A Study on Microarchitectural Covert Channel Vulnerabilities in Infrastructure-as-a-Service

  • Conference paper
Applied Cryptography and Network Security Workshops (ACNS 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12418)

Abstract

Microarchitectural cross-VM covert channels are software-launched attacks that exploit the shared hardware of multi-tenant environments. They enable information to be transmitted from a compromised system even when the information flow policy does not allow it. These attacks represent a threat to the confidentiality and integrity of data processed and stored on cloud platforms. Although potentially severe, covert channels tend to be overlooked due to an allegedly strong adversary model. The literature focuses on mechanisms for encoding information through timing variations, without addressing practical considerations. Furthermore, the field lacks a realistic evaluation framework. Covert channels are usually compared to each other using the channel capacity. While a valuable performance metric, the capacity is inadequate to assess the severity of an attack. In this paper, we conduct a comprehensive study on the severity of microarchitectural covert channels in public clouds. State-of-the-art attacks are evaluated against the Common Vulnerability Scoring System in its most recent version (CVSS v3.1). The study shows that a medium severity score of 5.0 is achieved. In comparison, the SSLv3 POODLE (CVE-2014-3566) and OpenSSL Heartbleed (CVE-2014-0160) vulnerabilities achieved respective scores of 3.1 and 7.5. As such, the paper successfully demonstrates that covert channels are not theoretical threats, and that they require the immediate attention of the community. Furthermore, we devise a new and independent scoring system, the Covert Channel Scoring System (CCSS). The scoring of related works under the CCSS shows that cache-based covert channels, although increasingly popular, are the least practical ones to deploy. We encourage authors of future cross-VM covert channel attacks to include a CCSS metric in their study, in order to account for deployment constraints and provide a fair point of comparison for the adversary model.

Corresponding author

Correspondence to Benjamin Semal.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Semal, B., Markantonakis, K., Akram, R.N., Kalbantner, J. (2020). A Study on Microarchitectural Covert Channel Vulnerabilities in Infrastructure-as-a-Service. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2020. Lecture Notes in Computer Science, vol 12418. Springer, Cham. https://doi.org/10.1007/978-3-030-61638-0_20

  • DOI: https://doi.org/10.1007/978-3-030-61638-0_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-61637-3

  • Online ISBN: 978-3-030-61638-0

  • eBook Packages: Computer Science, Computer Science (R0)
