Publication Type
Journal Article
Version
publishedVersion
Publication Date
11-2014
Abstract
This article presents StopWatch, a system that defends against timing-based side-channel attacks that arise from coresidency of victims and attackers in infrastructure-as-a-service clouds. StopWatch triplicates each cloud-resident guest virtual machine (VM) and places replicas so that the three replicas of a guest VM are coresident with nonoverlapping sets of (replicas of) other VMs. StopWatch uses the timing of I/O events at a VM’s replicas collectively to determine the timings observed by each one or by an external observer, so that observable timing behaviors are similarly likely in the absence of any other individual, coresident VMs. We detail the design and implementation of StopWatch in Xen, evaluate the factors that influence its performance, demonstrate its advantages relative to alternative defenses against timing side channels with commodity hardware, and address the problem of placing VM replicas in a cloud under the constraints of StopWatch so as to still enable adequate cloud utilization.
Keywords
Timing channels, clouds, replication, side channels, virtualization
Discipline
Computer Sciences | Information Security | Systems Architecture
Research Areas
Cybersecurity
Publication
ACM Transactions on Information and System Security (TISSEC)
Volume
17
Issue
2
ISSN
1094-9224
Identifier
10.1145/2670940
Publisher
ACM
Citation
Li, Peng; GAO, Debin; and Reiter, Michael K.
StopWatch: A Cloud Architecture for Timing Channel Mitigation. (2014). ACM Transactions on Information and System Security (TISSEC). 17, (2),.
Available at: https://ink.library.smu.edu.sg/sis_research/2525
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
http://dx.doi.org/10.1145/2670940