HyperDetector: Detecting, Isolating, and Mitigating Timing Attacks in Virtualized Environments

  • Conference paper
Cryptology and Network Security (CANS 2022)

Abstract

We present a generic approach, called HyperDetector, to detect, isolate, and prevent ongoing timing-based side-channel attacks that operate by measuring the execution times of short-running operations in virtualized environments. HyperDetector, being implemented at the level of the hypervisor, uses a hardware extension for virtualization to intercept the rdtsc instructions, such that the consecutive pairs of time readings that are close to each other in time can be detected. Once potentially malicious time measurements are detected, noise is introduced into the measurements to prevent the ongoing attacks, and the sequence of such measurements is analyzed at runtime by using a sliding window-based approach to determine the processes involved in the attacks. In the experiments, HyperDetector detected all the malicious processes with perfect accuracy after these processes made only a few time measurements, reduced the success rates of the attacks from between 98%–99% to between 0%–0.5%, and did so with a runtime overhead of 1.14%.
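The detection loop the abstract describes, as an added user-space simulation that is not the paper's code: each intercepted rdtsc is checked against the previous reading, close readings are perturbed with noise, and a sliding window of recent readings decides when a process is flagged. Tracking by pid, the thresholds, window length, noise amplitude and all function names are assumptions of this example, and the trace is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_PIDS     8     /* assumed table size */
#define CLOSE_CYCLES 500   /* assumed: a pair closer than this times a short operation */
#define FLAG_AT      4     /* assumed: close readings in the 16-reading window to flag */
#define NOISE_MAX    4096  /* assumed noise amplitude, in cycles */

struct proc { int pid, used, flagged; uint64_t last; uint16_t win; };
static struct proc table[MAX_PIDS];
static uint32_t rng = 0x9e3779b9u;             /* fixed seed keeps the demo repeatable */

static uint32_t noise(void) {                  /* xorshift32, result in 1..NOISE_MAX */
    rng ^= rng << 13; rng ^= rng >> 17; rng ^= rng << 5; return 1 + rng % NOISE_MAX;
}
static int ones(uint16_t w) { int n = 0; for (; w; w &= (uint16_t)(w - 1)) n++; return n; }

static struct proc *lookup(int pid) {          /* find or create the per-process record */
    for (int i = 0; i < MAX_PIDS; i++)
        if (table[i].used && table[i].pid == pid) return &table[i];
    for (int i = 0; i < MAX_PIDS; i++)
        if (!table[i].used) { table[i] = (struct proc){ .pid = pid, .used = 1 }; return &table[i]; }
    return NULL;
}

/* Called for each intercepted rdtsc; returns the value handed back to the guest. */
uint64_t on_rdtsc(int pid, uint64_t tsc) {
    struct proc *p = lookup(pid);
    if (!p) return tsc;                          /* table full: pass through */
    int close = p->last != 0 && tsc - p->last < CLOSE_CYCLES;
    p->last = tsc;
    p->win = (uint16_t)((p->win << 1) | close);  /* 16-bit mask is the sliding window */
    if (ones(p->win) >= FLAG_AT) p->flagged = 1;
    return close ? tsc + noise() : tsc;          /* perturb only suspicious readings */
}
int is_flagged(int pid) { struct proc *p = lookup(pid); return p && p->flagged; }

/* Constructed trace: pid 100 times a 200-cycle operation, pid 200 reads rarely. */
int feed_constructed_trace(void) {
    int perturbed = 0;
    for (uint64_t i = 0; i < 10; i++) {
        uint64_t t = 1000000 + i * 10000, b = 1000000 + i * 1000000;
        perturbed += on_rdtsc(100, t) != t;
        perturbed += on_rdtsc(100, t + 200) != t + 200;
        perturbed += on_rdtsc(200, b) != b;
    }
    return perturbed;
}
int main(void) {
    int n = feed_constructed_trace();
    printf("perturbed=%d flagged(100)=%d flagged(200)=%d\n", n, is_flagged(100), is_flagged(200));
    return 0;
}
```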

Author information

Correspondence to Cemal Yilmaz.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Unal, M.S., Javeed, A., Yilmaz, C., Savas, E. (2022). HyperDetector: Detecting, Isolating, and Mitigating Timing Attacks in Virtualized Environments. In: Beresford, A.R., Patra, A., Bellini, E. (eds) Cryptology and Network Security. CANS 2022. Lecture Notes in Computer Science, vol 13641. Springer, Cham. https://doi.org/10.1007/978-3-031-20974-1_9

  • DOI: https://doi.org/10.1007/978-3-031-20974-1_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-20973-4

  • Online ISBN: 978-3-031-20974-1

  • eBook Packages: Computer Science (R0)
