Go back to homepage.
Security of Cloud Multi-Tenancy
With its massive pooling and multiplexing of computing resources, the cloud offers enterprises the prospect of lower IT costs, lighter administrative burdens, and rapid scaling of resources. Security, however, is a major impediment to enterprise adoption of public clouds, i.e., clouds administered by third parties. By relinquishing control over their IT resources, cloud tenants expose themselves to the security choices and mistakes of their providers. Because many tenants share common pools of hardware, the cloud makes strange bedfellows. Businesses may find themselves sharing adjacent or overlapping computing resources with partners, suppliers, competitors, or attackers.
Strong isolation among tenants is therefore a pillar of secure cloud computing. Logical isolation of computing resources can help protect against poorly or inadequately implemented or conceived access-control policies. However, because VMs that execute on the same physical machine share a range of hardware resources: computing, memory, and so forth, even when solid logical isolation ensures against abuse of explicit logical channels, shared hardware creates a variety of security vulnerabilities.
In the following projects, we have explored the confidentiality
, and availability
of computations in public multi-tenancy clouds.
Understanding the attack surface:
Side channel defenses:
- (ATC'18) Peeking Behind the Curtains of Serverless Platforms
Serverless computing is an emerging paradigm in which an application's resource provisioning and scaling are managed by third-party services. In this project, we conducted the largest measurement study to date, launching more than 50,000 function instances across AWS Lambda, Azure Functions, and Google Cloud Functions, in order to characterize their architectures, performance, and resource management efficiency. We explain how the platforms isolate the functions of different accounts, using either virtual machines or containers, which has important security implications. The research was a collaborative research between University of Wisconsin, Cornell Tech, and OSU.
Media coverage: Jaxenter
- (Security'15) A Placement Vulnerability Study in Multi-Tenant Public Clouds
In this project, we investigated VM placement vulnerabilities and quantitatively evaluated three popular public clouds for their susceptibility to co-location attacks. We found new ways to reliably test for co-location across Amazon EC2, Google GCE, and Microsoft Azure. We also found ways to detect co-location with victim web servers in a multi-tiered cloud application located behind a load balancer. It was a collaborative research between University of Wisconsin, Cornell Tech, and OSU.
- (CCS'14) Cross-Tenant Side-Channel Attacks in PaaS Clouds
In this project, we developed a new attack framework for conducting Flush-Reload based cache-based side-channel attacks and demonstrated this framework in attacks between tenants on commercial Platform-as-a-Service (PaaS) clouds.
- (CCS'12) Cross-VM Side Channels and Their Use to Extract Private Keys
This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine extracts fine-grained information from a victim VM running on the same physical computer. This attack is the first such attack demonstrated on a symmetric multiprocessing system virtualized using a modern VMM (Xen). The paper has been fortunately cited very broadly.
Media coverage: HackerNews,
- (TDSC 2018) CPU Elasticity to Mitigate Cross-VM Runtime Monitoring
In this project, we present CREASE (CPU Resource Elasticity as a Service), a technique enabling a VM to purchase a higher clock rate from the cloud, through lowering the frequency of others, to support its security-critical operations within a short period. During that period, the weakened peer becomes unable to catch up with the pace of the strengthened principal, therefore losing the capability to effectively collect its sensitive information. The performance impact on the peer is made up through refunding schedule credits or service credits, in line with the service level agreement of today's cloud. At the center of our design is the novel application of on-demand frequency scaling and schedule quantum randomization, together with a situation-awareness mechanism that dynamically assesses the security risk posed by the peer.
- (CCS'16) A Software Approach to Defeating Side Channels in Last-Level Caches
In this project, we designed a software approach to mitigate access-driven side-channel attacks that leverage last-level caches shared across cores to leak information between security domains (e.g., tenants in a cloud). Our approach dynamically manages physical memory pages shared between security domains to disable sharing of LLC lines, thus preventing "Flush-Reload" side channels via LLCs. It also manages cacheability of memory pages to thwart cross-tenant "Prime-Probe" attacks in LLCs.
- (RAID'16) CloudRadar: A Real-Time Side-Channel Attack Detection System in Clouds
In this project, we designed and implemented a system called CloudRadar to detect, and hence mitigate, cache-based side-channel attacks in multi-tenant cloud systems. CloudRadar operates by correlating two events: first, it exploits signature-based detection to identify when the protected virtual machine executes a cryptographic application; at the same time, it uses anomaly-based detection techniques to monitor the co-located VMs to identify abnormal cache behaviors that are typical during cache-based side-channel attacks. We show that correlation in the occurrence of these two events offer strong evidence of side-channel attacks.
- (CCS'13) Düppel: Retrofitting Commodity Operating Systems to Mitigate Cache Side Channels in the Cloud
This paper presents the design, implementation and evaluation of a system called Düppel that enables a tenant virtual machine to defend itself from cache-based side-channel attacks on time-shared caches such as per-core L1 and L2 caches in public clouds. Düppel requires no changes to hypervisors or support from cloud operators.
- (Oakland'11) HomeAlone: Co-Residency Detection in the Cloud via Side-Channel Analysis
In this project, we designed a system that lets a tenant verify its VMs' exclusive use of a physical machine in public clouds. The key idea in HomeAlone is to invert the usual application of side channels. Rather than exploiting a side channel as a vector of attack, HomeAlone uses a side-channel as a novel, defensive detection tool. By analyzing cache usage during periods in which "friendly" VMs coordinate to avoid portions of the cache, a tenant using HomeAlone can detect the activity of a co-resident "foe" VM.
Media coverage: MIT Technology Review
- (Security'16) One Bit Flips, One Cloud Flops: Cross-VM Row Hammer Attacks and Privilege Escalation
Row hammer attacks exploit electrical interactions between neighboring memory cells in high-density DRAM to induce memory errors. By rapidly and repeatedly accessing DRAMs with specific patterns, an adversary with limited privilege on the target machine may trigger bit flips in memory regions that he has no permission to access directly. In this project, we explored row hammer attacks in cross-VM settings, in which a malicious VM exploits bit flips induced by row hammer attacks to crack memory isolation enforced by virtualization. Our study suggests that row hammer attacks are practical in modern public clouds where Xen paravirtualization technology is adopted. The paper was selected top 10 Finalists of CSAW Best Applied Research Paper Award in 2016.
- (AsiaCCS'17) DoS Attacks on Your Memory in the Cloud
Memory DoS attacks are Denial of Service (or Degradation of Service) attacks caused by contention for hardware memory resources on a cloud server. Despite the strong memory isolation techniques for virtual machines enforced by the software virtualization layer in cloud servers, the underlying hardware memory layers are still shared by the VMs and can be exploited by a clever attacker in a hostile VM co-located on the same server as the victim VM, denying the victim the working memory he needs. In this project, we showed quantitatively the severity of contention on different memory resources in the Amazon EC2 cloud. Then, we designed an effective, new defense against these memory DoS attacks, using a statistical metric to detect their existence and execution throttling to mitigate the attack damage.