You are here

NDSS 2017 - Session 6A: Cloud and Potpourri

Session Chair:  Adam Bates

Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud

Covert channels evade isolation mechanisms between multiple parties in the cloud. Especially cache covert channels allow the transmission of several hundred kilobits per second between unprivileged user programs in separate virtual machines. However, caches are small and shared and thus cache-based communication is susceptible to noise from any system activity and interrupts. The feasibility of a reliable cache covert channel under a severe noise scenario has not been demonstrated yet. Instead, previous work relies on either of the two contradicting assumptions: the assumption of direct applicability of error-correcting codes, or the assumption that noise effectively prevents covert channels. 

In this paper, we show that both assumptions are wrong. First, error-correcting codes cannot be applied directly, due to the noise characteristics. Second, even with extraordinarily high system activity, we demonstrate an error-free and highthroughput covert channel. We provide the first comprehensive characterization of noise on cache covert channels due to cache activity and interrupts. We build the first robust covert channel based on established techniques from wireless transmission protocols, adapted for our use in microarchitectural attacks. Our errorcorrecting and error-handling high-throughput covert channel can sustain transmission rates of more than 45 KBps on Amazon EC2, which is 3 orders of magnitude higher than previous covert channels demonstrated on Amazon EC2. Our robust and errorfree channel even allows us to build an SSH connection between two virtual machines, where all existing covert channels fail. 

Authors:     Clémentine Maurice (Graz University of Technology)
                  Manuel Weber (Graz University of Technology)
                  Michael Schwarz (Graz University of Technology)
                  Lukas Giner (Graz University of Technology)
                  Daniel Gruss (Graz Univ. of Technology, Microsoft Research)
                  Carlo Alberto Boano (Graz University of Technology)
                  Stefan Mangard (Graz University of Technology)
                 Kay Römer (Graz University of Technology)

Dynamic Differential Location Privacy with Personalized Error Bounds

Location privacy continues to attract significant attentions in recent years, fueled by the rapid growth of locationbased services (LBSs) and smart mobile devices. Location obfuscation has been the dominating location privacy preserving approach, which transforms the exact location of a mobile user to a perturbed location before its public release. The notion of location privacy has evolved from user-defined location kanonymity to two statistical quantification based privacy notions: geo-indistinguishability and expected inference error. The former promotes di erential location privacy but does not protect location against inference attacks of Bayesian adversary with using prior information, whereas the latter promotes the background inference resilient location privacy but does not guarantee di erential location privacy with respect to geo-indistinguishability. In this paper we argue that geo-indistinguishability and expected inference error are two complementary notions for location privacy. We formally study the relationship between two privacy notions. By leveraging this relationship and a personalized error bound, we can e ectively combine the two privacy notions. We develop PIVE, a two-phase dynamic di erential location privacy framework. In Phase I, we take into account the user-defined inference error threshold and the prior knowledge about the user   s location to determine a subset of locations as the protection location set for protecting the actual location by increasing adversary   s expected location inference error. In Phase II, we generate pseudo-locations (i.e., perturbed locations) in the way that achieves di erential privacy over the protection location set. This two-phase location obfuscation is constructed dynamically by leveraging the relationship between two privacy notions based on adversary   s current prior information and user-specific privacy requirements on di erent locations and at di erent times. Experiments with real-world datasets demonstrate that our PIVE approach e ectively guarantees the two privacy notions simultaneously and outperforms the existing mechanisms in terms of adaptive privacy protection in presence of skewed locations and computation e ciency. 

Authors:     Lei Yu (Georgia Institute of Technology)
                  Ling Liu (
Georgia Institute of Technology)
                  Calton Pu 
(Georgia Institute of Technology)

Are We There Yet? On RPKI's Deployment and Security

The Resource Public Key Infrastructure (RPKI) binds IP address blocks to owners    public keys. RPKI enables routers to perform Route Origin Validation (ROV), thus preventing devastating attacks such as IP prefix hijacking. Yet, despite extensive effort, RPKI   s deployment is frustratingly sluggish, leaving the Internet largely insecure. We tackle fundamental questions regarding today   s RPKI   s deployment and security: What is the adoption status of RPKI and ROV? What are the implications for global security of partial adoption? What are the root-causes for slow adoption? How can deployment be pushed forward? We address these questions through a combination of empirical analyses, a survey of over 100 network practitioners, and extensive simulations. Our main contributions include the following.We present the first study measuring ROV enforcement, revealing disappointingly low adoption at the core of the Internet. We show, in contrast, that without almost ubiquitous ROV adoption by large ISPs significant security benefits cannot be attained. We next expose a critical security vulnerability: about a third of RPKI authorizations issued for IP prefixes do not protect the prefix from hijacking attacks. We examine potential reasons for scarce adoption of RPKI and ROV, including human error in issuing RPKI certificates and inter-organization dependencies, and present recommendations for addressing these challenges. 

Authors:     Yossi Gilad (Boston University and MIT)
                  Avichai Cohen (Hebrew University)
                  Amir Herzberg (Bar Ilan University)
                  Michael Schapira (Hebrew University)
                  Haya Shulman (Fraunhofer SIT)

TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation

Multi-tenancy in the cloud usually leads to security concerns over network isolation around each cloud tenant   s virtual resources. However, verifying network isolation in cloud virtual networks poses several unique challenges. The sheer size of virtual networks implies a prohibitive complexity, whereas the constant changes in virtual resources demand a short response time. To make things worse, such networks typically allow fine-grained (e.g., VM-level) and distributed (e.g., security groups) network access control. Those challenges can either invalidate existing approaches or cause an unacceptable delay which prevents runtime applications. In this paper, we present TenantGuard, a scalable system for verifying cloud-wide, VMlevel network isolation at runtime. We take advantage of the hierarchical nature of virtual networks, efficient data structures, incremental verification, and parallel computation to reduce the performance overhead of security verification. We implement our approach based on OpenStack and evaluate its performance both in-house and on Amazon EC2, which confirms its scalability and efficiency (13 seconds for verifying 168 millions of VM pairs). We further integrate TenantGuard with Congress, an OpenStack policy service, to verify compliance with respect to isolation requirements based on tenant-specific high-level security policies.

Yushun Wang (CIISE Concordia Univ., Montreal, QC, Canada)
Taous Madi (CIISE Concordia Univ., Montreal, QC, Canada)
Suryadipta Majumdar (CIISE Concordia Univ., Montreal, QC, Canada)
Yosr Jarraya (Ericsson Security Research, Ericsson Canada)
Amir Alimohammadifar (CIISE Concordia Univ., Montreal, QC, Canada)
Makan Pourzandi (Ericsson Security Research, Ericsson Canada)
Lingyu Wang ((CIISE Concordia Univ., Montreal, QC, Canada))
Mourad Debbabi (CIISE Concordia Univ., Montreal, QC, Canada)