Xen Bhanu Vattikonda with Sambit Das and Hovav Shacham 2 Motivation Project goals Goals of the paper Discussion Future work Motivation 3 Recent research efforts have shown that covert channel attacks are possible in the cloud using fine grained timers ID: 480252
Download Presentation The PPT/PDF document "Eliminating Fine Grained Timers in" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Eliminating Fine Grained Timers in Xen
Bhanu Vattikondawith Sambit Das and Hovav ShachamSlide2
2
Motivation
Project goals
Goals of the paper
Discussion
Future workSlide3
Motivation
3Recent research efforts have shown that covert channel attacks are possible in the cloud using fine grained timers [Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds,
Ristenpart
et al.]
Presence of covert channels indicates
the likelihood of side channelsSide channels could be exploited to obtain confidential information from the victim VMSlide4
Motivation
4
Some attacks
do not require fine grained timers:
Determining whether two VMs are co-resident
This is done by using network addresses and verifying that the dom0 IP address is the same for both the VMs
Server
VM
1
VM
2
dom0
Prober
Traceroute
probesSlide5
Motivation
5Whereas some attacks require access to fine grained timers:Sanboxed VMs can communicate using cache as a covert channel
This attack assumes that the VMs are co-located
Load cache and de-schedule
1
Disturb cache
2
High read time for loaded data
3
Load cache and de-schedule
1
Do nothing
2
Low read time for loaded data
3
Sender
Receiver
Send “1”
Send “0”Slide6
6
Motivation
Project goals
Goals of the paper
Discussion
Future workSlide7
Project goals
7Prevent covert channel and side channel attacksEliminating access to fine grained timers could prevent such
attacks [Reducing timing channels with fuzzy time, Wei-Ming
Hu
]Slide8
8
Motivation
Project goals
Goals of the paper
Discussion
Future workSlide9
Goals of the paper
9Can fine grained timers be eliminated from the system?What impact does it have on the utility of the system?
How coarse can the timers be?Slide10
Not addressed in the paper
10
Thorough
evaluation of security benefits
Preventing alternative attack strategies to obtain fine grained timersSlide11
Can fine grained timers be eliminated from the system?
11
Various sources of fine grained timers
RDTSC
instruction
(cycle counter on x86 processors)
gettimeofday
clock_gettime
System time read by
gettimeofday
and
clock_gettime
gets updated using the value of
RDTSC
register
Modifying value returned by RDTSC instruction should affect all timersSlide12
Can fine grained timers be eliminated from the system?
12
Yes!
Xen
has a mode in which it traps and emulates the
RDTSC instructionSlide13
Can fine grained timers be eliminated from the system?
13In our experiments, we returned the actual RDTSC value rounded off to a certain number of cycles
To measure the impact, we measure the difference between return values of consecutive
RDTSC
instructionsSlide14
What impact does it have on the utility of the system?
14We evaluate the impact of clock fuzziness on a small testbed of two machines running Xen
4.0.1 on Centos 5.5
Server
1
VM
1
Server
2
VM
2Slide15
What impact does it have on the utility of the system?
15
Compute intensive job
s are not affected
We run a fast
fourier
transform and measure the completion timeSlide16
What impact does it have on the utility of the system?
16
Network performance
is not affected either, impact on throughput and RTT is insignificant
RTT is measured using a UDP based ping between the VMs
Throughput is measured using a long lasting TCP flow between the VMsSlide17
What impact does it have on the utility of the system?
17
Negligible impact on the finish times of all to all transfer
The two VMs send 1GB of data to each other and we measure the completion timeSlide18
What impact does it have on the utility of
the system?18
Performance of Apache web server
is also unaffected
Requests per second measured by requesting
a ~200KB
file
Throughput measured by requesting
a
~15MB file from a web server running on the VMSlide19
19
Motivation
Project goals
Goals of the paper
Discussion
Future workSlide20
How coarse can the timers be?
Para-virtualized system becomes unusable at a fuzziness of 10000 cycles (10s of microseconds)In the case of fully virtualized systems the system becomes unusable at a fuzziness of 100 million cycles (100s of milliseconds)Slide21
How coarse can the timers be?
Performance
of TCP applications begins
to degrade at high fuzziness (1ms
)
Performance of other applications is not affected
It should be possible to modify granularity of clock to 100s of microsecondsSlide22
Fine grained timing using userspace
counter22On a multi-processor system, a thread can be dedicated to
maintain a
counter and used in place of
RDTSC
counter
The amount of time taken for a constant number of
nops
has varianceSlide23
23
Motivation
Project goals
Goals of the paper
Discussion
Future workSlide24
Future work
24Push the limit on coarseness of the timer in the case of para-virtualized system
We only explored a step function for eliminating fine grained timers, other functions need to be explored
Evaluate the feasibility of existing attack strategies on the modified systemSlide25
Summary
25Fine grained timers in Xen can be eliminated
Performance of typical cloud based applications is not affected by the elimination of fine grained
timers
Security benefits achieved due to the elimination of timers must be evaluated
Impact of using other methods to obtain fine grained timers, on security must be evaluatedSlide26
Thank you!
26