Bolt: I Know What You Did Last Summer... In The Cloud

@article{Delimitrou2017BoltIK,
  title={Bolt: I Know What You Did Last Summer... In The Cloud},
  author={Christina Delimitrou and Christos Kozyrakis},
  journal={Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems},
  year={2017}
}
  • Christina Delimitrou, C. Kozyrakis
  • Published 4 April 2017
  • Computer Science
  • Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems
Cloud providers routinely schedule multiple applications per physical host to increase efficiency. The resulting interference on shared resources often leads to performance degradation and, more importantly, security vulnerabilities. Interference can leak important information ranging from a service's placement to confidential data, like private keys. We present Bolt, a practical system that accurately detects the type and characteristics of applications sharing a cloud platform based on the…
Uncovering the Security Implications of Cloud Multi-Tenancy with Bolt
TLDR
Bolt is presented, a practical system that accurately detects the type and characteristics of applications sharing a cloud platform based on the interference an adversary sees on shared resources, and leverages online data mining techniques that only require 2-5 seconds for detection.
Proctor: Detecting and Investigating Interference in Shared Datacenters
TLDR
Proctor, a real-time, lightweight and scalable analytics fabric that detects performance-intrusive VMs and identifies their root causes from among the arbitrary VMs running in shared datacenters across 4 key hardware resources (network, I/O, cache, and CPU), is introduced.
Tuple space explosion: a denial-of-service attack against a software packet classifier
TLDR
This paper evaluates whether the de facto Tuple Space Search (TSS) packet classification algorithm used in popular software networking stacks such as the Open vSwitch is robust against low-rate denial-of-service attacks and proposes MFCGuard that carefully manages the tuple space and keeps packet classification fast.
Tail Amplification in n-Tier Systems: A Study of Transient Cross-Resource Contention Attacks
TLDR
This paper presents a new type of Denial of Service (DoS) attack in the cloud, MemCA, with the goal of causing performance uncertainty (the long-tail response time problem) for the target n-tier web application while remaining stealthy.
Rapid In-situ Profiling of Colocated Workloads
TLDR
This paper presents the design of a workload-characterization tool for colocated Kubernetes pods, and studies the overhead it imposes on pods running Apache Lucene and Redis colocated with the NAS Parallel Benchmarks.
Stratus: Clouds with Microarchitectural Resource Management
TLDR
This paper introduces Stratus clouds that treat the isolation on microarchitectural elements as the key design principle when allocating cloud resources, and shows how this isolation improves both performance and security, but at the cost of reducing resource utilization.
Seer: Leveraging Big Data to Navigate the Complexity of Performance Debugging in Cloud Microservices
TLDR
Seer is presented, an online cloud performance debugging system that leverages deep learning and the massive amount of tracing data cloud systems collect to learn spatial and temporal patterns that translate to QoS violations.
Sage: practical and scalable ML-driven performance debugging in microservices
TLDR
Sage is presented, a machine learning-driven root cause analysis system for interactive cloud microservices that focuses on practicality and scalability and captures the impact of dependencies between microservices to determine the root cause of unpredictable performance online, and applies corrective actions to recover a cloud service's QoS.
A user-level toolkit for storage I/O isolation on multitenant hosts
TLDR
This work introduces the Polytropon toolkit, a collection of user-level components configurable to build several types of filesystems, and uses it to build the client of a distributed filesystem optionally combined with a union filesystem.
Isolation in cloud computing infrastructures: new security challenges
TLDR
This paper clarifies the concept of distributed side-channel attack (DSCA), exploring how such attacks can threaten isolation of any virtualized environments such as cloud computing infrastructures, and studying a set of different applicable countermeasures for attack mitigation.

References

SHOWING 1-10 OF 112 REFERENCES
Scheduler-based Defenses against Cross-VM Side-channels
TLDR
A simple per-core CPU state cleansing mechanism is integrated into Xen that provides further protection against side-channel attacks at little cost when used in conjunction with an MRT guarantee, and it is found that the performance impact of MRT guarantees can be very low, particularly in multi-core settings.
HomeAlone: Co-residency Detection in the Cloud via Side-Channel Analysis
TLDR
HomeAlone is introduced, a system that lets a tenant verify its VMs' exclusive use of a physical machine by using a side-channel in the L2 memory cache as a novel, defensive detection tool.
Resource-freeing attacks: improve your cloud performance (at your neighbor's expense)
TLDR
This work explores in depth a particular example of an RFA, which can improve performance of synthetic benchmarks by up to 60% over not running the attack, and shows that by adding load to a co-resident victim, the attack speeds up a class of cache-bound workloads.
Denial of Service via Algorithmic Complexity Attacks
TLDR
A new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures is presented, and it is shown how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks.
Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud
TLDR
This paper presents a novel covert channel attack that is capable of high-bandwidth and reliable data transmission in the cloud, designs and implements a robust communication protocol, and demonstrates realistic covert channel attacks on various virtualized x86 systems.
Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds
TLDR
It is shown that it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and then instantiate new VMs until one is placed co-resident with the target, and how such placement can then be used to mount cross-VM side-channel attacks to extract information from a target VM on the same machine.
A Placement Vulnerability Study in Multi-Tenant Public Clouds
TLDR
It is found that it is much easier and cheaper to achieve co-location in these three clouds when compared to a secure reference placement policy; new co-residence tests and multiple customer accounts are used to launch VM instances under different strategies that seek to maximize the likelihood of co-residency.
Mitigating Cross-VM Side Channel Attack on Multiple Tenants Cloud Platform
TLDR
A covert-channel-aware scheduler that treats security as a first-class concern to mitigate side-channel attacks is presented; it lets the user dynamically configure scheduling parameters to adapt to diverse circumstances, in order to strike a balance between performance and security.
Cross-VM side channels and their use to extract private keys
TLDR
This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer, and demonstrates the attack in a lab setting by extracting an ElGamal decryption key from a victim VM using the most recent version of the libgcrypt cryptographic library.
Memory Performance Attacks: Denial of Memory Service in Multi-Core Systems
TLDR
This paper demonstrates that current multi-core processors are vulnerable to a new class of Denial of Service (DoS) attacks because the memory system is "unfairly" shared among multiple cores, and proposes a new memory system architecture that provides fairness to different applications running on the same chip.