Shuffler: Mitigate Cross-VM Side-Channel Attacks via Hypervisor Scheduling

Conference paper, published in Security and Privacy in Communication Networks (SecureComm 2018)

Abstract

Cloud computing relies on resources sharing to achieve high resource utilization and economy of scale. Meanwhile, contention on shared resources opens doors for co-located virtual machines (VMs) to have negative impacts on each other, and even introduces vulnerabilities such as information leakage. For example, via CPU cache-based side-channel attacks, an attacker VM can extract crypto keys from a victim VM.

To cost-effectively secure the cloud against those threats without sacrificing resource sharing, in this paper, we first investigate the factors that can impact the success of such attacks. Our investigation reveals that the root cause of such attacks is the constant sharing patterns of hardware resources between VMs. Based on our findings, we quantify the negative impacts a VM can have on another VM on the same machine using the vulnerable probability, and propose lightweight and generic scheduler-based defense mechanisms called Shuffler schedulers, which can effectively limit the vulnerable probability of all VMs. The key is that distributing CPU time to vCPUs with equal probability would reduce the overall vulnerable probability of the system. Our analyses and experimental results show that the Shuffler schedulers can effectively reduce information leakage to mitigate cross-VM side-channel attacks, with little performance penalty while preserving high resource utilization.
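The abstract's core claim, that handing CPU time to vCPUs with equal probability lowers every VM's exposure, can be illustrated with a small scheduler model. This is an added example, not code from the paper: it assumes a single physical core with one vCPU per VM, and it defines "vulnerable probability" in a simplified form as the chance that a particular other VM's vCPU is the one scheduled immediately after the victim's time slice (the position from which a cache probe would observe the victim's footprint).

```python
import random
from collections import Counter
from typing import Dict, List


def round_robin_schedule(n_vcpus: int, n_slices: int) -> List[int]:
    """Fixed-order scheduler: vCPU i is always followed by vCPU (i+1) mod n.
    This is the 'constant sharing pattern' the abstract identifies as the root cause."""
    return [i % n_vcpus for i in range(n_slices)]


def shuffler_schedule(n_vcpus: int, n_slices: int, seed: int = 1) -> List[int]:
    """Randomized scheduler: the next vCPU is drawn uniformly from the vCPUs
    other than the one that just ran (assumption: a slice is never spent
    rescheduling the vCPU already on the core). Seeded so runs are reproducible."""
    rng = random.Random(seed)
    sched = [rng.randrange(n_vcpus)]
    for _ in range(n_slices - 1):
        candidates = [v for v in range(n_vcpus) if v != sched[-1]]
        sched.append(rng.choice(candidates))
    return sched


def successor_probabilities(schedule: List[int], n_vcpus: int, victim: int) -> Dict[int, float]:
    """For every attacker a != victim: fraction of the victim's slices that
    were immediately followed by a slice of vCPU a."""
    followers = Counter(
        schedule[i + 1] for i in range(len(schedule) - 1) if schedule[i] == victim
    )
    total = sum(followers.values())
    if total == 0:  # victim never ran: nothing to observe
        return {a: 0.0 for a in range(n_vcpus) if a != victim}
    return {a: followers[a] / total for a in range(n_vcpus) if a != victim}


def vulnerable_probability(schedule: List[int], n_vcpus: int, victim: int) -> float:
    """Worst-case exposure of the victim: the largest successor probability
    over all co-resident vCPUs (simplified form of the paper's metric)."""
    return max(successor_probabilities(schedule, n_vcpus, victim).values())


if __name__ == "__main__":
    n, slices, victim = 4, 40000, 0
    print("round-robin:", vulnerable_probability(round_robin_schedule(n, slices), n, victim))
    print("shuffler:   ", vulnerable_probability(shuffler_schedule(n, slices, seed=7), n, victim))
```

With four vCPUs the fixed order gives one neighbour a successor probability of 1.0, while the shuffled schedule spreads it to roughly 1/3 per neighbour, which is the reduction in worst-case exposure the abstract describes.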

Acknowledgment

We appreciate constructive comments from anonymous referees. This work is partially supported by an ARO grant W911NF-15-1-0262, a NIST grant 70NANB16H166, and NSF grants CNS-1422355, CNS-1524462, and CNS-1634441.

Author information

Corresponding author

Correspondence to Li Liu.

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Liu, L., Wang, A., Zang, W., Yu, M., Xiao, M., Chen, S. (2018). Shuffler: Mitigate Cross-VM Side-Channel Attacks via Hypervisor Scheduling. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 254. Springer, Cham. https://doi.org/10.1007/978-3-030-01701-9_27

  • DOI: https://doi.org/10.1007/978-3-030-01701-9_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-01700-2

  • Online ISBN: 978-3-030-01701-9

  • eBook Packages: Computer Science, Computer Science (R0)
