ABSTRACT
Cloud computing offers new cost-effective, on-demand services such as Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). However, for all the facilities and benefits these services promise, a number of challenges remain in utilizing cloud computing, such as data security, cyber-attacks, and multi-tenancy. Multi-tenancy in cloud computing has unique vulnerabilities; one particular issue is the physical co-residency of virtual machines, which has been exploited to leak sensitive information and extract sensitive data using hardware side-channels. Side-channel attacks are classified according to the hardware medium they target and exploit, for instance cache side-channel attacks; caches are among the hardware devices most commonly targeted by adversaries because of their high rate of interaction and sharing between processes. A number of solutions have been proposed to detect and prevent cache side-channel attacks, but they have failed. On the one hand, cache side-channel attacks present deceptively normal behavior. On the other hand, these solutions mainly rely on attached software or applications to detect any abnormal behavior on the CPU cache. Such applications and software slow down CPU operations and introduce unwanted overload, which affects CPU performance. This paper presents a detailed study and analysis of cache side-channel attacks in cloud computing. It surveys and reports the important directions used to detect and prevent them. It also identifies important gaps that the proposed solutions do not fill.
Index Terms
- Preventing and detecting cache side-channel attacks in cloud computing