Moving in next door: Network flooding as a side channel in cloud environments
cans-paper.pdf (288.8Kb) Final author draft
MetadataShow full item record
CitationAgarwal Y., Murale V., Hennessey J., Hogan K., Varia M. (2016) Moving in Next Door: Network Flooding as a Side Channel in Cloud Environments. In: Foresti S., Persiano G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science, vol 10052. Springer, Cham. doi: DOI: 10.1007/978-3-319-48965-0_56
Co-locating multiple tenants' virtual machines (VMs) on the same host underpins public clouds' affordability, but sharing physical hardware also exposes consumer VMs to side channel attacks from adversarial co-residents. We demonstrate passive bandwidth measurement to perform traffic analysis attacks on co-located VMs. Our attacks do not assume a privileged position in the network or require any communication between adversarial and victim VMs. Using a single feature in the observed bandwidth data, our algorithm can identify which of 3 potential YouTube videos a co-resident VM streamed with 66% accuracy. We discuss defense from both a cloud provider's and a consumer's perspective, showing that effective defense is difficult to achieve without costly under-utilization on the part of the cloud provider or over-utilization on the part of the consumer.
The final publication is available at http://link.springer.com/chapter/10.1007/978-3-319-48965-0_56