Exploiting Timing Side-Channels against VM Monitoring

Wang, Gary

Permalink

https://hdl.handle.net/2142/55506 Copy

Description

Title

Exploiting Timing Side-Channels against VM Monitoring

Author(s)

Wang, Gary

Contributor(s)

Kalbarczyk, Zbigniew

Issue Date

2014-05

Keyword(s)

• security
• side-channel
• VM
• monitoring
• hypervisor
• low-latency

Abstract

With the advent of cloud computing, integrity of virtualization technologies (e.g., hypervisors) has become more important. Insight into hypervisor activity could allow normal users to identify suspicious behavior and benchmark performance. On the other hand, malicious users can use this information to craft a more advanced transient attack that would be undetectable to VM passive monitoring systems. This thesis introduces a novel side-channel to extract timing information from hypervisor-level monitoring systems, such as Virtual Machine Introspection (VMI) based monitoring. This information can be used to launch more sophisticated attacks, such as transient attacks, against hypervisor-level monitoring systems. It is often assumed that hypervisor activity is hidden from guest VMs, but we show that this is not always true. When the hypervisor performs certain actions (e.g. security monitoring of the guest OS), the VM must be paused. Therefore, suspension of the VM leaks information about the hypervisor’s activities. We analyze these measurements along with benchmarks on overall hypervisor overhead to determine whether or not VM passive monitoring is being utilized on a target system. We present suspended network activity as an example of a side-channel that can be used to measure the duration of the VM suspend. In order to make these measurements, we developed a kernel-level UDP networking framework, and statistical analysis was performed on these measurements to obtain a profile of hypervisor behavior.

Type of Resource

text

Language

en

Permalink

http://hdl.handle.net/2142/55506

Owning Collections