The Overhead from Combating Side-Channels in Cloud Systems using VM-Scheduling
IEEE Transactions on Dependable and Secure Computing (IF 7.0). Pub Date: 2020-03-01. DOI: 10.1109/tdsc.2018.2790932
Nahid Juma, Jonathan Shahen, Khalid Bijon, Mahesh Tripunitara

Recent work suggests that scheduling, with security as a consideration, can be effective in minimizing information leakage, via side-channels, that can exist when virtual machines (VMs) co-reside in clouds. We analyze the overhead that is incurred by such an approach. We first pose and answer a fundamental question: is the problem tractable? We show that the seemingly simpler sub-cases of initial placement and migration across only two equal-capacity servers are both intractable ($\mathbf{NP}$-hard). However, a decision version of the general problem, to which the optimization version is related polynomially, is in $\mathbf{NP}$. With these results as the basis, we make several other contributions. We revisit recent work that proposes a greedy algorithm for this problem, called Nomad. We establish that if $\mathbf{P} \neq \mathbf{NP}$, then there exist infinitely many classes of input, each with an infinite number of inputs, for which a decrease in information leakage is possible, but Nomad provides none, let alone minimizes it. We establish also that a mapping to Integer Linear Programming (ILP) in prior work is deficient in that the mapping can be inefficient (exponential-time), and therefore does not accurately convey the overhead of such an approach that, unlike Nomad, actually decreases information leakage. We present our efficient reductions to ILP and boolean satisfiability in conjunctive normal form (CNF-SAT). We have implemented these approaches and conducted an empirical assessment using the same ILP solver as prior work, and a SAT solver. Our analytical and empirical results more accurately convey the overhead that is incurred by an approach that actually provides security (decrease in information leakage).
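The abstract contrasts a greedy scheduler (Nomad) with exact ILP/SAT formulations, and states that there are inputs on which a leakage decrease exists but the greedy approach finds none. The following toy model is an added example, not code from the paper or from Nomad: it assumes a simplified leakage measure (the number of co-resident VM pairs owned by different tenants), two equal-capacity servers, a migration budget where one migration moves one VM, and a single-move hill-climbing greedy that stands in for a generic greedy baseline (it is not Nomad's actual algorithm). The exhaustive search plays the role of what an exact ILP or SAT encoding would return, and the constructed instance shows why exactness matters: no single migration reduces leakage, but a two-migration swap does.

```python
"""Toy model of migration scheduling to reduce cross-tenant co-residency.

Assumptions (constructed for this example, not taken from the paper):
  - leakage = number of co-resident VM pairs whose owners differ
  - servers are equal-capacity; one migration moves one VM
  - the greedy baseline is a single-move hill-climb, NOT Nomad's algorithm
"""
from itertools import product


def leakage(placement, owner):
    """Count co-resident VM pairs owned by different tenants."""
    per_server = {}
    for vm, srv in placement.items():
        per_server.setdefault(srv, []).append(owner[vm])
    total = 0
    for owners in per_server.values():
        for i in range(len(owners)):
            for j in range(i + 1, len(owners)):
                if owners[i] != owners[j]:
                    total += 1
    return total


def feasible(placement, capacity, n_servers):
    """Every server must hold at most `capacity` VMs."""
    counts = [0] * n_servers
    for srv in placement.values():
        counts[srv] += 1
    return all(c <= capacity for c in counts)


def greedy_migrate(placement, owner, capacity, n_servers, budget):
    """Hill-climb: repeatedly apply the single migration that most reduces
    leakage; stop when no single migration helps or the budget is spent."""
    cur = dict(placement)
    moves = 0
    while moves < budget:
        best, best_leak = None, leakage(cur, owner)
        for vm in cur:
            for srv in range(n_servers):
                if srv == cur[vm]:
                    continue
                cand = dict(cur)
                cand[vm] = srv
                if feasible(cand, capacity, n_servers):
                    l = leakage(cand, owner)
                    if l < best_leak:
                        best, best_leak = cand, l
        if best is None:
            break
        cur = best
        moves += 1
    return cur, leakage(cur, owner)


def optimal_migrate(placement, owner, capacity, n_servers, budget):
    """Exhaustive search over all placements reachable within `budget`
    migrations (the optimum an exact ILP/SAT encoding would return)."""
    vms = list(placement)
    best, best_leak = dict(placement), leakage(placement, owner)
    for assign in product(range(n_servers), repeat=len(vms)):
        cand = dict(zip(vms, assign))
        if sum(cand[v] != placement[v] for v in vms) > budget:
            continue
        if not feasible(cand, capacity, n_servers):
            continue
        l = leakage(cand, owner)
        if l < best_leak:
            best, best_leak = cand, l
    return best, best_leak


# Constructed instance: three tenants A, B, C, one VM each per server.
# Every single migration raises leakage by one, so the hill-climb stops
# immediately, yet swapping a1 and b2 lowers leakage from 6 to 4.
OWNER = {"a1": "A", "b1": "B", "c1": "C", "a2": "A", "b2": "B", "c2": "C"}
INITIAL = {"a1": 0, "b1": 0, "c1": 0, "a2": 1, "b2": 1, "c2": 1}
CAPACITY, SERVERS, BUDGET = 4, 2, 2


def compare():
    """Return (initial leakage, greedy result, optimal result)."""
    _, g = greedy_migrate(INITIAL, OWNER, CAPACITY, SERVERS, BUDGET)
    _, o = optimal_migrate(INITIAL, OWNER, CAPACITY, SERVERS, BUDGET)
    return leakage(INITIAL, OWNER), g, o


if __name__ == "__main__":
    print("initial / greedy / optimal leakage:", compare())
```

The exhaustive search is exponential in the number of VMs, which is exactly why the paper's contribution is an efficient encoding of the problem for ILP and CNF-SAT solvers rather than brute force; the point this instance makes is only that a local greedy step can report "no improvement" on an input where an exact method still reduces leakage.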

Updated: 2020-03-01