One Covert Channel to Rule Them All: A Practical Approach to Data Exfiltration in the Cloud

Abstract

The sharing of hardware platforms in multi-tenant environments is a growing security concern. Microarchitectural timing-based covert channels allow tunneling information out of a compromised cloud instance, thus bypassing information flow policies. Significant research efforts have been carried out in order to address the super-set of timing channels. Nevertheless, new attacks keep on being published while disregarding the latest academic efforts, arguing that the relevant defences have not yet been deployed. In order to bridge the gap between vulnerabilities and countermeasures, we challenge state-of-the-art mitigation techniques by constructing the first cross-VM covert channel that is resilient against all known defences, whether they are already deployed or still theoretical. Defence strategies that are relevant with covert channels are surveyed, and a list of requirements is constructed for the new attack. Then, we re-visit the exploitation of the x86 memory bus lock, and launch the proposed covert communication channel across two AWS EC2 instances. While simple in design, the proposed implementation shows that x86 microarchitectures still present salient vulnerabilities, and that state-of-the-art defence strategies-even theoretical ones-remain unsuccessful at hindering data leakage in multi-tenant environments. Finally, a strategy to mitigate the remaining vulnerability is suggested, along with a comparison against the ARMv8 processor architecture.