Skip to Main content Skip to Navigation
Theses

Unified isolation architectures and mechanisms against side channel attacks for decentralized cloud infrastructures

Mohammad-Mahdi Bazm 1, 2
2 STACK - Software Stack for Massively Geo-Distributed Infrastructures
Inria Rennes – Bretagne Atlantique , LS2N - Laboratoire des Sciences du Numérique de Nantes
Abstract : Since their discovery by Ristenpart [Ristenpart et al., 2009], the security concern of side-channel attacks is rising in virtualized environments such as cloud computing infrastructures because of rapid improvements in the attack techniques. Therefore, the mitigation and the detection of such attacks have received more attention in these environments and consequently, have been the subject of research works. These attacks exploit, for instance, sharing of hardware resources such as the processor in virtualized environments. Moreover, the resources are often shared between different users at very low-level through the virtualization layer. As a result, such sharing allows bypassing security mechanisms implemented at the virtualization layer through such a leaky sharing. Cache levels of the processor are the resources that are shared between instances and play as an information disclosure channel. Side-channel attacks thus use this leaky channel to retrieve sensitive information such as cryptographic keys. Various research works already exist on the detection or mitigation of these attacks in information systems. Mitigation techniques of cache-based side-channel attacks are mainly divided into three classes according to the application layers of techniques in cloud infrastructures (i.e., application, system, and hardware). The detection is done at OS/hypervisor level due to the potentiality of analyzing virtualized instances at both layers. In this thesis, we first provide a survey on the isolation challenge and cache-based side channel attacks in cloud computing infrastructures. We then present different approaches to detect or mitigate cross-VM/container cache-based side-channel attacks. Regarding the detection of cache-based side-channel attacks, we achieve that by leveraging Hardware Performance Counters (HPCs) and Intel Cache Monitoring Technology (CMT) with anomaly detection approaches to identify a malicious instance. Our experimental results show a high detection rate. We then leverage an approach based on the Moving Target Defense (MTD) theory to interrupt a cache-based side-channel attack between two Linux containers. MTD allows us to make the configuration of a system more dynamic and consequently harder to attack by an adversary, through leveraging shuffling at different levels of systems and cloud. Our approach does not need to apply modifications either to the guest OS or the hypervisor. Experimental results show that our approach imposes a low-performance overhead. We also discuss the challenge of isolated execution, different scenarios to secure running of Linux containers on remote hosts, and various trusted execution technologies for cloud computing environments. Finally, we propose a secure model for distributed computing through using Linux containers secured by Intel SGX, to perform trusted execution on untrusted Fog computing infrastructures.
Complete list of metadata

https://hal.inria.fr/tel-02417362
Contributor : Mario Südholt Connect in order to contact the contributor
Submitted on : Saturday, June 19, 2021 - 1:50:25 PM
Last modification on : Wednesday, October 13, 2021 - 3:52:07 PM

Identifiers

  • HAL Id : tel-02417362, version 2

Citation

Mohammad-Mahdi Bazm. Unified isolation architectures and mechanisms against side channel attacks for decentralized cloud infrastructures. Software Engineering [cs.SE]. Université de Nantes (UNAM), 2019. English. ⟨tel-02417362⟩

Share

Metrics

Record views

93

Files downloads

238