9th EAI International Conference on Mobile Multimedia Communications

Research Article

Investigating Timing Channel in IaaS

  • @INPROCEEDINGS{10.4108/eai.18-6-2016.2264107,
        author={Rui Yang and Xiao Fu and Xiaojiang Du and Bin Luo},
        title={Investigating Timing Channel in IaaS},
        proceedings={9th EAI International Conference on Mobile Multimedia Communications},
        publisher={ACM},
        proceedings_a={MOBIMEDIA},
        year={2016},
        month={12},
        keywords={cloud security timing channel infrastructure as a service cloud forensics},
        doi={10.4108/eai.18-6-2016.2264107}
    }
    
Rui Yang1, Xiao Fu1,*, Xiaojiang Du2, Bin Luo1
  • 1: Nanjing University
  • 2: Temple University
*Contact email: fuxiao@nju.edu.cn

Abstract

In IaaS (such as Amazon EC2 and Microsoft Azure), several VM (virtual machine) instances usually run on one physical machine to improve resource utilization. However, this also creates more attack opportunities. A typical example is the cross-VM timing channel. Recent studies show that this kind of covert channel can successfully steal private information (e.g., a private key) from co-resident VM instances. It poses great challenges to the security of the cloud and has attracted more and more attention in recent years. But to our knowledge, there is still little work on detecting and investigating such covert channels. Therefore, we propose a behavior-based method to automatically detect and investigate the timing channel. First, in order to record the behavior of this covert channel, a page-level memory monitoring method is designed. Second, an automatic identification algorithm is proposed based on some memory activity signatures. Finally, in order to confirm the result, a memory dump is obtained and the binary code of the suspicious process is analyzed. We have implemented a prototype on Xen, and the experimental results show that all of these kinds of attacks can be detected even under the disturbance from normal processes.