Non-interactive OS fingerprinting through memory de-duplication technique in virtual machines

Owens, Rodney; Wang, Weichao

doi:10.1109/pccc.2011.6108094

Cited by 35 publications

(25 citation statements)

References 13 publications

(12 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A small but growing handful of works have explored side channels in settings characteristic of IaaS clouds, to which tenants deploy tasks in the form of virtual machines (VMs). Demonstrated attacks include side channels by which an attacker VM can extract coarse load measurements of a victim VM with which it is co-located [32]; identify pages it shares with a co-located victim VM, allowing it to detect victim VM applications, downloaded files [33] and its operating system (OS) [29]; and even exfiltrate a victim VM's private decryption key [40]. However, only the first of these attacks was demonstrated on a public cloud, with the others being demonstrated in lab settings.…”

Section: Introductionmentioning

confidence: 99%

Cross-Tenant Side-Channel Attacks in PaaS Clouds

Zhang

Juels

Reiter

et al. 2014

Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

265

159

View full text Add to dashboard Cite

We present a new attack framework for conducting cachebased side-channel attacks and demonstrate this framework in attacks between tenants on commercial Platform-as-aService (PaaS) clouds. Our framework uses the FlushReload attack of Gullasch et al. as a primitive, and extends this work by leveraging it within an automaton-driven strategy for tracing a victim's execution. We leverage our framework first to confirm co-location of tenants and then to extract secrets across tenant boundaries. We specifically demonstrate attacks to collect potentially sensitive application data (e.g., the number of items in a shopping cart), to hijack user accounts, and to break SAML single sign-on. To the best of our knowledge, our attacks are the first granular, cross-tenant, side-channel attacks successfully demonstrated on state-of-the-art commercial clouds, PaaS or otherwise.

show abstract

Section: Introductionmentioning

confidence: 99%

Cross-Tenant Side-Channel Attacks in PaaS Clouds

Zhang

Juels

Reiter

et al. 2014

Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

265

159

View full text Add to dashboard Cite

show abstract

“…An implementation of the key extraction attack was presented in [23]. The delay caused by separation of deduplicated memory pages in virtual machines has been used to identify guest OS types [13] or derive out memory page contents [24].…”

Section: A Information Leakage Among Virtual Machinesmentioning

confidence: 99%

“…We will access the pages of F1 and F2 regularly to keep them in the main memory. We can estimate the progress of deduplication based on our previous research [13]. When this procedure is finished, we can initiate "writing" operations to the pages.…”

Section: Basic Ideas Of the Proposed Approachesmentioning

confidence: 99%

“…For example, many mainframe virtual machine hypervisors such as VMware ESX and ESXi [10], Extended Xen [11], and KSM (Kernel Samepage Merging) [12] of the Linux kernel use the technique of memory deduplication to reduce memory footprint size of virtual machines. Since previous research has shown that page level memory sharing could create a side channel for information leakage [13], [14], [15], many end users ask the hypervisor to disable memory deduplication for their VMs. However, there exists no solution for end users to verify the execution of this agreement other than trusting the words of the cloud provider.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Detection of Service Level Agreement (SLA) Violation in Memory Management in Virtual Machines

Xie

Wang

Qin

2015

2015 24th International Conference on Computer Communication and Networks (ICCCN)

Self Cite

View full text Add to dashboard Cite

In cloud computing, quality of services is often enforced through Service Level Agreement (SLA) between end users and cloud providers. While SLAs on hardware resources such as CPU cycles or bandwidth can be monitored by low layer sensors, the enforcement of security SLAs stays a very challenging problem. Several high level architectures for security SLAs have been proposed. However, details still need to be filled before they can be deployed.In this paper, we propose to design mechanisms to detect violations of security SLAs. Specifically, we focus on unauthorized accesses to memory pages of a virtual machine and violation of the memory deduplication policies. Through measuring the accumulated memory access latency, we try to derive out whether or not the memory pages have been swapped out and the order of accesses to them. These events will then be compared to access commands issued by the local VM. In this way, unauthorized memory accesses or violation of deduplication policies can be detected. Compared to existing approaches, our mechanisms do not need explicit help from the hypervisor or third parties. Therefore, it can detect SLA violations even when they are initiated by the hypervisor. We implement our approaches under VMWare with Windows virtual machines. Our experiment results show that the VM can effectively detect the violations with small increases in overhead.

show abstract

“…Fingerprinting has become a popular method for device identification, and has been used to identify home electronics [38], websites [39], [40], [41], [42], [43], [44], the operating system of VMs [45], [46], and the source of phone calls [47]. The concept of fingerprinting stems from leveraging measurable signals caused by hardware imperfections in analog circuitry to uniquely identify devices.…”

Section: A Fingerprintingmentioning

confidence: 99%

Leveraging USB to Establish Host Identity Using Commodity Devices

Bates

Leonard

Pruse

et al. 2014

Proceedings 2014 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-Determining a computer's identity is a challenge of critical importance to users wishing to ensure that they are interacting with the correct system; it is also extremely valuable to forensics investigators. However, even hosts that contain trusted computing hardware to establish identity can be defeated by relay and impersonation attacks. In this paper, we consider how to leverage the virtually ubiquitous USB interface to uniquely identify computers based on the characteristics of their hardware, firmware, and software stacks. We collect USB data on a corpus of over 250 machines with a variety of hardware and software configurations, and through machine learning classification techniques we demonstrate that, given a period of observation on the order of tenths of a second, we can differentiate hosts based on a variety of attributes such as operating system, manufacturer, and model with upwards of 90% accuracy. Over longer periods of observation on the order of minutes, we demonstrate the ability to distinguish between hosts that are seemingly identical; using Random Forest classification and statistical analysis, we generate fingerprints that can be used to uniquely and consistently identify 70% of a field of 30 machines that share identical OS and hardware specifications. Additionally, we show that we can detect the presence of a hypervisor on a computer with 100% accuracy and that our results are resistant to concept drift, a spoofing attack in which malicious hosts provide fraudulent USB messages, and relaying of commands from other machines. Our techniques are thus generally employable in an easy-to-use and low-cost fashion.

show abstract

Non-interactive OS fingerprinting through memory de-duplication technique in virtual machines

Cited by 35 publications

References 13 publications

Cross-Tenant Side-Channel Attacks in PaaS Clouds

Cross-Tenant Side-Channel Attacks in PaaS Clouds

Detection of Service Level Agreement (SLA) Violation in Memory Management in Virtual Machines

Leveraging USB to Establish Host Identity Using Commodity Devices

Contact Info

Product

Resources

About