Skip to main content
main-content

Tipp

Weitere Kapitel dieses Buchs durch Wischen aufrufen

Erschienen in:
Buchtitelbild

2020 | OriginalPaper | Buchkapitel

Leaky Controller: Cross-VM Memory Controller Covert Channel on Multi-core Systems

verfasst von: Benjamin Semal, Konstantinos Markantonakis, Raja Naeem Akram, Jan Kalbantner

Erschienen in: ICT Systems Security and Privacy Protection

Verlag: Springer International Publishing

share
TEILEN

Abstract

Data confidentiality is put at risk on cloud platforms where multiple tenants share the underlying hardware. As multiple workloads are executed concurrently, conflicts in memory resource occur, resulting in observable timing variations during execution. Malicious tenants can intentionally manipulate the hardware platform to devise a covert channel, enabling them to steal the data of co-residing tenants. This paper presents two new microarchitectural covert channel attacks using the memory controller. The first attack allows a privileged adversary (i.e. process) to leak information in a native environment. The second attack is an extension to cross-VM scenarios for unprivileged adversaries. This work is the first instance of leakage channel based on the memory controller. As opposed to previous denial-of-service attacks, we manage to modulate the load on the channel scheduler with accuracy. Both attacks are implemented on cross-core configurations. Furthermore, the cross-VM covert channel is successfully tested across three different Intel microarchitectures. Finally, a comparison against state-of-the-art covert channel attacks is provided, along with a discussion on potential mitigation techniques.
Fußnoten
1
The source code of our native covert channel is available at https://​github.​com/​bsepage/​mc2c.​git.
 
2
DRAM addressing functions on the Ivy Bridge test platform (see Table 2): BA0 \(=b_{13}\oplus b_{17}\); BA1 \(=b_{14}\oplus b_{18}\); BA2 \(=b_{16}\oplus b_{20}\); and Rank \(=b_{15}\oplus b_{19}\).
 
Literatur
4.
Zurück zum Zitat Base, V.K.: Security considerations and disallowing inter-virtual machine transparent page sharing. VMware Knowl. Base 2080735 (2014) Base, V.K.: Security considerations and disallowing inter-virtual machine transparent page sharing. VMware Knowl. Base 2080735 (2014)
5.
Zurück zum Zitat Cock, D., Ge, Q., Murray, T., Heiser, G.: The last mile: an empirical study of timing channels on sel4. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 570–581. ACM (2014) Cock, D., Ge, Q., Murray, T., Heiser, G.: The last mile: an empirical study of timing channels on sel4. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 570–581. ACM (2014)
6.
Zurück zum Zitat Durumeric, Z., et al.: The matter of heartbleed. In: Proceedings of the 2014 Conference on Internet Measurement, pp. 475–488. ACM (2014) Durumeric, Z., et al.: The matter of heartbleed. In: Proceedings of the 2014 Conference on Internet Measurement, pp. 475–488. ACM (2014)
7.
Zurück zum Zitat Ge, Q., Yarom, Y., Cock, D., Heiser, G.: A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptogr. Eng. 8(1), 1–27 (2018) CrossRef Ge, Q., Yarom, Y., Cock, D., Heiser, G.: A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptogr. Eng. 8(1), 1–27 (2018) CrossRef
8.
Zurück zum Zitat Godfrey, M.M., Zulkernine, M.: Preventing cache-based side-channel attacks in a cloud environment. IEEE Trans. Cloud Comput. 2(4), 395–408 (2014) CrossRef Godfrey, M.M., Zulkernine, M.: Preventing cache-based side-channel attacks in a cloud environment. IEEE Trans. Cloud Comput. 2(4), 395–408 (2014) CrossRef
10.
Zurück zum Zitat Kim, T., Peinado, M., Mainar-Ruiz, G.: STEALTHMEM: system-level protection against cache-based side channel attacks in the cloud. In: The 21st USENIX Security Symposium, pp. 189–204 (2012) Kim, T., Peinado, M., Mainar-Ruiz, G.: STEALTHMEM: system-level protection against cache-based side channel attacks in the cloud. In: The 21st USENIX Security Symposium, pp. 189–204 (2012)
11.
Zurück zum Zitat Klein, G., et al.: Comprehensive formal verification of an OS microkernel. ACM Trans. Comput. Syst. (TOCS) 32(1), 2 (2014) CrossRef Klein, G., et al.: Comprehensive formal verification of an OS microkernel. ACM Trans. Comput. Syst. (TOCS) 32(1), 2 (2014) CrossRef
12.
Zurück zum Zitat Liu, F., et al.: Catalyst: defeating last-level cache side channel attacks in cloud computing. In: 2016 IEEE International Symposium on High Performance Computer Architecture (HPCA), pp. 406–418. IEEE (2016) Liu, F., et al.: Catalyst: defeating last-level cache side channel attacks in cloud computing. In: 2016 IEEE International Symposium on High Performance Computer Architecture (HPCA), pp. 406–418. IEEE (2016)
13.
Zurück zum Zitat Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: 2015 IEEE Symposium on Security and Privacy, pp. 605–622. IEEE (2015) Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: 2015 IEEE Symposium on Security and Privacy, pp. 605–622. IEEE (2015)
14.
Zurück zum Zitat Marshall, A., et al.: Security best practices for developing windows azure applications, p. 42. Microsoft Corp (2010) Marshall, A., et al.: Security best practices for developing windows azure applications, p. 42. Microsoft Corp (2010)
16.
Zurück zum Zitat Maurice, C., et al.: Hello from the other side: SSH over robust cache covert channels in the cloud. In: NDSS, vol. 17, pp. 8–11 (2017) Maurice, C., et al.: Hello from the other side: SSH over robust cache covert channels in the cloud. In: NDSS, vol. 17, pp. 8–11 (2017)
17.
Zurück zum Zitat Moscibroda, O., Mutlu, T.: Memory performance attacks: denial of memory service in multi-core systems. In: 16th USENIX Security Symposium (2007) Moscibroda, O., Mutlu, T.: Memory performance attacks: denial of memory service in multi-core systems. In: 16th USENIX Security Symposium (2007)
18.
Zurück zum Zitat Murray, T., et al.: seL4: from general purpose to a proof of information flow enforcement. In: 2013 IEEE Symposium on Security and Privacy, pp. 415–429. IEEE (2013) Murray, T., et al.: seL4: from general purpose to a proof of information flow enforcement. In: 2013 IEEE Symposium on Security and Privacy, pp. 415–429. IEEE (2013)
19.
Zurück zum Zitat Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox: practical cache attacks in Javascript and their implications. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1406–1418. ACM (2015) Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox: practical cache attacks in Javascript and their implications. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1406–1418. ACM (2015)
20.
Zurück zum Zitat Page, D.: Partitioned cache architecture as a side-channel defence mechanism (2005) Page, D.: Partitioned cache architecture as a side-channel defence mechanism (2005)
21.
Zurück zum Zitat Percival, C.: Cache missing for fun and profit (2005) Percival, C.: Cache missing for fun and profit (2005)
22.
Zurück zum Zitat Pessl, P., Gruss, D., Maurice, C., Schwarz, M., Mangard, S.: DRAMA: exploiting DRAM addressing for cross-CPU attacks. In: 25th USENIX Security Symposium, pp. 565–581 (2016) Pessl, P., Gruss, D., Maurice, C., Schwarz, M., Mangard, S.: DRAMA: exploiting DRAM addressing for cross-CPU attacks. In: 25th USENIX Security Symposium, pp. 565–581 (2016)
23.
Zurück zum Zitat Sullivan, D., Arias, O., Meade, T., Jin, Y.: Microarchitectural minefields: 4K-aliasing covert channel and multi-tenant detection in IaaS clouds. In: NDSS (2018) Sullivan, D., Arias, O., Meade, T., Jin, Y.: Microarchitectural minefields: 4K-aliasing covert channel and multi-tenant detection in IaaS clouds. In: NDSS (2018)
24.
Zurück zum Zitat Varadarajan, V., Zhang, Y., Ristenpart, T., Swift, M.: A placement vulnerability study in multi-tenant public clouds. In: 24th USENIX Security Symposium, pp. 913–928 (2015) Varadarajan, V., Zhang, Y., Ristenpart, T., Swift, M.: A placement vulnerability study in multi-tenant public clouds. In: 24th USENIX Security Symposium, pp. 913–928 (2015)
25.
Zurück zum Zitat Vattikonda, B.C., Das, S., Shacham, H.: Eliminating fine grained timers in xen. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, pp. 41–46. ACM (2011) Vattikonda, B.C., Das, S., Shacham, H.: Eliminating fine grained timers in xen. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, pp. 41–46. ACM (2011)
26.
Zurück zum Zitat Wang, Y., Ferraiuolo, A., Suh, G.E.: Timing channel protection for a shared memory controller. In: 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA), pp. 225–236. IEEE (2014) Wang, Y., Ferraiuolo, A., Suh, G.E.: Timing channel protection for a shared memory controller. In: 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA), pp. 225–236. IEEE (2014)
27.
Zurück zum Zitat Wang, Y., Suh, G.E.: Efficient timing channel protection for on-chip networks. In: 2012 IEEE/ACM Sixth International Symposium on Networks-on-Chip, pp. 142–151. IEEE (2012) Wang, Y., Suh, G.E.: Efficient timing channel protection for on-chip networks. In: 2012 IEEE/ACM Sixth International Symposium on Networks-on-Chip, pp. 142–151. IEEE (2012)
28.
Zurück zum Zitat Wang, Z., Lee, R.B.: Covert and side channels due to processor architecture. In: 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 473–482. IEEE (2006) Wang, Z., Lee, R.B.: Covert and side channels due to processor architecture. In: 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 473–482. IEEE (2006)
29.
Zurück zum Zitat Wang, Z., Lee, R.B.: New cache designs for thwarting software cache-based side channel attacks. ACM SIGARCH Comput. Archit. News 35(2), 494–505 (2007) CrossRef Wang, Z., Lee, R.B.: New cache designs for thwarting software cache-based side channel attacks. ACM SIGARCH Comput. Archit. News 35(2), 494–505 (2007) CrossRef
30.
Zurück zum Zitat Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-bandwidth and reliable covert channel attacks inside the cloud. IEEE/ACM Trans. Network. 23(2), 603–615 (2014) CrossRef Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-bandwidth and reliable covert channel attacks inside the cloud. IEEE/ACM Trans. Network. 23(2), 603–615 (2014) CrossRef
31.
Zurück zum Zitat Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, pp. 29–40. ACM (2011) Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, pp. 29–40. ACM (2011)
32.
Zurück zum Zitat Xu, Z., Wang, H., Wu, Z.: A measurement study on co-residence threat inside the cloud. In: 24th USENIX Security Symposium, pp. 929–944 (2015) Xu, Z., Wang, H., Wu, Z.: A measurement study on co-residence threat inside the cloud. In: 24th USENIX Security Symposium, pp. 929–944 (2015)
33.
Metadaten
Titel
Leaky Controller: Cross-VM Memory Controller Covert Channel on Multi-core Systems
verfasst von
Benjamin Semal
Konstantinos Markantonakis
Raja Naeem Akram
Jan Kalbantner
Copyright-Jahr
2020
DOI
https://doi.org/10.1007/978-3-030-58201-2_1

Premium Partner