Abstract

Crypto libraries such as OpenSSL and Libgcrypt are essential building blocks for implementing secure cloud services. Unfortunately, these libraries are subject to cache side-channel attacks, which are more devastating in cloud environments where inevitable cache contention among different tenants occurs. Previous approaches for mitigating cache side-channel attacks have limitations in terms of the deployability and security; these hinder utilization in cloud services. In this paper, we propose an R2-relocator, a novel library protection technique based on moving target defence. When injected into a running process, the R2-relocator performs randomized relocation of the library during runtime. By doing this, it transforms a vulnerable crypto library into one that randomly changes its memory (cache) location, thereby preventing the delivery of cache side-channel attacks against the library. The proposed technique achieves robust protection against cache side-channel attacks for all crypto libraries, even those containing unpatched critical vulnerabilities, without the need for reconfiguration of the library. Extensive evaluations of security, performance, and deployability of the R2-relocator demonstrate its effectiveness for secure cloud services.

Highlights

  • Cloud computing brings financial benefits to customers but at the cost of security, as data are outsourced from their onpremise servers to the cloud [1]

  • Owing to the sophisticated structure of cryptographic algorithms, developers commonly use wellcrafted crypto libraries such as OpenSSL [2] and Libgcrypt [3] for cloud services, instead of implementing the algorithm by themselves. It is well-known that security flaws that can result in a cache side-channel attack (CSA) have been discovered in these libraries [4]–[7]

  • In this paper, we proposed the application of the R2relocator to protect crypto libraries from CSAs in a cloud computing environment

Read more

Summary

Introduction

Cloud computing brings financial benefits to customers but at the cost of security, as data are outsourced from their onpremise servers to the (untrusted) cloud [1]. Owing to the sophisticated structure of cryptographic algorithms, developers commonly use wellcrafted crypto libraries such as OpenSSL [2] and Libgcrypt [3] for cloud services, instead of implementing the algorithm by themselves It is well-known that security flaws that can result in a cache side-channel attack (CSA) have been discovered in these libraries [4]–[7]. The newly patched library should be redeployed in the cloud services, which usually have a large number of hosts that need to be patched Such a patching-by-reconfiguration approach hinders instant responses when new critical security flaws are found in the library.

Methods
Results
Conclusion

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.