260 likes | 373 Views
Eliminating Fine Grained Timers in Xen. Bhanu Vattikonda with Sambit Das and Hovav Shacham. Motivation Project goals Goals of the paper Discussion Future work. Motivation.
E N D
Eliminating Fine Grained Timers in Xen Bhanu Vattikonda with Sambit Das and HovavShacham
Motivation • Project goals • Goals of the paper • Discussion • Future work
Motivation • Recent research efforts have shown that covert channel attacks are possible in the cloud using fine grained timers [Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al.] • Presence of covert channels indicates the likelihood of side channels • Side channels could be exploited to obtain confidential information from the victim VM
Motivation • Some attacks do not require fine grained timers: • Determining whether two VMs are co-resident • This is done by using network addresses and verifying that the dom0 IP address is the same for both the VMs Server dom0 VM1 Prober Tracerouteprobes VM2
Motivation • Whereas some attacks require access to fine grained timers: • Sanboxed VMs can communicate using cache as a covert channel • This attack assumes that the VMs are co-located Sender Receiver Send “1” Send “0” 1 1 Load cache and de-schedule Load cache and de-schedule 2 2 Disturb cache Do nothing 3 3 High read time for loaded data Low read time for loaded data
Motivation • Project goals • Goals of the paper • Discussion • Future work
Project goals • Prevent covert channel and side channel attacks • Eliminating access to fine grained timers could prevent such attacks [Reducing timing channels with fuzzy time, Wei-Ming Hu]
Motivation • Project goals • Goals of the paper • Discussion • Future work
Goals of the paper • Can fine grained timers be eliminated from the system? • What impact does it have on the utility of the system? • How coarse can the timers be?
Not addressed in the paper • Thorough evaluation of security benefits • Preventing alternative attack strategies to obtain fine grained timers
Can fine grained timers be eliminated from the system? • Various sources of fine grained timers • RDTSC instruction (cycle counter on x86 processors) • gettimeofday • clock_gettime • System time read by gettimeofday and clock_gettimegets updated using the value of RDTSC register Modifying value returned by RDTSC instruction should affect all timers
Can fine grained timers be eliminated from the system? • Yes! • Xen has a mode in which it traps and emulates the RDTSC instruction
Can fine grained timers be eliminated from the system? • In our experiments, we returned the actual RDTSC value rounded off to a certain number of cycles • To measure the impact, we measure the difference between return values of consecutive RDTSC instructions
What impact does it have on the utility of the system? • We evaluate the impact of clock fuzziness on a small testbed of two machines running Xen 4.0.1 on Centos 5.5 Server1 Server2 VM1 VM2
What impact does it have on the utility of the system? • Compute intensive jobs are not affected • We run a fast fourier transform and measure the completion time
What impact does it have on the utility of the system? • Network performance is not affected either, impact on throughput and RTT is insignificant • RTT is measured using a UDP based ping between the VMs • Throughput is measured using a long lasting TCP flow between the VMs
What impact does it have on the utility of the system? • Negligible impact on the finish times of all to all transfer • The two VMs send 1GB of data to each other and we measure the completion time
What impact does it have on the utility of the system? • Performance of Apache web server is also unaffected • Requests per second measured by requesting a ~200KB file • Throughput measured by requesting a ~15MB file from a web server running on the VM
Motivation • Project goals • Goals of the paper • Discussion • Future work
How coarse can the timers be? • Para-virtualized system becomes unusable at a fuzziness of 10000 cycles (10s of microseconds) • In the case of fully virtualized systems the system becomes unusable at a fuzziness of 100 million cycles (100s of milliseconds)
How coarse can the timers be? • Performance of TCP applications begins to degrade at high fuzziness (1ms) • Performance of other applications is not affected It should be possible to modify granularity of clock to 100s of microseconds
Fine grained timing using userspace counter • On a multi-processor system, a thread can be dedicated to maintain a counter and used in place of RDTSC counter • The amount of time taken for a constant number of nops has variance
Motivation • Project goals • Goals of the paper • Discussion • Future work
Future work • Push the limit on coarseness of the timer in the case of para-virtualized system • We only explored a step function for eliminating fine grained timers, other functions need to be explored • Evaluate the feasibility of existing attack strategies on the modified system
Summary • Fine grained timers in Xen can be eliminated • Performance of typical cloud based applications is not affected by the elimination of fine grained timers • Security benefits achieved due to the elimination of timers must be evaluated • Impact of using other methods to obtain fine grained timers, on security must be evaluated