ConfMVM: A Hardware-Assisted Model to Confine Malicious VMs Zirak Allaf

Contents What is Side Channel Attack? Background Detection System Overview Methodology Rresults and Discussion Conclusion and Future works

1. What is Side Channel Attack Is the action of stealing information by exploiting h/s vulnerabilities to provide unauthorised communication between two entities in shared systems The Attack Characteristics: Such attacks do not require any privileges CPU cycles were the original key factors in both attack and countermeasures There are two main attack techniques: Flush+Reload Prime+Probe

Flush+Reload Main Memory LLC Cache 𝒑𝒓𝒐𝒄𝒆𝒔𝒔𝒐𝒓 𝒄𝒐𝒓𝒆 𝒊 𝑳 𝟐 𝑳 𝟏 Attacker 𝑝𝑎𝑔𝑒 1 𝑝𝑎𝑔𝑒 2 𝑝𝑎𝑔𝑒 3 Shared area to store AES look-up table . 𝑝𝑎𝑔𝑒 𝑛 LLC Cache 𝑠𝑒𝑡 1 𝑠𝑒𝑡 2 𝑠𝑒𝑡 3 . 𝑠𝑒𝑡 𝑛 𝒑𝒓𝒐𝒄𝒆𝒔𝒔𝒐𝒓 𝒄𝒐𝒓𝒆 𝒊 𝑳 𝟐 Attacker n=3000, threshold 𝑳 𝟏 Victm loop ( 1 to n) AESEncrypt() end loop (0= to 255, step 16) end loop 𝑠𝑒𝑡 3 21 a1 loop (add=start 𝑝 2 to end 𝑝 2 ) End loop access(add) 𝑠𝑒𝑡 3 flush(add) 𝑠𝑒𝑡 3 a1 wait() 𝑠𝑒𝑡 3 a1 if time(add)<threshold accessed by victim else not accessed accessed by victim

3. Detection System Overview

4. Methodology Standard Performance Evaluation Corporation (SPEC) It is designed to provide performance measurement which can be used to compute sensitive workloads on different computer systems. SPEC benchmark suite includes 29 applications which are written in C,C++ and Fortran There two types: SPECint 2006: 12 applications (bzip2, gcc) SPECfp 2006: 17 applications (bwaves, dealII) Hardware Performance Counters (HPCs) Events Model Specific Registers (MSR) Kernel privilege There are two types of PMC: Three fixed function registers (core cycles, reference cycles and core instructions) four programmable events (e.g. L3 misses, branch predictions)

4. Methodology (cont’d) Hardware and Software Specifications HP Proliant DL360 G7 Intel’s Xeon X5650 2.66 GHz 16 GB RAM Ubuntu 14.04 K-Nearest Neighbors (k-NN) Instance-based algorithm Hamming measurements 𝐷 𝐻 = 𝑖=0 𝑘 |𝑥−𝑦|

4. Methodology (cont’d) Data collection Processor core-based profiling Preprocessing Window size = 0.2 µp Data aggregation

5. Results The distribution of ROC curves in native system

5. Results (cont’d) The distribution of ROC curves in cloud system

6. Conclusion and Future works The detection system of side channel attacks classification Hardware Performance Counter (HPCs) host system events relevant to a Flush+Reload attack 99% and 96% respectively under SPEC CPU2006 workloads Limitation and Future Work detect techniques such as Prime+Probe due to the behaviour of the malicious loop inside the program

Spinnaker Tower End slide

Questions