1 / 26

Eliminating Fine Grained Timers in Xen

Eliminating Fine Grained Timers in Xen. Bhanu Vattikonda with Sambit Das and Hovav Shacham. Motivation Project goals Goals of the paper Discussion Future work. Motivation.

ganya
Télécharger la présentation

Eliminating Fine Grained Timers in Xen

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Eliminating Fine Grained Timers in Xen Bhanu Vattikonda with Sambit Das and HovavShacham

  2. Motivation • Project goals • Goals of the paper • Discussion • Future work

  3. Motivation • Recent research efforts have shown that covert channel attacks are possible in the cloud using fine grained timers [Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al.] • Presence of covert channels indicates the likelihood of side channels • Side channels could be exploited to obtain confidential information from the victim VM

  4. Motivation • Some attacks do not require fine grained timers: • Determining whether two VMs are co-resident • This is done by using network addresses and verifying that the dom0 IP address is the same for both the VMs Server dom0 VM1 Prober Tracerouteprobes VM2

  5. Motivation • Whereas some attacks require access to fine grained timers: • Sanboxed VMs can communicate using cache as a covert channel • This attack assumes that the VMs are co-located Sender Receiver Send “1” Send “0” 1 1 Load cache and de-schedule Load cache and de-schedule 2 2 Disturb cache Do nothing 3 3 High read time for loaded data Low read time for loaded data

  6. Motivation • Project goals • Goals of the paper • Discussion • Future work

  7. Project goals • Prevent covert channel and side channel attacks • Eliminating access to fine grained timers could prevent such attacks [Reducing timing channels with fuzzy time, Wei-Ming Hu]

  8. Motivation • Project goals • Goals of the paper • Discussion • Future work

  9. Goals of the paper • Can fine grained timers be eliminated from the system? • What impact does it have on the utility of the system? • How coarse can the timers be?

  10. Not addressed in the paper • Thorough evaluation of security benefits • Preventing alternative attack strategies to obtain fine grained timers

  11. Can fine grained timers be eliminated from the system? • Various sources of fine grained timers • RDTSC instruction (cycle counter on x86 processors) • gettimeofday • clock_gettime • System time read by gettimeofday and clock_gettimegets updated using the value of RDTSC register Modifying value returned by RDTSC instruction should affect all timers

  12. Can fine grained timers be eliminated from the system? • Yes! • Xen has a mode in which it traps and emulates the RDTSC instruction

  13. Can fine grained timers be eliminated from the system? • In our experiments, we returned the actual RDTSC value rounded off to a certain number of cycles • To measure the impact, we measure the difference between return values of consecutive RDTSC instructions

  14. What impact does it have on the utility of the system? • We evaluate the impact of clock fuzziness on a small testbed of two machines running Xen 4.0.1 on Centos 5.5 Server1 Server2 VM1 VM2

  15. What impact does it have on the utility of the system? • Compute intensive jobs are not affected • We run a fast fourier transform and measure the completion time

  16. What impact does it have on the utility of the system? • Network performance is not affected either, impact on throughput and RTT is insignificant • RTT is measured using a UDP based ping between the VMs • Throughput is measured using a long lasting TCP flow between the VMs

  17. What impact does it have on the utility of the system? • Negligible impact on the finish times of all to all transfer • The two VMs send 1GB of data to each other and we measure the completion time

  18. What impact does it have on the utility of the system? • Performance of Apache web server is also unaffected • Requests per second measured by requesting a ~200KB file • Throughput measured by requesting a ~15MB file from a web server running on the VM

  19. Motivation • Project goals • Goals of the paper • Discussion • Future work

  20. How coarse can the timers be? • Para-virtualized system becomes unusable at a fuzziness of 10000 cycles (10s of microseconds) • In the case of fully virtualized systems the system becomes unusable at a fuzziness of 100 million cycles (100s of milliseconds)

  21. How coarse can the timers be? • Performance of TCP applications begins to degrade at high fuzziness (1ms) • Performance of other applications is not affected It should be possible to modify granularity of clock to 100s of microseconds

  22. Fine grained timing using userspace counter • On a multi-processor system, a thread can be dedicated to maintain a counter and used in place of RDTSC counter • The amount of time taken for a constant number of nops has variance

  23. Motivation • Project goals • Goals of the paper • Discussion • Future work

  24. Future work • Push the limit on coarseness of the timer in the case of para-virtualized system • We only explored a step function for eliminating fine grained timers, other functions need to be explored • Evaluate the feasibility of existing attack strategies on the modified system

  25. Summary • Fine grained timers in Xen can be eliminated • Performance of typical cloud based applications is not affected by the elimination of fine grained timers • Security benefits achieved due to the elimination of timers must be evaluated • Impact of using other methods to obtain fine grained timers, on security must be evaluated

  26. Thank you!

More Related