2020 | OriginalPaper | Chapter

Leaky Controller: Cross-VM Memory Controller Covert Channel on Multi-core Systems

Authors: Benjamin Semal, Konstantinos Markantonakis, Raja Naeem Akram, Jan Kalbantner

Published in: ICT Systems Security and Privacy Protection

Publisher: Springer International Publishing


Abstract

Data confidentiality is put at risk on cloud platforms where multiple tenants share the underlying hardware. As multiple workloads execute concurrently, they contend for memory resources, and the resulting conflicts produce observable timing variations during execution. A malicious tenant can deliberately manipulate the hardware platform to build a covert channel and steal the data of co-resident tenants. This paper presents two new microarchitectural covert channel attacks that use the memory controller. The first attack allows a privileged adversary (i.e. process) to leak information in a native environment. The second attack extends this to cross-VM scenarios with an unprivileged adversary. This work is the first instance of a leakage channel based on the memory controller. As opposed to previous denial-of-service attacks, we modulate the load on the channel scheduler with accuracy. Both attacks are implemented in cross-core configurations. Furthermore, the cross-VM covert channel is successfully tested across three different Intel microarchitectures. Finally, a comparison against state-of-the-art covert channel attacks is provided, along with a discussion of potential mitigation techniques.
Footnotes
1. The source code of our native covert channel is available at https://github.com/bsepage/mc2c.git.
2. DRAM addressing functions on the Ivy Bridge test platform (see Table 2): \(\mathrm{BA0} = b_{13} \oplus b_{17}\); \(\mathrm{BA1} = b_{14} \oplus b_{18}\); \(\mathrm{BA2} = b_{16} \oplus b_{20}\); and \(\mathrm{Rank} = b_{15} \oplus b_{19}\).
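The addressing functions in footnote 2 determine which DRAM bank and rank a physical address maps to, which is what the sender and receiver described in the abstract need in order to place their accesses on the same bank and contend in the memory controller. The C program below is an added example, not code from the paper or from the mc2c repository: it evaluates the four functions on constructed physical addresses and filters a candidate pool for addresses that share a bank and rank with a target. It assumes, as in the DRAMA notation, that \(b_i\) denotes bit \(i\) of the physical address, and that the constants apply only to the Ivy Bridge platform of Table 2; the function names and the address pool are made up for the example. On a real Linux system the physical addresses would come from /proc/self/pagemap, which since kernel 4.0 reveals page frame numbers only to a process with CAP_SYS_ADMIN, consistent with the abstract's privileged native attacker.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not the paper's mc2c code): evaluates the Ivy Bridge
 * DRAM addressing functions quoted in footnote 2. b_i is bit i of the
 * physical address. Other microarchitectures use different functions,
 * so these constants are specific to that test platform. */
static inline unsigned bit(uint64_t paddr, unsigned i) {
    return (unsigned)((paddr >> i) & 1u);
}

/* Bank address bits BA0..BA2, packed as BA2<<2 | BA1<<1 | BA0 (0..7). */
unsigned ivb_bank(uint64_t paddr) {
    unsigned ba0 = bit(paddr, 13) ^ bit(paddr, 17);
    unsigned ba1 = bit(paddr, 14) ^ bit(paddr, 18);
    unsigned ba2 = bit(paddr, 16) ^ bit(paddr, 20);
    return (ba2 << 2) | (ba1 << 1) | ba0;
}

/* Rank bit. */
unsigned ivb_rank(uint64_t paddr) {
    return bit(paddr, 15) ^ bit(paddr, 19);
}

/* Combined 4-bit id: rank<<3 | bank. Two addresses with the same id
 * map to the same bank of the same rank and therefore compete for the
 * same bank state inside the memory controller. */
unsigned ivb_bank_rank(uint64_t paddr) {
    return (ivb_rank(paddr) << 3) | ivb_bank(paddr);
}

/* From a pool of candidate physical addresses, collect those that map to
 * the same bank/rank as `target` into `out` (at most `max`). Returns the
 * number collected. This is the address-selection step a sender and
 * receiver would both perform before contending on that bank. */
size_t select_same_bank(uint64_t target, const uint64_t *pool, size_t n,
                        uint64_t *out, size_t max) {
    unsigned want = ivb_bank_rank(target);
    size_t k = 0;
    for (size_t i = 0; i < n && k < max; i++)
        if (ivb_bank_rank(pool[i]) == want)
            out[k++] = pool[i];
    return k;
}

int main(void) {
    /* Constructed physical addresses, not taken from a real system. Bits
     * 13, 17, 15 and 19 are toggled so that the XOR functions are visible. */
    uint64_t pool[] = { 0x00000000ULL, 0x00002000ULL, 0x00020000ULL,
                        0x00022000ULL, 0x00008000ULL, 0x00080000ULL };
    uint64_t same[8];
    size_t n = sizeof pool / sizeof pool[0];
    size_t k = select_same_bank(0x0ULL, pool, n, same, 8);

    for (size_t i = 0; i < n; i++)
        printf("0x%08llx -> bank %u rank %u\n", (unsigned long long)pool[i],
               ivb_bank(pool[i]), ivb_rank(pool[i]));
    printf("%zu of %zu pool addresses share bank/rank with 0x0\n", k, n);
    return 0;
}
```

Note that 0x2000 (bit 13) and 0x20000 (bit 17) each land in bank 1 on their own, while 0x22000 (both bits) XORs back to bank 0, the same bank as the target; the example only covers the bank and rank functions the footnote gives, not channel or DIMM selection.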
 
Metadata
Copyright Year
2020
DOI
https://doi.org/10.1007/978-3-030-58201-2_1
