TY - GEN
T1 - A Cross-Virtual Machine Network Channel Attack via Mirroring and TAP Impersonation
AU - Saeed, Atif
AU - Garraghan, Peter
AU - Craggs, Barnaby
AU - van der Linden, Dirk
AU - Rashid, Awais
AU - Hussain, Syed Asad
N1 - Funding Information:
This work is supported by the EPSRC (EP/P031617/1).
PY - 2018/7/2
Y1 - 2018/7/2
N2 - Data privacy and security are leading concerns for providers and customers of cloud computing, where Virtual Machines (VMs) can co-reside within the same underlying physical machine. Side-channel attacks within multi-tenant virtualized cloud environments are an established problem, where attackers are able to monitor and exfiltrate data from co-resident VMs. Virtualization services have attempted to mitigate such attacks by preventing VM-to-VM interference on shared hardware, providing logical resource isolation between co-located VMs via an internal virtual network. However, such approaches are also insecure, with attackers capable of performing network channel attacks which bypass mitigation strategies using vectors such as ARP spoofing, TCP/IP steganography, and DNS poisoning. In this paper we identify a new vulnerability within the internal cloud virtual network, showing that through a combination of TAP impersonation and mirroring, a malicious VM can successfully redirect and monitor network traffic of VMs co-located within the same physical machine. We demonstrate the feasibility of this attack in a prominent cloud platform, OpenStack, under various security requirements and system conditions, and propose countermeasures for mitigation.
AB - Data privacy and security are leading concerns for providers and customers of cloud computing, where Virtual Machines (VMs) can co-reside within the same underlying physical machine. Side-channel attacks within multi-tenant virtualized cloud environments are an established problem, where attackers are able to monitor and exfiltrate data from co-resident VMs. Virtualization services have attempted to mitigate such attacks by preventing VM-to-VM interference on shared hardware, providing logical resource isolation between co-located VMs via an internal virtual network. However, such approaches are also insecure, with attackers capable of performing network channel attacks which bypass mitigation strategies using vectors such as ARP spoofing, TCP/IP steganography, and DNS poisoning. In this paper we identify a new vulnerability within the internal cloud virtual network, showing that through a combination of TAP impersonation and mirroring, a malicious VM can successfully redirect and monitor network traffic of VMs co-located within the same physical machine. We demonstrate the feasibility of this attack in a prominent cloud platform, OpenStack, under various security requirements and system conditions, and propose countermeasures for mitigation.
KW - Cloud Computing
KW - Network Channel Attack
KW - OpenStack
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=85057448839&partnerID=8YFLogxK
U2 - 10.1109/CLOUD.2018.00084
DO - 10.1109/CLOUD.2018.00084
M3 - Conference contribution
AN - SCOPUS:85057448839
T3 - IEEE International Conference on Cloud Computing, CLOUD
SP - 606
EP - 613
BT - 2018 IEEE International Conference on Cloud Computing, CLOUD 2018 - Part of the 2018 IEEE World Congress on Services
PB - IEEE
CY - Piscataway, NJ
T2 - 11th IEEE International Conference on Cloud Computing, CLOUD 2018
Y2 - 2 July 2018 through 7 July 2018
ER -