Skip to main content
SpringerLink
Log in

Isolation in cloud computing infrastructures: new security challenges

  • Published:
Annals of Telecommunications Aims and scope Submit manuscript

Abstract

Cloud computing infrastructures share hardware resources among different clients, leveraging virtualization to multiplex physical resources among several self-contained execution environments such as virtual machines or Linux containers. Isolation is a core security challenge for such a computing paradigm. It may be threatened by side-channels, created due to the sharing of physical resources like processor caches, or by mechanisms implemented in the virtualization layer. Side-channel attacks (SCAs) exploit and use such leaky channels to obtain sensitive data such as kernel information. This paper aims to clarify the nature of this threat for cloud infrastructures. Current SCAs are performed locally and exploit isolation challenges of virtualized environments to retrieve sensitive information. This paper also clarifies the concept of distributed side-channel attack (DSCA). We explore how such attacks can threaten isolation of any virtualized environments such as cloud computing infrastructures. Finally, we study a set of different applicable countermeasures for attack mitigation in cloud infrastructures.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4

Similar content being viewed by others

References

  1. Merkel D (2014) Docker: lightweight Linux containers for consistent development and deployment. Linux Journal 2014(239):2

    Google Scholar 

  2. Madhavapeddy A, Mortier R, Rotsos C, Scott D, Singh B, Gazagnaire T, Smith S, Hand S, Crowcroft J (2013) Unikernels: library operating systems for the cloud. ACM SIGPLAN Not 48(4):461–472

    Article  Google Scholar 

  3. Bazm MM, Lacoste M, Südholt M, Menaud JM (2017) Side-channels beyond the cloud edge: new isolation threats and solutions. In Cyber Security in Networking Conference (CSNet), 2017 1st (pp. 1–8). IEEE

  4. Costan V, Devadas S (2016) Intel SGX explained. IACR Cryptology ePrint Archive 2016(086):1–118

  5. Schwarz M, Weiser S, Gruss D, Maurice C, Mangard S (2017) Malware guard extension: Using SGX to conceal cache attacks. In international conference on detection of intrusions and malware, and vulnerability assessment. Springer, Cham, pp 3–24

  6. Kocher Paul et al (J2018), “Spectre attacks: exploiting speculative execution”, ArXiv e-prints

  7. Disselkoen C et al (2017) “Prime+ abort: a timer-free high-precision l3 cache attack using intel TSX.” 26th USENIX Security Symposium. USENIX Security 17, Vancouver

    Google Scholar 

  8. Demme J, Martin R, Waksman A, Sethumadhavan S (2012) SideChannel vulnerability factor: a metric for measuring information leakage. ACM SIGARCH Computer Architecture News 40(3):106–117

    Article  Google Scholar 

  9. Arcangeli A, Eidus I, Wright C (2009) Increasing memory density by using KSM. In Proceedings of the linux symposium (pp. 19–28)

  10. Suzaki K, Iijima K, Yagi T, Artho C (2011) Memory deduplication as a threat to the guest OS. In Proceedings of the Fourth European Workshop on System Security (p. 1). ACM

  11. Apecechea GI, Eisenbarth T, Sunar B (2014) Jackpot stealing information from large caches via huge pages, Cryptology ePrint Archive 2014/970

  12. Weiß M, Heinz B, Stumpf F (2012) A cache timing attack on AES in virtualization environments. In: in International Conference on Financial Cryptography and Data Security. Springer, pp 314–328

  13. Acıiçmez O, Schindler W, Koç ÇK (2007) Cache based remote timing attack on the AES. In Cryptographers’ Track at the RSA Conference (pp. 271-286). Springer, Berlin

  14. Tsunoo Y, Saito T, Suzaki T, Shigeri M, Miyauchi H (2003) Cryptanalysis of DES implemented on computers with cache. In: International Workshop on Cryptographic Hardware and Embedded Systems. Springer, pp 62–76

  15. Gruss D, Maurice C, Wagner K, & Mangard S (2016) Flush+ Flush: a fast and stealthy cache attack. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 279-299). Springer, Cham

  16. Yarom Y, Falkner K (2014) FLUSH+ RELOAD: a high resolution, low noise, L3 cache sidechannel Attack. In USENIX Security Symposium (Vol. 1, pp. 22–25)

  17. Aciiçmez O, Koç ÇK (2006) Trace-driven cache attacks on AES (short paper). In : International Conference on Information and Communications Security. Springer, Berlin, p 112–121

  18. Gallais J-F, Kizhvatov I, Tunstall M (2010) Improved trace-driven cachecollision attacks against embedded AES implementations. In : International Workshop on Information Security Applications. Springer, Berlin, p 243–257

  19. Ristenpart T, Tromer E, Shacham H et al (2009) Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In : Proceedings of the 16th ACM conference on Computer and communications security. ACM, p 199–212

  20. Spreitzer R, Plos T (2013) Cache-access pattern attack on disaligned aes t-tables. In: International Workshop on Constructive Side-Channel Analysis and Secure Design. Springer, Berlin, p 200–214

  21. Lipp M, Schwarz M, Gruss D et al (2018) Meltdown: reading kernel memory from user space. In : 27th {USENIX} Security Symposium ({USENIX} Security 18). p 973–990

  22. Zhang W, Jia X, Wang C, Zhang S, Huang Q, Wang M, Liu P (2016) A comprehensive study of co-residence threat in multi-tenant public paas clouds. In International Conference on Information and Communications Security (pp. 361–375). Springer, Cham

  23. Delimitrou C, Kozyrakis C (2017) Bolt: I know what you did last summer... in the cloud. In: ACM SIGARCH Computer Architecture News. ACM, p 599–613

  24. Varadarajan V, Zhang Y, Ristenpart T, Swift MM (2015) A placement vulnerability study in multi-tenant public clouds. In USENIX Security Symposium (pp. 913–928)

  25. Payer M (2016) HexPADS: a platform to detect “stealth” attacks. In : International Symposium on Engineering Secure Software and Systems. Springer, Cham, p 138–154

  26. Zhang T, Zhang Y, Lee RB (2016) Cloudradar: a real-time side-channel attack detection system in clouds. In : International Symposium on Research in Attacks, Intrusions, and Defenses. Springer, Cham, p 118–140

  27. Chiappetta M, Savas E, Yilmaz C (2016) Real time detection of cache-based side-channel attacks using hardware performance counters. Appl Soft Comput 49:1162–1174

    Article  Google Scholar 

  28. Bazm M-M, Sautereau T, Lacoste M, Südholt M, Menaud J-M (2018) Cache-based side-channel attacks detection through Intel Cache Monitoring Technology and Hardware Performance Counters. 3rd IEEE International Conference on Fog and Mobile Edge Computing (FMEC), Barcelona

    Book  Google Scholar 

  29. Intel’s Cache Monitoring Technology: Use models and data, https://software.intel.com/enus/blogs/2014/12/11/intels-cache-monitoring-technology-use-models-and-data, 2014

  30. Gopal V, Guilford J, Ozturk E, Feghali W, Wolrich G, Dixon M (2009) Fast and constant-time implementation of modular exponentiation. Embedded Systems and Communications Security, Niagara Falls, NY, US

  31. Rivain M, Prouff E (2010) Provably secure higher-order masking of AES. In: International Workshop on Cryptographic Hardware and Embedded Systems. Springer, pp 413–427

  32. Osvik DA, Shamir A, Tromer E (2006) Cache attacks and countermeasures: the case of AES. In: Pointcheval D (ed) Topics in cryptology – CT-RSA 2006. CT-RSA 2006. Lecture notes in computer science, vol 3860. Springer, Berlin

    Google Scholar 

  33. Barthe G, Rezk T, Warnier M (2006) Preventing timing leaks through transactional branching instructions. Electronic Notes in Theoretical Computer Science 153(2):33–55

    Article  Google Scholar 

  34. Cleemput JV, Coppens B, De Sutter B (2012) Compiler mitigations for time attacks on modern x86 processors. ACM Transactions on Architecture and Code Optimization (TACO) 8(4):23

    Google Scholar 

  35. Coppens B, Verbauwhede I, De Bosschere K, De Sutter B (2009) Practical mitigations for timing-based side-channel attacks on modern x86 processors. In: 30th IEEE Symposium on Security and Privacy. IEEE, pp 45–60

  36. Zhang Y, Reiter MK (2013) Düppel: retrofitting commodity operating systems to mitigate cache side channels in the cloud. In : Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, p 827–838

  37. Kim T, Peinado M, Mainar-Ruiz G (2012) STEALTHMEM: system-level protection against cache-based side channel attacks in the cloud. In : Proceedings of the 21st USENIX conference on Security symposium. USENIX Association, p 11–11

  38. Gens D, Arias O, Sullivan D, Liebchen C, Jin Y, Sadeghi AR (2017) LAZARUS: practical side-channel resilient kernel-space randomization. In International Symposium on Research in Attacks, Intrusions, and Defenses (pp. 238–258). Springer, Cham

  39. Gruss D, Lipp M, Schwarz M, Fellner R, Maurice C, Mangard S (2017) KASLR is dead: long live KASLR. In: International Symposium on Engineering Secure Software and Systems. Springer, Cham, pp 161–176

    Chapter  Google Scholar 

  40. Zhang Y, Li M, Bai K, Yu M, Zang W (2012) Incentive compatible moving target defense against VM-colocation attacks in clouds. In: IFIP International Information Security Conference. Springer, pp 388–399

  41. Varadarajan V, Ristenpart T, Swift MM (2014) Scheduler-based defenses against cross-vM side-channels. In : USENIX Security Symposium, p 687–702

  42. Jin X, Chen H, Wang X, Wang Z, Wen X, Luo Y, Li X (2009) A simple cache partitioning approach in a virtualized environment. In Parallel and Distributed Processing with Applications, 2009 IEEE International Symposium on (pp. 519-524). IEEE

  43. Shi J, Song X, Chen H, Zang B (2011) Limiting cache-based side-channel in multi-tenant cloud using dynamic page coloring. In Dependable Systems and Networks Workshops (DSN-W), 2011 IEEE/IFIP 41st International Conference on (pp. 194-199). IEEE

  44. Vattikonda BC, Das S, Shacham H (2011) Eliminating fine grained timers in Xen. In : Proceedings of the 3rd ACM workshop on Cloud computing security workshop. ACM, p 41–46

  45. Zhuang R, Deloach SA, Ou X (2014) Towards a theory of moving target defense. In : Proceedings of the First ACM Workshop on Moving Target Defense. ACM, p 31–40

  46. Kong J, Aciicmez O, Seifert JP, Zhou H (2008) Deconstructing new cache designs for thwarting software cache-based side channel attacks. In Proceedings of the 2nd ACM workshop on Computer security architectures (pp. 25–34). ACM

  47. Liu F, Ge Q, Yarom Y, Mckeen F, Rozas C, Heiser G, Lee RB (2016) Catalyst: Defeating last-level cache side channel attacks in cloud computing. In High Performance Computer Architecture (HPCA), 2016 IEEE International Symposium on (pp. 406-418). IEEE

  48. INTEL, C. A. T (2015) Improving real-time performance by utilizing cache allocation technology. Intel Corporation

  49. Wright M, Venkatesan S, Albanese M, Wellman MP (2016) Moving target defense against ddos attacks: An empirical game-theoretic analysis. In Proceedings of the 2016 ACM Workshop on Moving Target Defense (pp. 93–104). ACM

  50. Moon S-J, Sekar V, Reiter MK (2015) Nomad: mitigating arbitrary cloud side channels via provider-assisted migration. In : Proceedings of the 22nd acm sigsac conference on computer and communications security. ACM, p 1595–1606

  51. Hermenier F, Lorca X, Menaud JM, Muller G, Lawall J (2009). Entropy: a consolidation manager for clusters. In Proceedings of the 2009 ACM SIGPLAN/SIGOPS international conference on Virtual execution environments (pp. 41-50). ACM

  52. Quesnel F, Lebre A, Südholt M (2013) Cooperative and reactive scheduling in large-scale virtualized platforms with DVMS. Concurrency and Computation: Practice and Experience 25(12):1643–1655

    Article  Google Scholar 

  53. Mills K, Filliben J, Dabrowski C (2011) Comparing vm-placement algorithms for on-demand clouds. In : Cloud Computing Technology and Science (CloudCom), 2011 IEEE Third International Conference on. IEEE, p 91–98

  54. Denneman F (2016) NUMA deep dive part 5: ESXi VMkernel NUMA constructs, http://frankdenneman.nl/tag/numa

Download references

Author information

Authors and Affiliations

  1. Orange Labs, 44 Avenue de la République, 92320, Châtillon, France

    Mohammad-Mahdi Bazm & Marc Lacoste

  2. IMT Atlantique, 4 Rue Alfred Kastler, 44307, Nantes, France

    Mario Südholt & Jean-Marc Menaud

Authors
  1. Mohammad-Mahdi Bazm
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Marc Lacoste
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mario Südholt
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Jean-Marc Menaud
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mohammad-Mahdi Bazm.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Bazm, MM., Lacoste, M., Südholt, M. et al. Isolation in cloud computing infrastructures: new security challenges. Ann. Telecommun. 74, 197–209 (2019). https://doi.org/10.1007/s12243-019-00703-z

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s12243-019-00703-z

Keywords

Search

Navigation