Files in this item



application/pdfECE499-Sp2014-wangGary.pdf (635kB)Restricted to U of Illinois
(no description provided)PDF


Title:Exploiting Timing Side-Channels against VM Monitoring
Author(s):Wang, Gary
Contributor(s):Kalbarczyk, Zbigniew
Abstract:With the advent of cloud computing, integrity of virtualization technologies (e.g., hypervisors) has become more important. Insight into hypervisor activity could allow normal users to identify suspicious behavior and benchmark performance. On the other hand, malicious users can use this information to craft a more advanced transient attack that would be undetectable to VM passive monitoring systems. This thesis introduces a novel side-channel to extract timing information from hypervisor-level monitoring systems, such as Virtual Machine Introspection (VMI) based monitoring. This information can be used to launch more sophisticated attacks, such as transient attacks, against hypervisor-level monitoring systems. It is often assumed that hypervisor activity is hidden from guest VMs, but we show that this is not always true. When the hypervisor performs certain actions (e.g. security monitoring of the guest OS), the VM must be paused. Therefore, suspension of the VM leaks information about the hypervisor’s activities. We analyze these measurements along with benchmarks on overall hypervisor overhead to determine whether or not VM passive monitoring is being utilized on a target system. We present suspended network activity as an example of a side-channel that can be used to measure the duration of the VM suspend. In order to make these measurements, we developed a kernel-level UDP networking framework, and statistical analysis was performed on these measurements to obtain a profile of hypervisor behavior.
Issue Date:2014-05
Date Available in IDEALS:2014-10-24

This item appears in the following Collection(s)

Item Statistics