ABSTRACT
Multiple virtual machines on a single virtual machine monitor are isolated from each other. A malicious user on one virtual machine usually cannot relay secret data to other virtual machines without using explicit communication media such as shared files or a network. However, this isolation is threatened by communication in which CPU load is used as a covert channel. Unfortunately, this threat has not been fully understood or evaluated. In this study, we quantitatively evaluate the threat of CPU-based covert channels between virtual machines on the Xen hypervisor. We have developed CCCV, a system that creates a covert channel and communicates data secretly using CPU loads. CCCV consists of two user processes, a sender and a receiver. The sender runs on one virtual machine, and the receiver runs on another virtual machine on the same hypervisor. We measured the bandwidth and communication accuracy of the covert channel. CCCV communicated 64-bit data with a 100% success rate in an ideal environment, and with a success rate of over 90% in an environment where Web servers are processing requests on other virtual machines.
Index Terms
- Load-based covert channels between Xen virtual machines