Cross-VM Attacks: Attack Taxonomy, Defense Mechanisms, and New Directions

  • Gulshan Kumar Singh
  • Gaurav Somani
Part of the Advances in Information Security book series (ADIS, volume 72)


Cloud computing provides virtual machines (VMs) to cloud customers, with the ability to scale resources on demand. The cloud offers logical isolation among VMs, but VMs running on the same physical server share the same resources. Hence, cross-VM attacks are possible in a multi-tenant virtualized environment. Most researchers focus on cross-VM attacks that primarily target cache memory. There are additional attack instances that target other essential resources such as the CPU, memory, I/O devices, and the cloud network. This chapter presents a taxonomic classification of cross-VM attacks and discusses the attack space and the solution space for combating them. We also explain new sophistication in the cross-VM attack space and provide a comprehensive discussion of solution design and guidelines.



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Gulshan Kumar Singh (1)
  • Gaurav Somani (1)
  1. Department of Computer Science and Engineering, Central University of Rajasthan, Ajmer, India
