Formal Analysis of Sneak-Peek: A Data Centre Attack and Its Mitigations

  • Wei ChenEmail author
  • Yuhui Lin
  • Vashti Galpin
  • Vivek Nigam
  • Myungjin Lee
  • David Aspinall
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 529)


Attackers can exploit covert channels, such as timing side-channels, to transmit information without data owners or network administrators being aware. Sneak-Peek is a recently considered data centre attack, where, in a multi-tenant setting, an insider attacker can communicate with colluding outsiders by intentionally adding delays to traffic on logically isolated but physically shared links. Timing attack mitigations typically introduce delays or randomness which can make it difficult to understand the trade-off between level of security (bandwidth of the covert channel) and performance loss. We demonstrate that formal methods can help. We analyse the impacts of two Sneak-Peek mitigations, namely, noise addition and path hopping. We provide a precise mathematical model of the attack and of the effectiveness these defences. This mathematical analysis is extended by two tool-based stochastic formal models, one formalized in Uppaal and the other in Carma. The formal models can capture more general and larger networks than a paper-based analysis, can be used to check properties and make measurements, and are more easily modifiable than conventional network simulations. With Uppaal, we can analyse the effectiveness of mitigations and with Carma, we can analyse how these mitigations affect latencies in typical data centre topologies. As results, we show that using a selective strategy for path hopping is better than a random strategy, that using the two defences in conjunction may actually be worse than using a single defence, and we show the connection between hop frequency and network latency.



Our work is supported by EPSRC project EP/L02277X/1 and the Alan Turing Institute. The Uppaal and Carma models and experimental data are available at the web site


  1. 1.
    Al-Fares, M., Loukissas, A., Vahdat, A.: A scalable, commodity data center network architecture. In: Proceedings of ACM SIGCOMM 2008, pp. 63–74 (2008)Google Scholar
  2. 2.
    Alizadeh, M., et al.: CONGA: distributed congestion-aware load balancing for datacenters. In: Proceedings of ACM SIGCOMM 2014Google Scholar
  3. 3.
    Backes, M., Köpf, B.: Formally bounding the side-channel leakage in unknown-message attacks. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 517–532. Springer, Heidelberg (2008). Scholar
  4. 4.
    Behrmann, G., David, A., Larsen, K.G.: A tutorial on Uppaal. In: Bernardo, M., Corradini, F. (eds.) SFM-RT 2004. LNCS, vol. 3185, pp. 200–236. Springer, Heidelberg (2004). Scholar
  5. 5.
    Benson, T., Akella, A., Maltz, D.A.: Network traffic characteristics of data centers in the wild. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, IMC 2010, pp. 267–280. ACM (2010)Google Scholar
  6. 6.
    Biswas, A.K., Ghosal, D., Nagaraja, S.: A survey of timing channels and countermeasures. ACM Comput. Surv. 50(1), 6:1–6:39 (2017)CrossRefGoogle Scholar
  7. 7.
    Clark, S.S., Mustafa, H., Ransford, B., Sorber, J., Fu, K., Xu, W.: Current events: identifying webpages by tapping the electrical outlet. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 700–717. Springer, Heidelberg (2013). Scholar
  8. 8.
    Cover, T.M., Thomas, J.A.: Elements of Information Theory. Wiley, Hoboken (2006)zbMATHGoogle Scholar
  9. 9.
    Dantas, Y.G., Hamann, T., Mantel, H., Schickel, J.: An experimental study of a bucketing approach. In: Proceedings of QAPL 2017, pp. 517–532 (2017)Google Scholar
  10. 10.
    Eldib, H., Wang, C., Schaumont, P.: Formal verification of software countermeasures against side-channel attacks. ACM Trans. Softw. Eng. Methodol. 24, 11:1–11:24 (2014)CrossRefGoogle Scholar
  11. 11.
    Hillston, J., Loreti, M.: Carma eclipse plug-in: a tool supporting design and analysis of collective adaptive systems. In: Agha, G., Van Houdt, B. (eds.) QEST 2016. LNCS, vol. 9826, pp. 167–171. Springer, Cham (2016). Scholar
  12. 12.
    Ho, G., Boneh, D., Ballard, L., Provos, N.: Tick tock: building browser red pills from timing side channels. In: Proceedings of WOOT 2014 (2014)Google Scholar
  13. 13.
    Juarez, M., Imani, M., Perry, M., Diaz, C., Wright, M.: Toward an efficient website fingerprinting defense. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9878, pp. 27–46. Springer, Cham (2016). Scholar
  14. 14.
    Kemmerer, R.A.: A practical approach to identifying storage and timing channels: twenty years later. In: Proceedings of ACSAC 2002, pp. 109–118 (2002)Google Scholar
  15. 15.
    Köpf, B., Dürmuth, M.: A provably secure and efficient countermeasure against timing attacks. In: Proceedings of IEEE CSF 2009, pp. 324–335 (2009)Google Scholar
  16. 16.
    Lemos, M.O.O., Dantas, Y.G., Fonseca, I.E., Nigam, V.: On the accuracy of formal verification of selective defenses for TDoS attacks. JLAMP 94, 45–67 (2018)MathSciNetzbMATHGoogle Scholar
  17. 17.
    Loreti, M., Hillston, J.: Modelling and analysis of collective adaptive systems with Carma and its tools. In: Bernardo, M., De Nicola, R., Hillston, J. (eds.) SFM 2016. LNCS, vol. 9700, pp. 83–119. Springer, Cham (2016). Scholar
  18. 18.
    Majumdar, R., Tetali, S.D., Wang, Z.: Kuai: a model checker for software-defined networks. In: Proceedings of FMCAD 2014, pp. 27:163–27:170 (2014)Google Scholar
  19. 19.
    Pascoal, T.A., Dantas, Y.G., Fonseca, I.E., Nigam, V.: Slow TCAM exhaustion DDoS attack. In: De Capitani di Vimercati, S., Martinelli, F. (eds.) SEC 2017. IAICT, vol. 502, pp. 17–31. Springer, Cham (2017). Scholar
  20. 20.
    Podymov, V.V., Popesko, U.V.: Uppaal-based software-defined network verification. In: Proceedings of TMPA 2013, pp. 9–14 (2013)Google Scholar
  21. 21.
    Rotsos, C., Sarrar, N., Uhlig, S., Sherwood, R., Moore, A.W.: OFLOPS: an open framework for openflow switch evaluation. In: Taft, N., Ricciato, F. (eds.) PAM 2012. LNCS, vol. 7192, pp. 85–95. Springer, Heidelberg (2012). Scholar
  22. 22.
    Sebastio, S., Vandin, A.: MultiVeStA: statistical model checking for discrete event simulators. In: Proceedings of ValueTools 2013, pp. 310–315 (2013)Google Scholar
  23. 23.
    Shannon, C.E.: A mathematical theory of communication. SIGMOBILE Mob. Comput. Commun. Rev. 5, 3–55 (2001)CrossRefGoogle Scholar
  24. 24.
    Tahir, R., et al.: Sneak-peek: high speed covert channels in data center networks. In: Proceedings of IEEE INFOCOM 2016, pp. 1–9 (2016)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  1. 1.University of EdinburghEdinburghUK
  2. 2.Fortiss GmbHMunichGermany
  3. 3.Alan Turing InstituteLondonUK

Personalised recommendations