DOI: 10.1145/2381913.2381915

Detecting co-residency with active traffic analysis techniques

Published: 19 October 2012

ABSTRACT

Virtualization is the cornerstone of the developing third-party compute industry, allowing cloud providers to instantiate multiple virtual machines (VMs) on a single set of physical resources. Customers use cloud resources alongside unknown and untrusted parties, which creates the co-resident threat: unless the hypervisor provides perfect isolation, a co-resident VM may gain unauthorized access to sensitive customer information by exploiting covert and side channels.

This paper presents co-resident watermarking, a traffic analysis attack that allows a malicious co-resident VM to inject a watermark signature into the network flow of a target instance. This watermark can be used to exfiltrate and broadcast co-residency data from the physical machine, compromising isolation without reliance on internal side channels. As a result, our approach is difficult to defend against without costly underutilization of the physical machine. We evaluate co-resident watermarking under a large variety of conditions, system loads and hardware configurations, from a local lab environment to production cloud environments (Futuregrid and the University of Oregon's ACISS). We demonstrate the ability to initiate a covert channel of 4 bits per second, and we can confirm co-residency with a target VM instance in less than 10 seconds. We also show that passive load measurement of the target and subsequent behavior profiling is possible with this attack. Our investigation demonstrates the need for the careful design of hardware to be used in the cloud.
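The mechanism the abstract describes, as an added simulation that is not the authors' code and does not reproduce their measurement procedure: an attacker VM floods the shared NIC in a known on/off pattern (one slot per bit), an observer outside the cloud counts the target flow's packets per slot, and a throughput drop that lines up with the pattern confirms co-residency. The contention model (a fixed per-packet slowdown while the attacker floods), the packet rate, jitter, slot length and the 30% decision threshold are all assumptions chosen for the example; the "captured" flows are constructed in the code, not real traffic.

```python
"""Constructed simulation of co-resident watermarking (not the paper's code).

A malicious VM on the same host floods the shared NIC in a known on/off pattern,
one slot per bit.  A target VM's outbound flow, observed from outside the cloud,
loses throughput in the "on" slots, so the pattern can be read back from packet
counts per slot.  If it shows up, the two VMs share hardware.
"""
import random
import statistics

SLOT_S = 0.25        # one watermark bit per 250 ms -> a 4 bit/s channel (assumed)
BASE_GAP_S = 0.005   # target sends ~200 packets/s when unloaded (assumed)
JITTER_S = 0.002     # uniform send jitter (assumed)
EXTRA_GAP_S = 0.005  # per-packet slowdown while the attacker floods the NIC (assumed)
PROBE_BITS = [1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0]  # probe known to the observer


def generate_flow(bits, co_resident, rng, slot_s=SLOT_S):
    """Arrival times of the target's packets at the observer (constructed).

    Contention model (an assumption): while the attacker floods (bit == 1) every
    target packet is delayed by EXTRA_GAP_S, halving the target's throughput in
    that slot.  An attacker on another host never touches the target's path.
    """
    horizon = len(bits) * slot_s
    times, t = [], 0.0
    while True:
        gap = BASE_GAP_S + rng.uniform(-JITTER_S, JITTER_S)
        if co_resident and bits[int(t // slot_s)] == 1:
            gap += EXTRA_GAP_S
        t += gap
        if t >= horizon:
            return times
        times.append(t)


def observe_flow(co_resident, seed=7):
    """Deterministic constructed capture of the target flow during one probe."""
    return generate_flow(PROBE_BITS, co_resident, random.Random(seed))


def slot_counts(times, n_slots, slot_s=SLOT_S):
    """Passive load measurement: packets observed from the target in each slot."""
    counts = [0] * n_slots
    for t in times:
        counts[int(t // slot_s)] += 1
    return counts


def throughput_drop(times, bits, slot_s=SLOT_S):
    """Fraction of throughput lost in marked slots relative to unmarked ones."""
    counts = slot_counts(times, len(bits), slot_s)
    marked = statistics.mean([c for c, b in zip(counts, bits) if b == 1])
    unmarked = statistics.mean([c for c, b in zip(counts, bits) if b == 0])
    if unmarked == 0:
        return 0.0
    return 1.0 - marked / unmarked


def confirm_co_residency(times, probe_bits, min_drop=0.3, slot_s=SLOT_S):
    """Co-residency is confirmed when the known probe costs the target at least
    min_drop of its throughput in marked slots (threshold is an assumption)."""
    return throughput_drop(times, probe_bits, slot_s) >= min_drop


def decode_bits(times, n_slots, slot_s=SLOT_S):
    """Read an unknown watermark (the covert channel): slots whose count falls
    below the midpoint between the busiest and quietest slot carry a 1.
    Only meaningful after confirm_co_residency() has passed."""
    counts = slot_counts(times, n_slots, slot_s)
    threshold = (max(counts) + min(counts)) / 2
    return [1 if c < threshold else 0 for c in counts]


if __name__ == "__main__":
    for label, co in (("co-resident attacker", True), ("attacker on another host", False)):
        flow = observe_flow(co)
        print(label)
        print("  packets per slot:", slot_counts(flow, len(PROBE_BITS)))
        print("  throughput drop in marked slots: %.2f" % throughput_drop(flow, PROBE_BITS))
        confirmed = confirm_co_residency(flow, PROBE_BITS)
        print("  co-residency confirmed:", confirmed)
        if confirmed:
            print("  decoded watermark:", decode_bits(flow, len(PROBE_BITS)))
```

Two things the run makes visible that the abstract only states: the probe pattern is recovered from the target's own flow without any channel inside the host, and the same per-slot counts double as the passive load measurement the abstract mentions. A real deployment would need to handle background load, cross-traffic and slot-boundary misalignment, none of which this constructed flow models.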


Published in

CCSW '12: Proceedings of the 2012 ACM Workshop on Cloud computing security workshop
October 2012
134 pages
ISBN: 9781450316651
DOI: 10.1145/2381913

Copyright © 2012 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

          Publisher

          Association for Computing Machinery

          New York, NY, United States


          Qualifiers

          • research-article

Acceptance Rates

Overall acceptance rate: 37 of 108 submissions, 34%
