Home > Research > Publications & Outputs > Protecting Cloud-Based CIs

Links

Text available via DOI:

View graph of relations

Protecting Cloud-Based CIs: Covert Channel Vulnerabilities at the Resource Level

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSNChapter

Published
  • T. Vateva-Gurova
  • S. Manzoor
  • R. Trapero
  • Neeraj Suri
  • Marin Tordera E.
  • Fournaris A.P. (Editor)
  • Lampropoulos K.
Close
NullPointerException

Abstract

Critical Infrastructures (CIs) increasingly leverage Cloud computing given its benefits of on-demand scalability, high availability and cost efficiency. However, the Cloud is typically characterized by the co-location of users from varied security domains that also use shared computing resources. This introduces a number of resource/architecture-level vulnerabilities. For example, the usage of a basic shared storage component, such as a memory cache, can expose the entire Cloud system to security risks such as covert-channel attacks. The success of these exploits depends on various execution environment properties. Thus, providing means to assess the feasibility of these attacks in a specific execution environment and enabling postmortem analysis is needed. While attacks at the architectural level represent a potent vulnerability to exfiltrate information, the low-level often get neglected with techniques such as intrusion detection focused more on the high-level network/middleware threats. Interestingly, cache-based covert-channel attacks are typically not detectable by traditional intrusion detection systems as covert channels do not obey any access rights or other security policies. This paper focuses on the information provided at the low architectural level to cope with the cache-based covert-channel threat. We propose the usage of feasibility metrics collected at the low level to monitor the core-private cache covert channel and, infer information regarding the probability of a covert-channel exploit happening. We also illustrate the applicability of the proposed feasibility metrics in a use case.