In this paper, We present a new technique that offers lightweight, general, and elastic protection against Crum (Cross-VM runtime monitoring) attacks. Our protection, called Crease (CPU Resource Elasticity as a Service), enables a VM (called principal) to purchase a higher clock rate from the cloud, through lowering the frequency of a malicious VM (called peer), to support its security-critical operations within a short period. During that period, the weakened peer becomes unable to catch up with the pace of the strengthened principal, therefore losing the capability to effectively collect its sensitive information. In the meantime, our approach can also make up for the performance impact on the peer through refunding schedule credits or service credits, in line with the service level agreement of today's cloud. At the center of our design is the novel application of on-demand frequency scaling and schedule quantum randomization, together with a situation-awareness mechanism that dynamically assesses the security risk posed by the peer. We analyzed the security guarantee of our design, implemented a prototype and evaluated it on a well-known Crum attack (an LLC side-channel attack) and various workloads. Our study shows that Crease is effective at protecting the principal, with only a small impact on the peer's operations.

中文翻译：

---

用于缓解跨虚拟机运行时监控的 CPU 弹性

在本文中，我们提出了一种新技术，该技术提供针对 Crum（跨虚拟机运行时监控）攻击的轻量级、通用和弹性保护。我们的保护称为 Crease（CPU 资源弹性即服务），通过降低恶意 VM（称为对等）的频率，使 VM（称为主体）能够从云中购买更高的时钟频率，以支持其安全关键型短时间内的操作。在此期间，被削弱的对等变得无法跟上被加强的委托人的步伐，从而失去有效收集其敏感信息的能力。同时，我们的方法还可以通过退还进度积分或服务积分来弥补对节点的性能影响，符合当今云的服务水平协议。我们设计的核心是按需频率缩放和调度量子随机化的新颖应用，以及动态评估对等点带来的安全风险的态势感知机制。我们分析了我们设计的安全保证，实现了一个原型，并在著名的 Crum 攻击（一种 LLC 侧信道攻击）和各种工作负载上对其进行了评估。我们的研究表明，Crease 在保护本金方面是有效的，对同行的运营影响很小。实现了一个原型，并在著名的 Crum 攻击（一种 LLC 侧信道攻击）和各种工作负载上对其进行了评估。我们的研究表明，Crease 在保护本金方面是有效的，对同行的运营影响很小。实现了一个原型，并在著名的 Crum 攻击（一种 LLC 侧信道攻击）和各种工作负载上对其进行了评估。我们的研究表明，Crease 在保护本金方面是有效的，对同行的运营影响很小。