Co-Resident Watermarking

Project Details

Project Lead
Adam Bates 
Project Manager
Adam Bates 
Project Members
Joe Pletcher  
Supporting Experts
Gregor von Laszewski  
Institution
University of Oregon, CIS Department, OSIRIS Lab  
Discipline
Computer Science (401) 

Abstract

Virtualization is the cornerstone of cloud computing, allowing providers to instantiate multiple virtual machines on a single set of physical resources. Customers utilize cloud resources alongside unknown and untrusted parties, creating the co-resident threat: there is a possibility of unauthorized access to sensitive customer data through the exploitation of covert channels. Previous approaches to determining and exploiting co-residency require the ability to examine and manipulate internal hardware on these machines, behavior that can be patched or otherwise defended. We describe a new attack called co-resident watermarking that allows co-residents to inject a watermark into the network flow of a target instance. This watermark can be used to exfiltrate and broadcast co-residency data from the physical machine, compromising isolation without reliance on internal side channels. We evaluate co-resident watermarking under various network conditions and system configurations, showing co-residency can be determined in under 60 seconds and that a covert channel bitrate of 1.91 bps can be achieved. This work represents a first step in characterizing the co-resident watermarking threat.

Intellectual Merit

Our approach uses concepts previously explored in network flow watermarking. Watermarking is a method of breaking anonymity by tracing the path of a network flow. A target’s traffic is subjected to controlled packet delay at an institutional boundary in order to give it a distinct and recognizable pattern. When the traffic exits the institutional boundary, that pattern is still present and can be decoded. Watermarking is of great interest because of its ability to detect stepping stone relays and to compromise anonymity services.

Broader Impacts

Through third party clouds, businesses are able to avoid overprovisioning and pay for only the exact amount of computing that they require. The key to allowing the rollout of these services is virtualization, where physical resources and multiple guest virtual machines can be multiplexed on a single physical machine. However, new security challenges come forth as users are now potentially vulnerable to the actions of others allocated to their same physical machine: they no longer solely control resources. Researchers have already demonstrated attacks against virtualization middleware that allow for the detection and exploitation of co-residency. However, systems-level vulnerabilities such as these could eventually be resolved by patching the hypervisor. We are attempting to demonstrate that even if other channels for establishing co-residency are removed, we can determine whether an adversarial guest is co-resident with a targeted server through observation of network traffic.

Scale of Use

We will need to periodically launch several VMs for an experiment. Each trial will not last more than a couple of hours.

Results

Our use of Futuregrid led to an accepted paper at the 2012 ACM Cloud Computing Security Workshop entitled "Detecting Co-Residency with Active Traffic Analysis Techniques".  This work will be presented on 19 October, 2012.  Futuregrid is featured in the acknowledgements section.  A copy of the paper is available at:

http://ix.cs.uoregon.edu/~amb/documents/Bates_Ccsw12.pdf