Co-Resident Watermarking
Abstract
Virtualization is the cornerstone of cloud computing, allowing providers to instantiate multiple virtual machines on a single set of physical resources. Customers utilize cloud resources alongside unknown and untrusted parties, creating the co-resident threat: there is a possibility of unauthorized access to sensitive customer data through the exploitation of covert channels. Previous approaches to determining and exploiting co-residency require the ability to examine and manipulate internal hardware on these machines, behavior that can be patched or otherwise defended. We describe a new attack called co-resident watermarking that allows co-residents to inject a watermark into the network flow of a target instance. This watermark can be used to exfiltrate and broadcast co-residency data from the physical machine, compromising isolation without reliance on internal side channels. We evaluate co-resident watermarking under various network conditions and system configurations, showing co-residency can be determined in under 60 seconds and that a covert channel bitrate of 1.91 bps can be achieved. This work represents a first step in characterizing the co-resident watermarking threat.
Intellectual Merit
Our approach uses concepts previously explored in network flow watermarking. Watermarking is a method of breaking anonymity by tracing the path of a network flow. A target’s traffic is subjected to controlled packet delay at an institutional boundary in order to give it a distinct and recognizable pattern. When the traffic exits the institutional boundary, that pattern is still present and can be decoded. Watermarking is of great interest because of its ability to detect stepping stone relays and to compromise anonymity services.
Broader Impact
Through third party clouds, businesses are able to avoid overprovisioning and pay for only the exact amount of computing that they require. The key to allowing the rollout of these services is virtualization, where physical resources and multiple guest virtual machines can be multiplexed on a single physical machine. However, new security challenges come forth as users are now potentially vulnerable to the actions of others allocated to their same physical machine: they no longer solely control resources. Researchers have already demonstrated attacks against virtualization middleware that allow for the detection and exploitation of co-residency. However, systems-level vulnerabilities such as these could eventually be resolved by patching the hypervisor. We are attempting to demonstrate that even if other channels for establishing co-residency are removed, we can determine whether an adversarial guest is co-resident with a targeted server through observation of network traffic.
Use of FutureGrid
We will be using FutureGrid to reinforce the results from in our lab. After launching our own instance that serves as our target, we will use our approach to co-locate another one of our instances to that target. Our work will not impact other users of Futuregrid.
Scale Of Use
We will need to periodically launch several VMs for an experiment. Each trial will not last more than a couple of hours.
Publications
- [fg-2231] Bates, A., B. Mood, J. Pletcher, H. Pruse, M. Valafar, and K. Butler, "Detecting Co-Residency with Active Traffic Analysis Techniques", ACM, 10/2012
Results
http://ix.cs.uoregon.edu/~amb/documents/Bates_Ccsw12.pdf
Futuregrid is a resource provider for