Top

Annals of Telecommunications

Published in:

14-02-2019

Isolation in cloud computing infrastructures: new security challenges

Authors: Mohammad-Mahdi Bazm, Marc Lacoste, Mario Südholt, Jean-Marc Menaud

Published in: Annals of Telecommunications | Issue 3-4/2019

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Cloud computing infrastructures share hardware resources among different clients, leveraging virtualization to multiplex physical resources among several self-contained execution environments such as virtual machines or Linux containers. Isolation is a core security challenge for such a computing paradigm. It may be threatened by side-channels, created due to the sharing of physical resources like processor caches, or by mechanisms implemented in the virtualization layer. Side-channel attacks (SCAs) exploit and use such leaky channels to obtain sensitive data such as kernel information. This paper aims to clarify the nature of this threat for cloud infrastructures. Current SCAs are performed locally and exploit isolation challenges of virtualized environments to retrieve sensitive information. This paper also clarifies the concept of distributed side-channel attack (DSCA). We explore how such attacks can threaten isolation of any virtualized environments such as cloud computing infrastructures. Finally, we study a set of different applicable countermeasures for attack mitigation in cloud infrastructures.

previous article A situation-driven framework for dynamic security management

next article Oblique projection-based interference suppression for MIMO power line communication

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Merkel D (2014) Docker: lightweight Linux containers for consistent development and deployment. Linux Journal 2014(239):2

Madhavapeddy A, Mortier R, Rotsos C, Scott D, Singh B, Gazagnaire T, Smith S, Hand S, Crowcroft J (2013) Unikernels: library operating systems for the cloud. ACM SIGPLAN Not 48(4):461–472CrossRef

Bazm MM, Lacoste M, Südholt M, Menaud JM (2017) Side-channels beyond the cloud edge: new isolation threats and solutions. In Cyber Security in Networking Conference (CSNet), 2017 1st (pp. 1–8). IEEE

Costan V, Devadas S (2016) Intel SGX explained. IACR Cryptology ePrint Archive 2016(086):1–118

Schwarz M, Weiser S, Gruss D, Maurice C, Mangard S (2017) Malware guard extension: Using SGX to conceal cache attacks. In international conference on detection of intrusions and malware, and vulnerability assessment. Springer, Cham, pp 3–24

Kocher Paul et al (J2018), “Spectre attacks: exploiting speculative execution”, ArXiv e-prints

Disselkoen C et al (2017) “Prime+ abort: a timer-free high-precision l3 cache attack using intel TSX.” 26th USENIX Security Symposium. USENIX Security 17, Vancouver

Demme J, Martin R, Waksman A, Sethumadhavan S (2012) SideChannel vulnerability factor: a metric for measuring information leakage. ACM SIGARCH Computer Architecture News 40(3):106–117CrossRef

Arcangeli A, Eidus I, Wright C (2009) Increasing memory density by using KSM. In Proceedings of the linux symposium (pp. 19–28)

10.

Suzaki K, Iijima K, Yagi T, Artho C (2011) Memory deduplication as a threat to the guest OS. In Proceedings of the Fourth European Workshop on System Security (p. 1). ACM

11.

Apecechea GI, Eisenbarth T, Sunar B (2014) Jackpot stealing information from large caches via huge pages, Cryptology ePrint Archive 2014/970

12.

Weiß M, Heinz B, Stumpf F (2012) A cache timing attack on AES in virtualization environments. In: in International Conference on Financial Cryptography and Data Security. Springer, pp 314–328

13.

Acıiçmez O, Schindler W, Koç ÇK (2007) Cache based remote timing attack on the AES. In Cryptographers’ Track at the RSA Conference (pp. 271-286). Springer, Berlin

14.

Tsunoo Y, Saito T, Suzaki T, Shigeri M, Miyauchi H (2003) Cryptanalysis of DES implemented on computers with cache. In: International Workshop on Cryptographic Hardware and Embedded Systems. Springer, pp 62–76

15.

Gruss D, Maurice C, Wagner K, & Mangard S (2016) Flush+ Flush: a fast and stealthy cache attack. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 279-299). Springer, Cham

16.

Yarom Y, Falkner K (2014) FLUSH+ RELOAD: a high resolution, low noise, L3 cache sidechannel Attack. In USENIX Security Symposium (Vol. 1, pp. 22–25)

17.

Aciiçmez O, Koç ÇK (2006) Trace-driven cache attacks on AES (short paper). In : International Conference on Information and Communications Security. Springer, Berlin, p 112–121

18.

Gallais J-F, Kizhvatov I, Tunstall M (2010) Improved trace-driven cachecollision attacks against embedded AES implementations. In : International Workshop on Information Security Applications. Springer, Berlin, p 243–257

19.

Ristenpart T, Tromer E, Shacham H et al (2009) Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In : Proceedings of the 16th ACM conference on Computer and communications security. ACM, p 199–212

20.

Spreitzer R, Plos T (2013) Cache-access pattern attack on disaligned aes t-tables. In: International Workshop on Constructive Side-Channel Analysis and Secure Design. Springer, Berlin, p 200–214

21.

Lipp M, Schwarz M, Gruss D et al (2018) Meltdown: reading kernel memory from user space. In : 27th {USENIX} Security Symposium ({USENIX} Security 18). p 973–990

22.

Zhang W, Jia X, Wang C, Zhang S, Huang Q, Wang M, Liu P (2016) A comprehensive study of co-residence threat in multi-tenant public paas clouds. In International Conference on Information and Communications Security (pp. 361–375). Springer, Cham

23.

Delimitrou C, Kozyrakis C (2017) Bolt: I know what you did last summer... in the cloud. In: ACM SIGARCH Computer Architecture News. ACM, p 599–613

24.

Varadarajan V, Zhang Y, Ristenpart T, Swift MM (2015) A placement vulnerability study in multi-tenant public clouds. In USENIX Security Symposium (pp. 913–928)

25.

Payer M (2016) HexPADS: a platform to detect “stealth” attacks. In : International Symposium on Engineering Secure Software and Systems. Springer, Cham, p 138–154

26.

Zhang T, Zhang Y, Lee RB (2016) Cloudradar: a real-time side-channel attack detection system in clouds. In : International Symposium on Research in Attacks, Intrusions, and Defenses. Springer, Cham, p 118–140

27.

Chiappetta M, Savas E, Yilmaz C (2016) Real time detection of cache-based side-channel attacks using hardware performance counters. Appl Soft Comput 49:1162–1174CrossRef

28.

Bazm M-M, Sautereau T, Lacoste M, Südholt M, Menaud J-M (2018) Cache-based side-channel attacks detection through Intel Cache Monitoring Technology and Hardware Performance Counters. 3rd IEEE International Conference on Fog and Mobile Edge Computing (FMEC), BarcelonaCrossRef

29.

Intel’s Cache Monitoring Technology: Use models and data, https://software.intel.com/enus/blogs/2014/12/11/intels-cache-monitoring-technology-use-models-and-data, 2014

30.

Gopal V, Guilford J, Ozturk E, Feghali W, Wolrich G, Dixon M (2009) Fast and constant-time implementation of modular exponentiation. Embedded Systems and Communications Security, Niagara Falls, NY, US

31.

Rivain M, Prouff E (2010) Provably secure higher-order masking of AES. In: International Workshop on Cryptographic Hardware and Embedded Systems. Springer, pp 413–427

32.

Osvik DA, Shamir A, Tromer E (2006) Cache attacks and countermeasures: the case of AES. In: Pointcheval D (ed) Topics in cryptology – CT-RSA 2006. CT-RSA 2006. Lecture notes in computer science, vol 3860. Springer, Berlin

33.

Barthe G, Rezk T, Warnier M (2006) Preventing timing leaks through transactional branching instructions. Electronic Notes in Theoretical Computer Science 153(2):33–55CrossRef

34.

Cleemput JV, Coppens B, De Sutter B (2012) Compiler mitigations for time attacks on modern x86 processors. ACM Transactions on Architecture and Code Optimization (TACO) 8(4):23

35.

Coppens B, Verbauwhede I, De Bosschere K, De Sutter B (2009) Practical mitigations for timing-based side-channel attacks on modern x86 processors. In: 30th IEEE Symposium on Security and Privacy. IEEE, pp 45–60

36.

Zhang Y, Reiter MK (2013) Düppel: retrofitting commodity operating systems to mitigate cache side channels in the cloud. In : Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, p 827–838

37.

Kim T, Peinado M, Mainar-Ruiz G (2012) STEALTHMEM: system-level protection against cache-based side channel attacks in the cloud. In : Proceedings of the 21st USENIX conference on Security symposium. USENIX Association, p 11–11

38.

Gens D, Arias O, Sullivan D, Liebchen C, Jin Y, Sadeghi AR (2017) LAZARUS: practical side-channel resilient kernel-space randomization. In International Symposium on Research in Attacks, Intrusions, and Defenses (pp. 238–258). Springer, Cham

39.

Gruss D, Lipp M, Schwarz M, Fellner R, Maurice C, Mangard S (2017) KASLR is dead: long live KASLR. In: International Symposium on Engineering Secure Software and Systems. Springer, Cham, pp 161–176CrossRef

40.

Zhang Y, Li M, Bai K, Yu M, Zang W (2012) Incentive compatible moving target defense against VM-colocation attacks in clouds. In: IFIP International Information Security Conference. Springer, pp 388–399

41.

Varadarajan V, Ristenpart T, Swift MM (2014) Scheduler-based defenses against cross-vM side-channels. In : USENIX Security Symposium, p 687–702

42.

Jin X, Chen H, Wang X, Wang Z, Wen X, Luo Y, Li X (2009) A simple cache partitioning approach in a virtualized environment. In Parallel and Distributed Processing with Applications, 2009 IEEE International Symposium on (pp. 519-524). IEEE

43.

Shi J, Song X, Chen H, Zang B (2011) Limiting cache-based side-channel in multi-tenant cloud using dynamic page coloring. In Dependable Systems and Networks Workshops (DSN-W), 2011 IEEE/IFIP 41st International Conference on (pp. 194-199). IEEE

44.

Vattikonda BC, Das S, Shacham H (2011) Eliminating fine grained timers in Xen. In : Proceedings of the 3rd ACM workshop on Cloud computing security workshop. ACM, p 41–46

45.

Zhuang R, Deloach SA, Ou X (2014) Towards a theory of moving target defense. In : Proceedings of the First ACM Workshop on Moving Target Defense. ACM, p 31–40

46.

Kong J, Aciicmez O, Seifert JP, Zhou H (2008) Deconstructing new cache designs for thwarting software cache-based side channel attacks. In Proceedings of the 2nd ACM workshop on Computer security architectures (pp. 25–34). ACM

47.

Liu F, Ge Q, Yarom Y, Mckeen F, Rozas C, Heiser G, Lee RB (2016) Catalyst: Defeating last-level cache side channel attacks in cloud computing. In High Performance Computer Architecture (HPCA), 2016 IEEE International Symposium on (pp. 406-418). IEEE

48.

INTEL, C. A. T (2015) Improving real-time performance by utilizing cache allocation technology. Intel Corporation

49.

Wright M, Venkatesan S, Albanese M, Wellman MP (2016) Moving target defense against ddos attacks: An empirical game-theoretic analysis. In Proceedings of the 2016 ACM Workshop on Moving Target Defense (pp. 93–104). ACM

50.

Moon S-J, Sekar V, Reiter MK (2015) Nomad: mitigating arbitrary cloud side channels via provider-assisted migration. In : Proceedings of the 22nd acm sigsac conference on computer and communications security. ACM, p 1595–1606

51.

Hermenier F, Lorca X, Menaud JM, Muller G, Lawall J (2009). Entropy: a consolidation manager for clusters. In Proceedings of the 2009 ACM SIGPLAN/SIGOPS international conference on Virtual execution environments (pp. 41-50). ACM

52.

Quesnel F, Lebre A, Südholt M (2013) Cooperative and reactive scheduling in large-scale virtualized platforms with DVMS. Concurrency and Computation: Practice and Experience 25(12):1643–1655CrossRef

53.

Mills K, Filliben J, Dabrowski C (2011) Comparing vm-placement algorithms for on-demand clouds. In : Cloud Computing Technology and Science (CloudCom), 2011 IEEE Third International Conference on. IEEE, p 91–98

54.

Denneman F (2016) NUMA deep dive part 5: ESXi VMkernel NUMA constructs, http://frankdenneman.nl/tag/numa

Title: Isolation in cloud computing infrastructures: new security challenges
Authors: Mohammad-Mahdi Bazm
Marc Lacoste
Mario Südholt
Jean-Marc Menaud
Publication date: 14-02-2019
Publisher: Springer International Publishing
Published in: Annals of Telecommunications / Issue 3-4/2019
Print ISSN: 0003-4347
Electronic ISSN: 1958-9395
DOI: https://doi.org/10.1007/s12243-019-00703-z

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 3-4/2019

Cache nFace: a simple countermeasure for the producer-consumer collusion attack in Named Data Networking

Additively homomorphic encryption and fragmentation scheme for data aggregation inside unattended wireless sensor networks

A high gain S-band slot antenna with MSS for CubeSat

A fast unsupervised preprocessing method for network monitoring

Oblique projection-based interference suppression for MIMO power line communication

A situation-driven framework for dynamic security management