DOI: 10.1145/2381913.2381915
Research article

Detecting co-residency with active traffic analysis techniques

Published: 19 October 2012

Abstract

Virtualization is the cornerstone of the developing third-party compute industry, allowing cloud providers to instantiate multiple virtual machines (VMs) on a single set of physical resources. Customers utilize cloud resources alongside unknown and untrusted parties, creating the co-resident threat: unless the hypervisor provides perfect isolation, there exists the possibility of unauthorized access to sensitive customer information through the exploitation of covert channels and side channels.
This paper presents co-resident watermarking, a traffic analysis attack that allows a malicious co-resident VM to inject a watermark signature into the network flow of a target instance. This watermark can be used to exfiltrate and broadcast co-residency data from the physical machine, compromising isolation without reliance on internal side channels. As a result, our approach is difficult to defend against without costly underutilization of the physical machine. We evaluate co-resident watermarking under a large variety of conditions, system loads and hardware configurations, from a local lab environment to production cloud environments (FutureGrid and the University of Oregon's ACISS). We demonstrate the ability to initiate a covert channel of 4 bits per second, and we can confirm co-residency with a target VM instance in less than 10 seconds. We also show that passive load measurement of the target and subsequent behavior profiling is possible with this attack. Our investigation demonstrates the need for the careful design of hardware to be used in the cloud.
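The inject-then-detect loop sketched in the abstract, reduced to a toy simulation. This is an added illustration written for this page, not the authors' code or measurement harness: the target's packet timing, the contention model (a burst from the co-resident attacker stretches the target's inter-packet gaps by a fixed factor), the 250 ms slot schedule that gives 4 bits per second, and every constant are constructed assumptions. The observer bins the target flow's arrivals by wall-clock slot and reads throughput dips as watermark bits. The non-co-resident run is the control a practitioner should always include: a midpoint threshold will decode some bit pattern from pure noise, so the contrast check, not the bit match, is what separates a real hit from wishful thinking.

```python
"""Toy model of co-resident watermarking (added illustration, not the paper's code).

Constructed assumptions for this example:
- The target VM streams packets at a roughly constant rate to an observer.
- A co-resident attacker VM contends for the shared NIC/CPU in timed bursts;
  during a burst the target's inter-packet gaps stretch by CONTENTION_FACTOR.
- The observer knows the burst schedule and bins packet arrivals per slot.
"""
import random
from statistics import median

BASE_GAP = 0.001          # target's unloaded inter-packet gap (s): ~1000 pkt/s
SLOT_LEN = 0.25           # one watermark bit per slot: 4 bits/s
CONTENTION_FACTOR = 1.6   # gap stretch while the attacker bursts (assumed)
JITTER = 0.3              # +-30% random variation on every gap
MIN_CONTRAST = 0.2        # required (max-min)/median slot count to call a hit


def simulate_arrivals(bits, co_resident, seed=0):
    """Return arrival timestamps of the target flow as seen by the observer.

    `bits` is the watermark the attacker encodes: bit 1 = burst during that
    slot. Only a co-resident attacker can actually perturb the target's timing;
    for a non-co-resident target the bursts change nothing.
    """
    rng = random.Random(seed)
    total = len(bits) * SLOT_LEN
    arrivals = []
    t = 0.0
    while t < total:
        slot = int(t / SLOT_LEN)
        gap = BASE_GAP * (1.0 + JITTER * rng.uniform(-1.0, 1.0))
        if co_resident and bits[slot] == 1:
            gap *= CONTENTION_FACTOR   # shared-resource contention slows the target
        t += gap
        if t < total:
            arrivals.append(t)
    return arrivals


def slot_counts(arrivals, n_slots):
    """Packets received per watermark slot (the observer's only measurement)."""
    counts = [0] * n_slots
    for t in arrivals:
        counts[int(t / SLOT_LEN)] += 1
    return counts


def decode_watermark(arrivals, n_slots):
    """Recover bits from per-slot throughput.

    Returns (bits, contrast). A slot whose count falls below the midpoint of the
    observed range is read as 1 (the attacker was bursting). `contrast` is the
    spread of counts relative to the median; low contrast means the slots are
    indistinguishable, i.e. the attacker's bursts never reached this flow.
    """
    counts = slot_counts(arrivals, n_slots)
    lo, hi, mid = min(counts), max(counts), median(counts)
    contrast = (hi - lo) / mid if mid else 0.0
    threshold = (hi + lo) / 2.0
    bits = [1 if c < threshold else 0 for c in counts]
    return bits, contrast


def confirm_coresidency(sent_bits, arrivals, min_match=0.9):
    """True if the observed flow carries the watermark the attacker injected."""
    decoded, contrast = decode_watermark(arrivals, len(sent_bits))
    if contrast < MIN_CONTRAST:
        return False                      # no timing signal at all: not co-resident
    matches = sum(a == b for a, b in zip(sent_bits, decoded))
    return matches / len(sent_bits) >= min_match


if __name__ == "__main__":
    # 16 bits at 4 bit/s: a 4 s observation window, well under the abstract's 10 s
    watermark = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1]
    for co_resident in (True, False):
        arr = simulate_arrivals(watermark, co_resident)
        bits, contrast = decode_watermark(arr, len(watermark))
        print(f"co_resident={co_resident}: contrast={contrast:.2f} decoded={bits} "
              f"confirmed={confirm_coresidency(watermark, arr)}")
```

In the co-resident run the slots the attacker bursts in receive roughly 1/1.6 of the packets of the quiet slots, so the contrast is well above the floor and the bits decode cleanly; in the control run the per-slot counts differ only by jitter, the contrast stays near zero, and the decoder's output is correctly discarded. Real deployments replace the fixed midpoint with a statistical test over many repetitions, but the structure of the check is the same.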


Published In

CCSW '12: Proceedings of the 2012 ACM Workshop on Cloud computing security workshop
October 2012
134 pages
ISBN:9781450316651
DOI:10.1145/2381913
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. cloud security
  2. covert channel
  3. traffic analysis

Qualifiers

  • Research-article

Conference

CCS'12: the ACM Conference on Computer and Communications Security
October 19, 2012
Raleigh, North Carolina, USA

Acceptance Rates

Overall Acceptance Rate 37 of 108 submissions, 34%

Cited By

  • (2024) Cyber Attack Victim Separation: New Dimensions to Minimize Attack Effects by Resource Management. Resource Management in Distributed Systems, pp. 247-268. doi:10.1007/978-981-97-2644-8_12. Online publication date: 31 May 2024.
  • (2023) Agent-Based Virtual Machine Migration for Load Balancing and Co-Resident Attack in Cloud Computing. Applied Sciences 13(6):3703. doi:10.3390/app13063703. Online publication date: 14 March 2023.
  • (2023) The Dynamic Paradox: How Layer-skipping DNNs Amplify Cache Side-Channel Leakages. 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 46-53. doi:10.1109/TrustCom60117.2023.00029. Online publication date: 1 November 2023.
  • (2023) Detecting and Preventing Unauthorized User Access to Cloud Services by CASBs. 2023 Second International Conference on Electronics and Renewable Systems (ICEARS), pp. 868-873. doi:10.1109/ICEARS56392.2023.10085406. Online publication date: 2 March 2023.
  • (2022) Co-Residence Data Theft Attacks on N-Version Programming-Based Cloud Services With Task Cancelation. IEEE Transactions on Systems, Man, and Cybernetics: Systems 52(1):324-333. doi:10.1109/TSMC.2020.3002930. Online publication date: January 2022.
  • (2022) Reliability versus Vulnerability of N-Version Programming Cloud Service Component With Dynamic Decision Time Under Co-Resident Attacks. IEEE Transactions on Services Computing 15(4):1774-1784. doi:10.1109/TSC.2020.3019420. Online publication date: 1 July 2022.
  • (2022) A Secure Container Placement Strategy Using Deep Reinforcement Learning in Cloud. 2022 IEEE 25th International Conference on Computer Supported Cooperative Work in Design (CSCWD), pp. 1299-1304. doi:10.1109/CSCWD54268.2022.9776226. Online publication date: 4 May 2022.
  • (2021) Defending N-Version Programming Service Components against Co-Resident Attacks in IoT Cloud Systems. IEEE Transactions on Services Computing 14(6):1717-1725. doi:10.1109/TSC.2019.2904958. Online publication date: 1 November 2021.
  • (2021) A Secure VM Allocation Strategy Based on Tenant Behavior Analysis and Anomaly Identification. MILCOM 2021 - 2021 IEEE Military Communications Conference (MILCOM), pp. 721-726. doi:10.1109/MILCOM52596.2021.9653113. Online publication date: 29 November 2021.
  • (2021) Dynamic and scalable virtual machine placement algorithm for mitigating side channel attacks in cloud computing. Materials Today: Proceedings. doi:10.1016/j.matpr.2020.12.1136. Online publication date: February 2021.
