Controlled Channel Attack Detection Based on Hardware Virtualization

  • Chenyi Qiang
  • Weijie Liu
  • Lina Wang
  • Rongwei YuEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11334)


Controlled-channel attack is a novel side-channel attack that uses page faults (#PF) to infer process-sensitive information of guest-VMs. Existing protection schemes focus on restricting malicious OS of virtual machine access to page number information. They need to copy memory page content frequently or manually mark and recompile sensitive programs, which takes a lot of time and labor overhead. This paper introduces a hardware-based detection method against it in a different way. The Hypervisor monitors the modification of the guest page table entry (PTE) and the Interrupt Descriptor Table (IDT) entries to find the trace of adversary’s operations. As there is a semantic gap between VMs and Hypervisor, we take advantage of VMI (Virtual Machine Introspection) to convert important data. To overcome the challenge of changeable page tables, we grasp the feature of the target attack and filter out required records. Experiments show that this method can effectively detect controlled-channel attacks. In general, the performance overhead of the operations related to context switching will increase but within an acceptable range.


Virtualization security Side channel attack Extended page table 



This work was supported by National Natural Science Foundation of China (No. U1536204); Foundation of Science and Technology on Information Assurance Laboratory (No. 61421120301162112009).


  1. 1.
    Intel 64 and IA-32 Architectures Software Developer’s Manual.
  2. 2.
    Intel software guard extensions programming reference (rev2).
  3. 3.
  4. 4.
  5. 5.
    Baumann, A., Peinado, M., Hunt, G.: Shielding applications from an untrusted cloud with haven. ACM Trans. Comput. Syst. (TOCS) 33(3), 8 (2015)CrossRefGoogle Scholar
  6. 6.
    Bellard, F.: QEMU, a fast and portable dynamic translator. In: USENIX Annual Technical Conference, FREENIX Track, vol. 41, p. 46 (2005)Google Scholar
  7. 7.
    Checkoway, S., Shacham, H.: Iago attacks: Why the system call API is a bad untrusted RPC interface. In: Eighteenth International Conference on Architectural Support for Programming Languages & Operating Systems, pp. 253–264 (2013)Google Scholar
  8. 8.
    Chen, X., et al.: Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems. ACM SIGOPS Oper. Syst. Rev. 42(2), 2–13 (2008)CrossRefGoogle Scholar
  9. 9.
    Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 51–62. ACM (2008)Google Scholar
  10. 10.
    Grace, M., et al.: Transparent protection of commodity OS kernels using hardware virtualization. In: Jajodia, S., Zhou, J. (eds.) SecureComm 2010. LNICST, vol. 50, pp. 162–180. Springer, Heidelberg (2010). Scholar
  11. 11.
    Hofmann, O.S., Kim, S., Dunn, A.M., Lee, M.Z., Witchel, E.: InkTag: secure applications on an untrusted operating system. In: ACM SIGARCH Computer Architecture News, vol. 41, pp. 265–278. ACM (2013)Google Scholar
  12. 12.
    King, S.T., Chen, P.M.: SubVirt: implementing malware with virtual machines. In: IEEE Symposium on Security and Privacy, pp. 14–pp. IEEE (2006)Google Scholar
  13. 13.
    Kivity, A., Kamay, Y., Laor, D., Lublin, U., Liguori, A.: KVM: the Linux virtual machine monitor. In: Proceedings of the Linux symposium, vol. 1, pp. 225–230 (2007)Google Scholar
  14. 14.
    Maas, M., et al.: Phantom: practical oblivious computation in a secure processor. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 311–324. ACM (2013)Google Scholar
  15. 15.
    Nguyen, A.M., Schear, N., Jung, H., Godiyal, A., King, S.T., Nguyen, H.D.: MAVMM: lightweight and purpose built VMM for malware analysis. In: Annual Computer Security Applications Conference, ACSAC 2009, pp. 441–450. IEEE (2009)Google Scholar
  16. 16.
    Rane, A., Lin, C., Tiwari, M.: Raccoon: closing digital side-channels through obfuscated execution. In: USENIX Security Symposium, pp. 431–446 (2015)Google Scholar
  17. 17.
    Shih, M.W., Lee, S., Kim, T., Peinado, M.: T-SGX: eradicating controlled-channel attacks against enclave programs. In: Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA (2017)Google Scholar
  18. 18.
    Shinde, S., Chua, Z.L., Narayanan, V., Saxena, P.: Preventing page faults from telling your secrets. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 317–328. ACM (2016)Google Scholar
  19. 19.
    Wu, R., Chen, P., Liu, P., Mao, B.: System call redirection: a practical approach to meeting real-world virtual machine introspection needs. In: 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 574–585. IEEE (2014)Google Scholar
  20. 20.
    Xu, Y., Cui, W., Peinado, M.: Controlled-channel attacks: deterministic side channels for untrusted operating systems. In: 2015 IEEE Symposium on Security and Privacy (SP), pp. 640–656. IEEE (2015)Google Scholar
  21. 21.
    Zhou, Z., Reiter, M.K., Zhang, Y.: A software approach to defeating side channels in last-level caches. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 871–882. ACM (2016)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Chenyi Qiang
    • 1
  • Weijie Liu
    • 1
    • 2
  • Lina Wang
    • 1
  • Rongwei Yu
    • 1
    Email author
  1. 1.School of Cyber Science and EngineeringWuhan UniversityWuhanChina
  2. 2.Tencent Technology Company LimitedShenzhenChina

Personalised recommendations