Table of Contents Author Guidelines Submit a Manuscript
Security and Communication Networks
Volume 2018, Article ID 4216240, 18 pages
https://doi.org/10.1155/2018/4216240
Research Article

Leveraging KVM Events to Detect Cache-Based Side Channel Attacks in a Virtualization Environment

Laboratory for Cyber Resilience, Nara Institute of Science and Technology, 8916-5 Takayama, Ikoma, Nara 630-0192, Japan

Correspondence should be addressed to Ady Wahyudi Paundu; pj.tsian.si@9ka.udnuap.yda

Received 25 September 2017; Revised 13 December 2017; Accepted 23 January 2018; Published 25 February 2018

Academic Editor: Wojciech Mazurczyk

Copyright © 2018 Ady Wahyudi Paundu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Linked References

  1. Q. Ge, Y. Yarom, D. Cock, and G. Heiser, “A survey of microarchitectural timing attacks and countermeasures on contemporary hardware,” Journal of Cryptographic Engineering, 2016. View at Publisher · View at Google Scholar
  2. J. Szefer, “Survey of microarchitectural side and covert channels, attacks, and defenses. Cryptology ePrint Archive,” Report 2016/479, 2016. View at Google Scholar
  3. A. K. Biswas, D. Ghosal, and S. Nagaraja, “A survey of timing channels and countermeasures,” ACM Computing Surveys, vol. 50, no. 1, article no. 6, 2017. View at Publisher · View at Google Scholar · View at Scopus
  4. Security aspects of virtualization, “The European Union Agency for Network and Information Security,” Technical Report, February 2017. View at Google Scholar
  5. D. J. Dean, H. Nguyen, and X. Gu, “UBL: Unsupervised behavior learning for predicting performance anomalies in virtualized cloud systems,” in Proceedings of the 9th ACM International Conference on Autonomic Computing, (ICAC '12), pp. 191–200, USA, September 2012. View at Publisher · View at Google Scholar · View at Scopus
  6. F. Doelitzscher, M. Knahl, C. Reich, and N. Clarke, “Anomaly detection in IaaS Clouds,” in Proceedings of the 5th IEEE International Conference on Cloud Computing Technology and Science, (CloudCom '13), pp. 387–394, UK, December 2013. View at Publisher · View at Google Scholar · View at Scopus
  7. S. S. Alarifi and S. D. Wolthusen, “Detecting anomalies in IaaS environments through virtual machine host system call analysis,” in Proceedings of the 7th International Conference for Internet Technology and Secured Transactions, (ICITST '12), pp. 211–218, December 2012. View at Scopus
  8. A. S. Abed, T. C. Clancy, and D. S. Levy, “Applying bag of system calls for anomalous behavior detection of applications in linux containers,” in Proceedings of the IEEE Globecom Workshops, (GC Wkshps '15), IEEE, USA, December 2015. View at Publisher · View at Google Scholar · View at Scopus
  9. W. Sha, Y. Zhu, M. Chen, and T. Huang, “Statistical learning for anomaly detection in cloud server systems: A multi-order Markov chain framework,” IEEE Transactions on Cloud Computing, vol. PP, no. 99, 2015. View at Publisher · View at Google Scholar · View at Scopus
  10. B. Dolan-Gavitt, T. Leek, M. Zhivich, J. Giffin, and W. Lee, “Leveraging forensic tools for virtual machine introspection,” Technical Report GT-CS-11-05, Georgia Institute of Technology, 2011. View at Google Scholar
  11. B. Dolan-Gavitt, T. Leek, M. Zhivich, J. Giffin, and W. Lee, “Virtuoso: Narrowing the semantic gap in virtual machine introspection,” in Proceedings of the 2011 IEEE Symposium on Security and Privacy, (SP '11), pp. 297–312, USA, May 2011. View at Publisher · View at Google Scholar · View at Scopus
  12. Y. Fu and Z. Lin, “Bridging the semantic gap in virtual machine introspection via online kernel data redirection,” ACM Transactions on Information and System Security, vol. 16, no. 2, article no. 7, 2013. View at Publisher · View at Google Scholar · View at Scopus
  13. W.-M. Hu, “Lattice scheduling and covert channels,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 52–61, May 1992. View at Scopus
  14. D. J. Bernstein, “Cache-timing attacks on aes,” Technical Report, The University of Illinois at Chicago, 2005. View at Google Scholar
  15. D. A. Osvik, A. Shamir, and E. Tromer, “Cache attacks and countermeasures: the case of AES,” in Proceedings of the 2006 The Cryptographers’ Track at the RSA conference on Topics in Cryptology, (CT-RSA’06), vol. 3860 of Lecture Notes in Computer Science, pp. 1–20, Springer, Berlin, 2006. View at Publisher · View at Google Scholar · View at MathSciNet
  16. Y. Yarom and K. Falkner, “Flush + reload: a high resolution, low noise, l3 cache side-channel attack,” in Proceedings of the 23rd USENIX conference on Security Symposium, (SEC '14), pp. 719–732, August 2014.
  17. K. Suzaki, K. Iijima, T. Yagi, and C. Artho, “Memory deduplication as a threat to the guest OS,” in Proceedings of the 4th Workshop on European Workshop on System Security, (EUROSEC '11), Austria, April 2011. View at Publisher · View at Google Scholar · View at Scopus
  18. Y. Oren, V. P. Kemerlis, S. Sethumadhavan, and A. D. Keromytis, “The spy in the sandbox: Practical cache attacks in JavaScript and their implications,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, (CCS '15), pp. 1406–1418, USA, October 2015. View at Publisher · View at Google Scholar · View at Scopus
  19. T. Hornby, Side-channel attacks on everyday applications, Black hat, USA, 2016. View at Publisher · View at Google Scholar
  20. M. Lipp, D. Gruss, M. Schwarz, D. Bidner, C. Maurice, and S. Mangard, “Practical Keystroke Timing Attacks in Sandboxed JavaScript,” in Proceedings of the 25th USENIX Security Symposium, vol. 10493 of Lecture Notes in Computer Science, pp. 549–564, Springer International Publishing. View at Publisher · View at Google Scholar
  21. T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, “Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds,” in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 199–212, November 2009. View at Publisher · View at Google Scholar · View at Scopus
  22. Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, “Cross-vm side channels and their use to extract private keys,” in Proceedings of the 2012 ACM Conference on Computer and Communications Security, (CCS '12), pp. 305–316, USA, October 2012. View at Publisher · View at Google Scholar · View at Scopus
  23. Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, “Cross-tenant side-channel attacks in PaaS clouds,” in Proceedings of the 21st ACM Conference on Computer and Communications Security, (CCS '14), pp. 990–1003, USA, November 2014. View at Publisher · View at Google Scholar · View at Scopus
  24. M. S. İnci, B. Gulmezoglu, G. Irazoqui, T. Eisenbarth, and B. Sunar, “Cache attacks enable bulk key recovery on the cloud,” in Proceedings of the International Conference on Cryptographic Hardware and Embedded Systems, (CHES '16), vol. 9813, pp. 368–388, August 2016. View at Publisher · View at Google Scholar · View at Scopus
  25. Z. Wang and R. B. Lee, “A novel cache architecture with enhanced performance and security,” in Proceedings of the 2008 - 41st Annual IEEE/ACM International Symposium on Microarchitecture, MICRO-41, pp. 83–93, IEEE, Italy, November 2008. View at Publisher · View at Google Scholar · View at Scopus
  26. Z. Wang and R. B. Lee, “New cache designs for thwarting software cache-based side channel attacks,” in Proceedings of the 34th Annual International Symposium on Computer Architecture, (ISCA '07), pp. 494–505, ACM, USA, June 2007. View at Publisher · View at Google Scholar · View at Scopus
  27. F. Liu and R. B. Lee, “Random Fill Cache Architecture,” in Proceedings of the 47th Annual IEEE/ACM International Symposium on Microarchitecture, (MICRO '14), pp. 203–215, UK, December 2014. View at Publisher · View at Google Scholar · View at Scopus
  28. Y. Zhang and M. K. Reiter, “Düppel: Retrofitting commodity operating systems to mitigate cache side channels in the cloud,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, (CCS '13), pp. 827–837, ACM, November 2013. View at Publisher · View at Google Scholar · View at Scopus
  29. F. Liu, Q. Ge, Y. Yarom et al., “CATalyst: Defeating last-level cache side channel attacks in cloud computing,” in Proceedings of the 22nd IEEE International Symposium on High Performance Computer Architecture, (HPCA '16), pp. 406–418, IEEE, Spain, March 2016. View at Publisher · View at Google Scholar · View at Scopus
  30. Z. Zhou, M. K. Reiter, and Y. Zhang, “A software approach to defeating side channels in last-level caches,” in Proceedings of the 23rd ACM Conference on Computer and Communications Security, (CCS '16), pp. 871–882, Austria, October 2016. View at Publisher · View at Google Scholar · View at Scopus
  31. G. Irazoqui, T. Eisenbarth, and B. Sunar, “Mascat: Stopping microarchitectural attacs before execution,” Cryptology ePrint Archive, 2016. View at Google Scholar
  32. G. Doychev, D. Feld, B. Köpf, L. Mauborgne, and J. Reineke, “Cacheaudit: a tool for the static analysis of cache side channels,” in Proceedings of the 22nd USENIX conference on Security, (SEC '13), vol. 18, pp. 431–446, 2013. View at Publisher · View at Google Scholar · View at Scopus
  33. L. Domnitser, A. Jaleel, J. Loew, N. Abu-Ghazaleh, and D. Ponomarev, “Non-monopolizable caches: Low-complexity mitigation of cache side channel attacks,” ACM Transactions on Architecture and Code Optimization (TACO), vol. 8, no. 4, article no. 35, 2012. View at Publisher · View at Google Scholar · View at Scopus
  34. T. Kim, M. Peinado, and G. Mainar-Ruiz, “Stealthmem: system-level protection against cache-based side channel attacks in the cloud,” in Proceedings of the 21st USENIX conference on Security symposium, August 2012.
  35. J. Shi, X. Song, H. Chen, and B. Zang, “Limiting cache-based side-channel in multi-tenant cloud using dynamic page coloring,” in Proceedings of the 2011 IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops, (DSN-W '11), pp. 194–199, China, June 2011. View at Publisher · View at Google Scholar · View at Scopus
  36. Y. Han, T. Alpcan, J. Chan, and C. Leckie, “Security games for virtual machine allocation in cloud computing,” in Proceeding of the 4th International Conference on Decision and Game Theory for Security, (Gamesec '13), vol. 8252 of Lecture Notes in Computer Science, pp. 99–118, November 2013. View at Publisher · View at Google Scholar · View at Scopus
  37. S.-J. Moon, V. Sekar, and M. K. Reiter, “Nomad: Mitigating arbitrary cloud side channels via provider-assisted migration,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, (CCS '15), pp. 1595–1606, USA, October 2015. View at Publisher · View at Google Scholar · View at Scopus
  38. Y. Zhang, M. Li, K. Bai, M. Yu, and W. Zang, “Incentive compatible moving target defense against VM-colocation attacks in clouds,” in Proceedings of the IFIP International Information Security Conference on Information Security and Privacy Research, (SEC '12), pp. 388–399, Springer, 2012. View at Publisher · View at Google Scholar · View at Scopus
  39. M. Chiappetta, E. Savas, and C. Yilmaz, “Real time detection of cache-based side-channel attacks using hardware performance counters,” Applied Soft Computing, vol. 49, pp. 1162–1174, 2016. View at Publisher · View at Google Scholar · View at Scopus
  40. T. Zhang, Y. Zhang, and R. B. Lee, “Cloudradar: A real-time side-channel attack detection system in clouds,” in Proceedings of the Research in Attacks, Intrusions, and Defenses. (RAID '16), vol. 9854 of Lecture Notes in Computer Science, pp. 118–140, Springer. View at Publisher · View at Google Scholar · View at Scopus
  41. M. Payer, “HexPADS: A platform to detect “stealth” attacks,” in Proceedings of the 8th International Symposium on Engineering Secure Software and Systems, (ESSoS '16), vol. 9639, pp. 138–154, Springer-Verlag. View at Publisher · View at Google Scholar · View at Scopus
  42. N. Herath and A. Fogh, These Are Not Your Grand Daddy’S cpu Performance Counters, Black hat, USA, 2015.
  43. D. Gruss, C. Maurice, K. Wagner, and S. Mangard, “Flush + Flush: A fast and stealthy cache attack,” in Proceedings of the 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, (DIMVA '16), vol. 9721, pp. 279–299, Springer-Verlag, July 2016. View at Publisher · View at Google Scholar · View at Scopus
  44. T. Garfinkel and M. Rosenblum, “A virtual machine introspection based architecture for intrusion detection,” in Proceedings of The 10th Annual Network and Distributed System Security Symposium, 2003.
  45. A. Kivity, Y. Kamay, D. Laor, U. Lublin, and A. Ligauri, “Kvm: the linux virtual machine monitor,” in Proceedings of the 2007 Ottawa Linux Symposium - OLS07, 2007.
  46. A. Arcangeli, I. Eidus, and C. Wright, Increasing Memory Density by Using Ksm, Red Hat Inc, 2009.
  47. G. Venkitachalam and M. Cohen, “Transparent page sharing on commodity operating systems,” Patent US7500048 B1, 2009. View at Publisher · View at Google Scholar
  48. S. Rostedt, “Ftrace kernel hooks, more than just tracing. LINUX Plumbers Conference”.
  49. E. Cecchet, A. Chanda, S. Elnikety, J. Marguerite, and W. Zwaenepoel, “Performance comparison of middleware architectures for generating dynamic web content,” in Proceedings of the 4th ACM/IFIP/USENIX International Middleware Conference, June 2003. View at Scopus
  50. B. E. Boser, I. M. Guyon, and V. N. Vapnik, “Training algorithm for optimal margin classifiers,” in Proceedings of the 5th Annual ACM Workshop on Computational Learning Theory (COLT '92), pp. 144–152, ACM, July 1992. View at Scopus
  51. F. Pedregosa, G. Varoquaux, and A. Gramfort, “Scikit-learn: machine learning in Python,” Journal of Machine Learning Research, vol. 12, pp. 2825–2830, 2011. View at Google Scholar · View at MathSciNet
  52. R. A. Fisher, “The use of multiple measurements in taxonomic problems,” Annals of Eugenics, vol. 7, pp. 179–188, 1936. View at Publisher · View at Google Scholar
  53. G. Irazoqui, M. S. IncI, T. Eisenbarth, and B. Sunar, “Know Thy neighbor: crypto library detection in cloud,” in Proceedings on Privacy Enhancing Technologies, vol. 2015. View at Publisher · View at Google Scholar
  54. A. Fogh, “Cache side channel attacks: Cpu design as a security problem. Hack In The Box”.
  55. G. Irazoqui, M. S. Inci, T. Eisenbarth, and B. Sunar, “Wait a minute! A fast, cross-VM attack on AES,” in Proceeding of the Research in Attacks, Intrusions and Defenses, (RAID '14), vol. 8688, pp. 299–319, Lecture Notes in Computer Science, 2014. View at Publisher · View at Google Scholar · View at Scopus
  56. G. Irazoqui, T. Eisenbarth, and B. Sunar, “S$A: A shared cache attack that works across cores and defies VM sandboxing - And its application to AES,” in Proceedings of the 36th IEEE Symposium on Security and Privacy, (SP '15), pp. 591–604, USA, May 2015. View at Publisher · View at Google Scholar · View at Scopus
  57. W. J. Youden, “Index for rating diagnostic tests,” Cancer, vol. 3, no. 1, pp. 32–35, 1950. View at Publisher · View at Google Scholar · View at Scopus