Cloudradar: A real-time side-channel attack detection system in clouds

Tianwei Zhang; Yinqian Zhang; Ruby B. Lee

doi:10.1007/978-3-319-45719-2_6

Cloudradar: A real-time side-channel attack detection system in clouds

Tianwei Zhang, Yinqian Zhang, Ruby B. Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

114 Scopus citations

Abstract

We present CloudRadar, a system to detect, and hence mitigate, cache-based side-channel attacks in multi-tenant cloud systems. CloudRadar operates by correlating two events: first, it exploits signature-based detection to identify when the protected virtual machine (VM) executes a cryptographic application; at the same time, it uses anomaly-based detection techniques to monitor the co-located VMs to identify abnormal cache behaviors that are typical during cache-based side-channel attacks. We show that correlation in the occurrence of these two events offer strong evidence of side-channel attacks. Compared to other work on side-channel defenses, CloudRadar has the following advantages: first, CloudRadar focuses on the root causes of cachebased side-channel attacks and hence is hard to evade using metamorphic attack code, while maintaining a low false positive rate. Second, CloudRadar is designed as a lightweight patch to existing cloud systems, which does not require new hardware support, or any hypervisor, operating system, application modifications. Third, CloudRadar provides real-time protection and can detect side-channel attacks within the order of milliseconds. We demonstrate a prototype implementation of CloudRadar in the OpenStack cloud framework. Our evaluation suggests CloudRadar achieves negligible performance overhead with high detection accuracy.

Original language	English (US)
Title of host publication	Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings
Editors	Marc Dacier, Fabian Monrose, Gregory Blanc, Joaquin Garcia-Alfaro
Publisher	Springer Verlag
Pages	118-140
Number of pages	23
ISBN (Print)	9783319457185
DOIs	https://doi.org/10.1007/978-3-319-45719-2_6
State	Published - 2016
Event	19th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2016 - Paris, France Duration: Sep 19 2016 → Sep 21 2016

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	9854 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	19th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2016
Country/Territory	France
City	Paris
Period	9/19/16 → 9/21/16

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Computer Science(all)

Keywords

Attack detection
Cloud computing
Mitigation
Performance counters
Side-channel attacks

Access to Document

10.1007/978-3-319-45719-2_6

Cite this

Zhang, T., Zhang, Y., & Lee, R. B. (2016). Cloudradar: A real-time side-channel attack detection system in clouds. In M. Dacier, F. Monrose, G. Blanc, & J. Garcia-Alfaro (Eds.), Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings (pp. 118-140). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9854 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-45719-2_6

Zhang, Tianwei ; Zhang, Yinqian ; Lee, Ruby B. / Cloudradar : A real-time side-channel attack detection system in clouds. Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings. editor / Marc Dacier ; Fabian Monrose ; Gregory Blanc ; Joaquin Garcia-Alfaro. Springer Verlag, 2016. pp. 118-140 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{3b39a0dd4b9d400a966ee0ef63b8aaec,

title = "Cloudradar: A real-time side-channel attack detection system in clouds",

abstract = "We present CloudRadar, a system to detect, and hence mitigate, cache-based side-channel attacks in multi-tenant cloud systems. CloudRadar operates by correlating two events: first, it exploits signature-based detection to identify when the protected virtual machine (VM) executes a cryptographic application; at the same time, it uses anomaly-based detection techniques to monitor the co-located VMs to identify abnormal cache behaviors that are typical during cache-based side-channel attacks. We show that correlation in the occurrence of these two events offer strong evidence of side-channel attacks. Compared to other work on side-channel defenses, CloudRadar has the following advantages: first, CloudRadar focuses on the root causes of cachebased side-channel attacks and hence is hard to evade using metamorphic attack code, while maintaining a low false positive rate. Second, CloudRadar is designed as a lightweight patch to existing cloud systems, which does not require new hardware support, or any hypervisor, operating system, application modifications. Third, CloudRadar provides real-time protection and can detect side-channel attacks within the order of milliseconds. We demonstrate a prototype implementation of CloudRadar in the OpenStack cloud framework. Our evaluation suggests CloudRadar achieves negligible performance overhead with high detection accuracy.",

keywords = "Attack detection, Cloud computing, Mitigation, Performance counters, Side-channel attacks",

author = "Tianwei Zhang and Yinqian Zhang and Lee, {Ruby B.}",

note = "Funding Information: We thank Fangfei Liu and Dr. Yuval Yarom for providing sidechannel attack codes, and the anonymous reviewers for their feedback on this work. This work was supported in part by the National Science Foundation under grants NSF CNS-1218817 and NSF CNS-1566444. Any opinions, findings, and conclusions or recommendations expressed in this work are those of the authors and do not necessarily reflect the views of the NSF. Publisher Copyright: {\textcopyright} Springer International Publishing Switzerland 2016.; 19th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2016 ; Conference date: 19-09-2016 Through 21-09-2016",

year = "2016",

doi = "10.1007/978-3-319-45719-2_6",

language = "English (US)",

isbn = "9783319457185",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "118--140",

editor = "Marc Dacier and Fabian Monrose and Gregory Blanc and Joaquin Garcia-Alfaro",

booktitle = "Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings",

address = "Germany",

}

Zhang, T, Zhang, Y & Lee, RB 2016, Cloudradar: A real-time side-channel attack detection system in clouds. in M Dacier, F Monrose, G Blanc & J Garcia-Alfaro (eds), Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 9854 LNCS, Springer Verlag, pp. 118-140, 19th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2016, Paris, France, 9/19/16. https://doi.org/10.1007/978-3-319-45719-2_6

Cloudradar: A real-time side-channel attack detection system in clouds. / Zhang, Tianwei; Zhang, Yinqian; Lee, Ruby B.
Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings. ed. / Marc Dacier; Fabian Monrose; Gregory Blanc; Joaquin Garcia-Alfaro. Springer Verlag, 2016. p. 118-140 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9854 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Cloudradar

T2 - 19th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2016

AU - Zhang, Tianwei

AU - Zhang, Yinqian

AU - Lee, Ruby B.

N1 - Funding Information: We thank Fangfei Liu and Dr. Yuval Yarom for providing sidechannel attack codes, and the anonymous reviewers for their feedback on this work. This work was supported in part by the National Science Foundation under grants NSF CNS-1218817 and NSF CNS-1566444. Any opinions, findings, and conclusions or recommendations expressed in this work are those of the authors and do not necessarily reflect the views of the NSF. Publisher Copyright: © Springer International Publishing Switzerland 2016.

PY - 2016

Y1 - 2016

N2 - We present CloudRadar, a system to detect, and hence mitigate, cache-based side-channel attacks in multi-tenant cloud systems. CloudRadar operates by correlating two events: first, it exploits signature-based detection to identify when the protected virtual machine (VM) executes a cryptographic application; at the same time, it uses anomaly-based detection techniques to monitor the co-located VMs to identify abnormal cache behaviors that are typical during cache-based side-channel attacks. We show that correlation in the occurrence of these two events offer strong evidence of side-channel attacks. Compared to other work on side-channel defenses, CloudRadar has the following advantages: first, CloudRadar focuses on the root causes of cachebased side-channel attacks and hence is hard to evade using metamorphic attack code, while maintaining a low false positive rate. Second, CloudRadar is designed as a lightweight patch to existing cloud systems, which does not require new hardware support, or any hypervisor, operating system, application modifications. Third, CloudRadar provides real-time protection and can detect side-channel attacks within the order of milliseconds. We demonstrate a prototype implementation of CloudRadar in the OpenStack cloud framework. Our evaluation suggests CloudRadar achieves negligible performance overhead with high detection accuracy.

AB - We present CloudRadar, a system to detect, and hence mitigate, cache-based side-channel attacks in multi-tenant cloud systems. CloudRadar operates by correlating two events: first, it exploits signature-based detection to identify when the protected virtual machine (VM) executes a cryptographic application; at the same time, it uses anomaly-based detection techniques to monitor the co-located VMs to identify abnormal cache behaviors that are typical during cache-based side-channel attacks. We show that correlation in the occurrence of these two events offer strong evidence of side-channel attacks. Compared to other work on side-channel defenses, CloudRadar has the following advantages: first, CloudRadar focuses on the root causes of cachebased side-channel attacks and hence is hard to evade using metamorphic attack code, while maintaining a low false positive rate. Second, CloudRadar is designed as a lightweight patch to existing cloud systems, which does not require new hardware support, or any hypervisor, operating system, application modifications. Third, CloudRadar provides real-time protection and can detect side-channel attacks within the order of milliseconds. We demonstrate a prototype implementation of CloudRadar in the OpenStack cloud framework. Our evaluation suggests CloudRadar achieves negligible performance overhead with high detection accuracy.

KW - Attack detection

KW - Cloud computing

KW - Mitigation

KW - Performance counters

KW - Side-channel attacks

UR - http://www.scopus.com/inward/record.url?scp=84988557289&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84988557289&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-45719-2_6

DO - 10.1007/978-3-319-45719-2_6

M3 - Conference contribution

AN - SCOPUS:84988557289

SN - 9783319457185

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 118

EP - 140

BT - Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings

A2 - Dacier, Marc

A2 - Monrose, Fabian

A2 - Blanc, Gregory

A2 - Garcia-Alfaro, Joaquin

PB - Springer Verlag

Y2 - 19 September 2016 through 21 September 2016

ER -

Zhang T, Zhang Y, Lee RB. Cloudradar: A real-time side-channel attack detection system in clouds. In Dacier M, Monrose F, Blanc G, Garcia-Alfaro J, editors, Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings. Springer Verlag. 2016. p. 118-140. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-45719-2_6

Cloudradar: A real-time side-channel attack detection system in clouds

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Keywords

Access to Document

Other files and links

Fingerprint

Cite this