Prying CoW: Inferring Secrets Across Virtual Machine Boundaries

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Research › peer-review

Abstract

By exploiting a side channel created by Copy-on-Write (CoW) operations of modern file systems, we present a novel attack which allows for detecting files in a shared cloud environment across virtual machine boundaries. In particular, we measure deduplication operation timings in order to probe for existing files of neighbouring virtual machines in a shared file system pool. As a result, no assumptions about the underlying hardware and no network access are necessary. To evaluate the real-world implications, we successfully demonstrate the feasibility of our attack on the ZFS file system. Our results clearly show that the presented attack enables the detection of vulnerable software or operating systems in a victim’s virtual machine on the same file system pool with high accuracy. Furthermore, we discuss several potential countermeasures and their implications.
Original language: English
Title of host publication: Proceedings of the 16th International Joint Conference on e-Business and Telecommunications
Place of Publication: Prague, Czech Republic
Publisher: SciTePress - Science and Technology Publications
Pages: 187 - 197
Volume: 2: SECRYPT
ISBN (Electronic): 978-989-758-378-0
DOIs: https://doi.org/10.5220/0007932301870197
Publication status: Published - Jul 2019
Event: 16th International Joint Conference on e-Business and Telecommunications - Prague, Czech Republic
Duration: 26 Jul 2019 - 28 Jul 2019

Conference

Conference: 16th International Joint Conference on e-Business and Telecommunications
Abbreviated title: ICETE 2019
Country: Czech Republic
City: Prague
Period: 26/07/19 - 28/07/19

Fingerprint

Computer operating systems
Hardware
Virtual machine

Cite this

Palfinger, G., Prünster, B., & Ziegler, D. (2019). Prying CoW: Inferring Secrets Across Virtual Machine Boundaries. In Proceedings of the 16th International Joint Conference on e-Business and Telecommunications (Vol. 2: SECRYPT, pp. 187 - 197). Prague, Czech Republic: SciTePress - Science and Technology Publications. https://doi.org/10.5220/0007932301870197

Prying CoW: Inferring Secrets Across Virtual Machine Boundaries. / Palfinger, Gerald; Prünster, Bernd; Ziegler, Dominik.

Proceedings of the 16th International Joint Conference on e-Business and Telecommunications. Vol. 2: SECRYPT Prague, Czech Republic : SciTePress - Science and Technology Publications, 2019. p. 187 - 197.


Palfinger, G, Prünster, B & Ziegler, D 2019, Prying CoW: Inferring Secrets Across Virtual Machine Boundaries. in Proceedings of the 16th International Joint Conference on e-Business and Telecommunications. vol. 2: SECRYPT, SciTePress - Science and Technology Publications, Prague, Czech Republic, pp. 187 - 197, 16th International Joint Conference on e-Business and Telecommunications, Prague, Czech Republic, 26/07/19. https://doi.org/10.5220/0007932301870197
Palfinger G, Prünster B, Ziegler D. Prying CoW: Inferring Secrets Across Virtual Machine Boundaries. In Proceedings of the 16th International Joint Conference on e-Business and Telecommunications. Vol. 2: SECRYPT. Prague, Czech Republic: SciTePress - Science and Technology Publications. 2019. p. 187 - 197 https://doi.org/10.5220/0007932301870197
Palfinger, Gerald ; Prünster, Bernd ; Ziegler, Dominik. / Prying CoW: Inferring Secrets Across Virtual Machine Boundaries. Proceedings of the 16th International Joint Conference on e-Business and Telecommunications. Vol. 2: SECRYPT Prague, Czech Republic : SciTePress - Science and Technology Publications, 2019. pp. 187 - 197
@inproceedings{1b3934f8c46e403fa934ab11e5b62100,
title = "Prying CoW: Inferring Secrets Across Virtual Machine Boundaries",
abstract = "By exploiting a side channel created by Copy-on-Write (CoW) operations of modern file systems, we present a novel attack which allows for detecting files in a shared cloud environment across virtual machine boundaries. In particular, we measure deduplication operation timings in order to probe for existing files of neighbouring virtual machines in a shared file system pool. As a result, no assumptions about the underlying hardware and no network access are necessary. To evaluate the real-world implications, we successfully demonstrate the feasibility of our attack on the ZFS file system. Our results clearly show that the presented attack enables the detection of vulnerable software or operating systems in a victim’s virtual machine on the same file system pool with high accuracy. Furthermore, we discuss several potential countermeasures and their implications.",
author = "Gerald Palfinger and Bernd Pr{\"u}nster and Dominik Ziegler",
year = "2019",
month = "7",
doi = "10.5220/0007932301870197",
language = "English",
volume = "2: SECRYPT",
pages = "187 -- 197",
booktitle = "Proceedings of the 16th International Joint Conference on e-Business and Telecommunications",
publisher = "SciTePress - Science and Technology Publications",
}

TY - GEN

T1 - Prying CoW: Inferring Secrets Across Virtual Machine Boundaries

AU - Palfinger, Gerald

AU - Prünster, Bernd

AU - Ziegler, Dominik

PY - 2019/7

Y1 - 2019/7

N2 - By exploiting a side channel created by Copy-on-Write (CoW) operations of modern file systems, we present a novel attack which allows for detecting files in a shared cloud environment across virtual machine boundaries. In particular, we measure deduplication operation timings in order to probe for existing files of neighbouring virtual machines in a shared file system pool. As a result, no assumptions about the underlying hardware and no network access are necessary. To evaluate the real-world implications, we successfully demonstrate the feasibility of our attack on the ZFS file system. Our results clearly show that the presented attack enables the detection of vulnerable software or operating systems in a victim’s virtual machine on the same file system pool with high accuracy. Furthermore, we discuss several potential countermeasures and their implications.

AB - By exploiting a side channel created by Copy-on-Write (CoW) operations of modern file systems, we present a novel attack which allows for detecting files in a shared cloud environment across virtual machine boundaries. In particular, we measure deduplication operation timings in order to probe for existing files of neighbouring virtual machines in a shared file system pool. As a result, no assumptions about the underlying hardware and no network access are necessary. To evaluate the real-world implications, we successfully demonstrate the feasibility of our attack on the ZFS file system. Our results clearly show that the presented attack enables the detection of vulnerable software or operating systems in a victim’s virtual machine on the same file system pool with high accuracy. Furthermore, we discuss several potential countermeasures and their implications.

U2 - 10.5220/0007932301870197

DO - 10.5220/0007932301870197

M3 - Conference contribution

VL - 2: SECRYPT

SP - 187

EP - 197

BT - Proceedings of the 16th International Joint Conference on e-Business and Telecommunications

PB - SciTePress - Science and Technology Publications

CY - Prague, Czech Republic

ER -