BusMonitor : A Hypervisor-Based Solution for Memory Bus Covert Channels

Researchers continue to find side channels in cloud infrastructure that threaten virtual machine (VM) isolation. The memory bus on virtualized x86 systems has been singled out as one such channel. Because it is shared by every processor in the system, is easy for a guest to control, and is critical to system stability, the memory bus could be one of the most powerful cross-VM side channels in a cloud environment. To ensure that this critical component cannot be misused by an attacker, we have developed BusMonitor, a hypervisor-based protection that prevents a malicious tenant from abusing the memory bus's operation. In this paper we investigate the dangers of previously known, and possible future, memory-bus-based side channel attacks. We then show that BusMonitor fully prevents these attacks with negligible impact on the performance of guest applications.
