Limiting cache-based side-channel in multi-tenant cloud using dynamic page coloring
- 1 June 2011
- conference paper
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE) in 2011 IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops (DSN-W)
Abstract
Multi-tenant cloud, which features utility-like computing resources to tenants in a “pay-as-you-go” style, has been commercially popular for years. As one of the sole purposes of such a cloud is maximizing resource usages to increase its revenue, it usually uses virtualization to consolidate VMs from different and even mutually-malicious tenants atop a powerful physical machine. This, however, also enables a malicious tenant to steal security-critical information such as crypto keys from victims, due to the shared physical resources such as caches. In this paper, we show that stealing crypto keys in a virtualized cloud may be a real threat by evaluating a cache-based side-channel attack against an encryption process. To mitigate such attacks while not notably degrading performance, we propose an approach that leverages dynamic cache coloring: when an application is doing security-sensitive operations, the VMM is notified to swap the associated data to a safe and isolated cache line. This approach may eliminate cache-based side-channel for security-critical operations, yet ensure efficient resource sharing during normal operations. We demonstrate the applicability by illustrating a preliminary implementation based on Xen and its performance overhead.Keywords
This publication has 8 references indexed in Scilit:
- Hey, you, get off of my cloudPublished by Association for Computing Machinery (ACM) ,2009
- Towards practical page coloring-based multicore cache managementPublished by Association for Computing Machinery (ACM) ,2009
- A Simple Cache Partitioning Approach in a Virtualized EnvironmentPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2009
- Reducing the harmful effects of last-level cache polluters with an OS-level, software-only pollute bufferPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2008
- IntelŴVirtualization Technology: Hardware Support for Efficient Processor VirtualizationIntel Technology Journal, 2006
- A Side-Channel Analysis Resistant Description of the AES S-BoxLecture Notes in Computer Science, 2005
- Xen and the art of virtualizationPublished by Association for Computing Machinery (ACM) ,2003
- The TLB slice—a low-cost high-speed address translation mechanismACM SIGARCH Computer Architecture News, 1990