Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
158 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
45 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Dynamic Frequency-Based Fingerprinting Attacks against Modern Sandbox Environments (2404.10715v3)

Published 16 Apr 2024 in cs.CR and cs.LG

Abstract: The cloud computing landscape has evolved significantly in recent years, embracing various sandboxes to meet the diverse demands of modern cloud applications. These sandboxes encompass container-based technologies like Docker and gVisor, microVM-based solutions like Firecracker, and security-centric sandboxes relying on Trusted Execution Environments (TEEs) such as Intel SGX and AMD SEV. However, the practice of placing multiple tenants on shared physical hardware raises security and privacy concerns, most notably side-channel attacks. In this paper, we investigate the possibility of fingerprinting containers through CPU frequency reporting sensors in Intel and AMD CPUs. One key enabler of our attack is that the current CPU frequency information can be accessed by user-space attackers. We demonstrate that Docker images exhibit a unique frequency signature, enabling the distinction of different containers with up to 84.5% accuracy even when multiple containers are running simultaneously in different cores. Additionally, we assess the effectiveness of our attack when performed against several sandboxes deployed in cloud environments, including Google's gVisor, AWS' Firecracker, and TEE-based platforms like Gramine (utilizing Intel SGX) and AMD SEV. Our empirical results show that these attacks can also be carried out successfully against all of these sandboxes in less than 40 seconds, with an accuracy of over 70% in all cases. Finally, we propose a noise injection-based countermeasure to mitigate the proposed attack on cloud environments.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (64)
  1. epanaroma: Escape Docker Container Using waitid() — CVE-2017-5123 — Twistlock. https://www.epanorama.net/blog/2018/01/05/escape-docker-container-using-waitid-cve-2017-5123-twistlock-19/, 2017.
  2. Onur Aciiçmez. Yet another microarchitectural attack: : exploiting i-cache. In CSAW, pages 11–18. ACM, 2007.
  3. On the power of simple branch prediction analysis. In AsiaCCS, pages 312–320. ACM, 2007.
  4. Firecracker: Lightweight virtualization for serverless applications. In NSDI, pages 419–434. USENIX Association, 2020.
  5. Port contention for fun and profit. In IEEE Symposium on Security and Privacy, pages 870–887. IEEE, 2019.
  6. Turbo core technology, 2023. https://www.amd.com/en/technologies/turbo-core.
  7. AMD. Google Cloud Confidential Computing Powered by AMD, Last accessed: 03-17-2024. https://www.amd.com/en/solutions/google-cloud-confidential-computing.
  8. Wait a minute! A fast, cross-vm attack on AES. In RAID, volume 8688 of Lecture Notes in Computer Science, pages 299–319. Springer, 2014.
  9. Apparmor – linux kernel security module, 2019. https://apparmor.net/.
  10. SCONE: secure linux containers with intel SGX. In OSDI, pages 689–703. USENIX Association, 2016.
  11. The security design of the aws nitro system. White paper, AWS, Nov 2022.
  12. A tale of two worlds: Assessing the vulnerability of enclave shielding runtimes. In CCS, pages 1741–1758. ACM, 2019.
  13. Alibaba Cloud. Elastic Compute Service, Last accessed: 03-17-2024. https://www.alibabacloud.com/help/en/ecs/user-guide/step-1-deploy-a-client.
  14. Google Cloud. AMD and Google Cloud, Last accessed: 03-17-2024. https://cloud.google.com/amd.
  15. To docker or not to docker: A security perspective. IEEE Cloud Comput., 3(5):54–62, 2016.
  16. Aex-notify: Thwarting precise single-stepping attacks through interrupt awareness for intel sgx enclaves. In 32nd USENIX Security Symposium, pages 4051–4068, August 2023.
  17. containerd, Last accessed: 08-21-2023. https://containerd.io/.
  18. Intel SGX explained. IACR Cryptol. ePrint Arch., page 86, 2016.
  19. Bolt: I know what you did last summer… in the cloud. In ASPLOS, pages 599–613. ACM, 2017.
  20. DF-SCA: dynamic frequency side channel attacks are practical. In ACSAC, pages 841–853. ACM, 2022.
  21. Docker hub api, 2023. https://docs.docker.com/docker-hub/api/latest/.
  22. Seccomp security profiles for docker, 2023. https://docs.docker.com/engine/security/seccomp/.
  23. https://www.docker.com/resources/what-container/.
  24. Repttack: Exploiting Cloud Schedulers to Guide Co-Location Attacks. In Annual Network and Distributed System Security Symposium, NDSS, 2022.
  25. Containerleaks: Emerging security threats of information leakages in container clouds. In DSN, pages 237–248. IEEE Computer Society, 2017.
  26. Gramine - a library os for unmodified applications, 2023. https://gramineproject.io/.
  27. gsc – gramine shielded containers, 2023. https://gramine.readthedocs.io/projects/gsc/en/latest/.
  28. Cache-based application detection in the cloud using machine learning. In AsiaCCS, pages 288–300. ACM, 2017.
  29. Perfweb: How to violate web privacy with hardware performance events. In ESORICS (2), volume 10493 of Lecture Notes in Computer Science, pages 80–97. Springer, 2017.
  30. Seriously, get off my cloud! cross-vm RSA key recovery in a public cloud. IACR Cryptol. ePrint Arch., page 898, 2015.
  31. Co-location detection on the cloud. In COSADE, volume 9689 of Lecture Notes in Computer Science, pages 19–34. Springer, 2016.
  32. Cache attacks enable bulk key recovery on the cloud. In CHES, volume 9813 of Lecture Notes in Computer Science, pages 368–388. Springer, 2016.
  33. What is intel turbo boost technology?, 2023. https://www.intel.com/content/www/us/en/gaming/resources/turbo-boost.html.
  34. Intel SGX Explained. Cryptology ePrint Archive, Paper 2016/086, 2016. https://eprint.iacr.org/2016/086.
  35. David Kaplan. Protecting VM register state with SEV-ES. White paper, AMD, Feb 2017.
  36. Create firecracker VM images for use with firecracker-containerd, 2023.
  37. Michael Kerrisk. perf-trace(1) – linux manual page, 2023. https://man7.org/linux/man-pages/man1/perf-trace.1.html.
  38. Thermalbleed: A practical thermal side-channel attack. IEEE Access, 10:25718–25731, 2022.
  39. PLATYPUS: software-based power side-channel attacks on x86. In IEEE Symposium on Security and Privacy, pages 355–371. IEEE, 2021.
  40. Hardware-based trusted computing architectures for isolation and attestation. IEEE Transactions on Computers, 67(3):361–374, 2018.
  41. Cachezoom: How SGX amplifies the power of cache attacks. In CHES, volume 10529 of Lecture Notes in Computer Science, pages 69–90. Springer, 2017.
  42. Rendered insecure: GPU side channel attacks are practical. In CCS, pages 2139–2153. ACM, 2018.
  43. NIST. CVE-2016-6662, Last accessed: 11-2-2023. https://nvd.nist.gov/vuln/detail/CVE-2016-6662.
  44. NIST. CVE-2021-27928, Last accessed: 11-2-2023. https://nvd.nist.gov/vuln/detail/CVE-2021-27928.
  45. Lord of the ring(s): Side channel attacks on the CPU on-chip ring interconnect are practical. In USENIX Security Symposium, pages 645–662. USENIX Association, 2021.
  46. What is selinux, 2019. https://www.redhat.com/en/topics/linux/what-is-selinux.
  47. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In CCS, pages 199–212. ACM, 2009.
  48. Kai Salmen. Automatic conversion of containers to virtual machines, 2021. https://www.typefox.io/blog/automatic-conversion-of-containers-to-virtual-machines/.
  49. Amazon Web Services. AMD SEV-SNP, Last accessed: 03-17-2024. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html.
  50. Amazon Web Services. AWS and Intel, Last accessed: 03-17-2024. https://aws.amazon.com/intel/.
  51. Hot pixels: Frequency, power, and temperature attacks on gpus and arm socs. In USENIX Security Symposium, pages 6275–6292. USENIX Association, 2023.
  52. Graphene-sgx: A practical library OS for unmodified applications on SGX. In USENIX Annual Technical Conference, pages 645–658. USENIX Association, 2017.
  53. SGX-Step: A practical attack framework for precise enclave execution control. In 2nd Workshop on System Software for Trusted Execution (SysTEX), pages 4:1–4:6. ACM, October 2017.
  54. gvisor, 2023.
  55. Peeking behind the curtains of serverless platforms. In USENIX Annual Technical Conference, pages 133–146. USENIX Association, 2018.
  56. Leaky cauldron on the dark land: Understanding memory side-channel hazards in SGX. In CCS, pages 2421–2434. ACM, 2017.
  57. Hertzbleed: Turning power side-channel attacks into remote timing attacks on x86. In USENIX Security Symposium, pages 679–697. USENIX Association, 2022.
  58. Kata containers architecture – container creation, 2023.
  59. Whispers in the hyper-space: High-bandwidth and reliable covert channel attacks inside the cloud. IEEE/ACM Trans. Netw., 23(2):603–615, 2015.
  60. The true cost of containing: A gvisor case study. In HotCloud. USENIX Association, 2019.
  61. Peeping tom in the neighborhood: Keystroke eavesdropping on multi-user systems. In USENIX Security Symposium, pages 17–32. USENIX Association, 2009.
  62. Cross-vm side channels and their use to extract private keys. In CCS, pages 305–316. ACM, 2012.
  63. Cross-tenant side-channel attacks in paas clouds. In CCS, pages 990–1003. ACM, 2014.
  64. Red alert for power leakage: Exploiting intel rapl-induced side channels. In AsiaCCS, pages 162–175. ACM, 2021.

Summary

  • The paper introduces a dynamic frequency-based method to fingerprint Docker containers and other sandbox environments using CPU sensors.
  • It shows that fingerprinting achieves up to 84.5% accuracy in distinguishing concurrent workloads across platforms like gVisor, Firecracker, and TEEs.
  • The study also proposes noise injection as an effective mitigation technique to obscure CPU frequency signatures and enhance sandbox security.

Dynamic Frequency-Based Fingerprinting Attacks against Modern Sandbox Environments

Introduction

The proliferation of cloud technology has been met with increasing security demands, addressed in part by advanced sandbox environments. These include container-based solutions like Docker, microVMs such as AWS' Firecracker, and secure Trusted Execution Environments (TEEs) like Intel SGX. Despite their intended security enhancements, these environments face vulnerabilities to side-channel attacks that can compromise tenant security.

Methodology and Technical Challenges

The authors propose a technique to fingerprint Docker containers by leveraging CPU frequency reporting sensors available in modern Intel and AMD processors. By observing variations in CPU frequency, which reflect the computational activity of containers, attackers can theoretically and practically differentiate between simultaneous workloads with high accuracy. This frequency-based side-channel attack represents a significant shift in attack methodology since it requires only user-space privileges.

Empirical Results

Empirical testing showed that:

  • Different Docker containers could be distinguished with an accuracy of up to 84.5%, even when operating concurrently on separate cores.
  • Similar attacks conducted against various sandbox environments—including Google’s gVisor, AWS' Firecracker, and TEEs like Gramine using Intel SGX and AMD SEV—achieved identification accuracies over 70% in all cases, all within an execution time frame of under 40 seconds.

Countermeasures and Implications

The paper not only outlines the vulnerability but also proposes mitigation techniques against these frequency-based fingerprinting attacks. The primary method discussed is noise injection, which can potentially obscure the frequency signatures that the attacks rely on. This countermeasure is essential for sustaining the security integrity of sandbox environments in cloud computing contexts.

Concluding Remarks and Future Work

The findings underscore an often-overlooked vector in sandbox security, highlighting the need for continued evolution in defensive measures against side-channel attacks. Future research could expand on mitigation strategies and test the robustness of various sandbox configurations under diverse attack scenarios, potentially leading to more resilient cloud environments.

End Notes

The paper's implications touch on both theoretical and practical aspects of cloud security, suggesting pathways for both immediate and long-term enhancements to protect against sophisticated attacks leveraging seemingly benign system data, such as CPU frequency metrics. The proposed noise injection countermeasure, if further refined, could provide an effective defense mechanism against this class of side-channel attacks, ensuring safer multi-tenant environments in cloud infrastructures.

File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown