Abstract

Crypto libraries such as OpenSSL and Libgcrypt are essential building blocks for implementing secure cloud services. Unfortunately, these libraries are subject to cache side-channel attacks, which are more devastating in cloud environments, where cache contention among different tenants is inevitable. Previous approaches for mitigating cache side-channel attacks have limitations in terms of deployability and security; these hinder their utilization in cloud services. In this paper, we propose the R2-relocator, a novel library protection technique based on moving target defence. When injected into a running process, the R2-relocator performs randomized relocation of the library during runtime. By doing this, it transforms a vulnerable crypto library into one that randomly changes its memory (cache) location, thereby preventing the delivery of cache side-channel attacks against the library. The proposed technique achieves robust protection against cache side-channel attacks for all crypto libraries, even those containing unpatched critical vulnerabilities, without the need for reconfiguration of the library. Extensive evaluations of the security, performance, and deployability of the R2-relocator demonstrate its effectiveness for secure cloud services.

Highlights

  • Cloud computing brings financial benefits to customers but at the cost of security, as data are outsourced from their on-premise servers to the cloud [1].

  • Owing to the sophisticated structure of cryptographic algorithms, developers commonly use well-crafted crypto libraries such as OpenSSL [2] and Libgcrypt [3] for cloud services, instead of implementing the algorithm by themselves. It is well-known that security flaws that can result in a cache side-channel attack (CSA) have been discovered in these libraries [4]–[7].

  • In this paper, we proposed the application of the R2-relocator to protect crypto libraries from CSAs in a cloud computing environment.

Summary

Introduction

Cloud computing brings financial benefits to customers but at the cost of security, as data are outsourced from their on-premise servers to the (untrusted) cloud [1]. Owing to the sophisticated structure of cryptographic algorithms, developers commonly use well-crafted crypto libraries such as OpenSSL [2] and Libgcrypt [3] for cloud services, instead of implementing the algorithm by themselves. It is well-known that security flaws that can result in a cache side-channel attack (CSA) have been discovered in these libraries [4]–[7]. The newly patched library should be redeployed in the cloud services, which usually have a large number of hosts that need to be patched. Such a patching-by-reconfiguration approach hinders instant responses when new critical security flaws are found in the library.
