Exploiting Timing Side-Channels against VM Monitoring
Wang, Gary
This item is only available for download by members of the University of Illinois community. Students, faculty, and staff at the U of I may log in with your NetID and password to view the item. If you are trying to access an Illinois-restricted dissertation or thesis, you can request a copy through your library's Inter-Library Loan office or purchase a copy directly from ProQuest.
Permalink
https://hdl.handle.net/2142/55506
Description
Title
Exploiting Timing Side-Channels against VM Monitoring
Author(s)
Wang, Gary
Contributor(s)
Kalbarczyk, Zbigniew
Issue Date
2014-05
Keyword(s)
security
side-channel
VM
monitoring
hypervisor
low-latency
Abstract
With the advent of cloud computing, integrity of virtualization technologies (e.g., hypervisors) has become more important. Insight into hypervisor activity could allow normal users to identify suspicious behavior and benchmark performance. On the other hand, malicious users can use this information to craft a more advanced transient attack that would be undetectable to VM passive monitoring systems. This thesis introduces a novel side-channel to extract timing information from hypervisor-level monitoring systems, such as Virtual Machine Introspection (VMI) based monitoring. This information can be used to launch more sophisticated attacks, such as transient attacks, against hypervisor-level monitoring systems.
It is often assumed that hypervisor activity is hidden from guest VMs, but we show that this is not always true. When the hypervisor performs certain actions (e.g. security monitoring of the guest OS), the VM must be paused. Therefore, suspension of the VM leaks information about the hypervisor’s activities. We analyze these measurements along with benchmarks on overall hypervisor overhead to determine whether or not VM passive monitoring is being utilized on a target system.
We present suspended network activity as an example of a side-channel that can be used to measure the duration of the VM suspend. In order to make these measurements, we developed a kernel-level UDP networking framework, and statistical analysis was performed on these measurements to obtain a profile of hypervisor behavior.
Use this login method if you
don't
have an
@illinois.edu
email address.
(Oops, I do have one)
IDEALS migrated to a new platform on June 23, 2022. If you created
your account prior to this date, you will have to reset your password
using the forgot-password link below.