Abstract

Infrastructure as a Service (IaaS) cloud enables tenants to access computing infrastructure easily. An underlying physical machine that provides physical resources can host multiple virtual machines (VMs) from different tenants. These co-resident VMs share the same physical resources, such as the CPU cache, memory, and network interface card. Among the risks of this sharing, cache-based side-channel attacks (CSCAs) pose severe threats to co-resident VMs. A malicious attacker can steal confidential information of a victim through CSCAs. The accessibility and sharing of the IaaS cloud provide a natural ground for CSCAs. In this paper, we propose SCAMS, a novel system to mitigate CSCAs in the multi-tenant IaaS cloud. SCAMS consists of three phases: (i) capturing of vulnerable cryptographic operations; (ii) proactive event notification; (iii) cache anomaly monitoring. In the capturing phase, we modify the cryptographic library in the protected VM so that sensitive cryptographic functions actively trap into handler functions in the hypervisor. In the notification phase, the hypervisor handler functions forward sensitive cryptographic events to the unified event notifier module, and the event notifier sends monitoring instructions to the cache monitoring module. In the monitoring phase, we apply hardware performance counters to monitor the number of cache hits or cache misses of co-resident VMs to analyze their cache behaviors. We implement SCAMS on a virtualization platform. Our experimental results show that it defends against CSCAs and introduces acceptable performance overhead.
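
The notification and monitoring phases can be pictured with the following added sketch, which is not code from the SCAMS paper: sensitive-operation windows reported by the protected VM gate the analysis of per-VM cache-miss counts. The abstract does not state the anomaly criterion, so the mean-plus-k-standard-deviations rule, the sample format, the VM names and all values are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the paper). Times are in milliseconds.
# Sensitive-operation windows reported by the protected VM: (enter, exit).
CRYPTO_WINDOWS = [(100, 140), (300, 340)]

# Per-interval cache-miss counts for co-resident VMs: (time, vm, misses).
SAMPLES = [
    (t, vm, misses)
    for vm, series in {
        "vm-batch": [510, 495, 505, 500, 498, 507, 502, 499, 503, 501],
        "vm-probe": [120, 2400, 118, 125, 119, 121, 2550, 117, 122, 120],
    }.items()
    for t, misses in zip(range(60, 460, 40), series)
]


def in_window(t, windows):
    """True if sample time t falls inside any sensitive-operation window."""
    return any(start <= t < end for start, end in windows)


def flag_anomalous_vms(samples, windows, k=3.0, min_baseline=4, floor=1.0):
    """Return {vm: (baseline_mean, window_mean)} for VMs whose miss count
    during sensitive windows exceeds their own baseline mean + k * stddev."""
    per_vm = {}
    for t, vm, misses in samples:
        bucket = per_vm.setdefault(vm, {"in": [], "out": []})
        bucket["in" if in_window(t, windows) else "out"].append(misses)
    flagged = {}
    for vm, b in per_vm.items():
        if not b["in"] or len(b["out"]) < min_baseline:
            continue  # no overlap with a window, or baseline too short to judge
        # floor keeps a perfectly flat baseline from flagging tiny changes
        base, spread = mean(b["out"]), max(pstdev(b["out"]), floor)
        observed = mean(b["in"])
        if observed > base + k * spread:
            flagged[vm] = (base, observed)
    return flagged


if __name__ == "__main__":
    for vm, (base, seen) in flag_anomalous_vms(SAMPLES, CRYPTO_WINDOWS).items():
        print(f"{vm}: baseline {base:.1f} misses/interval, "
              f"{seen:.1f} during crypto windows")
```

Comparing each VM against its own baseline means a neighbour with a steadily high miss count (`vm-batch`) is not flagged, while one whose misses rise only while the protected VM runs sensitive operations (`vm-probe`) is.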
