Understanding the Security Implication of Aborting Live Migration

Live migration of Virtual machines (VMs) has become a regular tool for edge and cloud operators to facilitate system maintenance, fault tolerance, and load balancing, with little impact on running instances. However, the potential security risks of live migration of VMs are still obscure. In this paper, we expose a new vulnerability in the existing VM live migration approaches, especially the post-copy approach. The entire live migration mechanism relies upon reliable TCP connectivity for the transfer of the VM state. We demonstrate that, if the host server is vulnerable to off-path TCP attacks, the loss of TCP reliability leads to VM live migration failure. We demonstrate that, by intentionally aborting the TCP connection, attackers can cause unrecoverable memory inconsistency for post-copy, leading to a significant increase in downtime and performance degradation of the running VM. Additionally, we present detailed techniques to reset the migration connection under heavy networking traffic. We also propose effective defenses to secure the VM live migration. Our experimental results demonstrate that memory inconsistencies could be devastating to some applications, and it only takes a few minutes to reset a heavy migration connection.