StopWatch: A Cloud Architecture for Timing Channel Mitigation

This article presents StopWatch, a system that defends against timing-based side-channel attacks that arise from coresidency of victims and attackers in infrastructure-as-a-service clouds. StopWatch triplicates each cloud-resident guest virtual machine (VM) and places replicas so that the three replicas of a guest VM are coresident with nonoverlapping sets of (replicas of) other VMs. StopWatch uses the timing of I/O events at a VM’s replicas collectively to determine the timings observed by each one or by an external observer, so that observable timing behaviors are similarly likely in the absence of any other individual, coresident VMs. We detail the design and implementation of StopWatch in Xen, evaluate the factors that influence its performance, demonstrate its advantages relative to alternative defenses against timing side channels with commodity hardware, and address the problem of placing VM replicas in a cloud under the constraints of StopWatch so as to still enable adequate cloud utilization.
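Two of the ideas in the abstract can be made concrete in a small simulation: the placement constraint (each of a VM's three replicas shares hosts with a pairwise-disjoint set of other VMs) and the consequence of combining I/O timings across replicas (a VM coresident with only one replica has bounded influence on the timing the guest observes). The code below is an added example, not StopWatch's own code; the toy placement and the choice of the median as the combining rule are assumptions of this illustration, and the host and VM names are constructed.

```python
"""Added illustration of StopWatch-style replica placement and timing
combination. Not code from the paper; the median combining rule and the
placements below are assumptions for this example."""
from itertools import combinations
from statistics import median

REPLICAS = 3

# Constructed placement: host -> list of (vm, replica_index).
# Every VM has three replicas, and no other VM shares a host with more
# than one of them (e.g. A's replicas sit with B, C and D respectively).
PLACEMENT = {
    "host0": [("A", 0), ("B", 0)],
    "host1": [("A", 1), ("C", 0)],
    "host2": [("A", 2), ("D", 0)],
    "host3": [("B", 1), ("C", 1)],
    "host4": [("B", 2), ("D", 1)],
    "host5": [("C", 2), ("D", 2)],
}

# Constructed placement that violates the constraint: B shares hosts with
# two of A's replicas, so B could perturb two of A's three timings.
BAD_PLACEMENT = {
    "host0": [("A", 0), ("C", 0)],
    "host1": [("A", 1), ("B", 0)],
    "host2": [("A", 2), ("B", 1)],
    "host3": [("B", 2), ("C", 1)],
    "host4": [("C", 2)],
}


def coresident_sets(placement, vm):
    """For each replica index of `vm`, the set of other VMs on its host."""
    sets = {}
    for guests in placement.values():
        for guest, idx in guests:
            if guest == vm:
                sets[idx] = {g for g, _ in guests if g != vm}
    return [sets.get(i, set()) for i in range(REPLICAS)]


def placement_is_valid(placement):
    """True iff every VM has exactly REPLICAS replicas and the sets of other
    VMs coresident with its replicas are pairwise disjoint."""
    indexes = {}
    for guests in placement.values():
        for guest, idx in guests:
            indexes.setdefault(guest, []).append(idx)
    for vm, idxs in indexes.items():
        if sorted(idxs) != list(range(REPLICAS)):
            return False  # missing or duplicated replica
        for s, t in combinations(coresident_sets(placement, vm), 2):
            if s & t:
                return False  # some VM is coresident with two replicas
    return True


def observed_timing(replica_times):
    """Timing released to the guest/observer: the median across replicas
    (assumed combining rule for this example)."""
    if len(replica_times) != REPLICAS:
        raise ValueError("need one timing per replica")
    return median(replica_times)


def max_attacker_influence(honest_times, perturbed_replica, delays):
    """Largest shift in the observed timing that a VM coresident with a single
    replica can cause by delaying that replica's event by each of `delays`."""
    base = observed_timing(honest_times)
    shifts = []
    for d in delays:
        t = list(honest_times)
        t[perturbed_replica] += d
        shifts.append(observed_timing(t) - base)
    return max(shifts)


if __name__ == "__main__":
    print("valid placement:", placement_is_valid(PLACEMENT))
    print("bad placement:  ", placement_is_valid(BAD_PLACEMENT))
    honest = [100, 101, 102]  # constructed per-replica event times (us)
    for r in range(REPLICAS):
        print(f"delay replica {r} by up to 1000us -> observed shift",
              max_attacker_influence(honest, r, [1, 10, 1000]))
```

With a valid placement, delaying any one replica by an arbitrary amount moves the observed timing by at most the spread between the two unaffected replicas (here 1 microsecond), which is what makes the observable timing "similarly likely" whether or not a particular coresident VM is present; with the invalid placement, a single VM could perturb two replicas and steer the median freely.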
