency problem and the interdependency attack interchangeably throughout the paper. We also refer to the performance by workload balance and power consumption.

This paper extends our previous work [16]. We first give a complete overview of existing secure virtual machine allocation techniques. Then, we present three algorithms that determine the data center host to which we allocate a new VM to minimize the interdependency of different users' VMs while optimizing the power consumption and workload balance. By default, our allocation policies consider all legitimate users as attackers and then proceed to host the users' virtual machines on the server where their efficiency and/or coverage are the smallest. Our simulation results show that our allocation policies perform better than the existing works.

Contributions: This paper presents two novel allocation policies, SALAEC-B and SPALAEC, which advance secure virtual machine allocation in cloud environments. With these algorithms, the interdependency attacks, an underexplored vulnerability in virtual machine allocation, are addressed by modeling attacker behavior and optimizing resource allocation based on a game-theoretic approach. Indeed, in our previous work [16], we proposed a secure solution against the interdependency attack that minimizes both the attacker's efficiency and coverage. However, this solution [16] ignored the performance constraints relative to the minimization of the power consumption and the maximization of the workload balance in the data center. Regarding these two distinct points, we need to design performant algorithms to increase the attacker's difficulties. Our main contributions are:
• A secure and balanced algorithm, called SALAEC-Balanced (SALAEC-B), which is an extension of our algorithm SALAEC [16]. It is a virtual machine allocation policy that minimizes the possibility of attackers using a weak/vulnerable VM as a jumping-off point to attack other VMs within the same hypervisor management area. Moreover, to avoid violating the workload balance constraints, SALAEC-B does not allocate additional VMs to a particular host, even if the latter can still host more VMs. This favors the use of several servers, thus resulting in the dispersion of the virtual machines to prevent the servers from being overloaded. Hence, SALAEC-B is a solution that prevents the servers from being overused while maintaining security.
• We propose an algorithm that simultaneously tackles the security and performance constraints. This algorithm, named secure and performant allocation for low attacker's efficiency and coverage (SPALAEC), is an improvement of SALAEC-Balanced. It decreases power consumption by using the fewest hosts without having an important negative impact on the workload balance and security. In SPALAEC, the failure of a host does not have an impact on all of a user's VMs, unlike in existing works [14], [15]. It also prevents virtual machines that belong to the same user from launching interdependency attacks on each other.

Our simulation results show that by switching from the secure policy (SALAEC) to the secure and balanced policy (SALAEC-B), we kept the same level of security, unlike the solution in [14]. Besides, SALAEC-B performs better regarding the workload balance compared to a similar algorithm in [14]. Moreover, SPALAEC has a high workload balance performance while being secure. It also uses less energy compared to SALAEC-B and the solution in [14]. This work is compared with previous ones in Table 1.

The manuscript is organized as follows: A complete overview of existing secure virtual machine allocation techniques is presented in Section II. Then, we describe some fundamental concepts before defining the studied problem and the requirements in Section III. We present three algorithms for virtual machine allocation policies against the interdependency problem that optimize the constraints related to security, power consumption, and workload balance in Section IV. We analyze our proposals in Section V. Section VI discusses our proposals and their limitations. We conclude this paper in Section VII.

TABLE 1. Comparative Analysis of VM allocation Policies. High and Low criteria refer to good security performance and optimum power consumption, respectively.

II. RELATED WORK
The papers [8], [10], [17], [18], [19] used different virtual machine allocation techniques to satisfy performance constraints such as load-balancing and/or energy consumption. The energy consumption at the data center level is very important. In [10], the authors focused on live migration while keeping a high quality of service to reduce energy consumption. They proposed an algorithm based on the history of the data used by the virtual machines. They split the dynamic consolidation problem into four sub-problems and improved a deterministic heuristic algorithm using historical VMs' data.

The work in [20], concerning security and privacy in the interconnection between autonomous devices, gave us an idea about the interdependency in cloud computing. Replacing the network nodes with the cloud's virtual machines proves this connection between virtual machines. In [3], the authors defined the interdependency between cloud users sharing the same hypervisor as an indirect attack. Hence, when an attacker wants to compromise the user i, he first compromises a vulnerable customer, then he proceeds to the hypervisor. Unfortunately, when the hypervisor is compromised, all users' virtual machines connected to it will be vulnerable. Additionally, if the attacker can launch the interdependency attack, then it can also try to measure the utilization of CPU caches in the server [5], [6]. However, to launch an interdependency attack, the attacker must first be a co-resident of the vulnerable customer. That means that the solutions to co-resident attacks [4], [14], [15], [21], [22] make it possible to avoid the interdependency problem. Hence, Han et al. [15] proposed a secure VM management named the previous selected server first (PSSF), where, given a VM from a user, a server will be selected randomly, based on the LEAST algorithm or based on the MOST algorithm when the user does not yet have a VM in the datacenter. Otherwise, the server that already hosts a VM from the user will be selected. This solution ensured the security of users in the cloud by increasing the attacker's difficulties. However, in PSSF, a user could lose all her virtual machines when a server fails, and PSSF is not performant regarding workload balance. In [14], Han et al. extended their previous work in [15] to define a more secure and performant virtual machine allocation policy. In [16], the authors focused on the interdependency attack in co-resident environments and proposed a secure VM management that decreases as much as possible the attacker's efficiency and coverage.

Based on the interconnection between cloud users, other approaches use game theory methods for secure virtual machine allocation [3], [11], [12], [13]. In [3] and [11], the authors proposed a game model in the public cloud for studying the interdependency problem. Hence, they proved that the interdependency problem is a real problem in cloud computing. The lack of investment in the security of one user can harm other users on the same hypervisor [3]. They also defined theoretic virtual machine management based on the user's investment in security [11]. In [12], Han et al. evaluated the co-resident attack in public cloud computing. They introduced a secure game model to mitigate the users' risks. They also showed that the best way for the cloud provider to secure cloud users is to use pool policies and, given a virtual machine, select one of them randomly. An evaluation of the attacker's difficulty in achieving the interdependency problem is proposed in [13]. The authors analyzed the attacker's efficiency under four basic virtual machine allocation policies. Moreover, they showed that the Round Robin virtual machine allocation policy is unsuitable for the interdependency problem.

However, currently, there is no secure and performant virtual machine allocation solution against the interdependency attack. In [16], the authors tried to minimize the attacker's efficiency and coverage, but they did not focus on performance factors in the datacenter such as workload and power consumption. Thus, our main research question is: "How to improve [16] to attain secure virtual machine management against the interdependency problem while increasing the workload and decreasing the power consumption?"

A. A BRIEF OVERVIEW OF THE PROBLEM OF INTERDEPENDENCE
According to [20], security and privacy are explored in the interconnection of autonomous devices. Based on the results of this work, we can conclude that the interdependency in cloud computing is strongly influenced by its structure by replacing the network nodes with virtual machines. Our study focuses on the interdependency between cloud users who share the same hypervisor. Our previous paper [16] defined
it as follows: To compromise user i, the attacker must first place his virtual machine on the same server as his potential target, named user i. Then he goes through a vulnerable user named user j, who is another client on the same server and is easy to compromise (has a big potential loss). Afterward, he uses the latter, i.e., user j, to proliferate his attack on the hypervisor. As we know, if the hypervisor is compromised, all the virtual machines connected to it will be compromised [3]. Thus, through the vulnerable user (user j), the attacker has control over all virtual machines on the same hypervisor. Therefore, if there is a large difference in potential loss between users, then one user's security can impact another user, resulting in an interdependency problem [3]. To initiate an interdependency attack, the attacker can use a brute force strategy: start as many virtual machines as possible until he secures a good target (a user with whom the difference of loss is high). Referring to [3], interdependency strongly connects to side-channel attacks. Hence, if the attacker can launch the interdependency attack, then it can also attempt to measure the CPU cache utilization in the server [5], [6].

III. PROBLEM FORMULATION AND REQUIREMENTS
In this section, we first describe some fundamental concepts before defining the studied problem and the requirements for having secure and performant VM allocation policies against the interdependency problem. However, the scope of our previous paper [16] is extended beyond security to include performance considerations, resulting in criteria (7), (8), and (9). In this expansion, we offer metrics for assessing our solutions' performance.

A. NOTATIONS AND DEFINITIONS
Prior research has shown [3], [11] that disparities in potential loss among clients hosted on a single server facilitate interdependence attacks. Through mathematical evaluation, the factors outlined here are meant to assess attackers' success and legitimate users' vulnerabilities. For instance, using Equation (2) below, we can find the attacker's VMs that share the same hypervisor as the legitimate user.

We adopt the notations and definitions as in [15] and as in our previous papers [13], [16].

Given a set of VMs and a set of servers, we define $\gamma$ as how the virtual machines are distributed in the servers.
• $D$: set of possible distributions.
• $A_i$ and $U_i$ designate respectively attacker i and legitimate user i.
• $VM^{\gamma}(X_i, \delta)$: a set of virtual machines under the distribution $\gamma$ launched by the entity (attacker or legitimate user) $X_i$ at time $\delta$.
• $PL(vm)$: potential loss of the virtual machine vm. We define it as the amount of loss a user could suffer if one of his virtual machines were compromised. For example, companies managing sensitive data, such as banks, ministries of defense, health centers, etc., can be considered as having a high potential loss.
• $Target(A_i^{\gamma})$: a set of virtual machines under the distribution $\gamma$ started by a user $U_i$ and targeted by the attacker.
• $PtVM^{\gamma}(U_i, \delta)$: user $U_i$'s virtual machines under the distribution $\gamma$ whose potential loss difference(s) with at least one virtual machine of an attacker $A_i$ is quite high.
• $PtVM^{\gamma}(A_i, \delta)$: attacker $A_i$'s virtual machines under the distribution $\gamma$ whose potential loss difference(s) with at least one virtual machine of a user $U_i$ is quite high.
• $Hyp(vm)$: hypervisor where the virtual machine vm is hosted.
• $IdepVM^{\gamma}(A_i, \delta)$: a subset of $VM^{\gamma}(A_i, \delta)$ that contains all the virtual machines that can launch the interdependency attack.
• $IdepVM^{\gamma}(U_i, \delta)$: a subset of $VM^{\gamma}(U_i, \delta)$ that contains all the virtual machines that are susceptible to be compromised by the interdependency attack.
• Most secure host: a host where the attacker's efficiency and coverage are equal to zero.
• Semi-secure host: a host where the attacker's efficiency and coverage are equal to 0.2 and 0.15, respectively.

We confirm that $IdepVM^{\gamma}(A_i, \delta)$ and $IdepVM^{\gamma}(U_i, \delta)$ are different. Indeed, we consider any user a potential attacker, but only when he is launching a VM. This precision is important. In other words, at the instant $\delta$, when a user $i$ starts a virtual machine, he is considered an attacker. At the time $\delta + 1$, we assume his VMs are already allocated. This means these VMs will be protected at time $\delta + 1$. In other words, the user $j$ who will launch his VM at time $\delta + 1$ should not be able to attack the VMs of user $i$ ($U_i$). These VMs of user $i$, which must be protected, are estimated with $IdepVM^{\gamma}(U_i, \delta)$ instead of $IdepVM^{\gamma}(A_i, \delta)$ (where $A_i = U_j$), which estimates, among the VMs of user $j$ launched at time $\delta + 1$, the ones which can launch an interdependence attack.

1) SECURITY FACTORS
While the VMs distribution is $\gamma$, we have the attacker's efficiency and coverage defined as follows [12], [15], and [16]:
• Efficiency (E): the probability of success of the attack when the time and the number of virtual machines started by the attacker decrease or increase.

$$E(VM^{\gamma}(A_i, \delta)) = \frac{\#IdepVM^{\gamma}(A_i, \delta)}{\#VM^{\gamma}(A_i, \delta)} \tag{1}$$

where:

$$IdepVM^{\gamma}(A_i, \delta) = \{vm \mid vm \in PtVM^{\gamma}(A_i, \delta),\ Hyp(vm) \subset \{Hyp(vm'),\ vm' \in Target(A_i^{\gamma})\}\} \tag{2}$$

is the set of the attacker's virtual machines under the distribution $\gamma$ that can launch an attack on at least one of the virtual machines of the legitimate users [3], [13].

$$PtVM^{\gamma}(A_i, \delta) = \{vm \mid vm \in VM^{\gamma}(A_i, \delta) \text{ and } |PL(vm) - PL(vm')| \text{ and/or } |PL(vm) - PL(vm'')| \text{ quite high, with } (vm', vm'') \in (Target(A_i^{\gamma}), VM^{\gamma}(A_i, \delta))\} \tag{3}$$

• Coverage (C): it gives an idea about how many of the legitimate users' virtual machines are vulnerable to the interdependency attack.

$$C(VM^{\gamma}(U_i, \delta)) = \frac{\#(IdepVM^{\gamma}(U_i, \delta))}{\#(VM^{\gamma}(U_i, \delta))} \tag{4}$$

where:

$$IdepVM^{\gamma}(U_i, \delta) = \{vm \mid vm \in PtVM^{\gamma}(U_i, \delta),\ Hyp(vm) \subset \{Hyp(vm'),\ vm' \in VM^{\gamma}(A_i, \delta)\}\} \tag{5}$$

is a set of the legitimate user's virtual machines under the distribution $\gamma$ that are susceptible to be compromised by at least one of the virtual machines of the attacker [13].

$$PtVM^{\gamma}(U_i, \delta) = \{vm \mid vm \in VM^{\gamma}(U_i, \delta) \text{ and } |PL(vm) - PL(vm')| \text{ and/or } |PL(vm) - PL(vm'')| \text{ quite high, with } (vm', vm'') \in (VM^{\gamma}(A_i, \delta), VM^{\gamma}(U_i, \delta))\} \tag{6}$$

$PtVM^{\gamma}(X_i, t)$ allows us to find the virtual machines under the distribution $\gamma$ that have a high difference of potential loss. Unlike [13], we consider that the virtual machines coming from the same user must not be able to attack each other. That is why we redefine $PtVM^{\gamma}(X_i, t)$. $\#A$, the cardinality of set $A$, is the total number of elements in $A$. For instance, $\#\{a, b, d, h, l\} = 5$. Note also that the attacker's efficiency and coverage are two dynamic factors since they depend both on the delay and on the number of virtual machines allocated. Also, in the coverage formula, we use $VM^{\gamma}(U_i, \delta)$ as an input instead of $VM^{\gamma}(A_i, \delta)$. In fact, with the coverage, we would like to estimate how many users' VMs are vulnerable to the interdependency attack. That is why we use $VM^{\gamma}(U_i, \delta)$ as the input variable, where $U_i$ designates a legitimate user.

2) PERFORMANCE FACTORS
The cloud service provider aims to find a VM allocation policy that reduces the attack's effectiveness and efficiency while keeping the system performant. Hence, we define the workload balance ($W_k$) and the power consumption ($P_k$) at the host's level. However, we compute the sums ($\sum W_k$) and ($\sum P_k$) for having these metrics for the entire datacenter since a datacenter comprises several hosts.
• Workload balance (Wb): improves the Quality of Service (QoS) and reduces the cost. It can be defined as how the amount of processing is distributed at the host's level. In other words, it estimates how many times a server is selected. The formula is given in (7), where $H_k$ is the $k$th host, $\lambda_{k\gamma}$ is the number of times that $H_k$ is selected under the allocation policy $\gamma$, and $N$ is the total number of hosts [12].

$$Wb(\gamma) = \sum_{k=0}^{N} W_k = \sum_{k=0}^{N} \exp\left(-\left(\frac{\lambda_{k\gamma}}{10}\right)\right) \tag{7}$$

• Usable Hosts (Uh): hosts used during the allocation. We define it as shown in (8), where $\alpha_{\gamma}$ is the number of selected hosts under the allocation policy $\gamma$ and $N$ is the total number of hosts available in the datacenter.

$$Uh(\gamma) = \frac{\alpha_{\gamma}}{N} \times 100 \tag{8}$$

• Power consumption (P): controlling energy consumption at the cloud computing level is crucial for cloud providers. However, among the main components (CPU (central processing unit), cooling unit, network interface, primary and secondary storage) in a data center that consume electrical energy, the CPU consumes more electrical energy than the other components [10]. Hence, we provide a model for the power consumption of hosts that depends on the utilization of the critical system component (CPU). Therefore, we estimate the energy consumption by using a linear interpolation of the utilization change for a given time interval [10]. We adopt the definition from [23]. The formula is given in (9), where $R_{k\gamma}$ indicates the actual CPU proportion of the $k$th host under the allocation policy $\gamma$, $N$ is the total number of hosts, $P_{max}$ represents the maximum power that a host uses, and 70% of power defines the minimum percentage of power a host uses, even when it is in idle mode. We want to be in phase with our simulation platform CloudSim Plus [10].

$$P(\gamma) = \sum_{k=0}^{N} P_k = \sum_{k=0}^{N} \left(70\% \times P_{max} + (1 - 70\%) \times P_{max} \times R_{k\gamma}\right) \tag{9}$$

• Gain Function: we define the gain function to quantify the exact value of gain between two allocation policies. The definition is given in (10), where $X$ is the factor to evaluate, and $A_1$ and $A_2$ are two different algorithms.

$$G_X = \frac{X_{A_1} - X_{A_2}}{X_{A_1}} \times 100 \tag{10}$$

By the way, the security level (mentioned in the assumptions) will allow us to assess the potential loss of the VM. The efficiency and coverage use the latter, and the waiting time allows our algorithms to reach the secure server. Unlike the performance factors, we can remark that the security factors are expressed as a function of the waiting time. Therefore, the expected effect of the waiting time is more related to security than performance.

B. PROBLEM
We consider a cloud environment that runs on a virtualization technology named a hypervisor (Hyp) with n entities. We consider that the entity that manages the cloud computing resources (the provider) will act in good faith to guarantee the customers' security. On the other hand, the entity that engages the cloud provider in order to benefit from its services (the customer) will be our reference user in what follows. In other words, we will use "user" to refer to customers. Thus, each
user ($U_i$) can rent one or more virtual machines with different operating systems. However, the number of applications a user launches will not impact the model. When a user rents a virtual machine (vm), he can decide to pay (or not) an amount of e of investment in security. Using this investment in security for each virtual machine, we can determine the security level and the potential loss ($PL(vm)$). Since the virtual machines are running under a hypervisor (such as Xen, VMware, or KVM), different users can share the same hypervisor. Hence, the platform is susceptible to being compromised by the interdependency attack [3]. This means that a malicious user who has compromised the VMs of a user i can traverse the hypervisor to launch an attack on the VMs of another user j ≠ i on the same hypervisor. In fact, in this situation, a lack of investment in the security of one user can impact the other users (bad neighborhood effect). Therefore, a malicious user can compromise all legitimate users on the same hypervisor. To quantify the attack's impact, we use two security factors: efficiency (E) (1) and coverage (C) (4). Also, to evaluate the performance of the cloud datacenter, we use the workload balance and the power consumption. So, the attacker's goal is to maximize these two security factors, while the cloud provider's aim is to define VM allocation policies that increase the attacker's difficulties while keeping the system performant. In other words, a secure and performant VM allocation policy should satisfy the following conditions at the same time:
• Minimize the attacker's possibilities as much as possible. In other words, the success of an attack, as minimal as it could be, must require the launch of many virtual machines. Therefore, a successful attack will require significant financial resources. On the other hand, increasing the number of virtual machines launched should not significantly impact the attack's efficiency. In this context, we seek to minimize efficiency and coverage (11).
• Keep the system performant by reducing the power consumption (12) and by increasing the workload balance, distributing virtual machines to avoid the servers being over-utilized (13).

Hence, the problem can be formalized as follows: let $vmList = \{vm_1, \ldots, vm_n\}$ be a set of available virtual machines in a datacenter, and $D$ the set of all allocation possibilities. An allocation policy $\gamma \in D$ is said to be secure and performant if:

$$E(VM^{\gamma}(A_i, \delta)) = \min_{\gamma \in D} E(VM^{\gamma}(A_i, \delta)), \qquad C(VM^{\gamma}(U_i, \delta)) = \min_{\gamma \in D} C(VM^{\gamma}(U_i, \delta)) \tag{11}$$

$$P(\gamma) = \min_{\gamma \in D} P(\gamma) \tag{12}$$

$$Wb(\gamma) = \max_{\gamma \in D} Wb(\gamma) \tag{13}$$

The first conditions (11) mean that the distribution $\gamma$ must be the distribution that most minimizes, at the same time, the attacker's efficiency and coverage compared to the other distributions $\gamma' \in D$. The two last conditions signify that we cannot find another distribution $\gamma' \neq \gamma$ which best minimizes the power consumption or maximizes the workload balance in the datacenter.

C. ASSUMPTION
We make the following assumptions:
• If a user does not have a VM on the same hypervisor as the attacker, he will not suffer the consequences of the attack.
• Any user is considered as an attacker $A_i$ when he starts a virtual machine at time t. However, "launching/starting a VM" does not mean "turning on a VM". By "launching a VM" we mean a request from a client who wants to subscribe for a VM with the cloud provider.
• We assume that the attacker can try to launch an interdependency attack at any time.
• Given a user's virtual machine and his amount of investment in security, we can determine the security level and the potential loss ($PL(vm)$).
• Given a user's virtual machine, his amount of investment in security does not vary over time.
• We consider only suitable hosts (servers that have enough resources to host at least one VM) given a new virtual machine. In fact, given a virtual machine and its characteristics, we can recognize the list of hosts that have the capacity to host it. In each suitable host, we are looking for the top-ranked server so that the three above conditions (11), (12), and (13) can be satisfied.
• To minimize the power consumption, we use the straightforward method, which consists of reducing the number of running servers.

D. REQUIREMENTS
To propose a secure and performant solution against the interdependency problem, we should define a VM allocation policy that satisfies at the same time the previous conditions (11), (12) and (13). That means that our solution should:
• increase the attacker's difficulties by minimizing his efficiency and coverage.
• keep the system performant, by increasing the workload and decreasing the power consumption.

However, satisfying these constraints is equivalent to solving an NP-hard combinatorial problem [8]. It includes both the knapsack problem (the security and the workload balancing constraints) and the bin packing problem (the energy consumption constraint) [15]. As a solution, we use the multi-objective approach by minimizing the security metrics while treating the power consumption and the workload balance as constraints. In other words, when the choice arises, we will choose a secure server instead of a server with good power consumption and/or workload balance. This approach considers all legitimate users as attackers who attempt to hack the host's hypervisor, gain unauthorized privileges on the VMs it contains, and then proceed to host the users' virtual machines. Hence, we define allocation policies based
on the attacker's efficiency and coverage focusing on different objectives separately and simultaneously:
• The first allocation policy is the secure allocation for low attacker's efficiency and coverage (SALAEC). It focuses on the security and the power consumption (Algorithm 2).
• The second allocation is named SALAEC-Balanced (SALAEC-B), and it focuses on the security and the workload balance (Algorithm 3).
• The third allocation policy is the secure and performant allocation for low attacker's efficiency and coverage (SPALAEC). It focuses on security, power consumption, and workload balance simultaneously (Algorithm 4).
In the next section, we will provide more details about these algorithms.

IV. PROPOSED ALGORITHMS FOR MEETING SECURITY AND PERFORMANCE FACTORS
A summary of the proposed algorithms can be found in Figure 1.

A. SECURE ALLOCATION FOR LOW ATTACKING EFFICIENCY AND COVERAGE
We start by only considering the security constraints defined in (11). To minimize the attacker's possibilities, we try to allocate any user's VM to a suitable host (a server that has enough resources to host at least one VM) where the security is optimal. Hence, we consider any user malicious when he starts his virtual machine. Then, we leverage the list of hosts with enough resources to host a new virtual machine and proceed to compute each host's efficiency and coverage. Finally, the new virtual machine will be hosted in a suitable host where the efficiency/coverage is the smallest. Hence, each VM will be allocated to the optimal security host. Given a virtual machine and a list of hosts, Algorithm 2 works as follows:
• We first consider the first suitable host on the list of hosts as the temporary secure server. Then, we evaluate the efficiency and the coverage by considering the VM's owner as an attacker and the users that already have VMs in the datacenter as the targets. When we reach the time when the latter is no longer suitable, we will look for another suitable host. This continuous process creates a loop (Algorithm 1).
• We consider the secure host as the host where the efficiency/coverage is the smallest, and this efficiency/coverage will be called "(min_e/min_c)". To find this secure host ("secHost"), we evaluate the efficiency and coverage (tmp_e, tmp_c) in all suitable remaining hosts again. To avoid checking all available hosts, we define sub-lists of hosts from the start index to the number of hosts to check. In other words, the checked hosts' size will equal the number of virtual machines currently and already allocated (Algorithm 1).
• Finally, the secure and suitable host is the one where the attacker's efficiency and coverage is the smallest. Additionally, if the secure host is not suitable, we remove it from the list of hosts and look for another one on the updated list of hosts. When it is "null" (not instantiated), the first free suitable host will be supposed as the secure host, because the virtual machine will be alone inside the host, i.e., it cannot compromise other virtual machines (Algorithm 2).

Algorithm 1 Find Potential Secure Host for Virtual Machine
Input: A virtual machine vm launched by user U_i at time δ and a list of hosts available in the datacenter (HostList) that will be used by the allocation policy to place the virtual machine vm.
Output: Return the most secure host for the virtual machine
Initialization
    A_i ← user i
    min_e ← 1
    min_c ← 1
    secHost ← null
    for each host in HostList do    {Searching for first secure host}
        if (host is Suitable for vm) then
            min_e ← E(VM^γ(A_i, δ))
            min_c ← C(VM^γ(U_i, δ))
            secHost ← host
            break
        end if
    end for
    {Due to performance concerns, we do not want to check all hosts, so we define a sublist that will vary based on the number of VMs}
    if (the number of vms in the datacenter is higher than the number of available hosts) then
        NbrHostTocheck ← HostList.size()
    else
        NbrHostTocheck ← number of vms already hosted + 1
    end if
    for each host in HostList.subList(startIndex, NbrHostTocheck) do
        if (host is Suitable for vm and host != secHost) then
            tmp_e ← E(VM^γ(A_i, δ))
            tmp_c ← C(VM^γ(U_i, δ))
            min_e ← min(min_e, tmp_e)
            min_c ← min(min_c, tmp_c)
            secHost ← HostList.getHost(min_e, min_c)
        else
            startIndex ← startIndex + 1
        end if
    end for
    return secHost

Besides, we consider efficiency as the most important factor compared to the coverage since it works directly with the attacker's VMs, unlike the coverage where the


input parameters are the VMs of the legitimate user; hence, as mentioned in the original paper [16], we first used the attacker's efficiency for searching the secure host. However, by using the attacker's efficiency we can meet the situation where the efficiency is the same when a virtual machine is supposed to be in $host_i$ and also when it is supposed to be in $host_j$. In this case, we will use the coverage to decide which host to choose. More explanations, details, and an example can be found in the original paper [16].

FIGURE 1. Proposed virtual allocation policy workflow.

B. POWER CONSUMPTION-AWARE SECURE ALLOCATION FOR LOW ATTACKER'S EFFICIENCY AND COVERAGE
We know that the MOST-POLICY (an algorithm that allocates a new virtual machine to a suitable host that contains more VMs) performs better in terms of power consumption compared to the LEAST-POLICY (where a new virtual machine will be allocated to a suitable host that has the least VMs) [12]. The reason is that the MOST-POLICY uses fewer servers: it tries to allocate a new virtual machine to a server that has more virtual machines until that server reaches its full capacity. However, we remark that SALAEC (Algorithm 2) adopts the same philosophy by avoiding launching new servers in the following ways:
• When the attacker's efficiency and coverage are the same in two servers, we choose the server that has the largest number of virtual machines. This allows us to use between 30% and 48% fewer hosts, as shown in our previous paper [16].
• There is no limit to the number of virtual machines per server. That means a server can host a new virtual machine if it has enough resources.
• A server without a virtual machine will be turned off.

Hence, we propose SALAEC as a candidate when the constraints relative to the security (11) and the power consumption (12) are considered.

C. BALANCED SECURE ALLOCATION FOR LOW ATTACKER'S EFFICIENCY AND COVERAGE
In this subsection, we define an algorithm that will focus on the security and workload constraints by slightly modifying SALAEC:
• We prevent a server from being overused by defining a limited number of virtual machines (N) per server.


Hence, we assume that no server can host more than N virtual machines from any users even if it has enough remaining resources.
• We prevent the VMs from the same user from being at the same host by using efficiency/coverage as criteria for allocation. Otherwise, if the host crashes, the user will lose his virtual machines.
Algorithm 3 works as follows:
• We use the SALAEC algorithm to verify the host's security. Then, we check some constraints relative to the workload balance. Hence,
– If a secure host contains less than N virtual machines, it will be considered as a secure and balanced host.
– Otherwise, we check if all servers already have N virtual machines. If yes, the virtual machine can be hosted at the current secure host even if it has N virtual machines.
– Additionally, if the secure host and some other hosts (not all hosts) contain N virtual machines, then the host will be considered secure but not balanced. In this case, we will use the LEAST algorithm to find the host with the least virtual machines. We chose the LEAST algorithm based on its performance about the workload. Additionally, it performs better concerning security compared to the MOST algorithm and the RANDOM algorithm [12]. When we use the MOST algorithm, we will probably overuse some servers, which favors the co-location between the attacker and the legitimate user. On the other hand, choosing a server randomly among several servers with a different level of security is not helpful. The reason is that some of the chosen servers may already have the attacker's VM(s). Moreover, most of the time, the "least server" will be free (contains no VM), which is crucial for the security and the workload at the same time.

Algorithm 2 Secure Allocation for Low Attacking Efficiency and Coverage (SALAEC)
Input: A virtual machine vm launched by user U_i at time δ and a list of hosts available in the datacenter (HostList), that will be used by the allocation policy to place the virtual machine vm.
Output: Return the potential secure and suitable host for the virtual machine
Initialization
    HostList ← getHostList()
    secHost ← FindPotentialSecHostForVm(HostList, vm)
    while IndexMostSecHost() < HostList.size() do
        if (secHost != null and secHost is Suitable for vm) then
            secHost.add(vm)
            return secHost
        else
            if secHost != null && secHost is not Suitable for vm then
                HostList.remove(secHost)
                secHost ← FindPotentialSecHostForVm(HostList, vm)
            else
                IndexMostSecHost ← IndexMostSecHost() + 1
                if (IndexMostSecHost() < HostList.size()) then
                    secHost ← HostList.get(IndexMostSecHost())
                    return secHost
                end if
            end if
            IndexMostSecHost(HostList.indexOf(secHost))
        end if
    end while

D. SECURE AND PERFORMANT ALLOCATION FOR LOW ATTACKING EFFICIENCY AND COVERAGE (SPALAEC)
In this section, we consider the security, the power consumption, and the workload balance constraints at the same time. Hence, we introduce the SPALAEC algorithm that optimizes these three factors as follows:
• Security: SPALAEC considers any user as a potential attacker when he launches his virtual machine. Then, it allocates the latter's virtual machine to the host where his efficiency and coverage are the smallest. Additionally, as the allocated host will be selected from a list of hosts using the LEAST algorithm, we contend that the hosts inside the lists are homogeneous (they have the same level of security). Hence, we define Most-secure host as the host where the attacker's efficiency and coverage are both equal to zero. A host is Semi-secure when the attacker's efficiency and coverage are in the intervals ]0, 0.2] and ]0, 0.15], respectively. These values are from the simulation results of "PSSF-Balanced" [14], which is considered secure enough when the attacker's efficiency and coverage is equal to 0.2 and 0.15, respectively. The allocated host can be insecure without this homogeneity due to utilizing the LEAST algorithm.
• Workload balance: The workload balance aims to prevent a server from being overused. Hence, we define a number N of virtual machines per server to solve that issue. That threshold will help us to distribute the users' virtual machines across the servers. It also does not harm security since if the number of virtual machines per host is limited, then the number of virtual machines able to launch attacks will be small.
• Power consumption: we should use as few hosts as possible to decrease the power consumption. But, using the least hosts can harm the workload balance and


the security. To avoid this negativity, we ensure our VM allocation policy does not launch new free hosts and select "insecure" hosts. Hence, the allocated host will be chosen among a group of balanced Most-secure/Semi-secure not-empty hosts (hosts that contain at least one virtual machine). Or it will be from a group of not balanced Most-secure/Semi-secure not-empty hosts. Otherwise, it will be chosen from a list containing some empty hosts. As you can remark, we are always looking for secure hosts that have fewer virtual machines among non-empty hosts while respecting the limit of N virtual machines per server.
Algorithm 4 works as follows:
• It considers any user as an attacker when he launches his virtual machine.
• Then, it sorts the list of available hosts from the most secure to the least secure by using SALAEC.
• Finally, the workload balance constraints will be checked based on SALAEC-B. The allocated host will be chosen based on the LEAST algorithm among a list of hosts such that: each host is balanced and the attacker's efficiency and coverage are null; no host is balanced and the attacker's efficiency and coverage are null; each host is balanced and Semi-secure; each host is not balanced and Semi-secure; or each host is simple, i.e., a host whose security and performance level we ignore.

Algorithm 3 Balanced Secure Allocation for Low Attacking Efficiency and Coverage (SALAEC-B)
Input: A virtual machine vm launched by user U_i at time δ and a list of hosts available in the datacenter (HostList), that will be used by the allocation policy to place the virtual machine vm.
Output: Return the most secure and balanced suitable host for the virtual machine
Initialization
    allocatedHost ← null
    for host in HostList do
        if (host is secure based on SALAEC and it contains less than N virtual machines) then
            allocatedHost ← secHost
        else if all servers already host N virtual machines then
            allocatedHost ← secHost
        else
            allocatedHost ← FindLeastSuitableHost(vm, δ, HostList)
        end if
    end for
    return allocatedHost

Algorithm 4 Secure and Performant Allocation for Low Attacking Efficiency and Coverage (SPALAEC)
Input: A virtual machine vm launched by user U_i at time δ and a list of hosts available in the datacenter (HostList), that will be used by the allocation policy to place the virtual machine vm.
Output: Return the most secure and balanced suitable host for the virtual machine
Initialization
    secureBalancedHostList ← null
    securenobalancedHostList ← null
    mostSecureBalancedHostList ← null
    semiSecureBalancedHostList ← null
    mostSecHostList ← null
    semiSecHostList ← null
    noFactorsHostList ← null
    allocatedHost ← null
    potentialAllocatedHostList ← null
    for host in HostList do
        Categorize it based on SALAEC using "Most-secure", "Semi-secure", "noFactors"
        sort it according to (mostSecHostList, semiSecHostList, noFactorsHostList)
        if host is balanced based on SALAEC-B then
            sort it according to (mostSecureBalancedHostList, semiSecureBalancedHostList)
        end if
    end for
    potentialAllocatedHostList ← determine the first non-empty list by following the priority order as follows: mostSecureBalancedHostList, semiSecureBalancedHostList, mostSecHostList, semiSecHostList, noFactorsHostList
    if !(potentialAllocatedHostList.isEmpty()) then
        allocatedHost ← FindLeastSuitableHost(vm, δ, potentialAllocatedHostList)
    end if
    return allocatedHost

E. COMPLEXITY ANALYSIS
We consider computational complexity. In fact, the complexity of space is a concern when using devices with low memory, in contrast to cloud computing. The complexity of SALAEC, SALAEC-B and SPALAEC are polynomials which is synonymous with "feasible" and "efficient".
• The complexity of SALAEC is equal to $1 + p^c + p(\theta(1) + p^c) = 1 + p + p^c + p^{c+1} \approx \theta(p^k)$, with $k$ constant and $p$ the total number of hosts. In fact, the complexity of $E(VM^{\gamma}(A_i, \delta))$ and $C(VM^{\gamma}(U_i, \delta))$ are both equal to $2p^2$ as shown in [16]. In Algorithm 1, the total number of operations regarding the instruction ($A_i$ ← user i) and the first loop is $1 + p(\theta(1) + 2p^2) = 1 + p + 2p^3$. After the first loop, we have some elementary operations ($\theta(1)$) and another loop with $p(\theta(1) + 2p^2) = p + 2p^3$ operations. The total number of operations for Algorithm 1 is


$1 + p + 2p^3 + p + 2p^3 = 1 + 2p + 4p^3$. The complexity is $\theta(p^c)$, where $c$ is a constant. In Algorithm 2, the number of operations is $1 + p^c$ where $p^c$ is given by the function FindPotentialSecHostForVm. IndexMostSecHost() < HostList.size() will be executed $p$ times. Inside the loop "while", the number of operations is $\theta(1) + p^c$. Hence, the complexity is $1 + p^c + p(\theta(1) + p^c) = 1 + p + p^c + p^{c+1} \approx \theta(p^k)$, $k$ constant.
• The complexity of SALAEC-B is polynomial and equal to $\approx \theta(p^{k+1})$, $k$ constant. In fact, in SALAEC-B, the Algorithm 2 (SALAEC) will be executed as many times as we have a host. Since the number of hosts is equal to $p$, then the number of operations in the loop is equal to $p(\theta(p^k) + \theta(1))$, where $\theta(1)$ is the complexity of the elementary operations inside the loop.
• The complexity of SPALAEC is polynomial and equal to $\approx \theta(p^{k+2}) + \theta(p^{k+1})$, $k$ constant. In fact, in SPALAEC, SALAEC and SALAEC-B will be executed $p$ times then the number of operations in the loop is equal to $p(\theta(p^k) + \theta(p^{k+1}) + \theta(1))$, where $\theta(1)$ is the complexity of the elementary operations inside the loop.

TABLE 2. Devices configuration.
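The SPALAEC selection of Section IV-D (categorize each suitable host as Most-secure, Semi-secure or noFactors, prefer balanced non-empty hosts, then apply LEAST inside the first non-empty list), as an added Python example that is not the authors' CloudSim Plus code. The efficiency and coverage formulas, the `Host` model and every function name are assumptions made here: two co-located VMs are taken to threaten each other only when their security levels differ by at least 4, and the sample datacenter is constructed.

```python
from dataclasses import dataclass, field

SEMI_E_MAX = 0.2     # Semi-secure efficiency interval ]0, 0.2] (from the text)
SEMI_C_MAX = 0.15    # Semi-secure coverage interval ]0, 0.15] (from the text)
HIGH_LOSS_GAP = 4    # loss difference treated as "high" in the simulation settings


@dataclass
class Host:
    name: str
    capacity: int                             # resource limit in VMs (simplification)
    vms: list = field(default_factory=list)   # (owner, security_level) per hosted VM


def metrics(hosts, user, level, cand):
    """Efficiency and coverage if `user` adds a VM of `level` to host `cand`.

    ASSUMED definitions, not the paper's formulas: two co-located VMs can
    harm each other only when their levels differ by >= HIGH_LOSS_GAP.
      efficiency = attacker VMs with such a neighbour / all attacker VMs
      coverage   = hosted VMs with such an attacker neighbour / all hosted VMs
    Every already-hosted VM is a target, including the user's own.
    """
    atk_total = atk_hit = covered = targets = 0
    for h in hosts:
        vms = h.vms + ([(user, level)] if h is cand else [])
        for i, (owner, lvl) in enumerate(vms):
            risky = [j for j, (_, other) in enumerate(vms)
                     if j != i and abs(lvl - other) >= HIGH_LOSS_GAP]
            if owner == user:
                atk_total += 1
                atk_hit += bool(risky)
            if i < len(h.vms):                # VM was hosted before this request
                targets += 1
                covered += any(vms[j][0] == user for j in risky)
    return atk_hit / atk_total, (covered / targets if targets else 0.0)


def tier(host, eff, cov, n_limit):
    """Index of the priority list a candidate falls into (0 is best)."""
    if not host.vms:
        return 4                              # empty host: last resort, saves power
    if eff == 0 and cov == 0:
        secure = 0                            # Most-secure
    elif 0 < eff <= SEMI_E_MAX and 0 < cov <= SEMI_C_MAX:
        secure = 1                            # Semi-secure
    else:
        return 4                              # noFactors
    balanced = len(host.vms) < n_limit        # fewer than N VMs on the host
    return secure if balanced else secure + 2


def spalaec_select(hosts, user, level, n_limit):
    """Pick a host: first non-empty priority list, then LEAST within it."""
    tiers = [[] for _ in range(5)]
    for h in hosts:
        if len(h.vms) >= h.capacity:
            continue                          # not suitable: no resources left
        eff, cov = metrics(hosts, user, level, h)
        tiers[tier(h, eff, cov, n_limit)].append(h)
    for group in tiers:
        if group:
            return min(group, key=lambda h: len(h.vms))
    return None                               # no suitable host at all


def demo_datacenter():
    """Constructed sample state: four hosts, three tenants."""
    return [
        Host("h1", 4, [("alice", 5), ("alice", 6)]),
        Host("h2", 4, [("bob", 9)]),
        Host("h3", 4, []),
        Host("h4", 4, [("carol", 5), ("carol", 4), ("carol", 6)]),
    ]


if __name__ == "__main__":
    dc = demo_datacenter()
    for lvl in (5, 9):
        chosen = spalaec_select(dc, "mallory", lvl, n_limit=3)
        print(f"level {lvl}: place on {chosen.name}")
```

With N = 3, the host that already holds three VMs is only chosen when no balanced secure host exists, and an empty host is started only when every non-empty candidate falls outside the Most-secure and Semi-secure ranges.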

V. EVALUATION
In this section, we perform the analysis of the resource allocation policies to evaluate the security of virtual machines and the performance in the datacenters. Hence, we consider different allocation policies such as PSSF-LEAST [15], and PSSF-BALANCED [14], because they are close to our work and are recent proposals concerning secure and/or performant virtual machine allocation policies. We also consider SALAEC [16], SALAEC-B and SPALAEC. Hence, we present the attacker's efficiency and coverage, and the datacenter performances such as the power consumption and the workload-balance under these VM allocation policies by using CloudSim Plus.

A. SIMULATION SETTINGS
As a simulator, we use CloudSim Plus [10], which is an open-source project developed in the Java programming language. It provides a flexible environment where it is possible to test all cloud services. We compare our different algorithms with PSSF-LEAST [15] and PSSF-Balanced [14] by using the factors such as the efficiency $E$, the coverage $C$, the workload balance $W_b$, the power consumption $P$, and the Usable hosts $U_h$. Using inheritance, we can define the potential loss criterion as a feature for each virtual machine. Also, for each virtual machine, we attribute a random score between 0 and 10 as its security level. Note that in real cloud computing, based on the amount of investment in security, the provider can define the security level. We consider that the difference in loss between the two virtual machines is high when it is greater than or equal to 4. The different devices that we use in our simulation and the configuration parameters are given in Table 2. The previous works [14] and [15] used exactly the same settings as us.

For the simulation, we note δ the waiting time between the start of the virtual machines of the legitimate user and those of the attacker [12]. This delay varies between 0 to 100. The simulation works as follows: the legitimate user starts 25 virtual machines; after a waiting time, δ = t, the attacker starts 10 virtual machines. This operation is repeated 100 times. Then, we pass to the scenario where the virtual machines of the legitimate user are equal to 25, δ = t, and the virtual machines of the attacker are 20; this is repeated 100 times. We continue until the virtual machines of the legitimate user are 25, δ = t, and the virtual machines of the attacker are 100. We conduct the previous procedure for all δ ∈ {0, 10, . . . , 100} [16].
Assumptions: The attackers can decide when to launch their virtual machines and the number of virtual machines to launch.

B. PERFORMANCE EVALUATION AND DISCUSSION
In Fig. 2, we only consider the security constraint, and we evaluate the attacker's efficiency and coverage under SALAEC and PSSF-LEAST [15]. In Figs. 3 and 4, we consider the security and workload balance, then we evaluate respectively the attacker's efficiency (Fig. 3(a), Fig. 3(b)), coverage (Fig. 3(c), Fig. 3(d)), the workload balance (Fig. 4(b), Fig. 4(a)). Also, we compute the gain of workload balance (Fig. 4(c)) between SALAEC-B and PSSF-Balanced. Finally, we evaluate the attacker's efficiency (Fig. 6(a)), coverage (Fig. 6(b)), the workload balance (Fig. 6(c)), the power consumption (Fig. 6(d)) according to the variation of $VM^{\gamma}(A_i, \delta)$ when all security and performance factors are considered.
We note that the attacker's efficiency and coverage are reduced to zero under SALAEC and PSSF-LEAST as shown in


Fig. 2. This means that the virtual machines are secure under these two policies. The reason is that SALAEC considers any user as a potential attacker, and then, it looks for a host where the security factors are the smallest. This process guarantees that a server will only host virtual machines with the same security level. Hence, the probability of launching an interdependency attack will be too low. Concerning PSSF-LEAST, the attacker's possibilities are null because they use dedicated hosts. That means that the virtual machines from the same user will share the same host. Nevertheless, the situation can have a negative impact when such kind of host goes down, unlike SALAEC, where the allocation is done by using the attacker's efficiency and coverage. Therefore, the VMs from the same user are mostly distributed among the hosts.

FIGURE 2. Average efficiency and coverage according to the number of virtual machines and the delay under different VM allocation policies that only consider security factors.

FIGURE 3. Average efficiency and coverage according to the number of virtual machines and the delay under different VM allocation policies that only consider security and workload balance.

As shown in Fig. 3, when we pass from SALAEC to SALAEC-B, we do not lose on security. In fact, SALAEC-B is SALAEC with a limited number of virtual machines per server. Hence, as the number of virtual machines per server decreases, the probability of co-location decreases, i.e., it becomes difficult to launch interdependency attacks. However, in Han et al. [14], from PSSF-LEAST to PSSF-Balanced, the attacker's efficiency and coverage are not null as shown in Fig. 3(b) and Fig. 3(d). The reason is that for a new user (for example, the attacker), his virtual machines will be allocated to the servers chosen randomly from a group of servers. That means if the servers inside the group already host some users' virtual machines, the attackers can share the same host with some legitimate users to launch interdependency attacks. Unfortunately, this group of servers


often already contains virtual machines from other users. Switching from one group of servers to another will be possible only if the servers of the first group are all fully used [14]. In this context, the random choice is favorable to the attacker. This justifies the non-null values of the attacker's efficiency and coverage. However, there is a linear decrease of the attacker's efficiency. This decrease is due to the passage of the other groups of hosts. Indeed, once the first virtual machines of the attacker fill a group of hosts, those remaining will be the first to be hosted in new groups. As they will be alone there, the probability that they will launch attacks decreases.

FIGURE 4. Workload balance according to the number of virtual machines and the delay under different VM allocation policies that only consider security and workload balance.

Concerning the workload balance, it is represented mathematically by a decreasing function depending on the number of times that a server is selected. This means that the more a server is solicited, the more its workload balance decreases. So, when we increase the workload balance, we reduce the possibility of a server being overloaded. Hence, from SALAEC to SALAEC-B (Fig. 4(a)) and from PSSF-LEAST to PSSF-Balanced (Fig. 4(b)), we note a linear increase of the workload balance (for space reasons, the workload balance graphs under SALAEC and PSSF-LEAST are omitted). More precisely, the workload balance is between [1.5, 6.5] under SALAEC and [5, 35] under SALAEC-B. It is between [4, 16] under PSSF-LEAST and [5, 35] under PSSF-Balanced. These variations are due to the limit of the number of virtual machines per server. This limit favors the dispersion of the virtual machines among several servers to avoid over-utilization. As a result, a server will be selected just a few times. Consequently, the number of usable hosts experiences a linear increase by switching from non-balanced policies (SALAEC (Fig. 5(a)), PSSF-LEAST (Fig. 5(c))) to balanced policies (SALAEC-B (Fig. 5(b)), PSSF-Balanced (Fig. 5(d))). Hence, it is between [2, 10] and [5, 30] under SALAEC and SALAEC-B, respectively. It is equal to [4, 18] and [6, 28] under PSSF-LEAST and PSSF-Balanced, respectively. As you can remark, SALAEC-B uses slightly more hosts than PSSF-Balanced with a gain that varies between [−2, 8] (Fig. 5(e)). We can remark that we don't even use 30% of the servers yet. Moreover, 30% servers mean we have allocated all 125 VMs using 45 servers. So, indirectly, we remain efficient even with more VMs than servers. Since SALAEC-B uses more hosts compared to PSSF-Balanced, SALAEC-B performs better than PSSF-Balanced regarding the workload balance as shown in Fig. 4(c). In fact, the gain between SALAEC-B and PSSF-Balanced is equal to [−4, 10]. The negative values represent the few times that SALAEC-B has a bad workload compared to PSSF-Balanced, and they are represented by the few purple colors in Fig. 4(c).
In Fig. 6, we take into account the security (Fig. 6(a), Fig. 6(b)), the workload balance (Fig. 6(c)) and the power consumption (Fig. 6(d)). We observe that the attacker's efficiency and coverage are not null. These two metrics oscillate between [0.16, 0.3] and [0.15, 0.5]; therefore, in terms of security, PSSF-Balanced and SALAEC-B are better than SPALAEC. Indeed, SPALAEC tries to minimize power consumption, so it will try to use fewer hosts. Consequently, it promotes co-location and, thus, the interdependence attack (which increases the attacker's efficiency and coverage), unlike SALAEC-B and PSSF-Balanced. In other words, this was expected since performance has a cost on security. Besides, we aim to ensure that the virtual machines from the same account cannot attack each other. Unfortunately, this increases the number of target virtual machines and, therefore, increases the coverage. Other factors are also added, such as the limit N of virtual machines per server.


Indeed, with this limit, a secure server that already contains N virtual machines will not be chosen. This results in choosing a less secure server instead. On the other hand, the reduction in the level of security favors the performance. Indeed, the workload balance has a good variation ([5, 30]). This variation is almost equal to that of an algorithm that is only balanced, such as PSSF-Balanced, SALAEC-B. Also, the power consumption is controlled since the servers consume less compared to PSSF-Balanced and SALAEC-B. An evaluation of the gain of power consumption shows that SPALAEC uses less energy with a gain equal to [15, 55], [20, 50] compared to PSSF-Balanced and SALAEC-B, respectively. However, the evaluation shows that if we remove the condition that the virtual machines from the same account cannot attack each other, then the attacker's possibilities will be reduced to zero while keeping the same performance relative to the workload balance and the power consumption.

FIGURE 5. Usable Host according to the number of virtual machines and the delay under different VM allocation policies that only consider security and workload balance.

SALAEC-B and SPALAEC are two innovative allocation policies that go beyond security considerations by addressing critical factors such as power consumption and workload balance, reflecting a holistic approach tailored to real-world deployments in which multiple demands compete for resources. With the foundation of game theory and their polynomial time complexity, these algorithms provide scalable solutions that can be deployed in large-scale cloud environments.

VI. DISCUSSIONS AND LIMITATIONS
One of cloud providers' biggest challenges is distinguishing a malicious user from an honest user. In a sense, our virtual machine allocation policies consider any user a potential attacker when he launches his virtual machine. This consideration allows us to ignore the process of distinction between an attacker and a legitimate user, because if all the users are considered attackers, the "real attacker" is not spared. Indeed, those who can do more can do less. Furthermore, even if the attacker uses many accounts, it will not impact the efficiency of his attack. On the other hand, at the level of commercial cloud platforms (Example: Amazon Web Services (AWS)), the best practice requires that the services (including the creation of virtual machines) be under the responsibility of an administrator account. Thus, on behalf of a big company (with several different user departments), the administrator must create several virtual machines and give roles to the users called upon to use them. The same is true on behalf of a service provider (different from a cloud service provider),


FIGURE 6. Average efficiency, coverage, workload balance and power consumption according to the
number of virtual machines and the delay under different VM allocation policies that consider security,
workload balance and power consumption.

who, in turn, can create servers for different small and medium businesses. Thus, the risk is that users of different departments, or of competing small and medium-sized businesses, that use servers from the same administrator account may attack each other. Indeed, our best friend can become our worst enemy. To remove this insecurity, our virtual machine allocation policies ensure that virtual machines from the same account should not be able to attack each other. In other words, for any virtual machine launched from an account named X, the virtual machines already hosted (including those coming from the account X) are all considered targets.

We chose to offer different algorithms because we want to give cloud service providers a palette of choices. Depending on the requirements of the applications to be hosted, they can choose a purely secure allocation policy, whatever the performance constraints are, or an allocation that is secure with a good workload balance and/or good power consumption. Moreover, our allocation policies do not consider the migration of virtual machines: once a virtual machine is hosted on a server, it will not move to another server. However, to avoid a server being overused, which may result in a violation of the service level agreement (SLA), we fixed a limit on the number of virtual machines per server. We set the limit based on the total number of virtual machines per server rather than the number of each user's virtual machines per server. The latter case allows X users to have N machines each per server, so on a given server we can find XN virtual machines, unlike in the first case, where the total number of virtual machines rarely exceeds N. The first case also favors the dispersion of a user's virtual machines. Hence, when a server goes down, the possibility that the user loses all his virtual machines is limited.

In the AWS Leadership Principles [24], they said that "they work vigorously to earn and keep customer trust." For us, that means that it is better to increase the workload balance to satisfy the users than to reduce the power consumption to help cloud service providers save money. For this reason, SPALAEC focuses on workload balance and power consumption while giving more priority to the workload balance.

However, any scientific work has limits. We observe that SPALAEC provides better performance in terms of workload balance and power consumption. However, SALAEC-B and PSSF-BALANCED beat SPALAEC in terms of security. Obviously, we could reduce the efficiency and coverage by lifting certain constraints, assuming that only VMs belonging to different customers can attack each other. But we have a strong constraint that requires that VMs from the same account cannot attack each other. Even if VMa and VMb belong to client X, our algorithm must protect VMa from damage caused by VMb.

We note that considering any user as an attacker and avoiding attacks from the same user's account require significant resources for a good implementation of the solutions. Indeed, the allocation of a virtual machine needs several processes. This consequence is not negligible, given the large number of cloud computing users. Nonetheless, data centers have enormous computing capacities. Also, finding the best host is equivalent to solving an NP-hard combinatorial problem [8]. Therefore, we tried to find an optimal solution. The only limit we found regarding the efficiency and the coverage is that they need to be calculated for each user's VMs. However, the complexities of our algorithms are polynomial (as shown in sub-section IV-E), which means that they are easier and faster to compute. On the other hand, we made an arbitrary choice on the difference in potential of loss (which


is considered high if it is equal to 4) between two virtual machines based on their investment in security. However, we wanted to show that we can label the security risks of a virtual machine based on the associated account. From this labeling, the provider will be able to define its own threshold for the difference in potential of loss between virtual machines. In addition, we use a straightforward method by reducing the number of running servers, unlike energy-aware virtual machine allocation techniques (a) [25], [26], [27]. Moreover, our allocation policies do not consider the possibility of migrating a virtual machine from one server to another. However, it is a critical process for alleviating the load on servers. It can also play an important role when a server can no longer run an application due to insufficient resources (b). Thus, (a), (b), and other simulation scenarios with many users may be the subjects of a study in our future work. Additionally, the simulation settings are the same as in previous works [14] and [15]. Nevertheless, we are yet to use 30% of the servers. In addition, 30% of the servers means we have allocated all 125 VMs to 45 servers. So, indirectly, we remain efficient even with more VMs than servers. As part of future research, we will evaluate the algorithms from various aspects by using more virtual machines than hosts.

This work only considers attacks between users sharing the same hypervisor. Other types of attacks that are closely related to this work have not been considered. For example, with Rowhammer exploits, malicious code is executed on a vulnerable system to compromise the machine's services (web browsers, cloud services). It follows that the attacker needs a privilege that gives him the right to execute code in this type of exploit. In addition, the exploit code only compromises the services of the victim's virtual machine (other machines on the network are spared). Therefore, other works such as [28] try to change the context of the attack via the network. Indeed, since the virtual machines are connected by a network, it becomes possible to launch an attack on other machines of the network. The paper [28] shows that, from a remote machine, a malicious user can trigger and exploit Rowhammer bit flips directly by only sending network packets. Our solution does not take this type of attack into account because we focus on the security of the allocation policies and not on the security of the subnets. However, this type of attack can be considered in our future work. Also, our algorithms use the amount of security investment during allocation, and this amount does not vary over time. As future work, we can address the latter by defining a dynamic game where the attacker and legitimate users can change strategies (such as the investment in security) at any time. We cannot tackle all existing attacks at the same time. Indeed, the vulnerabilities of virtual machines can be explored in different ways via the network (Flooding Attacks (DDoS), Metadata Spoofing Attacks, Rowhammer attacks over RDMA-enabled networks, etc.), hosts (cross-VM side-channel attacks, VM creation attacks, VM scheduler based attacks, VM migration, and rollback attacks, VM Hopping, VM Escape, etc.), applications (Malware injection, Steganography attacks, Web services & Protocol based attacks, etc.) and information security policy (Contracts and Electronic Discovery, Laws and Regulations, Audit Assurance, Information leakage, Vendor Lock-in, Identity Management, etc.) [7].

VII. CONCLUSION
In this paper, we develop the first secure and performant solution against the interdependency attack between cloud users sharing the same hypervisor. It focuses on minimizing security metrics while considering power consumption and workload balance. This approach considers all legitimate users as attackers who attempt to hack the host's hypervisor and gain unauthorized privileges on the VMs it contains. Specifically, we define a secure allocation policy that maximizes workload balance (SALAEC-B) and a secure and performant allocation policy that simultaneously optimizes security, workload balance, and power consumption (SPALAEC). We also show that these solutions are optimal with polynomial complexities synonymous with "feasible" and "efficient". In addition, results from the simulation show that SALAEC-B is secure and balanced, and it performs better than its counterpart in the related work, PSSF-Balanced [14]. Finally, SPALAEC is also secure against the interdependency attack while being efficient regarding workload balance and power consumption. Furthermore, our VM allocation policies prevent the negative impact that can be caused by the failure of one of the servers, unlike in PSSF-LEAST [15] and PSSF-Balanced [14]. Our allocation policies do not consider the possibility of migrating a virtual machine from one server to another. We propose an energy-aware approach with virtual machine migration as future work to deal with the high energy consumption in cloud computing and service level agreement (SLA) violations. In addition, during allocation, our algorithms use the amount of security investment, which does not change over time (i). Our future work may investigate (i) and other simulation scenarios with many users.

REFERENCES
[1] T. Velte, A. Velte, and R. Elsenpeter, Cloud Computing, A Practical Approach, 1st ed. New York, NY, USA: McGraw-Hill, 2009.
[2] A. Jasti, P. Shah, R. Nagaraj, and R. Pendse, "Security in multi-tenancy cloud," in Proc. 44th Annu. 2010 IEEE Int. Carnahan Conf. Secur. Technol., Oct. 2010, pp. 35–41.
[3] C. A. Kamhoua, L. Kwiat, K. A. Kwiat, J. S. Park, M. Zhao, and M. Rodriguez, "Game theoretic modeling of security and interdependency in a public cloud," in Proc. IEEE 7th Int. Conf. Cloud Comput., Jun. 2014, pp. 514–521.
[4] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, "Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds," in Proc. 16th ACM Conf. Comput. Commun. Secur., Nov. 2009, pp. 199–212.
[5] Y. Yarom and N. Benger, "Recovering openssl ecdsa nonces using the flush+reload cache side-channel attack," IACR Cryptol. ePrint Arch., vol. 2014, p. 140, Jul. 2014.
[6] Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, "Cross-VM side channels and their use to extract private keys," in Proc. ACM Conf. Comput. Commun. Secur., Oct. 2012, pp. 305–316.


[7] B. O. Sane, I. Niang, and D. Fall, "A review of virtualization, hypervisor and VM allocation security: Threats, vulnerabilities, and countermeasures," in Proc. Int. Conf. Comput. Sci. Comput. Intell. (CSCI), Dec. 2018, pp. 1317–1322.
[8] J. Xu and J. A. B. Fortes, "Multi-objective virtual machine placement in virtualized data center environments," in Proc. IEEE/ACM Int. Conf. Green Comput. Commun. Int. Conf. Cyber, Phys. Social Comput., Dec. 2010, pp. 179–188.
[9] J. F. Frenzel, "Genetic algorithms," IEEE Potentials, vol. 12, no. 3, pp. 21–24, Oct. 1993.
[10] A. Beloglazov and R. Buyya, "Optimal online deterministic algorithms and adaptive heuristics for energy and performance efficient dynamic consolidation of virtual machines in cloud data centers," Concurrency Comput., Pract. Exper., vol. 24, no. 13, pp. 137–1420, Sep. 2012.
[11] L. Kwiat, C. A. Kamhoua, K. A. Kwiat, J. Tang, and A. P. Martin, "Security-aware virtual machine allocation in the cloud: A game theoretic approach," in Proc. 8th IEEE Int. Conf. Cloud Comput., Jul. 2015, pp. 556–563.
[12] Y. Han, T. Alpcan, J. Chan, and C. Leckie, "Security games for virtual machine allocation in cloud computing," in Lecture Notes in Computer Science. Cham, Switzerland: Springer, 2013, pp. 99–118.
[13] S. B. Ousmane, B. C. S. Mbacke, and N. Ibrahima, "A game theoretic approach for virtual machine allocation security in cloud computing," in Proc. 2nd Int. Conf. Netw., Inf. Syst. Secur., Mar. 2019, p. 47.
[14] Y. Han, J. Chan, T. Alpcan, and C. Leckie, "Using virtual machine allocation policies to defend against co-resident attacks in cloud computing," IEEE Trans. Dependable Secur. Comput., vol. 14, no. 1, pp. 95–108, Jan. 2017.
[15] Y. Han, J. Chan, T. Alpcan, and C. Leckie, "Virtual machine allocation policies against co-resident attacks in cloud computing," in Proc. IEEE Int. Conf. Commun. (ICC). IEEE, 2014, pp. 786–792.
[16] B. O. Sane, M. Ba, D. Fall, S. Kashihara, Y. Taenaka, I. Niang, and Y. Kadobayashi, "Solving the interdependency problem: A secure virtual machine allocation method relying on the attacker's efficiency and coverage," in Proc. 20th IEEE/ACM Int. Symp. Cluster, Cloud Internet Comput., May 2020, pp. 440–449.
[17] P. Graubner, M. Schmidt, and B. Freisleben, "Energy-efficient management of virtual machines in eucalyptus," in Proc. IEEE 4th Int. Conf. Cloud Comput., Jul. 2011, pp. 243–250.
[18] H. Zhao and W. Chenyu, "A dynamic dispatching method of resource based on particle swarm optimization for cloud computing environment," in Proc. 10th Web Inf. Syst. Appl. Conf., Nov. 2013, pp. 351–354.
[19] W. Lin, J. Z. Wang, C. Liang, and D. Qi, "A threshold-based dynamic resource allocation scheme for cloud computing," Proc. Eng., vol. 23, pp. 695–703, Oct. 2011.
[20] C. A. Kamhoua, N. Pissinou, and K. Makki, "Game theoretic modeling and evolution of trust in autonomous multi-hop networks: Application to network security and privacy," in Proc. IEEE Int. Conf. Commun. (ICC), Jun. 2011, pp. 1–6.
[21] S. Jin, J. Ahn, S. Cha, and J. Huh, "Architectural support for secure virtualization under a vulnerable hypervisor," in Proc. 44th Annu. IEEE/ACM Int. Symp. Microarchitecture (MICRO), Dec. 2011, pp. 272–283.
[22] J. Szefer, E. Keller, R. B. Lee, and J. Rexford, "Eliminating the hypervisor attack surface for a more secure cloud," in Proc. 18th ACM Conf. Comput. Commun. Secur., NY, NY, USA, Oct. 2011, pp. 401–412.
[23] H. Jia, X. Liu, X. Di, H. Qi, L. Cong, J. Li, and H. Yang, "Security strategy for virtual machine allocation in cloud computing," Proc. Comput. Sci., vol. 147, pp. 140–144, Sep. 2019.
[24] (2020). Amazon's Leadership Principles. [Online]. Available: https://aws.amazon.com/careers/culture/
[25] R. Yadav, W. Zhang, K. Li, C. Liu, M. Shafiq, and N. K. Karn, "An adaptive heuristic for managing energy consumption and overloaded hosts in a cloud data center," Wireless Netw., vol. 26, no. 3, pp. 1905–1919, Apr. 2020.
[26] R. Yadav and W. Zhang, "MeReg: Managing energy-SLA tradeoff for green mobile cloud computing," Wireless Commun. Mobile Comput., vol. 2017, pp. 1–11, Jun. 2017.
[27] R. Yadav, W. Zhang, H. Chen, and T. Guo, "MuMs: Energy-aware VM selection scheme for cloud data center," in Proc. 28th Int. Workshop Database Expert Syst. Appl. (DEXA), Aug. 2017, pp. 132–136.
[28] A. Tatar, R. K. Konoth, E. Athanasopoulos, C. Giuffrida, H. Bos, and K. Razavi, "Throwhammer: Rowhammer attacks over the network and defenses," in Proc. Annu. Tech. Conf., Jul. 2018, pp. 213–226.

BERNARD OUSMANE SANE (Member, IEEE) received the M.E. degree in data transmission and information security and the Ph.D. degree in computer science from the University Cheikh Anta Diop of Dakar, Senegal, in 2022. He was a Special Research Student with Nara Institute of Science and Technology (NAIST). He is currently a Project Assistant Professor with Keio University, Japan. His research interests include cloud computing security, game theory security, quantum error correction, quantum internet, and quantum cryptography.

MANDICOU BA received the Ph.D. degree in computer science from the University of Reims Champagne-Ardenne, France, in 2014. He is currently an Assistant Professor with Ecole Supérieure Polytechnique, University Cheikh Anta Diop of Dakar, Senegal. His research interests include network security, the IoT security, cloud computing security, self-stabilization, clustering, ad hoc and wireless sensor networks, deep learning, and IA.

DOUDOU FALL received the M.E. degree in data transmission and information security from the University Cheikh Anta Diop of Dakar, Senegal, in 2009, and the M.E. and Ph.D. degrees in information science from Nara Institute of Science and Technology (NAIST), Japan, in 2012 and 2015, respectively. He is currently an Assistant Professor with the Division of Information Science, NAIST. His research interests include cloud computing security, the IoT security, blockchain security, vulnerability, and security risk analysis.

YUZO TAENAKA (Member, IEEE) received the D.E. degree in information science from Nara Institute of Science and Technology (NAIST), Japan, in 2010. He was an Assistant Professor with The University of Tokyo, Japan, and has been an Associate Professor with the Laboratory for Cyber Resilience, NAIST, since April 2018. His research interests include information networks, cybersecurity, distributed systems, and software-defined technology.

IBRAHIMA NIANG received the Ph.D. degree in computer science from the University of Paris V Descartes, in 2002. He obtained the rank of a Full Professor with the University Cheikh Anta Diop of Dakar, Senegal, in 2018. His research interests include quality of service (QoS) management, mobility and optimization of networks and systems, cloud-edge computing systems, and the Internet of Things.

YOUKI KADOBAYASHI (Member, IEEE) received the Ph.D. degree in computer science from Osaka University, Japan, in 1997. He is currently a Professor with the Laboratory for Cyber Resilience, Nara Institute of Science and Technology, Japan. His research interests include cybersecurity, web security, and distributed systems. He is a member of ACM and the IEEE Communications Society.
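
The discussion above argues for limiting the total number of VMs per server rather than each user's VMs per server, because the per-user rule lets X users place XN VMs on one server and concentrates a user's VMs. The following sketch is an added example, not code from the paper: it compares the two rules on a constructed workload, using a plain first-fit placement as a stand-in (an assumption; it is not SALAEC-B or SPALAEC), and all function names are hypothetical.

```python
from collections import Counter

# Constructed workload (not from the paper): X = 3 users each launch 6 VMs,
# arriving interleaved; N = 4 is the per-server limit being compared.
USERS = "ABC"
REQUESTS = [USERS[i % len(USERS)] for i in range(18)]
N = 4


def first_fit(requests, n_servers, cap, per_user):
    """Place each request on the first server that still has room.

    per_user=False: cap limits the total number of VMs on a server.
    per_user=True:  cap limits each user's VMs on a server separately.
    Returns one Counter (user -> VM count) per server.
    """
    servers = [Counter() for _ in range(n_servers)]
    for user in requests:
        for srv in servers:
            used = srv[user] if per_user else sum(srv.values())
            if used < cap:
                srv[user] += 1
                break
        else:
            raise RuntimeError("no server has room for this VM")
    return servers


def max_load(servers):
    """Highest number of VMs hosted on any single server."""
    return max(sum(s.values()) for s in servers)


def worst_single_failure_loss(servers):
    """Largest share of any one user's VMs lost if one server goes down."""
    totals = Counter()
    for s in servers:
        totals.update(s)
    return max(s[u] / totals[u] for s in servers for u in s)


def compare(requests=REQUESTS, n_servers=10, cap=N):
    """Run both limit rules on the same requests and summarize the outcome."""
    out = {}
    for name, per_user in (("total_cap", False), ("per_user_cap", True)):
        servers = first_fit(requests, n_servers, cap, per_user)
        out[name] = {
            "max_vms_on_a_server": max_load(servers),
            "servers_used": sum(1 for s in servers if s),
            "worst_loss_share": worst_single_failure_loss(servers),
        }
    return out


if __name__ == "__main__":
    for rule, stats in compare().items():
        print(rule, stats)
```

On this workload the total limit keeps every server at N = 4 VMs and no user has more than a third of their VMs on one server, while the per-user limit packs XN = 12 VMs onto the first server, where each user holds two thirds of their VMs.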
