By exploiting a side channel created by Copy-on-Write (CoW) operations of modern file systems, we present a novel attack which allows for detecting files in a shared cloud environment across virtual machine boundaries. In particular, we measure deduplication operation timings in order to probe for existing files of neighbouring virtual machines in a shared file system pool. As a result, no assumptions about the underlying hardware and no network access are necessary. To evaluate the real-world implications, we successfully demonstrate the feasibility of our attack on the ZFS file system. Our results clearly show that the presented attack enables the detection of vulnerable software or operating systems in a victim’s virtual machine on the same file system pool with high accuracy. Furthermore, we discuss several potential countermeasures and their implications.
Original languageEnglish
Title of host publicationProceedings of the 16th International Joint Conference on e-Business and Telecommunications
Place of PublicationPrague, Czech Republic
PublisherSciTePress - Science and Technology Publications
Pages187 - 197
Volume2: SECRYPT
ISBN (Electronic)978-989-758-378-0
Publication statusPublished - Jul 2019
Event16th International Joint Conference on e-Business and Telecommunications - Prague, Czech Republic
Duration: 26 Jul 201928 Jul 2019


Conference16th International Joint Conference on e-Business and Telecommunications
Abbreviated titleICETE 2019
CountryCzech Republic


Dive into the research topics of 'Prying CoW: Inferring Secrets Across Virtual Machine Boundaries'. Together they form a unique fingerprint.

Cite this