Towards a Comprehensive Model of Isolation for Mitigating Illicit Channels

  • Kevin FalzonEmail author
  • Eric Bodden
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9635)


The increased sharing of computational resources elevates the risk of side channels and covert channels, where an entity’s security is affected by the entities with which it is co-located. This introduces a strong demand for mechanisms that can effectively isolate individual computations. Such mechanisms should be efficient, allowing resource utilisation to be maximised despite isolation.

In this work, we develop a model for uniformly describing isolation, co-location and containment relationships between entities at multiple levels of a computer’s architecture and at different granularities. In particular, we examine the formulation of constraints on co-location and placement using partial specifications, as well as the cost of maintaining isolation guarantees on dynamic systems. We apply the model to a number of established attacks and mitigations.


Virtual Machine Cloud Provider Covert Channel Global Schedule Local Schedule 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    CRIU project page, January 2016.
  2. 2.
    Libvirt project page, January 2016.
  3. 3.
    Adams, K., Agesen, O.: A comparison of software and hardware techniques for x86 virtualization. In: Proceedings of the 12th International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 2–13. ASPLOS XII. ACM, New York (2006).
  4. 4.
    Afoulki, Z., Rouzaud-Cornabas, J.: A security-aware scheduler for virtual machines on IaaS clouds. Technical report LIFO, ENSI de Bourges (2011)Google Scholar
  5. 5.
    Amazon: Amazon EC2 instances, April 2015.
  6. 6.
    Azar, Y., Kamara, S., Menache, I., Raykova, M., Shepard, B.: Co-location-resistant clouds. In: Proceedings of the 6th Edition of the ACM Workshop on Cloud Computing Security, pp. 9–20. CCSW 2014. ACM, New York (2014).
  7. 7.
    Backes, M., Kopf, B., Rybalchenko, A.: Automatic discovery and quantification of information leaks. In: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, SP 2009, pp. 141–153. IEEE Computer Society, Washington, DC (2009).
  8. 8.
    Barbanera, F., Bugliesi, M., Dezani-Ciancaglini, M., Sassone, V.: A calculus of bounded capacities. In: Saraswat, V.A. (ed.) ASIAN 2003. LNCS, vol. 2896, pp. 205–223. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Baumann, A., Peinado, M., Hunt, G.: Shielding applications from an untrusted cloud with haven. In: 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2014), pp. 267–283. USENIX Association, Broomfield, October 2014.
  10. 10.
    Bijon, K.Z., Krishnan, R., Sandhu, R.: A formal model for isolation management in cloud infrastructure-as-a-service. In: Au, M.H., Carminati, B., Kuo, C.-C.J. (eds.) NSS 2014. LNCS, vol. 8792, pp. 41–53. Springer, Heidelberg (2014)Google Scholar
  11. 11.
    Bleikertz, S., Groß, T., Mödersheim, S.: Automated verification of virtualized infrastructures. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, CCSW 2011, pp. 47–58. ACM, New York (2011).
  12. 12.
    Bleikertz, S., Groß, T., Mödersheim, S.: Modeling and analysis of dynamic infrastructure clouds. Technical report, IBM Zurich, December 2013Google Scholar
  13. 13.
    Bleikertz, S., Vogel, C., Groß, T.: Cloud radar: near real-time detection of security failures in dynamic virtualized infrastructures. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, pp. 26–35. ACM, New York (2014).
  14. 14.
    Bleikertz, S., Gro, T.: A virtualization assurance language for isolation and deployment. In: POLICY, pp. 33–40. IEEE Computer Society (2011).
  15. 15.
    Braghin, C., Cortesi, A., Focardi, R.: Security boundaries in mobile ambients. Comput. Lang. Syst. Struct. 28(1), 101–127 (2002). Computer Languages and Security. Scholar
  16. 16.
    Broquedis, F., Clet-Ortega, J., Moreaud, S., Furmento, N., Goglin, B., Mercier,G., Thibault, S., Namyst, R.: hwloc: a generic framework for managing hardware affinities in HPC applications. In: The 18th Euromicro International Conference on Parallel, Distributed and Network-Based Computing, PDP 2010. IEEE, Pisa, February 2010.
  17. 17.
    Cardelli, L., Gordon, A.D.: Mobile ambients. In: Proceedings of POPL 1998. ACM Press (1998)Google Scholar
  18. 18.
    Caron, E., Rouzaud-Cornabas, J.: Improving users’ isolation in IaaS: virtual machine placement with security constraints. Research report RR-8444, INRIA, January 2014.
  19. 19.
    Dolan-Gavitt, B., Leek, T., Hodosh, J., Lee, W.: Tappan zee (north) bridge: mining memory accesses for introspection. In: ACM CCS 2013, pp. 839–850. ACM, New York (2013).
  20. 20.
    Doychev, G., Feld, D., Köpf, B., Mauborgne, L., Reineke, J.: Cacheaudit: A tool for the static analysis of cache side channels. In: Proceedings of the 22nd USENIX Conference on Security, SEC 2013, pp. 431–446. USENIX Association, Berkeley (2013).
  21. 21.
    Falzon, K., Bodden, E.: Dynamically provisioning isolation in hierarchical architectures. In: López, J., Mitchell, C.J. (eds.) ISC 2015. LNCS, vol. 9290, pp. 83–101. Springer, Heidelberg (2015). Scholar
  22. 22.
    Gao, X., Xiao, B., Tao, D., Li, X.: A survey of graph edit distance. Pattern Anal. Appl. 13(1), 113–129 (2010). Scholar
  23. 23.
    Gueron, S.: Intel advanced encryption standard (aes) new instructions set, May 2010.
  24. 24.
    Hu, W.M.: Reducing timing channels with fuzzy time. In: Proceedings, 1991 IEEE Computer Society Symposium on Research in Security and Privacy, 1991, pp. 8–20, May 1991Google Scholar
  25. 25.
    Jarraya, Y., Eghtesadi, A., Debbabi, M., Zhang, Y., Pourzandi, M.: Cloud calculus: security verification in elastic cloud computing platform. In: Smari, W.W., Fox, G.C. (eds.) CTS, pp. 447–454. IEEE (2012).
  26. 26.
    Kim, T., Peinado, M., Mainar-Ruiz, G.: Stealthmem: system-level protection against cache-based side channel attacks in the cloud. In: 21st USENIX Conference on Security Symposium. Security 2012. USENIX Association, Berkeley (2012).
  27. 27.
    Li, P., Gao, D., Reiter, M.: Mitigating access-driven timing channels in clouds using stopwatch. In: 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 1–12, June 2013Google Scholar
  28. 28.
    Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006). Scholar
  29. 29.
    Priebe, C., Muthukumaran, D., O’Keeffe, D., Eyers, D., Shand, B., Kapitza, R., Pietzuch, P.: Cloudsafetynet: detecting data leakage between cloud tenants. In: ACM Cloud Computing Security Workshop (CCSW). ACM, Scottsdale, November 2014Google Scholar
  30. 30.
    Raj, H., Nathuji, R., Singh, A., England, P.: Resource management for isolation enhanced cloud services. In: Proceedings of the 2009 ACM Workshop on Cloud Computing Security, CCSW 2009, pp. 77–84. ACM, New York (2009).
  31. 31.
    Varadarajan, V., Kooburat, T., Farley, B., Ristenpart, T., Swift, M.M.: Resource-freeing attacks: improve your cloud performance (at your neighbor’s expense). In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 281–292. ACM, New York (2012).
  32. 32.
    Varadarajan, V., Ristenpart, T., Swift, M.: Scheduler-based defenses against cross-vm side-channels. In: 23rd USENIX Security Symposium (USENIX Security 2014), pp. 687–702. USENIX Association, San Diego, August 2014.
  33. 33.
    Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: 21st USENIX Conference on Security Symposium, Security 2012, pp. 159–173. USENIX Association, Berkeley (2012).
  34. 34.
    Zhang, Y., Juels, A., Oprea, A., Reiter, M.K.: Homealone: Co-residency detection in the cloud via side-channel analysis. In: IEEE S&P 2011, pp. 313–328. IEEE Computer Society, Washington, DC (2011).
  35. 35.
    Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-vm side channels and their use to extract private keys. In: ACM CCS 2012, pp. 305–316. ACM, New York (2012).
  36. 36.
    Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-tenant side-channel attacks in paas clouds. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 990–1003. ACM, New York (2014).
  37. 37.
    Zhang, Y., Reiter, M.K.: Düppel: retrofitting commodity operating systems to mitigate cache side channels in the cloud. In: ACM CCS 2013, pp. 827–838. ACM, New York (2013).

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  1. 1.Technische Universität DarmstadtDarmstadtGermany
  2. 2.Universität Paderborn and Fraunhofer IEMPaderbornGermany

Personalised recommendations