TY - GEN
T1 - Cloudradar
T2 - 19th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2016
AU - Zhang, Tianwei
AU - Zhang, Yinqian
AU - Lee, Ruby B.
N1 - Publisher Copyright:
© Springer International Publishing Switzerland 2016.
PY - 2016
Y1 - 2016
N2 - We present CloudRadar, a system to detect, and hence mitigate, cache-based side-channel attacks in multi-tenant cloud systems. CloudRadar operates by correlating two events: first, it exploits signature-based detection to identify when the protected virtual machine (VM) executes a cryptographic application; at the same time, it uses anomaly-based detection techniques to monitor the co-located VMs to identify abnormal cache behaviors that are typical during cache-based side-channel attacks. We show that correlation in the occurrence of these two events offer strong evidence of side-channel attacks. Compared to other work on side-channel defenses, CloudRadar has the following advantages: first, CloudRadar focuses on the root causes of cachebased side-channel attacks and hence is hard to evade using metamorphic attack code, while maintaining a low false positive rate. Second, CloudRadar is designed as a lightweight patch to existing cloud systems, which does not require new hardware support, or any hypervisor, operating system, application modifications. Third, CloudRadar provides real-time protection and can detect side-channel attacks within the order of milliseconds. We demonstrate a prototype implementation of CloudRadar in the OpenStack cloud framework. Our evaluation suggests CloudRadar achieves negligible performance overhead with high detection accuracy.
AB - We present CloudRadar, a system to detect, and hence mitigate, cache-based side-channel attacks in multi-tenant cloud systems. CloudRadar operates by correlating two events: first, it exploits signature-based detection to identify when the protected virtual machine (VM) executes a cryptographic application; at the same time, it uses anomaly-based detection techniques to monitor the co-located VMs to identify abnormal cache behaviors that are typical during cache-based side-channel attacks. We show that correlation in the occurrence of these two events offer strong evidence of side-channel attacks. Compared to other work on side-channel defenses, CloudRadar has the following advantages: first, CloudRadar focuses on the root causes of cachebased side-channel attacks and hence is hard to evade using metamorphic attack code, while maintaining a low false positive rate. Second, CloudRadar is designed as a lightweight patch to existing cloud systems, which does not require new hardware support, or any hypervisor, operating system, application modifications. Third, CloudRadar provides real-time protection and can detect side-channel attacks within the order of milliseconds. We demonstrate a prototype implementation of CloudRadar in the OpenStack cloud framework. Our evaluation suggests CloudRadar achieves negligible performance overhead with high detection accuracy.
KW - Attack detection
KW - Cloud computing
KW - Mitigation
KW - Performance counters
KW - Side-channel attacks
UR - http://www.scopus.com/inward/record.url?scp=84988557289&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84988557289&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-45719-2_6
DO - 10.1007/978-3-319-45719-2_6
M3 - Conference contribution
AN - SCOPUS:84988557289
SN - 9783319457185
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 118
EP - 140
BT - Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings
A2 - Dacier, Marc
A2 - Monrose, Fabian
A2 - Blanc, Gregory
A2 - Garcia-Alfaro, Joaquin
PB - Springer Verlag
Y2 - 19 September 2016 through 21 September 2016
ER -