Abstract
We present CloudRadar, a system to detect, and hence mitigate, cache-based side-channel attacks in multi-tenant cloud systems. CloudRadar operates by correlating two events: first, it uses signature-based detection to identify when the protected virtual machine (VM) is executing a cryptographic application; at the same time, it uses anomaly-based detection techniques to monitor the co-located VMs and identify the abnormal cache behaviors that are typical of cache-based side-channel attacks. We show that the correlated occurrence of these two events offers strong evidence of a side-channel attack. Compared to other work on side-channel defenses, CloudRadar has the following advantages: first, CloudRadar focuses on the root causes of cache-based side-channel attacks and hence is hard to evade using metamorphic attack code, while maintaining a low false positive rate. Second, CloudRadar is designed as a lightweight patch to existing cloud systems, which requires no new hardware support and no modifications to the hypervisor, operating system, or applications. Third, CloudRadar provides real-time protection and can detect side-channel attacks within milliseconds. We demonstrate a prototype implementation of CloudRadar in the OpenStack cloud framework. Our evaluation suggests that CloudRadar achieves negligible performance overhead with high detection accuracy.
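The two-event correlation the abstract describes, as an added toy example (not the paper's code): the protected VM's cache-miss trace is matched against a stored cryptographic signature, a co-located VM's trace is checked against its benign baseline, and an alert is raised only when the two overlap in time. The specific counter, the cross-correlation matcher, the mean + k*std anomaly rule and all sample data are assumptions constructed here.

```python
# Toy model of CloudRadar's two-event correlation over constructed HPC samples.
# Assumptions not taken from the paper: one cache-miss count per VM per
# sampling interval; the crypto signature is a stored cache-miss trace matched
# by normalized cross-correlation; anomaly detection is a mean + k*std
# threshold learned from a benign baseline of the co-located VM.
from statistics import mean, pstdev


def zscore(xs):
    m, s = mean(xs), pstdev(xs) or 1.0
    return [(x - m) / s for x in xs]


def signature_hits(trace, signature, threshold=0.9):
    """Offsets in the protected VM's trace where the crypto signature appears.
    Z-scoring both sides makes the match invariant to scale and offset."""
    sig, n = zscore(signature), len(signature)
    hits = []
    for i in range(len(trace) - n + 1):
        corr = sum(a * b for a, b in zip(zscore(trace[i:i + n]), sig)) / n
        if corr >= threshold:
            hits.append(i)
    return hits


def anomalies(trace, baseline, k=3.0):
    """Intervals where a co-located VM's cache misses exceed its benign baseline."""
    m, s = mean(baseline), pstdev(baseline) or 1.0
    return [i for i, x in enumerate(trace) if x > m + k * s]


def detect(protected, colocated, signature, baseline):
    """Alert only when an anomaly in the co-located VM overlaps the window
    in which the protected VM is running its cryptographic routine."""
    n = len(signature)
    anom = anomalies(colocated, baseline)
    return [i for i in signature_hits(protected, signature)
            if any(i <= a < i + n for a in anom)]


# Constructed sample data (not measurements from the paper).
CRYPTO_SIG = [10, 80, 20, 75, 15, 70]                  # learned crypto pattern
PROTECTED = [12, 14, 11, 13, 20, 160, 40, 150, 30, 140, 12, 13, 11]
BENIGN_BASE = [30, 32, 29, 31, 30, 33, 28, 31]         # co-located VM at rest
ATTACKER = [31, 30, 32, 29, 30, 31, 95, 98, 102, 97, 33, 30, 29]
NOISY_NEIGHBOR = [90, 95, 92, 31, 30, 32, 29, 30, 31, 30, 33, 28, 31]

if __name__ == "__main__":
    print(detect(PROTECTED, ATTACKER, CRYPTO_SIG, BENIGN_BASE))        # [4]
    print(detect(PROTECTED, NOISY_NEIGHBOR, CRYPTO_SIG, BENIGN_BASE))  # []
```

The noisy neighbor's burst is anomalous but does not coincide with the crypto signature, so no alert is raised; this is the low-false-positive property the abstract attributes to correlating the two events.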
Acknowledgements
We thank Fangfei Liu and Dr. Yuval Yarom for providing side-channel attack codes, and the anonymous reviewers for their feedback on this work. This work was supported in part by the National Science Foundation under grants NSF CNS-1218817 and NSF CNS-1566444. Any opinions, findings, and conclusions or recommendations expressed in this work are those of the authors and do not necessarily reflect the views of the NSF.
© 2016 Springer International Publishing Switzerland
Cite this paper
Zhang, T., Zhang, Y., Lee, R.B. (2016). CloudRadar: A Real-Time Side-Channel Attack Detection System in Clouds. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science(), vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_6
DOI: https://doi.org/10.1007/978-3-319-45719-2_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45718-5
Online ISBN: 978-3-319-45719-2
eBook Packages: Computer Science (R0)