2011 IEEE Symposium on Security and Privacy (2011)
Oakland, California USA
May 22, 2011 to May 25, 2011
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/SP.2011.31
Security is a major barrier to enterprise adoption of cloud computing. Physical co-residency with other tenants poses a particular risk, due to pervasive virtualization in the cloud. Recent research has shown how side channels in shared hardware may enable attackers to exfiltrate sensitive data across virtual machines (VMs). In view of such risks, cloud providers may promise physically isolated resources to select tenants, but a challenge remains: Tenants still need to be able to verify physical isolation of their VMs. We introduce Home Alone, a system that lets a tenant verify its VMs' exclusive use of a physical machine. The key idea in Home Alone is to invert the usual application of side channels. Rather than exploiting a side channel as a vector of attack, Home Alone uses a side-channel (in the L2 memory cache) as a novel, defensive detection tool. By analyzing cache usage during periods in which "friendly" VMs coordinate to avoid portions of the cache, a tenant using Home Alone can detect the activity of a co-resident "foe" VM. Key technical contributions of Home Alone include classification techniques to analyze cache usage and guest operating system kernel modifications that minimize the performance impact of friendly VMs sidestepping monitored cache portions. Home Alone requires no modification of existing hyper visors and no special action or cooperation by the cloud provider.
Cloud computing, Infrastructure-as-a-Service (IaaS), co-residency detection, side-channel analysis
A. Oprea, A. Juels, Y. Zhang and M. K. Reiter, "HomeAlone: Co-residency Detection in the Cloud via Side-Channel Analysis," 2011 IEEE Symposium on Security and Privacy(SP), Oakland, California USA, 2011, pp. 313-328.