Attacking Cloud through cache based side channel in virtualized environment
All Rights Reserved © 2013 IJARCSEE
Abstract— Emerging trends in computation such as cloud computing require that computation be carried out in remote and hostile environments, where attackers have unlimited access to the devices, the data and the programs. Recent exploration into the unique security challenges of cloud computing has shown that when virtual machines belonging to different customers share the same physical machine, new forms of side channel communication appear. The flexibility of virtual machines running on a cloud service presents a variety of security concerns. However, by only allowing service-provider VMs and enforcing rigorous management of VM images, many of these challenges can be overcome. The handling of security incidents in the cloud, on the other hand, seems much more challenging, as the desires of customers investigating a security breach run contrary to the privacy interests of the cloud service provider. In this paper, we explore cache-based side channel attacks on the cloud along with a few security challenges.
Index Terms— Cloud Computing, Virtualization, Side Channel attack.
I. INTRODUCTION
Cloud Computing is a recent trend in computing that offers dynamic, low cost computing solutions by offloading infrastructure and software costs onto third party organizations who offer software-as-a-service (SaaS) (e.g. Google Apps [1]), platform-as-a-service (PaaS) (e.g. Google App Engine [2]), and infrastructure-as-a-service (IaaS) (e.g. Amazon EC2 [3]). In order to build the necessary environment, cloud service providers (CSP) make heavy use of virtualization to abstract away the underlying hardware for simplicity and flexibility. IaaS cloud services are largely reliant on virtualization technology, which is seen as providing all the security and process isolation a customer might want. Despite the security potentially offered through virtualization techniques, there remain risks of data leakage through implicit channels, namely side channels in the cloud. Recent research has demonstrated how hostile virtual machines (VMs) [5] can potentially extract sensitive data, such as passwords and cryptographic keys, from other VMs resident on the same physical machine by using memory caches as side channels. For such reasons, enterprises often demand physical isolation for their cloud deployments. This paper shows that the threat of side channel attacks in the cloud is real and practical. Virtualization in a cloud context will be examined in Section II. Section III will look at side-channel information leaks, which are particularly critical in a virtualized cloud environment. Section IV will look at cache side channel techniques and their applications in a virtualized environment. Challenges pertaining to security auditing and cloud management will be examined in Section V. Section VI will conclude this paper.
G. SriTeja, Department of Computer Science & Engineering, K L University, Vaddeswaram, Guntur District, Andhra Pradesh
Deepa G.M., Department of Computer Science & Engineering, K L University, Vaddeswaram, Guntur District, Andhra Pradesh
Prof. S. Venkateswarlu, Department of Computer Science & Engineering, K L University, Vaddeswaram, Guntur District, Andhra Pradesh
II. VIRTUALIZATION
With virtualization, resources can be divided or shared among multiple environments, where those environments are not aware of each other. These environments are known as VMs [5], and usually host an OS, referred to as the guest OS. When a VM needs to interact with the hardware, instructions are passed directly to the physical hardware in order to decrease latency and to operate more efficiently. However, virtualization is also billed as a powerful security apparatus when, in reality, the very flexibility offered by virtualization can create security concerns [8]. The key issues include scaling, diversity, transience, software lifecycle, data lifetime, mobility and identity. Scaling and diversity are problematic because the ease with which virtualization enables the creation of new VMs can lead to an explosive growth in the number of different VMs within an organization. This problem is compounded by the fact that VMs can regularly appear and disappear from an organization's network or become dormant for long periods of time. Additionally, numerous dormant VMs can make it difficult to completely eliminate worms or viruses from a virtualized cloud environment, as a dormant infected VM can re-emerge and cause new outbreaks of a piece of malware. Furthermore, the ability to roll back a VM to an earlier version runs the risk of un-patching a previously patched security hole (software lifecycle) or even un-deleting sensitive data such as personal information or cryptographic keys (data lifetime). The mobility of VMs is problematic because if a physical machine is compromised then any VM on that machine may potentially be compromised. This means that the user of a VM has to consider the security of every machine that previously played host to their VM. Cloud offerings such as Amazon's EC2 [1] offer a specific set of VM images which can be deployed, and
these images are tied directly to user accounts. This effectively eliminates issues with VM diversity and establishes clear VM ownership. If a cloud provider allows any customer VM to be executed within its VMM, this step presents a security concern and more aggressive VM isolation may be necessary.
Perhaps by using virtual LANs a provider can achieve a certain measure of network isolation between co-located virtual machines. Issues with rollback and data lifetime are more subtle. A cloud provider could potentially provide a VM and corresponding infrastructure that is logically separated from the rest of their cloud environment. VMs which are rolled back, or have not been adequately patched, would be required to run in this isolated environment; only once patched would a client be able to execute their VM outside of the isolated environment. Such a strategy could be improved by having the cloud provider identify the specific versions of software running on clients' VMs, and compare this information to a database of known vulnerabilities. This way, the service provider could potentially quantify the risks associated with executing a client VM. Such version information might be gathered using virtual machine introspection or using a system service that is installed on all of the VM images provided by the service provider [11].
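The placement policy sketched above (compare the software versions reported by a VM against a vulnerability database, quantify the risk, and confine unpatched or rolled-back VMs to the isolated environment) can be expressed as a small gate. The following is an added example written for this page, not code from the paper or from any cloud provider; the advisory database, the `VULN-EXAMPLE-n` identifiers, the severity scale and the package inventories are all constructed placeholders, and the additive risk score is an assumption rather than a metric the paper defines.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One known-vulnerability record. Identifiers are constructed
    placeholders (VULN-EXAMPLE-n), not real advisories."""
    ident: str
    package: str
    fixed_in: str        # first version that carries the fix
    severity: int        # 1 (low) .. 10 (critical); an assumed scale


# Constructed vulnerability database standing in for the provider's real one.
ADVISORY_DB = [
    Advisory("VULN-EXAMPLE-1", "openssl", "1.0.1", 9),
    Advisory("VULN-EXAMPLE-2", "openssl", "1.0.2", 5),
    Advisory("VULN-EXAMPLE-3", "httpd", "2.4.10", 7),
    Advisory("VULN-EXAMPLE-4", "kernel", "3.13.5", 8),
]

# Constructed inventories, as an in-VM agent or introspection might report them:
# one image rolled back to older packages, one fully current.
ROLLED_BACK_IMAGE = {"openssl": "1.0.0", "httpd": "2.4.9", "kernel": "3.13.5"}
CURRENT_IMAGE = {"openssl": "1.0.2", "httpd": "2.4.10", "kernel": "3.13.5"}


def parse_version(text):
    """'2.4.10' -> (2, 4, 10); tuple comparison then gives the usual ordering."""
    return tuple(int(part) for part in text.split("."))


def assess_image(inventory, advisories=ADVISORY_DB):
    """inventory maps package -> installed version. Returns the advisories
    the image is still exposed to (installed version older than the fix)."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is None:
            continue                      # package absent: advisory does not apply
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append(adv)
    return findings


def risk_score(findings):
    # Additive risk quantification; an assumption, not the paper's metric.
    return sum(f.severity for f in findings)


def placement_decision(inventory, advisories=ADVISORY_DB):
    """Apply the policy from the text: a VM with unpatched software stays in
    the isolated environment until it is brought up to date."""
    findings = assess_image(inventory, advisories)
    zone = "isolated" if findings else "shared"
    return zone, findings


if __name__ == "__main__":
    for name, inv in (("rolled_back", ROLLED_BACK_IMAGE), ("current", CURRENT_IMAGE)):
        zone, found = placement_decision(inv)
        print(name, zone, risk_score(found), [f.ident for f in found])
```

The version comparison is deliberately naive (dotted integers only); distribution package versions with epochs, release suffixes or backported fixes need the distribution's own comparison routine, which is exactly why the paper suggests the provider, not the customer, maintains this database.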
III. SIDE CHANNEL INFORMATION LEAKAGE
Side channels are a well known type of security attack in multi-user computer systems [6]. Information can be leaked through electromagnetic signals, virtual memory [9], network stacks and channels [7,10], processor caches [12,13], CPU usage metrics, input devices [15], etc. Compared to other covert channel media, the processor cache is more attractive for exploitation, because its high speed of operation and its low placement in the system hierarchy can bypass many high level isolation mechanisms. Thus, cache-based covert channels have attracted serious attention in recent studies.
IV. CACHE BASED SIDE CHANNEL
Ristenpart et al. first introduced the concept of cross-VM covert channels [4]. The basic idea is to construct certain patterns of contention on the hardware resources shared by two co-located VMs and use the contention patterns to encode information. For example, to send a single bit via a shared hard disk, attackers may let both the sender and the receiver VMs operate on large files concurrently for a specific period of time. During that time, the sender can choose to read files or do nothing to represent bit one or zero. At the same time, the receiver can distinguish the two by timing its own disk operations and decoding the information. Based on the above idea, Ristenpart et al. implemented three proof-of-concept covert channels on EC2: a 0.006 bps channel using memory bus contention, a 0.0005 bps channel using hard disk contention, and a 0.2 bps channel using L2 cache contention [4]. The L2 cache-based information encoding scheme can be summarized as follows: all the cache lines are divided into two subsets (a and b). To send a bit, the sender evicts the receiver's cache content from the cache lines corresponding to one subset and leaves the other untouched, by accessing the memory addresses mapped to the chosen cache lines. Then, the receiver can decode the information by comparing the timing in accessing the two subsets separately: if subset a takes significantly longer to read than subset b, it is bit one; otherwise it is bit zero. This process is illustrated by Figure 2. In the ideal case, the minimum time to send a bit using the L2 cache is the sender's write time (Tw) plus the receiver's read time (Tr). This ideal case can be summarized using protocol P1 [16]. Aviram et al. offer a technique for potentially combating side-channel information leaks [17].
Figure 1: Virtual Machine (VM). (a) Before virtualization: applications and the operating system run directly on the physical hardware (CPU, memory, disk, NIC). (b) After virtualization: a virtualization layer (or abstraction layer) sits between the physical hardware and each VM's operating system and applications.
Figure 2: An illustration of a side channel using L2 cache to encode information. For each bit, the sender evicts half of the cache lines from the L2 cache saturated previously by the receiver. The receiver then decodes the information by measuring the difference of timing in accessing different subsets of the cache.
Ultimately, if side-channel attacks are a serious point of concern for prospective cloud customers, it might be preferable for customers to pay the cloud provider to ensure that none of the customer's VMs reside on the same hardware as other customers' VMs. This completely eliminates the risk of side-channel attacks in a virtualized cloud environment. However, covert channels become significant when communication is (supposedly) forbidden by information flow control (IFC) mechanisms such as sandboxing and IFC kernels [14].
Algorithm 1: Classic Cache Channel Protocol (P1)
Cache[N]: A shared processor cache, conceptually divided into N regions. Each cache region can be put in one of two states, cached or flushed.
DSend[N], DRecv[N]: N-bit data to transmit and receive, respectively.

Receiver Operations:
  for i := 0 to N − 1 do
    Access memory mapped to Cache[i];            {Put Cache[i] into the cached state}
  end for
  (Wait for sender to prepare the cache)
  for i := 0 to N − 1 do
    Timed access memory mapped to Cache[i];      {Detect the state of Cache[i] by latency}
    if AccessTime > Threshold then
      DRecv[i] := 1;                             {Cache[i] is flushed}
    else
      DRecv[i] := 0;                             {Cache[i] is cached}
    end if
  end for

Sender Operations:
  (Wait for receiver to initialize the cache)
  for i := 0 to N − 1 do
    if DSend[i] = 1 then
      Access memory mapped to Cache[i];          {Put Cache[i] into the flushed state}
    end if
  end for
  (Wait for receiver to read the cache)
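To make the two encodings concrete (the two-subset L2 scheme of Ristenpart et al. described in Section IV and the per-region protocol P1 of Algorithm 1) the following simulation models Cache[N] as an array of regions that record whose data currently occupies them, rather than touching real hardware. It is an added example written for this page, not code from the paper or from the cited works; the hit/miss latencies, the threshold, the "other tenant" eviction probability and the seed are constructed assumptions. The simulation also shows an asymmetry that matters when judging how reliable such a channel is: unrelated co-tenant activity can only turn a transmitted 0 into a received 1, never the reverse, because an evicted region stays evicted until the receiver reloads it.

```python
import random

# Constructed latency model (arbitrary cycles): fast when the receiver's own
# data is still resident in a region, slow when someone else has evicted it.
HIT_LATENCY = 40
MISS_LATENCY = 300
THRESHOLD = 150          # the "Threshold" of Algorithm 1


class SimCache:
    """Cache[N] of Algorithm 1. Each region records which VM's data occupies it;
    accessing memory mapped to a region loads the caller's data and evicts the
    previous occupant. From the receiver's view a region is 'cached' when the
    owner is "receiver" and 'flushed' otherwise."""

    def __init__(self, n):
        self.owner = [None] * n

    def access(self, i, vm):
        hit = self.owner[i] == vm
        self.owner[i] = vm
        return HIT_LATENCY if hit else MISS_LATENCY


def receiver_prime(cache):
    # Receiver puts every region into the cached state.
    for i in range(len(cache.owner)):
        cache.access(i, "receiver")


def sender_transmit(cache, bits):
    # Sender flushes region i (evicts the receiver's data) only where DSend[i] = 1.
    for i, bit in enumerate(bits):
        if bit:
            cache.access(i, "sender")


def receiver_probe(cache, threshold=THRESHOLD):
    # Receiver times each region; latency above the threshold means flushed -> 1.
    return [1 if cache.access(i, "receiver") > threshold else 0
            for i in range(len(cache.owner))]


def co_tenant_noise(cache, rng, p):
    # Unrelated tenants also use the cache: each region is evicted with probability p.
    for i in range(len(cache.owner)):
        if rng.random() < p:
            cache.access(i, "other")


def run_p1(bits, noise_p=0.0, seed=0):
    """One round of protocol P1 over N = len(bits) regions; returns DRecv."""
    rng = random.Random(seed)
    cache = SimCache(len(bits))
    receiver_prime(cache)
    co_tenant_noise(cache, rng, noise_p)     # interference between prime and send
    sender_transmit(cache, bits)
    co_tenant_noise(cache, rng, noise_p)     # interference between send and probe
    return receiver_probe(cache)


def two_subset_decode(bit, n=8):
    """L2 encoding of Section IV: the sender evicts subset a to send a 1 and
    subset b to send a 0; the receiver compares the total read time of the two."""
    cache = SimCache(n)
    receiver_prime(cache)
    a, b = range(0, n // 2), range(n // 2, n)
    for i in (a if bit else b):
        cache.access(i, "sender")
    t_a = sum(cache.access(i, "receiver") for i in a)
    t_b = sum(cache.access(i, "receiver") for i in b)
    return 1 if t_a > t_b else 0


def ideal_bits_per_second(tw, tr):
    # Ideal case from the text: one bit costs the sender's write time Tw plus
    # the receiver's read time Tr (both in seconds).
    return 1.0 / (tw + tr)


if __name__ == "__main__":
    pattern = [1, 0, 1, 0, 1, 1, 0, 0]
    print("clean  :", run_p1(pattern))
    print("noisy  :", run_p1(pattern, noise_p=0.3))
    print("subsets:", [two_subset_decode(b) for b in pattern])
```

Because noise only inflates ones, a receiver that wants to detect whether it is being used as an unwitting side of such a channel (or a provider evaluating mitigation) should look at the rate of spurious flushes under a known all-zero pattern; raising `THRESHOLD` does not help, since an evicted region always misses.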
V. SECURITY CHALLENGES
Due to the remote nature of cloud services, the ability of a customer to respond to security incidents in their cloud software or VMs is significantly reduced, if not completely eliminated.
A. Challenges with immediate impact
The challenges described in this section are already visibly impacting users and providers. In particular, given the amount of data shared across these infrastructures, data confidentiality, trust relationships and shared reputation are concerning issues.
Data confidentiality: The obvious and, in general, effective measure to protect data confidentiality is encryption. However, encryption is not always a feasible solution, especially for data-intensive applications that require high I/O throughput. Although homomorphic encryption [18] can be exploited to limit decryptions and re-encryptions when data needs to be transformed, at its current stage this solution requires significant effort to be adopted in high-speed, real-world deployments. In addition, encryption is not straightforward when data is distributed. Also, this solution may have a low acceptance rate and, more importantly, raises the issue of data ownership: if remote storage is transparently encrypted (i.e., by the provider), the question arises of to whom the data belongs.
Sharing resources: The security issues typical of shared hosting environments are magnified in the case of highly distributed, in-the-cloud systems that host modern web services. The additional, unperceived complexity due to dynamic resource slicing, allocation, replication and optimization gives each user the illusion of being unique. In reality, each user (e.g., an actual system user or an application) operates in a shared environment with “porous” boundaries. Therefore, users may behave maliciously, or compromise virtualization software, affecting other users and their reputation.
B. Challenges with delayed impact
Debugging and auditing in large-scale, distributed systems unavoidably affect the foundations of secure software development. Although their impact may be delayed, and no incidents can be attributed directly to them as of now, we believe that these obstacles will influence significantly the security of the software developed for, or deployed onto, modern computing infrastructures.
Debugging in large distributed systems: Programmers know how to pinpoint and solve software flaws using debuggers, which allow them to precisely track the execution of even complex, multi-threaded processes and inspect memory contents. This routine task turns out to be a challenging research problem in the case of distributed applications. Besides the intrinsic difficulties that programmers have to face, i.e., understanding what “the memory” or “the process state” even is, debugging tools devised for large-scale distributed systems are quite obtrusive (e.g., they require code annotation). In general, the existing tools are designed for critical systems and suited to C-like languages, rather than web-oriented frameworks. In addition, bugs are difficult to reproduce in local, smaller configurations because testing and development environments might differ significantly from deployment conditions. A less obvious complication that affects debugging is the “invasion” of web development frameworks. Rapid development frameworks are indeed very popular and can significantly speed up the work of a programmer, because they hide many low-level details, exposing powerful abstract primitives. In some notable cases, such frameworks are the hosted service, and thus are tightly coupled with the (cloud) service provider, e.g., Google App Engine. Because debugging modern applications is an inherently difficult task, software flaws may become more prevalent. And, since such flaws are the main cause of security vulnerabilities, these aspects are likely to result in new avenues for intrusions, and thus need to be considered thoroughly.
Auditability: When disasters occur, reconstructing a “picture” of the system's status is vital. From a purely forensic point of view, monitoring and keeping track of a system's activity is as important as debugging. Unfortunately, this might in turn be very difficult in large-scale, service-based systems, since data and processes are distributed rather than contained within well-defined boundaries. Even simple tasks such as collecting logs are naturally more challenging when applications are distributed and provided by different sources (e.g., mash-ups). In case of successful exploitation, a likely event in immature systems, the risk is that the compromised applications might leave insufficient or unreachable tamper evidence. For instance, is it always feasible to access the logs of all those hosted web services leveraged by an application that we developed? Despite the level of abstraction and the transparency offered by modern services, developers should be aware that their software is not running on bare-metal hardware under their full control.
VI. CONCLUSION
This paper has provided a summary and analysis of side channel attacks on the cloud along with related security issues. We presented a novel construction of a high-bandwidth, reliable classic cache side channel protocol. However, the handling of security incidents in the cloud seems much more challenging, as the desires of customers investigating a security breach run contrary to the privacy interests of the cloud service provider.
For the future work, we plan to explore the countermeasures at the cloud provider side which is a highly promising field of research. Not only do cloud providers have control of rich resources, they also have strong incentive to invest in covert channel mitigation, because ensuring covert channel security gives them a clear edge over their competitors.
REFERENCES
[1] Google-Apps, http://docs.google.com/.
[2] Google App Engine, http://code.google.com/appengine/.
[3] Amazon-EC2, http://aws.amazon.com/ec2/.
[4] Ristenpart, T., Tromer, E., Shacham, H., and Savage, S. Hey, you, get out of my cloud! Exploring information leakage in third-party compute clouds.
[5] Matthews, J. Virtual Machine Contracts for Datacenter and Cloud Computing Environments. Clarkson University.
[6] K. Suzaki, K. Iijima, T. Yagi, and C. Artho. Software side channel attack on memory deduplication. page Poster, 2011.
[8] Garfinkel, T., and Rosenblum, M. 2005. When virtual is harder than real: Security challenges in virtual machine based computing environments. In Proceedings of the 10th HotOS.
[9] T. V. Vleck. Timing channels. Poster session, IEEE TCSP conference, 1990.
[10] S. Cabuk, C. E. Brodley, and C. Shields. IP covert timing channels: design and detection.
[11] Wei, J., Zhang, X., Ammons, G., Bala, V., and Ning, P. Managing security of virtual machine images in a cloud environment. 2009.
[12] Z. Wang and R. B. Lee. Covert and side channels due to processor architecture.
[13] C. Percival. Cache missing for fun and profit. In Proceedings of the BSDCan 2005, 2005
[14] N. B. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières. Making information flow explicit in HiStar. Symposium on Operating Systems Design and Implementation (OSDI), 2006.
[15] G. Shah, A. Molina, and M. Blaze. Keyboards and covert channels. In Proceedings of the 15th conference on USENIX Security Symposium, pages 59–75, 2006
[16] W. Hu. Lattice scheduling and covert channels. In Proceedings of the IEEE Symposium on Security and Privacy (S&P '92), pages 52–61, 1992.
[17] Aviram, A., Hu, S., Ford, B., and Gummadi, R. 2010. Determining Timing Channels in Compute Clouds.
[18] C. Gentry. Fully homomorphic encryption using ideal lattices. In STOC '09: Proceedings of the 41st annual ACM symposium on Theory of computing, pages 169–178, New York, NY, USA, 2009. ACM.
BIOGRAPHIES
G. Sriteja received the B.Tech degree in Computer Science and Engineering from Acharya Nagarjuna University, Guntur District, Andhra Pradesh, India in 2011. She is currently pursuing the M.Tech in Computer Science and Engineering at K L University, Vaddeswaram, Guntur District, Andhra Pradesh. Her areas of interest include Embedded Systems and Cloud Computing.
Deepa G.M. is currently pursuing the M.Tech in Computer Science and Engineering at K L University, Vaddeswaram, Guntur District, Andhra Pradesh. Her areas of interest include Data Mining, Networking and Cloud Computing.