
Electronic data

  • Cloud Cross-VM Attack

    Rights statement: ©2018 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

    Accepted author manuscript, 6.68 MB, PDF document

    Available under license: CC BY-NC: Creative Commons Attribution-NonCommercial 4.0 International License

Links

Text available via DOI:


A Cross-Virtual Machine Network Channel Attack via Mirroring and TAP Impersonation

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN; Conference contribution/Paper; peer-reviewed

Published

Standard

A Cross-Virtual Machine Network Channel Attack via Mirroring and TAP Impersonation. / Saeed, Atif; Garraghan, Peter; Craggs, Barnaby et al.
2018 IEEE International Conference on Cloud Computing (CLOUD). IEEE, 2018. p. 606-613.


Harvard

Saeed, A, Garraghan, P, Craggs, B, van der Linden, D, Rashid, A & Asad Hussain, S 2018, A Cross-Virtual Machine Network Channel Attack via Mirroring and TAP Impersonation. in 2018 IEEE International Conference on Cloud Computing (CLOUD). IEEE, pp. 606-613. https://doi.org/10.1109/CLOUD.2018.00084

APA

Saeed, A., Garraghan, P., Craggs, B., van der Linden, D., Rashid, A., & Asad Hussain, S. (2018). A Cross-Virtual Machine Network Channel Attack via Mirroring and TAP Impersonation. In 2018 IEEE International Conference on Cloud Computing (CLOUD) (pp. 606-613). IEEE. https://doi.org/10.1109/CLOUD.2018.00084

Vancouver

Saeed A, Garraghan P, Craggs B, van der Linden D, Rashid A, Asad Hussain S. A Cross-Virtual Machine Network Channel Attack via Mirroring and TAP Impersonation. In 2018 IEEE International Conference on Cloud Computing (CLOUD). IEEE. 2018. p. 606-613 doi: 10.1109/CLOUD.2018.00084

Author

Saeed, Atif ; Garraghan, Peter ; Craggs, Barnaby et al. / A Cross-Virtual Machine Network Channel Attack via Mirroring and TAP Impersonation. 2018 IEEE International Conference on Cloud Computing (CLOUD). IEEE, 2018. pp. 606-613

Bibtex

@inproceedings{021824af97724c1ea68ad219ffb0b1e9,
title = "A Cross-Virtual Machine Network Channel Attack via Mirroring and TAP Impersonation",
abstract = "Data privacy and security is a leading concern for providers and customers of cloud computing, where Virtual Machines (VMs) can co-reside within the same underlying physical machine. Side channel attacks within multi-tenant virtualized cloud environments are an established problem, where attackers are able to monitor and exfiltrate data from co-resident VMs. Virtualization services have attempted to mitigate such attacks by preventing VM-to-VM interference on shared hardware by providing logical resource isolation between co-located VMs via an internal virtual network. However, such approaches are also insecure, with attackers capable of performing network channel attacks which bypass mitigation strategies using vectors such as ARP Spoofing, TCP/IP steganography, and DNS poisoning. In this paper we identify a new vulnerability within the internal cloud virtual network, showing that through a combination of TAP impersonation and mirroring, a malicious VM can successfully redirect and monitor network traffic of VMs co-located within the same physical machine. We demonstrate the feasibility of this attack in a prominent cloud platform – OpenStack – under various security requirements and system conditions, and propose countermeasures for mitigation.",
keywords = "Cloud Computing, Channel Attack, Security",
author = "Atif Saeed and Peter Garraghan and Barnaby Craggs and {van der Linden}, Dirk and Awais Rashid and {Asad Hussain}, Syed",
note = "{\textcopyright}2018 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.",
year = "2018",
month = jul,
day = "2",
doi = "10.1109/CLOUD.2018.00084",
language = "English",
pages = "606--613",
booktitle = "2018 IEEE International Conference on Cloud Computing (CLOUD)",
publisher = "IEEE",

}

RIS

TY - GEN

T1 - A Cross-Virtual Machine Network Channel Attack via Mirroring and TAP Impersonation

AU - Saeed, Atif

AU - Garraghan, Peter

AU - Craggs, Barnaby

AU - van der Linden, Dirk

AU - Rashid, Awais

AU - Asad Hussain, Syed

N1 - ©2018 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

PY - 2018/7/2

Y1 - 2018/7/2

N2 - Data privacy and security is a leading concern for providers and customers of cloud computing, where Virtual Machines (VMs) can co-reside within the same underlying physical machine. Side channel attacks within multi-tenant virtualized cloud environments are an established problem, where attackers are able to monitor and exfiltrate data from co-resident VMs. Virtualization services have attempted to mitigate such attacks by preventing VM-to-VM interference on shared hardware by providing logical resource isolation between co-located VMs via an internal virtual network. However, such approaches are also insecure, with attackers capable of performing network channel attacks which bypass mitigation strategies using vectors such as ARP Spoofing, TCP/IP steganography, and DNS poisoning. In this paper we identify a new vulnerability within the internal cloud virtual network, showing that through a combination of TAP impersonation and mirroring, a malicious VM can successfully redirect and monitor network traffic of VMs co-located within the same physical machine. We demonstrate the feasibility of this attack in a prominent cloud platform – OpenStack – under various security requirements and system conditions, and propose countermeasures for mitigation.

AB - Data privacy and security is a leading concern for providers and customers of cloud computing, where Virtual Machines (VMs) can co-reside within the same underlying physical machine. Side channel attacks within multi-tenant virtualized cloud environments are an established problem, where attackers are able to monitor and exfiltrate data from co-resident VMs. Virtualization services have attempted to mitigate such attacks by preventing VM-to-VM interference on shared hardware by providing logical resource isolation between co-located VMs via an internal virtual network. However, such approaches are also insecure, with attackers capable of performing network channel attacks which bypass mitigation strategies using vectors such as ARP Spoofing, TCP/IP steganography, and DNS poisoning. In this paper we identify a new vulnerability within the internal cloud virtual network, showing that through a combination of TAP impersonation and mirroring, a malicious VM can successfully redirect and monitor network traffic of VMs co-located within the same physical machine. We demonstrate the feasibility of this attack in a prominent cloud platform – OpenStack – under various security requirements and system conditions, and propose countermeasures for mitigation.

KW - Cloud Computing

KW - Channel Attack

KW - Security

U2 - 10.1109/CLOUD.2018.00084

DO - 10.1109/CLOUD.2018.00084

M3 - Conference contribution/Paper

SP - 606

EP - 613

BT - 2018 IEEE International Conference on Cloud Computing (CLOUD)

PB - IEEE

ER -