Label-based Defenses Against Side Channel Attacks in PaaS Cloud Infrastructure

Size: px

Start display at page:

Download "Label-based Defenses Against Side Channel Attacks in PaaS Cloud Infrastructure"

Jessica Austin
5 years ago
Views:

1 Label-based Defenses Against Side Channel Attacks in PaaS Cloud Infrastructure Read Sprabery, Konstantin Evchenko, Abhilash Raj*, Shivana Wanjara*, Sibin Mohan, Rakesh Bobba*, Roy H. Campbell University of Illinois at Urbana-Champaign *Oregon State University

de channel hel ped t o ext ract a secret key

2 Why do we care? Fi r st at t empt s t o ext r act sensi t i ve i nf or mat i on go back i n 2005 Thi s wor k has been ext ended i n many ways I n 2012, cache si de channel hel ped t o ext ract a secret key across VMs I n 2014, t he at t ack was successful l y demonst rat ed i n a publ i c cl oud 2

3 Focus CPU Cac he- based S a me - cor e Cr o s s - cor e No t CPU Ca c h e - based ( Ne t wo r k, Di sk, et c) Pr i me+pr obe Si de Channel s i n Cl oud 3

4 Background: Modern Cache Architecture Cor e 0 Cor e 1 Cor e 2 Cor e 3 L1- I L1- D L1- I L1- D L1- I L1- D L1- I L1- D L2 L2 L2 L2 CPU L3 L3 L2 L1 Li ne 1 Li ne 2 Li ne 3 Li ne 4 0x x4005A6 0x4005E6 0x Li ne N 0x Cache 64 Byt es Memor y 4

5 Background: Cache Allocation Technology Cache Li ne Cache Li ne Cache Li ne Cache Li ne Cache Set Cache Li ne Cache Li ne Cache Li ne Cache Li ne Cache Set Cache Li ne Cache Li ne Cache Li ne Cache Li ne Cache Set Cache Li ne Cache Li ne Cache Li ne Cache Li ne Cache Set Co r e 1 Co r e 2 Co r e 3 Cache Way Cache Way Cache Way Cache Way Mi s s CAT Partition CAT Partition Hi t 5

6 Background: Attack Example if (!key[i]) access( ) Core 1 (Victim) Core 2 (Attacker) if ( key[ i ] ) access( ) while (1) { access( ) //prime access( ) i dl e( ) //let victim run t i me_access( ) / / pr obe t i me_access( ) } Cache Set Cache Set Cache Set Cache Set Cache Set Cache Set Cache Set Cache Set LLC Memor y 6

7 Background: Linux Containers App App App App VM1 VM2 App App App Container 1 Container 2 Container 3 Hypervisor Linux OS Node Node Just a process within the kernel Isolated with cgroups and namespaces Scheduled by default Linux scheduler 7

8 Initial System Design Secure partition per core is expensive, stay tuned 8

9 Introducing labels Or gani zat i on 1 Organization 2 No t r ust Tr us t Tr us t Tr ust ed Ker nel 9

10 Mitigation: Naive Approach App 1 App 2 App 3 App 4 Co r e 1 Cache Par t i t i on 1 ( Shar ed) Ti me App 4 App 1 App 3 App 4 Co r e 2 Or gani zat i on 1 Ap p Or gani zat i on 2 Ap p Or gani zat i on 3 Ap p App 1 App 2 App 4 App 3 Co r e 3 Fl ushi ng t he cache el i mi nat es i nf or mat i on l eak By usi ng CAT we assi gn smal l er par t i t i on t o secur i t y- sensi t i ve apps Fl ushi ng smal l er par t i t i on r educes over head Cache Par t i t i on 2 ( Pr ot ect ed) Or gani zat i on 1 Ap p Or gani zat i on 2 Ap p Or gani zat i on 3 Ap p LLC Fl us h 10

11 Mitigation: Improved Approach Ti me App 1 App 2 App 3 App 4 App 2 App 3 App 4 Core 3 Core 4 Cache Par t i t i on 2 ( Pr ot ect ed) Organization 1 App Organization 2 App Organization 3 App LLC Flush Gang-schedule apps from the same organization Reduces the number of flushes Potentially increases idling (workload-dependent) 11

12 Implementation: Cgroup Hierarchy Root Cgr oup Or g Cgr oups Cont ai ner Cgr oups Ta s ks 12

13 Follow-the-leader Algorithm Ti me Cor e 1 ( Leader ) Cor e 2 ( Fol l ower ) Gang Or der Pick Gang Ker nel Round Over Ker nel LLC Flush Ac k New Round Pick Gang Ker nel Round Over Ker nel LLC Flush Ac k New Round Ker nel Pick Gang Ker nel Round Over Ker nel Ac k New Round 13

14 Challenges Reducing the idle time Minimizing flushing overhead Improving synchronization overhead Reducing amount of gang switches Improving fairness Scalability to the number of cores in secure partitions 14

15 Initial results 15

16 Complementary work Container Live Migration recently introduced by: Virtuozzo runc Jelastic Possible to combine the approach with Nomad 16

17 Future Work Improve the cost of synchronization Move to lazy-per-core gang changing Using advanced features of CAT Dynamically change cache partitions No leader is needed Significantly reduces synchronization Extend Docker framework for Flush+Reload mitigation Extensive performance evaluation 17

18 Discussion Pros Transparent to apps Non-secure apps are not affected (almost) Easy to deploy Secure by design (not probabilistic defense) Cons Requires the notion of organization Requires separating apps (secure/nonsecure) Requires CAT Potential overheads for secure apps 18

Cauldron: A Framework to Defend Against Cache-based Side-channel Attacks in Clouds

Cauldron: A Framework to Defend Against Cache-based Side-channel Attacks in Clouds Mohammad Ahmad, Read Sprabery, Konstantin Evchenko, Abhilash Raj, Dr. Rakesh Bobba, Dr. Sibin Mohan, Dr. Roy Campbell