Shuffler: Mitigate Cross-VM Side-Channel Attacks via Hypervisor Scheduling

  • Li Liu
  • An Wang
  • WanYu Zang
  • Meng Yu
  • Menbai Xiao
  • Songqing Chen
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 254)


Cloud computing relies on resource sharing to achieve high resource utilization and economy of scale. Meanwhile, contention on shared resources opens doors for co-located virtual machines (VMs) to have negative impacts on each other, and even introduces vulnerabilities such as information leakage. For example, via CPU cache-based side-channel attacks, an attacker VM can extract crypto keys from a victim VM.

To cost-effectively secure the cloud against those threats without sacrificing resource sharing, in this paper, we first investigate the factors that can impact the success of such attacks. Our investigation reveals that the root cause of such attacks is the constant sharing patterns of hardware resources between VMs. Based on our findings, we quantify the negative impacts a VM can have on another VM on the same machine using the vulnerable probability, and propose lightweight and generic scheduler-based defense mechanisms called Shuffler schedulers, which can effectively limit the vulnerable probability of all VMs. The key is that distributing CPU time to vCPUs with equal probability would reduce the overall vulnerable probability of the system. Our analyses and experimental results show that the Shuffler schedulers can effectively reduce information leakage to mitigate cross-VM side-channel attacks, with little performance penalty while preserving high resource utilization.



We appreciate constructive comments from anonymous referees. This work is partially supported by an ARO grant W911NF-15-1-0262, a NIST grant 70NANB16H166, and NSF grants CNS-1422355, CNS-1524462, and CNS-1634441.



Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Li Liu (1)
  • An Wang (1)
  • WanYu Zang (2)
  • Meng Yu (3)
  • Menbai Xiao (1)
  • Songqing Chen (1)

  1. George Mason University, Fairfax, USA
  2. TAMU at San Antonio, San Antonio, USA
  3. University of Texas at San Antonio, San Antonio, USA
