DOI: 10.1145/3617232.3624867
Research article

Everywhere All at Once: Co-Location Attacks on Public Cloud FaaS

Published: 17 April 2024

Abstract

Microarchitectural side-channel attacks exploit shared hardware resources, posing significant threats to modern systems. A pivotal step in these attacks is achieving physical host co-location between attacker and victim. This step is especially challenging in public cloud environments due to the widespread adoption of the virtual private cloud (VPC) and the ever-growing size of the data centers. Furthermore, the shift towards Function-as-a-Service (FaaS) environments, characterized by dynamic function instance placements and limited control for attackers, compounds this challenge.
In this paper, we present the first comprehensive study on risks of and techniques for co-location attacks in public cloud FaaS environments. We develop two physical host fingerprinting techniques and propose a new, inexpensive methodology for large-scale instance co-location verification. Using these techniques, we analyze how Google Cloud Run places function instances on physical hosts and identify exploitable placement behaviors. Leveraging our findings, we devise an effective strategy for instance launching that achieves 100% probability of co-locating the attacker with at least one victim instance. Moreover, the attacker co-locates with 61%--100% of victim instances in three major Cloud Run data centers.

Cited By

  • (2024) Principled Microarchitectural Isolation on Cloud CPUs. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, 183-197. DOI: 10.1145/3658644.3690183. Online publication date: 2 Dec 2024.
  • (2024) Shared Resource Entanglement Attacks against Serverless Computing. 2024 IEEE Conference on Communications and Network Security (CNS), 1-9. DOI: 10.1109/CNS62487.2024.10735670. Online publication date: 30 Sep 2024.

Published In

ASPLOS '24: Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 1
April 2024
494 pages
ISBN:9798400703720
DOI:10.1145/3617232

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. cloud computing
  2. function-as-a-service (FaaS)
  3. co-location vulnerability
  4. timestamp counter

Conference

ASPLOS '24

Acceptance Rates

Overall Acceptance Rate 535 of 2,713 submissions, 20%
