TY - JOUR
T1 - Investigating timing channel in IaaS
AU - Yang, Rui
AU - Du, Xiaojiang
AU - Fu, Xiao
AU - Luo, Bin
N1 - Publisher Copyright:
© 2016 EAI.
PY - 2016
Y1 - 2016
N2 - In IaaS clouds (such as Amazon EC2 and Microsoft Azure), several VM (virtual-machine) instances usually run on one physical machine to improve resource utilization. However, this also creates more attack opportunities. A typical example is a cross-VM timing channel. Recent studies show that this kind of covert channel can be used to steal private information (e.g., a private key) from co-resident VM instances. It poses a serious challenge to cloud security and has attracted increasing attention in recent years. To our knowledge, however, there is still little work on detecting and investigating such covert channels. We therefore propose a behavior-based method to automatically detect and investigate the timing channel. First, to record the behavior of this covert channel, a page-level memory monitoring method is designed. Second, an automatic identification algorithm is proposed, based on signatures of memory activity. Finally, to confirm the result, a memory dump is obtained and the binary code of the suspicious process is analyzed. We have implemented a prototype on Xen, and the experimental results show that all of these kinds of attacks can be detected even under disturbance from normal processes.
AB - In IaaS clouds (such as Amazon EC2 and Microsoft Azure), several VM (virtual-machine) instances usually run on one physical machine to improve resource utilization. However, this also creates more attack opportunities. A typical example is a cross-VM timing channel. Recent studies show that this kind of covert channel can be used to steal private information (e.g., a private key) from co-resident VM instances. It poses a serious challenge to cloud security and has attracted increasing attention in recent years. To our knowledge, however, there is still little work on detecting and investigating such covert channels. We therefore propose a behavior-based method to automatically detect and investigate the timing channel. First, to record the behavior of this covert channel, a page-level memory monitoring method is designed. Second, an automatic identification algorithm is proposed, based on signatures of memory activity. Finally, to confirm the result, a memory dump is obtained and the binary code of the suspicious process is analyzed. We have implemented a prototype on Xen, and the experimental results show that all of these kinds of attacks can be detected even under disturbance from normal processes.
KW - Cloud forensics
KW - Cloud security
KW - Infrastructure as a service
KW - Timing channel
UR - http://www.scopus.com/inward/record.url?scp=85052169860&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85052169860&partnerID=8YFLogxK
U2 - 10.4108/eai.18-6-2016.2264107
DO - 10.4108/eai.18-6-2016.2264107
M3 - Conference article
AN - SCOPUS:85052169860
JO - International Conference on Mobile Multimedia Communications (MobiMedia)
JF - International Conference on Mobile Multimedia Communications (MobiMedia)
T2 - 9th EAI International Conference on Mobile Multimedia Communications, MOBIMEDIA 2016
Y2 - 18 June 2016 through 20 June 2016
ER -